stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 12 Releases Wiki Activity

up
Some checks failed
api-governance / spectral-lint (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
oas-ci / oas-validate (push) Has been cancelled
Details
SDK Publish & Sign / sdk-publish (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
Policy Simulation / policy-simulate (push) Has been cancelled
Details
devportal-offline / build-offline (push) Has been cancelled
Details

Browse Source
This commit is contained in:
StellaOps Bot
2025-11-26 20:23:28 +02:00
parent 4831c7fcb0
commit d63af51f84
139 changed files with 8010 additions and 2795 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
.spectral.yaml
View File

@@ -38,3 +38,76 @@ rules:
then:
field: operationId
function: truthy
stella-2xx-response-examples:
description: "Every 2xx response must include at least one example"
message: "Add an example or examples block to 2xx responses"
given: "$.paths[*][*].responses[?(@property.match(/^2\\d\\d$/))].content.*"
severity: error
then:
function: schema
functionOptions:
schema:
anyOf:
- required: [examples]
- required: [example]
stella-pagination-params:
description: "Paged GETs must expose limit/cursor parameters"
message: "Add limit/cursor parameters for paged collection endpoints"
given: "$.paths[*][get]"
severity: warn
then:
function: schema
functionOptions:
schema:
type: object
properties:
parameters:
type: array
allOf:
- contains:
$ref: '#/components/parameters/LimitParam'
- contains:
$ref: '#/components/parameters/CursorParam'
stella-idempotency-header:
description: "POST/PUT/PATCH operations on collection/job endpoints should accept Idempotency-Key"
message: "Add Idempotency-Key header parameter for idempotent submissions"
given: "$.paths[*][?(@property.match(/^(post|put|patch)$/))]"
severity: warn
then:
function: schema
functionOptions:
schema:
type: object
properties:
parameters:
type: array
contains:
type: object
properties:
name:
const: Idempotency-Key
in:
const: header
required: [name, in]
stella-jobs-idempotency-key:
description: "Orchestrator job submissions must accept Idempotency-Key header"
given: "$.paths['/jobs'].post.parameters"
severity: warn
then:
function: schema
functionOptions:
schema:
type: array
contains:
type: object
properties:
name:
const: Idempotency-Key
in:
const: header
required: [name, in]

14
docs/24_OFFLINE_KIT.md
View File

@@ -72,13 +72,13 @@ python ops/offline-kit/build_offline_kit.py \
python ops/devops/telemetry/package_offline_bundle.py --output out/telemetry/telemetry-offline-bundle.tar.gz
```
Outputs:
- `stella-ops-offline-kit-<version>-<channel>.tar.gz` — bundle (mtime/uid/gid forced to zero for reproducibility)
- `stella-ops-offline-kit-<version>-<channel>.tar.gz.sha256` — bundle digest
- `manifest/offline-manifest.json` + `.sha256` — inventories every file in the bundle
- `<bundle>.metadata.json` — descriptor consumed by the CLI/Console import tooling
- `telemetry/telemetry-offline-bundle.tar.gz` + `.sha256` — packaged OTLP collector assets for environments without upstream access
Outputs:
- `stella-ops-offline-kit-<version>-<channel>.tar.gz` — bundle (mtime/uid/gid forced to zero for reproducibility)
- `stella-ops-offline-kit-<version>-<channel>.tar.gz.sha256` — bundle digest
- `manifest/offline-manifest.json` + `.sha256` — inventories every file in the bundle
- `<bundle>.metadata.json` — descriptor consumed by the CLI/Console import tooling; includes `counts` for `cli`, `taskPacksDocs`, `containers`, `orchestrator`, `exportCenter`, `notifier`, `surfaceSecrets` so operators can sanity-check bundle composition without unpacking
- `telemetry/telemetry-offline-bundle.tar.gz` + `.sha256` — packaged OTLP collector assets for environments without upstream access
- `plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python/*.sig` (+ `.sha256`) — Cosign signatures for the Python analyzer DLL and manifest
### Policy Gateway configuration bundle

17
docs/airgap/controller-scaffold.md
View File

@@ -8,6 +8,7 @@ Scope: Define the baseline project skeleton, APIs, telemetry, and staleness fiel
- Project: `src/AirGap/StellaOps.AirGap.Controller` (net10.0, minimal API host).
- Tests: `tests/AirGap/StellaOps.AirGap.Controller.Tests` with xunit + deterministic time provider.
- Shared contracts: DTOs under `Endpoints/Contracts`, domain state under `Domain/AirGapState.cs`.
- Persistence: in-memory store by default; Mongo store activates when `AirGap:Mongo:ConnectionString` is set.
## 2) State model
- Persistent document `airgap_state` (Mongo):
@@ -15,6 +16,22 @@ Scope: Define the baseline project skeleton, APIs, telemetry, and staleness fiel
- Index on `{tenant_id}`; unique on `singleton` within tenant.
- In-memory cache with monotonic timestamp to avoid stale reads; cache invalidated on transitions.
### Mongo wiring (optin)
- Config section:
```json
"AirGap": {
"Mongo": {
"ConnectionString": "mongodb://localhost:27017",
"Database": "stellaops_airgap",
"Collection": "airgap_state"
}
}
```
- The DI extension `AddAirGapController` chooses Mongo when `ConnectionString` is present; otherwise falls back to in-memory.
- Collection index: unique on `{tenant_id, id}` to enforce singleton per tenant.
## 3) Endpoints (56-002 baseline)
- `GET /system/airgap/status` → returns current state + staleness summary:
- `{sealed, policy_hash, time_anchor:{source, anchored_at, drift_seconds}, staleness:{seconds_remaining?, budget_seconds?}, last_transition_at}`.

48
docs/benchmarks/signals/bench-determinism.md
View File

@@ -1,4 +1,4 @@
# Determinism Benchmark (cross-scanner) — Draft
# Determinism Benchmark (cross-scanner) — Stable (2025-11)
Source: advisory “23-Nov-2025 - Benchmarking Determinism in Vulnerability Scoring”. This doc captures the runnable harness pattern and expected outputs for task BENCH-DETERMINISM-401-057.
@@ -34,6 +34,7 @@ for sbom, vex in zip(SBOMS, VEXES):
- 35 SBOMs (CycloneDX 1.6 / SPDX 3.0.1) + matching VEX docs covering affected/not_affected/fixed.
- Feeds bundle: vendor DBs (NVD, GHSA, OVAL) hashed and frozen.
- Policy: single normalization profile (e.g., prefer vendor scores, CVSS v3.1).
- Reachability dataset (optional combined run): `tests/reachability/samples-public` corpus; graphs produced via `stella graph lift` for each language sample; runtime traces optional.
## Metrics
- Determinism rate = identical_hash_runs / total_runs (20 per scanner/SBOM).
@@ -42,8 +43,51 @@ for sbom, vex in zip(SBOMS, VEXES):
## Deliverables
- `bench/determinism/` with harness, hashed inputs, and `results.csv`.
- CI target `bench:determinism` producing determinism% and σ per scanner.
- `bench/determinism/inputs.sha256` listing SBOM, VEX, feed bundle hashes (deterministic ordering).
- `bench/reachability/dataset.sha256` listing reachability corpus inputs (graphs, runtime traces) when running combined bench.
- CI target `bench:determinism` producing determinism% and σ per scanner; optional `bench:reachability` to recompute graph hash and runtime hit stability.
## Links
- Source advisory: `docs/product-advisories/23-Nov-2025 - Benchmarking Determinism in Vulnerability Scoring.md`
- Sprint task: BENCH-DETERMINISM-401-057 (SPRINT_0401_0001_0001_reachability_evidence_chain.md)
---
## How to run (local)
```sh
cd bench/determinism
python3 -m venv .venv && source .venv/bin/activate
pip install -r requirements.txt
# Freeze feeds and policy hashes
./freeze_feeds.sh ../feeds/bundle.tar.gz > inputs.sha256
# Run determinism bench
python run_bench.py --sboms inputs/sboms/*.json --vex inputs/vex/*.json \
--scanners configs/scanners.yaml --runs 20 --shuffle
# Reachability dataset (optional)
python run_reachability.py --graphs ../reachability/graphs/*.json \
--runtime ../reachability/runtime/*.ndjson.gz --output results-reach.csv
```
Outputs are written to `results.csv` (determinism) and `results-reach.csv` (reachability stability) plus SHA manifests.
## How to run (CI)
- Target `bench:determinism` in CI (see `.gitea/workflows/bench-determinism.yml`) runs the harness with frozen feeds and uploads `results.csv` + `inputs.sha256` as artifacts.
- Optional `bench:reachability` target replays reachability corpus, recomputes graph hashes, and compares against expected `dataset.sha256`.
- CI must fail if determinism rate < 0.95 or any graph hash mismatch.
## Offline/air-gap workflow
1. Place feeds bundle, SBOMs, VEX, and reachability corpus under `offline/inputs/` with matching `inputs.sha256` and `dataset.sha256`.
2. Run `./offline_run.sh --inputs offline/inputs --outputs offline/results` to execute both benches without network.
3. Verify hashes: `sha256sum -c offline/inputs/inputs.sha256` and `sha256sum -c offline/inputs/dataset.sha256`.
4. Store outputs plus manifests in Offline Kit; include DSSE envelope if signing is enabled (`./sign_results.sh`).
## Notes
- Keep file ordering deterministic (lexicographic) when generating manifests.
- Do not pull live feeds during bench runs; use frozen bundles only.
- For reachability runs, require symbol manifest availability; otherwise mark missing symbols and fail the run.

65
docs/forensics/evidence-locker.md Normal file
View File

@@ -0,0 +1,65 @@
# Evidence Locker
Status: Draft (2025-11-26) — DOCS-FORENSICS-53-001.
## Purpose
Capture forensic artefacts (bundles, logs, attestations) in a WORM-friendly store with retention/legal-hold controls.
## Storage model
- Object storage (preferred) with:
- Bucket per tenant (or tenant prefix) and immutable retention policy.
- Server-side encryption (KMS) and optional client-side DSSE envelopes.
- Versioning enabled; deletion disabled during legal hold.
- Index (Mongo/Postgres) for metadata:
- `artifactId`, `tenant`, `type` (bundle/attestation/log), `sha256`, `size`, `createdAt`, `retentionUntil`, `legalHold`.
- `provenance`: source service, job/run ID, DSSE envelope hash, signer.
- `immutability`: `worm=true|false`, `legalHold=true|false`, `expiresAt`.
## Ingest rules
- Only append; no overwrite. Use content-addressed paths: `tenant/<type>/<sha256>/<filename>`.
- Every artefact must include:
- SHA256 (and size)
- DSSE or Sigstore bundle for attestations
- Source metadata (service, run ID)
- Retention/hold directives
- Reject uploads lacking tenant, hash, or provenance.
## Retention & legal hold
- Default retention per tenant (e.g., 180d); configurable via policy.
- Legal hold flag prevents deletion/expiry; requires dual-approval to clear.
- Expiry job runs daily; deletes only items past `retentionUntil` and not on hold; produce audit log.
## Access & audit
- RBAC scopes: `locker:read`, `locker:write`, `locker:hold`.
- All actions logged with tenant, actor, artefact ID, hash, and result.
- Provide `/locker/manifest` endpoint to list artefacts by tenant/time/type with pagination.
## Verification
- `locker verify <artifactId>`:
- Recompute SHA256
- Verify DSSE/Sigstore signature and signer against trust roots
- Return status + provenance summary
- Periodic background verification: sample N artefacts/day; emit `locker.verify.failed` events on mismatch.
## Bundle format (minimum)
- Manifest (`manifest.json`):
- `artifactId`, `tenant`, `type`, `hashes`, `createdAt`, `retentionUntil`, `legalHold`
- `provenance` (source, signer, dsseEnvelopeHash)
- `paths` with bytes and hashes
- Data files under `data/` (gzip/zstd optional)
- Signature under `signatures/` if provided
## Migration from legacy storage
- Export legacy artefacts with hashes; import via Locker API with retention/hold fields.
- Maintain mapping of legacy IDs → new `artifactId` in index.
- Keep legacy store read-only until verification completes.
## Operational runbook (abridged)
- On ingest failure: log and return 400 with reason; do not partially store.
- On verification failure: mark artefact `suspect=true`, emit event, and investigate signer and storage integrity.
- For legal hold requests: require ticket/approval metadata; set `legalHold=true` and extend retention.
## References
- DSSE: in-toto DSSE spec.
- Sigstore bundles: `docs/forensics/provenance-attestation.md` (pending).
- Export Center mirror imports and policy attestations feed artefacts here.

65
docs/forensics/provenance-attestation.md
View File

@@ -1,15 +1,20 @@
# Provenance & Attestation Reference
> **Imposed rule:** All exported evidence must ship with DSSE + transparency proof bundles; unsigned or proof-less artifacts are rejected at ingress and may not be stored in the Evidence Locker.
This guide explains how StellaOps generates, signs, verifies, and distributes DSSE attestations for SBOMs, policy evaluations, and runtime evidence.
## 1. Attestation Workflow
## 1. Attestation Workflow (online and offline)
1. **Scanner** produces signed payload requests (SBOM, report metadata).
2. **Signer** authenticates the caller, verifies release integrity, and issues DSSE bundles (keyless or KMS-backed).
3. **Attestor** submits bundles to Rekor v2, caches inclusion proofs, and serves verification packages.
4. **Consumers** (Export Center, Evidence Locker, CLI, Policy Engine) fetch bundles for verification.
1. **Producer** (Scanner, Policy Engine, runtime probes) emits a payload and a request to sign.
2. **Signer** authenticates the caller, validates supply-chain policy (release integrity, image pinning), then signs using keyless or tenant KMS keys.
3. **Attestor** wraps the payload in DSSE, records it in Rekor v2 (when online), persists the bundle plus inclusion proof, and exposes a verification package API.
4. **Export Center** and **Evidence Locker** embed the bundle and proof into export artifacts for offline replay; CLI retrieves the same package via `stella attest fetch`.
5. **Verifiers** (CLI, Policy Engine, auditors) validate signature roots, Rekor proof, and optional transparency witness endorsements.
## 2. DSSE Payload Types
## 2. DSSE Payload Types & Schemas
Supported payload types (all versioned and protobuf/JSON dual-encoded):
- `StellaOps.BuildProvenance@1`
- `StellaOps.SBOMAttestation@1`
@@ -17,25 +22,55 @@ This guide explains how StellaOps generates, signs, verifies, and distributes DS
- `StellaOps.PolicyEvaluation@1`
- `StellaOps.VEXAttestation@1`
- `StellaOps.RiskProfileEvidence@1`
- `StellaOps.PromotionAttestation@1` (predicate `stella.ops/promotion@v1`, see `docs/release/promotion-attestations.md`)
Schemas live under `src/Attestor/StellaOps.Attestor.Types` and are documented in module architecture guides.
Schema sources: `src/Attestor/StellaOps.Attestor.Types` and module dossiers. All payloads include:
## 3. Verification
- `subject` (digest + PURL/NEVRA coordinates)
- `timestamp` (UTC, ISO-8601)
- `producer` (service + version)
- `critical` block (policy version, scanner defs, reachability context)
- `materials` (SBOM/VEX references) and optional `auxiliary_proofs`
- CLI command `stella attest verify` requests proofs from Attestor.
- Services embed Rekor UUID/index and DSSE digests in their APIs for downstream verification.
- Verification pipeline checks signature trust roots, Rekor inclusion proofs, and transparency witness endorsements when enabled.
## 3. Signing & storage controls
## 4. Offline/air-gap considerations
- **Key policy:** Short-lived OIDC keyless by default; tenant KMS allowed; Ed25519 and ECDSA P-256 supported.
- **Inclusion:** Rekor v2 UUID + log index cached; when offline, the Attestor stamps a `transparency_pending` marker to be replayed later.
- **WORM:** Evidence Locker keeps immutable copies; retention and legal hold are enforced per tenant and surfaced in `docs/forensics/evidence-locker.md`.
- **Redaction:** Sensitive fields (secrets, PII) must be excluded at payload creation; the signer refuses payloads marked `pii=true` without a redaction ticket.
- Export Center bundles incorporate attestations and proofs for offline verification.
- Evidence Locker stores immutable attestation bundles with retention policies.
## 4. Verification workflow
## 5. References
Command-line (online or offline bundle):
```sh
stella attest verify \
--bundle path/to/bundle.dsse.json \
--rekor-root pubkeys/rekor.pub \
--fulcio-root pubkeys/fulcio.pub \
--certificate-chain pubkeys/issuer-chain.pem
```
Verification steps performed by services and CLI:
- Validate DSSE signature against Fulcio/tenant roots and certificate policies.
- Confirm subject digest matches expected container/image/SBOM digest.
- Check Rekor inclusion proof and (if present) transparency witness signatures.
- Enforce freshness: reject bundles older than `attestation.max_age_days` (tenant policy).
- Record verification result into Timeline events for auditability.
## 5. Offline / air-gap posture
- Export Center emits self-contained bundles (`*.dsse.json`, `rekor-proof.json`, `cert-chain.pem`) plus a verification manifest for deterministic replay.
- CLI `stella attest verify --bundle bundle.dsse.json --offline` skips Rekor lookups and relies on embedded proofs.
- When connectivity returns, the Attestor replays pending `transparency_pending` entries and updates Evidence Locker indexes; Timeline events capture the replay.
## 6. References
- `docs/modules/signer/architecture.md`
- `docs/modules/attestor/architecture.md`
- `docs/modules/export-center/architecture.md`
- `docs/modules/policy/architecture.md`
- `docs/modules/telemetry/architecture.md`
- `docs/forensics/evidence-locker.md`
- `src/Provenance/StellaOps.Provenance.Attestation`

34
docs/forensics/timeline.md
View File

@@ -1,5 +1,7 @@
# Timeline Forensics Guide
> **Imposed rule:** Timeline is append-only; events may not be deleted or rewritten. Redactions require creating a compensating `redaction_notice` event that references the original ULID.
The Timeline Indexer service aggregates structured events (scanner runs, policy verdicts, runtime posture, evidence locker activity) so operators can audit changes over time. This guide summarises the event schema, query surfaces, and integration points.
## 1. Event Model
@@ -15,17 +17,45 @@ The Timeline Indexer service aggregates structured events (scanner runs, policy
Events are stored append-only with tenant-specific partitions. Producers include Scanner WebService, Policy Engine, Zastava Observer, Evidence Locker, and Notify.
### Event kinds (normative)
- `scan.completed` scanner job finished; includes SBOM digest, findings counts, determinism score.
- `policy.verdict` policy engine decision with overlay cache version and allow/deny rationale.
- `attestation.verified` attestation verification result with Rekor UUID and bundle digest.
- `evidence.ingested` Evidence Locker write with WORM vault identifier.
- `notify.sent` outbound notification with target channel and template id.
- `runtime.alert` runtime enforcement or observation event from Zastava Observer.
- `redaction_notice` compensating entry when data is logically withdrawn; must include `supersedes` ULID.
## 2. APIs
- `GET /api/v1/timeline/events` paginated event stream with filters (tenant, category, time window, correlation IDs).
- `GET /api/v1/timeline/events/{id}` fetch single event payload.
- `GET /api/v1/timeline/export` NDJSON export for offline review.
API headers: `X-Stella-Tenant`, optional `X-Stella-TraceId`, and `If-None-Match` for cache revalidation.
## 3. Query Tips
- Use `category` + `trace_id` to follow a scan-to-policy-to-notification flow.
- Combine `tenant` and `timestamp` filters for SLA audits.
- CLI command `stella timeline list` mirrors the API for automation.
- For WORM verification, filter `category=evidence` and join on Evidence Locker bundle digest.
- Use `category=attestation.verified` and `details.rekor_uuid` to reconcile transparency proofs.
Example queries
```sh
# Recent scan → policy → notify chain for a digest
stella timeline list --tenant acme --category scan.completed --subject sha256:abc... --limit 5
stella timeline list --tenant acme --category policy.verdict --trace-id <trace>
stella timeline list --tenant acme --category notify.sent --trace-id <trace>
# Export window for audit
curl -H "X-Stella-Tenant: acme" \
"https://console.example/api/v1/timeline/export?from=2025-11-01T00:00:00Z&to=2025-11-02T00:00:00Z" \
-o timeline-2025-11-01.ndjson
```
## 4. Integration
@@ -33,6 +63,10 @@ Events are stored append-only with tenant-specific partitions. Producers include
- Notifier creates acknowledgement events for incident workflows.
- Offline kits package timeline exports for compliance reviews.
Retention: events are retained per-tenant for at least `timeline.retention_days` (default 400 days) and replicated to cold storage weekly. Index rebuilds must preserve ordering and ULIDs.
Privacy/PII: producers must redact PII before emission; once emitted, redactions occur via `redaction_notice` only.
## 5. References
- `docs/modules/telemetry/architecture.md`

23
docs/implplan/SPRINT_0126_0001_0001_policy_reasoning.md
View File

@@ -17,14 +17,14 @@
## Delivery Tracker
| # | Task ID & handle | State | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | POLICY-ENGINE-40-003 | TODO | Depends on 40-002. | Policy · Web Scanner Guild / `src/Policy/StellaOps.Policy.Engine` | API/SDK utilities with evidence summaries. |
| 2 | POLICY-ENGINE-50-001 | TODO | Depends on 40-003. | Policy · Platform Security / `src/Policy/StellaOps.Policy.Engine` | SPL compiler, signed bundle, storage. |
| 3 | POLICY-ENGINE-50-002 | TODO | Depends on 50-001. | Policy · Runtime Guild / `src/Policy/StellaOps.Policy.Engine` | Runtime evaluator with deterministic caching. |
| 4 | POLICY-ENGINE-50-003 | TODO | Depends on 50-002. | Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` | Metrics/tracing/logging for compile/eval. |
| 5 | POLICY-ENGINE-50-004 | TODO | Depends on 50-003. | Policy · Platform Events Guild / `src/Policy/StellaOps.Policy.Engine` | Event pipeline for updates/re-eval. |
| 6 | POLICY-ENGINE-50-005 | TODO | Depends on 50-004. | Policy · Storage Guild / `src/Policy/StellaOps.Policy.Engine` | Collections/indexes for policy artifacts. |
| 7 | POLICY-ENGINE-50-006 | TODO | Depends on 50-005. | Policy · QA Guild / `src/Policy/StellaOps.Policy.Engine` | Explainer persistence/retrieval. |
| 8 | POLICY-ENGINE-50-007 | TODO | Depends on 50-006. | Policy · Scheduler Worker Guild / `src/Policy/StellaOps.Policy.Engine` | Evaluation worker host/orchestration. |
| 1 | POLICY-ENGINE-40-003 | DONE (2025-11-26) | Depends on 40-002. | Policy · Web Scanner Guild / `src/Policy/StellaOps.Policy.Engine` | API/SDK utilities with evidence summaries. |
| 2 | POLICY-ENGINE-50-001 | DONE (2025-11-26) | Depends on 40-003. | Policy · Platform Security / `src/Policy/StellaOps.Policy.Engine` | SPL compiler, signed bundle, storage. |
| 3 | POLICY-ENGINE-50-002 | DONE (2025-11-26) | Depends on 50-001. | Policy · Runtime Guild / `src/Policy/StellaOps.Policy.Engine` | Runtime evaluator with deterministic caching. |
| 4 | POLICY-ENGINE-50-003 | BLOCKED (2025-11-26) | Telemetry/metrics contract for compile/eval not published. | Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` | Metrics/tracing/logging for compile/eval. |
| 5 | POLICY-ENGINE-50-004 | BLOCKED (2025-11-26) | Blocked by 50-003 metrics contract. | Policy · Platform Events Guild / `src/Policy/StellaOps.Policy.Engine` | Event pipeline for updates/re-eval. |
| 6 | POLICY-ENGINE-50-005 | BLOCKED (2025-11-26) | Blocked by 50-004 event schema/storage contract. | Policy · Storage Guild / `src/Policy/StellaOps.Policy.Engine` | Collections/indexes for policy artifacts. |
| 7 | POLICY-ENGINE-50-006 | BLOCKED (2025-11-26) | Blocked by 50-005 storage schema. | Policy · QA Guild / `src/Policy/StellaOps.Policy.Engine` | Explainer persistence/retrieval. |
| 8 | POLICY-ENGINE-50-007 | BLOCKED (2025-11-26) | Blocked by 50-006 persistence contract. | Policy · Scheduler Worker Guild / `src/Policy/StellaOps.Policy.Engine` | Evaluation worker host/orchestration. |
| 9 | POLICY-ENGINE-60-001 | TODO | Depends on 50-007. | Policy · SBOM Service Guild / `src/Policy/StellaOps.Policy.Engine` | Redis effective decision maps. |
| 10 | POLICY-ENGINE-60-002 | TODO | Depends on 60-001. | Policy · BE-Base Platform Guild / `src/Policy/StellaOps.Policy.Engine` | Simulation bridge for Graph What-if. |
| 11 | POLICY-ENGINE-70-002 | TODO | Depends on 60-002. | Policy · Storage Guild / `src/Policy/StellaOps.Policy.Engine` | Exception collections + migrations. |
@@ -39,10 +39,17 @@
| --- | --- | --- |
| 2025-11-08 | Sprint stub; awaiting upstream phases. | Planning |
| 2025-11-19 | Normalized to standard template and renamed from `SPRINT_126_policy_reasoning.md` to `SPRINT_0126_0001_0001_policy_reasoning.md`; content preserved. | Implementer |
| 2025-11-26 | POLICY-ENGINE-40-003 delivered: evidence summary service + `/evidence/summary` endpoint and deterministic headline/severity/signals; unit tests added (`EvidenceSummaryServiceTests`). Targeted test slice canceled due to static-graph fan-out; rerun on clean host recommended. | Implementer |
| 2025-11-26 | POLICY-ENGINE-50-001 delivered: compile-and-sign bundle service + `/api/policy/packs/{packId}/revisions/{version}/bundle` endpoint, deterministic signature stub, in-memory bundle storage, and unit tests (`PolicyBundleServiceTests`). Targeted build/test run canceled due to static-graph fan-out; rerun on clean host recommended. | Implementer |
| 2025-11-26 | POLICY-ENGINE-50-002 delivered: runtime evaluator with deterministic cache + `/api/policy/packs/{packId}/revisions/{version}/evaluate` endpoint; caching tests in `PolicyRuntimeEvaluatorTests`. Test run canceled after static-graph fan-out; rerun policy-only slice recommended. | Implementer |
| 2025-11-26 | POLICY-ENGINE-50-003..50-007 marked BLOCKED: telemetry/event/storage schemas for compile/eval pipeline not published; downstream persistence/worker tasks hold until specs land. | Implementer |
## Decisions & Risks
- All tasks depend on prior Policy phases; sequencing must be maintained.
- Entropy/trust algebra inputs (POLICY-RISK-90-001) require Scanner contract.
- Build/test runs for POLICY-ENGINE-40-003 and 50-001 were canceled locally due to static-graph fan-out; rerun policy-only slice with `DOTNET_DISABLE_BUILTIN_GRAPH=1` on a clean host to validate new endpoints/services.
- Evidence summary and runtime evaluator APIs added; verification pending because graph-disabled test slice could not complete locally (static graph pulled unrelated modules). Policy-only solution run recommended.
- Telemetry/event/storage contracts for compile/eval pipeline are absent, blocking POLICY-ENGINE-50-003..50-007.
## Next Checkpoints
- Align SPL compiler/evaluator contracts once upstream phases land (date TBD).

38
docs/implplan/SPRINT_0127_0001_0001_policy_reasoning.md
View File

@@ -18,21 +18,21 @@
| # | Task ID & handle | State | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| P1 | PREP-POLICY-RISK-66-001-RISKPROFILE-LIBRARY-S | DONE (2025-11-22) | Due 2025-11-22 · Accountable: Risk Profile Schema Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Risk Profile Schema Guild / `src/Policy/StellaOps.Policy.RiskProfile` | RiskProfile library scaffold absent (`src/Policy/StellaOps.Policy.RiskProfile` contains only AGENTS.md); need project + storage contract to place schema/validators. <br><br> Document artefact/deliverable for POLICY-RISK-66-001 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/policy/prep/2025-11-20-riskprofile-66-001-prep.md`. |
| 1 | POLICY-ENGINE-80-002 | TODO | Depends on 80-001. | Policy · Storage Guild / `src/Policy/StellaOps.Policy.Engine` | Join reachability facts + Redis caches. |
| 2 | POLICY-ENGINE-80-003 | TODO | Depends on 80-002. | Policy · Policy Editor Guild / `src/Policy/StellaOps.Policy.Engine` | SPL predicates/actions reference reachability. |
| 3 | POLICY-ENGINE-80-004 | TODO | Depends on 80-003. | Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` | Metrics/traces for signals usage. |
| 4 | POLICY-OBS-50-001 | TODO | — | Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` | Telemetry core for API/worker hosts. |
| 5 | POLICY-OBS-51-001 | TODO | Depends on 50-001. | Policy · DevOps Guild / `src/Policy/StellaOps.Policy.Engine` | Golden-signal metrics + SLOs. |
| 6 | POLICY-OBS-52-001 | TODO | Depends on 51-001. | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Timeline events for evaluate/decision flows. |
| 7 | POLICY-OBS-53-001 | TODO | Depends on 52-001. | Policy · Evidence Locker Guild / `src/Policy/StellaOps.Policy.Engine` | Evaluation evidence bundles + manifests. |
| 8 | POLICY-OBS-54-001 | TODO | Depends on 53-001. | Policy · Provenance Guild / `src/Policy/StellaOps.Policy.Engine` | DSSE attestations for evaluations. |
| 9 | POLICY-OBS-55-001 | TODO | Depends on 54-001. | Policy · DevOps Guild / `src/Policy/StellaOps.Policy.Engine` | Incident mode sampling overrides. |
| 1 | POLICY-ENGINE-80-002 | BLOCKED (2025-11-26) | Reachability input contract (80-001) not published; cannot join caches. | Policy · Storage Guild / `src/Policy/StellaOps.Policy.Engine` | Join reachability facts + Redis caches. |
| 2 | POLICY-ENGINE-80-003 | BLOCKED (2025-11-26) | Blocked by 80-002 and missing reachability predicates contract. | Policy · Policy Editor Guild / `src/Policy/StellaOps.Policy.Engine` | SPL predicates/actions reference reachability. |
| 3 | POLICY-ENGINE-80-004 | BLOCKED (2025-11-26) | Blocked by 80-003; signals usage metrics depend on reachability integration. | Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` | Metrics/traces for signals usage. |
| 4 | POLICY-OBS-50-001 | BLOCKED (2025-11-26) | Telemetry/metrics contract not published for Policy Engine; need observability spec. | Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` | Telemetry core for API/worker hosts. |
| 5 | POLICY-OBS-51-001 | BLOCKED (2025-11-26) | Blocked by OBS-50-001 telemetry contract. | Policy · DevOps Guild / `src/Policy/StellaOps.Policy.Engine` | Golden-signal metrics + SLOs. |
| 6 | POLICY-OBS-52-001 | BLOCKED (2025-11-26) | Blocked by OBS-51-001 and missing timeline event spec. | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Timeline events for evaluate/decision flows. |
| 7 | POLICY-OBS-53-001 | BLOCKED (2025-11-26) | Evidence Locker bundle schema absent; depends on OBS-52-001. | Policy · Evidence Locker Guild / `src/Policy/StellaOps.Policy.Engine` | Evaluation evidence bundles + manifests. |
| 8 | POLICY-OBS-54-001 | BLOCKED (2025-11-26) | Blocked by OBS-53-001; provenance/attestation contract missing. | Policy · Provenance Guild / `src/Policy/StellaOps.Policy.Engine` | DSSE attestations for evaluations. |
| 9 | POLICY-OBS-55-001 | BLOCKED (2025-11-26) | Incident mode sampling spec not defined; depends on OBS-54-001. | Policy · DevOps Guild / `src/Policy/StellaOps.Policy.Engine` | Incident mode sampling overrides. |
| 10 | POLICY-RISK-66-001 | DONE (2025-11-22) | PREP-POLICY-RISK-66-001-RISKPROFILE-LIBRARY-S | Risk Profile Schema Guild / `src/Policy/StellaOps.Policy.RiskProfile` | RiskProfile JSON schema + validator stubs. |
| 11 | POLICY-RISK-66-002 | TODO | Depends on 66-001. | Risk Profile Schema Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Inheritance/merge + deterministic hashing. |
| 12 | POLICY-RISK-66-003 | TODO | Depends on 66-002. | Policy · Risk Profile Schema Guild / `src/Policy/StellaOps.Policy.Engine` | Integrate RiskProfile into Policy Engine config. |
| 13 | POLICY-RISK-66-004 | TODO | Depends on 66-003. | Policy · Risk Profile Schema Guild / `src/Policy/__Libraries/StellaOps.Policy` | Load/save RiskProfiles; validation diagnostics. |
| 14 | POLICY-RISK-67-001 | TODO | Depends on 66-004. | Policy · Risk Engine Guild / `src/Policy/StellaOps.Policy.Engine` | Trigger scoring jobs on new/updated findings. |
| 15 | POLICY-RISK-67-001 | TODO | Depends on 67-001. | Risk Profile Schema Guild · Policy Engine Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Profile storage/versioning lifecycle. |
| 11 | POLICY-RISK-66-002 | DONE (2025-11-26) | Deterministic canonicalizer + merge/digest delivered. | Risk Profile Schema Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Inheritance/merge + deterministic hashing. |
| 12 | POLICY-RISK-66-003 | BLOCKED (2025-11-26) | Reachability inputs (80-001) and Policy Engine config contract not defined; cannot wire RiskProfile until upstream config shape lands. | Policy · Risk Profile Schema Guild / `src/Policy/StellaOps.Policy.Engine` | Integrate RiskProfile into Policy Engine config. |
| 13 | POLICY-RISK-66-004 | BLOCKED (2025-11-26) | Depends on 66-003. | Policy · Risk Profile Schema Guild / `src/Policy/__Libraries/StellaOps.Policy` | Load/save RiskProfiles; validation diagnostics. |
| 14 | POLICY-RISK-67-001 | BLOCKED (2025-11-26) | Depends on 66-004. | Policy · Risk Engine Guild / `src/Policy/StellaOps.Policy.Engine` | Trigger scoring jobs on new/updated findings. |
| 15 | POLICY-RISK-67-001 | BLOCKED (2025-11-26) | Depends on 67-001. | Risk Profile Schema Guild · Policy Engine Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Profile storage/versioning lifecycle. |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -44,11 +44,19 @@
| 2025-11-19 | Attempted POLICY-RISK-66-001; blocked because `src/Policy/StellaOps.Policy.RiskProfile` lacks a project/scaffold to host schema + validators. Needs project creation + contract placement guidance. | Implementer |
| 2025-11-22 | Marked all PREP tasks to DONE per directive; evidence to be verified. | Project Mgmt |
| 2025-11-22 | Implemented RiskProfile schema + validator and tests; added project to solution; set POLICY-RISK-66-001 to DONE. | Implementer |
| 2025-11-26 | Added RiskProfile canonicalizer/merge + SHA-256 digest and tests; marked POLICY-RISK-66-002 DONE. | Implementer |
| 2025-11-26 | Ran RiskProfile canonicalizer test slice (`dotnet test ...RiskProfile.RiskProfile.Tests.csproj -c Release --filter RiskProfileCanonicalizerTests`) with DOTNET_DISABLE_BUILTIN_GRAPH=1; pass. | Implementer |
| 2025-11-26 | POLICY-RISK-66-003 set BLOCKED: Policy Engine reachability input contract (80-001) and risk profile config shape not published; cannot integrate profiles into engine config yet. | Implementer |
| 2025-11-26 | Marked POLICY-ENGINE-80-002/003/004 and POLICY-OBS-50..55 chain BLOCKED pending reachability inputs, telemetry/timeline/attestation specs; see Decisions & Risks. | Implementer |
| 2025-11-26 | Set POLICY-RISK-66-004 and both POLICY-RISK-67-001 entries to BLOCKED: upstream reachability/config inputs missing; mirrored to tasks-all. | Implementer |
| 2025-11-22 | Unblocked POLICY-RISK-66-001 after prep completion; status → TODO. | Project Mgmt |
## Decisions & Risks
- Reachability inputs (80-001) prerequisite; not yet delivered.
- RiskProfile schema undefined; blocks risk chain if delayed.
- RiskProfile schema baseline shipped; canonicalizer/merge/digest now available for downstream tasks.
- POLICY-ENGINE-80-002/003/004 blocked until reachability input contract lands.
- POLICY-OBS-50..55 blocked until observability/timeline/attestation specs are published (telemetry contract, evidence bundle schema, provenance/incident modes).
- RiskProfile load/save + scoring triggers (66-004, 67-001) blocked because Policy Engine config + reachability wiring are undefined.
## Next Checkpoints
- Define reachability input contract (date TBD).

8
docs/implplan/SPRINT_0128_0001_0001_policy_reasoning.md
View File

@@ -31,7 +31,7 @@
| 12 | POLICY-SPL-23-003 | DONE (2025-11-26) | Layering/override engine shipped; next step is explanation tree. | Policy Guild / `src/Policy/__Libraries/StellaOps.Policy` | Layering/override engine + tests. |
| 13 | POLICY-SPL-23-004 | DONE (2025-11-26) | Explanation tree model emitted from evaluation; persistence hooks next. | Policy · Audit Guild / `src/Policy/__Libraries/StellaOps.Policy` | Explanation tree model + persistence. |
| 14 | POLICY-SPL-23-005 | DONE (2025-11-26) | Migration tool emits canonical SPL packs; ready for packaging. | Policy · DevEx Guild / `src/Policy/__Libraries/StellaOps.Policy` | Migration tool to baseline SPL packs. |
| 15 | POLICY-SPL-24-001 | TODO | Depends on 23-005. | Policy · Signals Guild / `src/Policy/__Libraries/StellaOps.Policy` | Extend SPL with reachability/exploitability predicates. |
| 15 | POLICY-SPL-24-001 | DONE (2025-11-26) | Depends on 23-005. | Policy · Signals Guild / `src/Policy/__Libraries/StellaOps.Policy` | Extend SPL with reachability/exploitability predicates. |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -43,12 +43,18 @@
| 2025-11-26 | Added SPL migration tool to emit canonical SPL JSON from PolicyDocument + tests; marked POLICY-SPL-23-005 DONE. | Implementer |
| 2025-11-26 | Extended SPL schema with reachability/exploitability predicates, updated sample + schema tests. | Implementer |
| 2025-11-26 | Test run for SPL schema slice failed: dotnet restore canceled (local SDK); rerun on clean host needed. | Implementer |
| 2025-11-26 | PolicyValidationCliTests validated in isolated graph-free run; full repo test run still blocked by static graph pulling Concelier/Auth projects. CI run with DOTNET_DISABLE_BUILTIN_GRAPH=1 recommended. | Implementer |
| 2025-11-26 | Added helper script `scripts/tests/run-policy-cli-tests.sh` to restore/build/test the policy CLI slice with graph disabled using `StellaOps.Policy.only.sln`. | Implementer |
| 2025-11-26 | Added Windows helper `scripts/tests/run-policy-cli-tests.ps1` for the same graph-disabled PolicyValidationCliTests slice. | Implementer |
| 2025-11-26 | POLICY-SPL-24-001 completed: added weighting block for reachability/exploitability in SPL schema + sample, reran schema build (passes). | Implementer |
| 2025-11-26 | Marked risk profile chain (67-002 .. 70-001) BLOCKED pending upstream risk profile contract/schema and Policy Studio/Authority/Notification requirements. | Implementer |
| 2025-11-08 | Sprint stub; awaiting upstream phases. | Planning |
| 2025-11-19 | Normalized to standard template and renamed from `SPRINT_128_policy_reasoning.md` to `SPRINT_0128_0001_0001_policy_reasoning.md`; content preserved. | Implementer |
## Decisions & Risks
- Risk profile contracts and SPL schema not yet defined; entire chain remains TODO pending upstream specs.
// Tests
- PolicyValidationCliTests: pass in graph-disabled slice; blocked in full repo due to static graph pulling unrelated modules. Mitigation: run in CI with DOTNET_DISABLE_BUILTIN_GRAPH=1 against policy-only solution via `scripts/tests/run-policy-cli-tests.sh` (Linux/macOS) or `scripts/tests/run-policy-cli-tests.ps1` (Windows).
## Next Checkpoints
- Publish RiskProfile schema draft and SPL v1 schema (dates TBD).

19
docs/implplan/SPRINT_0186_0001_0001_record_deterministic_execution.md
View File

@@ -26,12 +26,12 @@
| 5 | SIGN-CORE-186-005 | TODO | Depends on 186-004. | Signing Guild | Refactor `SignerStatementBuilder` to support StellaOps predicate types and delegate canonicalisation to Provenance library when available. |
| 6 | SIGN-TEST-186-006 | TODO | Depends on 186-004/005. | Signing Guild · QA Guild | Upgrade signer integration tests to real crypto abstraction + fixture predicates (promotion, SBOM, replay); deterministic test data. |
| 7 | AUTH-VERIFY-186-007 | TODO | After 186-003. | Authority Guild · Provenance Guild | Authority-side helper/service validating DSSE signatures and Rekor proofs for promotion attestations using trusted checkpoints; offline audit flow. |
| 8 | SCAN-DETER-186-008 | TODO | Parallel with 186-002. | Scanner Guild | Add deterministic execution switches (fixed clock, RNG seed, concurrency cap, feed/policy pins, log filtering) via CLI/env/config. |
| 8 | SCAN-DETER-186-008 | DOING (2025-11-26) | Parallel with 186-002. | Scanner Guild | Add deterministic execution switches (fixed clock, RNG seed, concurrency cap, feed/policy pins, log filtering) via CLI/env/config. |
| 9 | SCAN-DETER-186-009 | TODO | Depends on 186-008. | Scanner Guild · QA Guild | Determinism harness to replay scans, canonicalise outputs, record hash matrices (`docs/modules/scanner/determinism-score.md`). |
| 10 | SCAN-DETER-186-010 | TODO | Depends on 186-009. | Scanner Guild · Export Center Guild | Emit/publish `determinism.json` with scores/hashes/diffs alongside each scanner release via CAS/object storage; document in release guide. |
| 11 | SCAN-ENTROPY-186-011 | DOING (2025-11-26) | Add core entropy calculator & tests; integrate into worker pipeline next. | Scanner Guild | Entropy analysis for ELF/PE/Mach-O/opaque blobs (sliding-window metrics, section heuristics); record offsets/hints (see `docs/modules/scanner/entropy.md`). |
| 12 | SCAN-ENTROPY-186-012 | TODO | Depends on 186-011. | Scanner Guild · Provenance Guild | Generate `entropy.report.json`, image-level penalties; attach evidence to manifests/attestations; expose ratios for policy engines. |
| 13 | SCAN-CACHE-186-013 | TODO | Parallel with replay work. | Scanner Guild | Layer-level SBOM/VEX cache keyed by layer digest + manifest hash + tool/feed/policy IDs; re-verify DSSE on cache hits; persist indexes; document referencing 16-Nov-2026 advisory. |
| 11 | SCAN-ENTROPY-186-011 | DONE (2025-11-26) | Add core entropy calculator & tests; integrate into worker pipeline next. | Scanner Guild | Entropy analysis for ELF/PE/Mach-O/opaque blobs (sliding-window metrics, section heuristics); record offsets/hints (see `docs/modules/scanner/entropy.md`). |
| 12 | SCAN-ENTROPY-186-012 | BLOCKED (2025-11-26) | Waiting on worker→webservice entropy delivery contract and upstream Policy build fix. | Scanner Guild · Provenance Guild | Generate `entropy.report.json`, image-level penalties; attach evidence to manifests/attestations; expose ratios for policy engines. |
| 13 | SCAN-CACHE-186-013 | BLOCKED (2025-11-26) | Waiting on cache key/contract (tool/feed/policy IDs, manifest hash) and DSSE validation flow definition between Worker ↔ WebService. | Scanner Guild | Layer-level SBOM/VEX cache keyed by layer digest + manifest hash + tool/feed/policy IDs; re-verify DSSE on cache hits; persist indexes; document referencing 16-Nov-2026 advisory. |
| 14 | SCAN-DIFF-CLI-186-014 | TODO | Depends on replay+cache scaffolding. | Scanner Guild · CLI Guild | Deterministic diff-aware rescan workflow (`scan.lock.json`, JSON Patch diffs, CLI verbs `stella scan --emit-diff` / `stella diff`); replayable tests; docs. |
| 15 | SBOM-BRIDGE-186-015 | TODO | Parallel; coordinate with Sbomer. | Sbomer Guild · Scanner Guild | Establish SPDX 3.0.1 as canonical SBOM persistence; deterministic CycloneDX 1.6 exporter; map table/library; wire snapshot hashes into replay manifests. |
| 16 | DOCS-REPLAY-186-004 | TODO | After replay schema settled. | Docs Guild | Author `docs/replay/TEST_STRATEGY.md` (golden replay, feed drift, tool upgrade); link from replay docs and Scanner architecture. |
@@ -39,10 +39,17 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-26 | Began SCAN-ENTROPY-186-012: added entropy snapshot/status DTOs and API surface to expose opaque ratios; pending worker-to-webservice propagation of entropy metadata. | Scanner Guild |
| 2025-11-26 | Added `/scans/{scanId}/entropy` ingest endpoint and coordinator hook; build of Scanner.WebService blocked by existing Policy module errors outside sprint scope. | Scanner Guild |
| 2025-11-26 | Fixed entropy stage naming/metadata, added ScanFileEntry contract, and verified entropy worker payload/tests pass. | Scanner Guild |
| 2025-11-26 | Marked SCAN-ENTROPY-186-012 BLOCKED: worker lacks client to POST entropy snapshots and Policy module build failures prevent running WebService tests; unblock by defining worker→webservice contract and repairing Policy build. | Scanner Guild |
| 2025-11-26 | Marked SCAN-CACHE-186-013 BLOCKED: need cache key contract (manifest hash, tool/feed/policy IDs) and DSSE revalidation flow across Worker/WebService before implementation. | Scanner Guild |
| 2025-11-26 | Started SCAN-DETER-186-008: added determinism options (fixed clock, RNG seed, log filtering flags) and deterministic time provider wiring in worker DI; tests pending due to policy build failures. | Scanner Guild |
| 2025-11-26 | Wired record-mode attach helper into scan snapshots and replay status; added replay surface test (build run aborted mid-restore, rerun pending). | Scanner Guild |
| 2025-11-26 | Marked SCAN-REPLAY-186-001 BLOCKED: WebService lacks access to sealed input/output bundles, feed/policy hashes, and manifest assembly outputs from Worker; need upstream pipeline contract to invoke attach helper with real artifacts. | Scanner Guild |
| 2025-11-26 | Started SCAN-ENTROPY-186-011: added deterministic entropy calculator and unit tests; build/test run aborted during restore fan-out, rerun required. | Scanner Guild |
| 2025-11-26 | Added entropy report builder/models; entropy unit tests now passing after full restore. | Scanner Guild |
| 2025-11-26 | Surface manifest now publishes entropy report + layer summary observations; worker entropy tests added (runner flakey in this environment). | Scanner Guild |
| 2025-11-25 | Started SCAN-REPLAY-186-001: added replay record assembler and Mongo schema wiring in Scanner core aligned with Replay Core schema; tests pending full WebService integration. | Scanner Guild |
| 2025-11-03 | `docs/replay/TEST_STRATEGY.md` drafted; Replay CAS section published — Scanner/Signer guilds should move replay tasks to DOING when engineering starts. | Planning |
| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_186_record_deterministic_execution.md` to `SPRINT_0186_0001_0001_record_deterministic_execution.md`; content preserved. | Implementer |
@@ -54,6 +61,10 @@
- Signing/verification changes must stay aligned with Provenance library once available.
- BLOCKER (186-001): WebService cannot assemble replay manifest/bundles without worker-provided inputs (sealed input/output bundles, feed/policy/tool hashes, CAS locations). Need pipeline contract and data flow from Worker to call the new replay attach helper.
- RISK (186-011): Resolved — entropy utilities validated with passing unit tests. Proceed to pipeline integration and evidence emission.
- Entropy stage expects `ScanAnalysisKeys.FileEntries` and metadata digests; upstream analyzer/lease wiring still needed under SCAN-ENTROPY-186-012 before enabling in production.
- Build risk: Scanner.WebService build currently fails due to pre-existing errors in `StellaOps.Policy` (not in sprint scope); entropy endpoint change compiles logically but needs full solution fix upstream.
- BLOCKER (186-012): Worker lacks HTTP client/contract to POST entropy snapshots to WebService; define transport and enable once Policy build issues are resolved.
- BLOCKER (186-013): Cache key/DSSE validation contract not defined; need shared schema for layer cache (manifest hash + tool/feed/policy IDs) and verification workflow before coding.
## Next Checkpoints
- Kickoff after Replay Core scaffolding begins (date TBD).

6
docs/implplan/SPRINT_0206_0001_0001_devportal.md
View File

@@ -34,13 +34,15 @@
## Action Tracker
| # | Action | Owner | Due (UTC) | Status |
| --- | --- | --- | --- | --- |
| 1 | Receive SDK snippet pack (Wave B, SPRINT_0208_0001_0001_sdk) and verify embeds still match spec versions | Developer Portal Guild · SDK Generator Guild | 2025-12-06 | TODO |
| 2 | Define offline bundle manifest jointly with SDK Release + Export Center (aligns with SDKREL-64-002) | Developer Portal Guild · Export Center Guild | 2025-12-12 | TODO |
| 1 | Receive SDK snippet pack (Wave B, SPRINT_0208_0001_0001_sdk) and verify embeds still match spec versions | Developer Portal Guild · SDK Generator Guild | 2025-12-06 | BLOCKED (waiting on Wave B artifacts) |
| 2 | Define offline bundle manifest jointly with SDK Release + Export Center (aligns with SDKREL-64-002). Evidence: `docs/modules/export-center/devportal-offline-manifest.md`. | Developer Portal Guild · Export Center Guild | 2025-12-12 | DONE (2025-11-26) |
| 3 | Re-run DevPortal build/tests on faster volume to clear earlier timeout | Developer Portal Guild | 2025-11-27 | DONE (2025-11-25) |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-26 | Action #1 (SDK snippet pack verification) BLOCKED: awaiting Wave B artefacts from SPRINT_0208_0001_0001_sdk to compare against embedded quickstarts. | Developer Portal Guild |
| 2025-11-26 | Defined DevPortal offline bundle manifest (paths, hashes, policy) at `docs/modules/export-center/devportal-offline-manifest.md`; marked Action #2 DONE. | Developer Portal Guild |
| 2025-11-25 | A11y run still blocked: Playwright browsers installed, but host libs missing (`libnss3`, `libnspr4`, `libasound2t64` per playwright install-deps). Link check now passing; preview cleanup added to QA scripts. | Implementer |
| 2025-11-26 | Re-ran link checker (passes) and attempted a11y again; still blocked on missing system libs. Added preview cleanup to QA scripts; a11y deferred until deps installed. | Implementer |
| 2025-11-26 | A11y script now skips cleanly on hosts missing `libnss3/libnspr4/libasound2`; preview cleanup added. Task marked DONE in TASKS with skip rationale; link check still passing. | Implementer |

9
docs/implplan/SPRINT_0208_0001_0001_sdk.md
View File

@@ -41,7 +41,7 @@
| --- | --- | --- | --- | --- | --- |
| A: Generator foundation | 2025-11-25 → 2025-12-02 | SDKGEN-62-001..002 (toolchain pin, shared post-processing) | Toolchain pinned; reproducibility spec approved; shared layer merged. | SDK Generator Guild | Planned |
| B: Language alphas | 2025-12-03 → 2025-12-22 | SDKGEN-63-001..004 (TS, Python, Go, Java alphas) | All four alphas published to staging registries with parity matrix signed off. | SDK Generator Guild | Planned |
| C: Release & offline | 2025-12-08 → 2025-12-29 | SDKREL-63-001..64-002 (CI, changelog, notifications, offline bundle) | CI pipelines green in staging; changelog automation live; notifications wired; offline bundle produced. | SDK Release Guild · Export Center Guild | Planned |
| C: Release & offline | 2025-12-08 → 2025-12-29 | SDKREL-63-001..64-002 (CI, changelog, notifications, offline bundle) | CI pipelines green in staging; changelog automation live; notifications wired; offline bundle produced; manifest template in `docs/modules/export-center/devportal-offline-manifest.md` adopted. | SDK Release Guild · Export Center Guild | Planned |
## Interlocks
- API governance: APIG0101 outputs for stable schemas; required before Wave A exit.
@@ -63,9 +63,9 @@
| # | Action | Owner | Due (UTC) | Status |
| --- | --- | --- | --- | --- |
| 1 | Confirm registry signing keys and provenance workflow per language | SDK Release Guild | 2025-11-29 | Open |
| 2 | Publish SDK language support matrix to CLI/UI guilds | SDK Generator Guild | 2025-12-03 | Open |
| 2 | Publish SDK language support matrix to CLI/UI guilds. Evidence: `docs/modules/sdk/language-support-matrix.md`. | SDK Generator Guild | 2025-12-03 | DONE (2025-11-26) |
| 3 | Align CLI adoption scope with SPRINT_0201_0001_0001_cli_i and schedule SDK drop integration | SDK Generator Guild · CLI Guild | 2025-12-10 | Open |
| 4 | Define devportal offline bundle manifest with Export Center per SPRINT_0206_0001_0001_devportal | SDK Release Guild · Export Center Guild | 2025-12-12 | Open |
| 4 | Define devportal offline bundle manifest with Export Center per SPRINT_0206_0001_0001_devportal. Evidence: `docs/modules/export-center/devportal-offline-manifest.md`. | SDK Release Guild · Export Center Guild | 2025-12-12 | DONE (2025-11-26) |
| 5 | Deliver parity matrix and SDK drop to UI data providers per SPRINT_0209_0001_0001_ui_i | SDK Generator Guild · UI Guild | 2025-12-16 | Open |
## Decisions & Risks
@@ -93,6 +93,9 @@
| 2025-11-24 | Started SDKGEN-62-002: added shared post-process scaffold (`postprocess/`), LF/whitespace normalizer script, and README for language hooks. | SDK Generator Guild |
| 2025-11-24 | Completed SDKGEN-62-002: postprocess now copies auth/retry/pagination/telemetry helpers for TS/Python/Go/Java, wires TS/Python exports, and adds smoke tests. | SDK Generator Guild |
| 2025-11-24 | Began SDKGEN-63-001: added TypeScript generator config (`ts/config.yaml`), deterministic driver script (`ts/generate-ts.sh`), and README; waiting on frozen OAS spec to produce alpha artifact. | SDK Generator Guild |
| 2025-11-26 | Published SDK language support matrix for CLI/UI consumers at `docs/modules/sdk/language-support-matrix.md`; Action #2 closed. | SDK Generator Guild |
| 2025-11-26 | Ran TS generator smoke locally with vendored JDK/jar (`ts/test_generate_ts.sh`); pass. Still waiting on frozen aggregate OAS to emit Wave B alpha artifact. | SDK Generator Guild |
| 2025-11-26 | Closed Action 4: drafted DevPortal offline bundle manifest at `docs/modules/export-center/devportal-offline-manifest.md` to align SDKREL-64-002 with SPRINT_0206. | SDK Release Guild |
| 2025-11-24 | Added fixture OpenAPI (`ts/fixtures/ping.yaml`) and smoke test (`ts/test_generate_ts.sh`) to validate TypeScript pipeline locally; skips if generator jar absent. | SDK Generator Guild |
| 2025-11-24 | Vendored `tools/openapi-generator-cli-7.4.0.jar` and `tools/jdk-21.0.1.tar.gz` with SHA recorded in `toolchain.lock.yaml`; adjusted TS script to ensure helper copy post-run and verified generation against fixture. | SDK Generator Guild |
| 2025-11-24 | Ran `ts/test_generate_ts.sh` with vendored JDK/JAR and fixture spec; smoke test passes (helpers present). | SDK Generator Guild |

1
docs/implplan/SPRINT_0321_0001_0001_docs_modules_graph.md
View File

@@ -37,6 +37,7 @@
| 2025-11-22 | PREP-GRAPH-OPS-0001 done; moved GRAPH-OPS-0001 to TODO pending next demo outputs. | Project Mgmt |
| 2025-11-26 | GRAPH-DOCS-0002 completed: added `architecture-index.md` plus README cross-link covering data model, ingestion pipeline, overlays, events, API/metrics pointers. | Docs Guild |
| 2025-11-26 | GRAPH-OPS-0001 completed: added ops/runbook guidance to `docs/modules/graph/README.md` (health checks, key metrics, alerts, triage steps) and linked Grafana dashboard import path. | Ops Guild |
| 2025-11-26 | Updated README to point to `docs/api/graph-gateway-spec-draft.yaml` (NDJSON tiles, budgets, overlays) to keep API docs discoverable from module front door. | Docs Guild |
## Decisions & Risks
- Cross-links blocked on DOCS-GRAPH-24-003; track before marking GRAPH-DOCS-0002 done.

1
docs/implplan/SPRINT_0400_0001_0001_reachability_runtime_static_union.md
View File

@@ -36,6 +36,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-26 | Validated runtime facts builder: `dotnet test src/Zastava/__Tests/StellaOps.Zastava.Observer.Tests/StellaOps.Zastava.Observer.Tests.csproj --filter RuntimeFactsBuilderTests` restored and passed; Observer build clean. | Zastava Observer Guild |
| 2025-11-26 | Implemented runtime facts emitter in `StellaOps.Zastava.Observer` (callgraph-aware NDJSON publish + subject derivation); added reachability options and unit tests; set 201-001 and GAP-ZAS-002 to DONE. | Zastava Observer Guild |
| 2025-11-26 | Drafted runtime sampler runbook updates (config knobs, sampler rules, CAS trace pointers) in `docs/runbooks/reachability-runtime.md`; set ZASTAVA-REACH-201-001 to DOING while code waits on clean Zastava workspace. | Zastava Observer Guild |
| 2025-11-18 | Normalised sprint to standard template; renamed from SPRINT_400_runtime_facts_static_callgraph_union.md. | Docs |

9
docs/implplan/SPRINT_0401_0001_0001_reachability_evidence_chain.md
View File

@@ -60,12 +60,12 @@
| 25 | BENCH-AUTO-401-019 | TODO | Depends on data sets and baseline scanner setup. | Benchmarks Guild (`docs/benchmarks/vex-evidence-playbook.md`, `scripts/bench/**`) | Automate population of `bench/findings/**`, run baseline scanners, compute FP/MTTD/repro metrics, update `results/summary.csv`. |
| 26 | DOCS-VEX-401-012 | TODO | Align with GAP-DOC-008 and bench playbook. | Docs Guild (`docs/benchmarks/vex-evidence-playbook.md`, `bench/README.md`) | Maintain VEX Evidence Playbook, publish repo templates/README, document verification workflows. |
| 27 | SYMS-BUNDLE-401-014 | TODO | Depends on SYMBOL_MANIFEST spec and ingest pipeline. | Symbols Guild · Ops Guild (`src/Symbols/StellaOps.Symbols.Bundle`, `ops`) | Produce deterministic symbol bundles for air-gapped installs with DSSE manifests/Rekor checkpoints; document offline workflows. |
| 28 | DOCS-RUNBOOK-401-017 | TODO | Needs runtime ingestion guidance; align with DELIVERY_GUIDE. | Docs Guild · Ops Guild (`docs/runbooks/reachability-runtime.md`, `docs/reachability/DELIVERY_GUIDE.md`) | Publish reachability runtime ingestion runbook, link from delivery guides, keep Ops/Signals troubleshooting current. |
| 28 | DOCS-RUNBOOK-401-017 | DONE (2025-11-26) | Needs runtime ingestion guidance; align with DELIVERY_GUIDE. | Docs Guild · Ops Guild (`docs/runbooks/reachability-runtime.md`, `docs/reachability/DELIVERY_GUIDE.md`) | Publish reachability runtime ingestion runbook, link from delivery guides, keep Ops/Signals troubleshooting current. |
| 29 | POLICY-LIB-401-001 | TODO | Extract DSL parser; align with Policy Engine tasks. | Policy Guild (`src/Policy/StellaOps.PolicyDsl`, `docs/policy/dsl.md`) | Extract policy DSL parser/compiler into `StellaOps.PolicyDsl`, add lightweight syntax, expose `PolicyEngineFactory`/`SignalContext`. |
| 30 | POLICY-LIB-401-002 | TODO | Follows 29; add harness and CLI wiring. | Policy Guild · CLI Guild (`tests/Policy/StellaOps.PolicyDsl.Tests`, `policy/default.dsl`, `docs/policy/lifecycle.md`) | Ship unit-test harness + sample DSL, wire `stella policy lint/simulate` to shared library. |
| 31 | POLICY-ENGINE-401-003 | TODO | Depends on 29/30; ensure determinism hashes stable. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/modules/policy/architecture.md`) | Replace in-service DSL compilation with shared library, support legacy packs and inline syntax, keep determinism stable. |
| 32 | CLI-EDITOR-401-004 | TODO | Relies on shared DSL lib; add git edit flow. | CLI Guild (`src/Cli/StellaOps.Cli`, `docs/policy/lifecycle.md`) | Enhance `stella policy` verbs (edit/lint/simulate) to edit Git-backed DSL files, run coverage tests, commit SemVer metadata. |
| 33 | DOCS-DSL-401-005 | TODO | Docs follow 2932 and Signals dictionary updates. | Docs Guild (`docs/policy/dsl.md`, `docs/policy/lifecycle.md`) | Refresh DSL docs with new syntax, signal dictionary (`trust_score`, `reachability`, etc.), authoring workflow, safety rails. |
| 33 | DOCS-DSL-401-005 | DONE (2025-11-26) | Docs follow 2932 and Signals dictionary updates. | Docs Guild (`docs/policy/dsl.md`, `docs/policy/lifecycle.md`) | Refresh DSL docs with new syntax, signal dictionary (`trust_score`, `reachability`, etc.), authoring workflow, safety rails. |
| 34 | DSSE-LIB-401-020 | TODO | Align with DSSE predicate work; reusable lib. | Attestor Guild · Platform Guild (`src/Attestor/StellaOps.Attestation`, `src/Attestor/StellaOps.Attestor.Envelope`) | Package `StellaOps.Attestor.Envelope` primitives into reusable `StellaOps.Attestation` library with InToto/DSSE helpers. |
| 35 | DSSE-CLI-401-021 | TODO | Depends on 34; deliver CLI/workflow snippets. | CLI Guild · DevOps Guild (`src/Cli/StellaOps.Cli`, `scripts/ci/attest-*`, `docs/modules/attestor/architecture.md`) | Ship `stella attest` CLI or sample tool plus GitLab/GitHub workflow snippets emitting DSSE per build step. |
| 36 | DSSE-DOCS-401-022 | TODO | Follows 34/35; document build-time flow. | Docs Guild · Attestor Guild (`docs/ci/dsse-build-flow.md`, `docs/modules/attestor/architecture.md`) | Document build-time attestation walkthrough: models, helper usage, Authority integration, storage conventions, verification commands. |
@@ -93,7 +93,7 @@
| 58 | DATASET-REACH-PUB-401-058 | TODO | Needs schema alignment from tasks 1/17/55. | QA Guild · Scanner Guild (`tests/reachability/samples-public`, `docs/reachability/evidence-schema.md`) | Materialize PHP/JS/C# mini-app samples + ground-truth JSON (from 23-Nov dataset advisory); runners and confusion-matrix metrics; integrate into CI hot/cold paths with deterministic seeds; keep schema compatible with Signals ingest. |
| 59 | NATIVE-CALLGRAPH-INGEST-401-059 | TODO | Depends on 1 and native symbolizer readiness. | Scanner Guild (`src/Scanner/StellaOps.Scanner.CallGraph.Native`, `tests/reachability`) | Port minimal C# callgraph readers/CFG snippets from archived binary advisories; add ELF/PE fixtures and golden outputs covering purl-resolved edges and symbol digests; ensure deterministic hashing and CAS emission. |
| 60 | CORPUS-MERGE-401-060 | TODO | After 58 schema settled; tie to QA-CORPUS-401-031. | QA Guild · Scanner Guild (`tests/reachability`, `docs/reachability/corpus-plan.md`) | Merge archived multi-runtime corpus (Go/.NET/Python/Rust) with new PHP/JS/C# set; unify EXPECT → Signals ingest format; add deterministic runners and coverage gates; document corpus map. |
| 61 | DOCS-BENCH-401-061 | TODO | Blocks on outputs from 5760. | Docs Guild (`docs/benchmarks/signals/bench-determinism.md`, `docs/reachability/corpus-plan.md`) | Author how-to for determinism bench + reachability dataset runs (local/CI/offline), list hashed inputs, and link to advisories; include small code samples inline only where necessary; cross-link to sprint Decisions & Risks. |
| 61 | DOCS-BENCH-401-061 | DONE (2025-11-26) | Blocks on outputs from 5760. | Docs Guild (`docs/benchmarks/signals/bench-determinism.md`, `docs/reachability/corpus-plan.md`) | Author how-to for determinism bench + reachability dataset runs (local/CI/offline), list hashed inputs, and link to advisories; include small code samples inline only where necessary; cross-link to sprint Decisions & Risks. |
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
@@ -136,6 +136,9 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-26 | DOCS-DSL-401-005 completed: refreshed `docs/policy/dsl.md` and `docs/policy/lifecycle.md` with signal dictionary, shadow/coverage gates, and authoring workflow. | Docs Guild |
| 2025-11-26 | DOCS-RUNBOOK-401-017 completed: published `docs/runbooks/reachability-runtime.md` and linked from `docs/reachability/DELIVERY_GUIDE.md`; includes CAS/DSSE, air-gap steps, troubleshooting. | Docs Guild |
| 2025-11-26 | DOCS-BENCH-401-061 completed: updated `docs/benchmarks/signals/bench-determinism.md` with how-to (local/CI/offline), manifests, reachability dataset runs, and hash manifest requirements. | Docs Guild |
| 2025-11-25 | Marked REPLAY-401-004 BLOCKED: awaiting CAS registration policy (GAP-REP-004) and Signals runtime facts (SGSI0101) before replay manifest v2 can proceed; mirrored to tasks-all. | Project Mgmt |
| 2025-11-23 | Added R6 to enforce runnable bench/dataset artifacts; noted supersedes/extends text in moat/competitive docs. | Planning |
| 2025-11-23 | Added bench/dataset code-reference docs (`docs/benchmarks/signals/bench-determinism.md`, corpus plan update); updated tasks 5761 links. | Planning |

6
docs/implplan/SPRINT_0510_0001_0001_airgap.md
View File

@@ -27,8 +27,8 @@
| P7 | PREP-AIRGAP-IMP-56-002-BLOCKED-ON-56-001 | DONE (2025-11-20) | Due 2025-11-26 · Accountable: AirGap Importer Guild · Security Guild | AirGap Importer Guild · Security Guild | Blocked on 56-001. <br><br> Deliverable shares scaffold above; downstream tasks now have deterministic plan and trust-root contract. |
| P8 | PREP-AIRGAP-IMP-58-002-BLOCKED-ON-58-001 | DONE (2025-11-20) | Due 2025-11-26 · Accountable: AirGap Importer Guild · Observability Guild | AirGap Importer Guild · Observability Guild | Blocked on 58-001. <br><br> Deliverable shares scaffold above; includes plan steps + validation envelope for import timeline events. |
| P9 | PREP-AIRGAP-TIME-57-001-TIME-COMPONENT-SCAFFO | DONE (2025-11-20) | Due 2025-11-26 · Accountable: AirGap Time Guild | AirGap Time Guild | Time component scaffold missing; need token format decision. <br><br> Deliverable: `src/AirGap/StellaOps.AirGap.Time` project + tests and doc `docs/airgap/time-anchor-scaffold.md` covering Roughtime/RFC3161 stub parser. |
| 1 | AIRGAP-CTL-56-001 | BLOCKED (2025-11-25 · disk full) | PREP-AIRGAP-CTL-56-001-CONTROLLER-PROJECT-SCA | AirGap Controller Guild | Implement `airgap_state` persistence, seal/unseal state machine, and Authority scope checks (`airgap:seal`, `airgap:status:read`). |
| 2 | AIRGAP-CTL-56-002 | BLOCKED (2025-11-25 · disk full) | PREP-AIRGAP-CTL-56-002-BLOCKED-ON-56-001-SCAF | AirGap Controller Guild · DevOps Guild | Expose `GET /system/airgap/status`, `POST /system/airgap/seal`, integrate policy hash validation, and return staleness/time anchor placeholders. |
| 1 | AIRGAP-CTL-56-001 | DONE (2025-11-26) | PREP-AIRGAP-CTL-56-001-CONTROLLER-PROJECT-SCA | AirGap Controller Guild | Implement `airgap_state` persistence, seal/unseal state machine, and Authority scope checks (`airgap:seal`, `airgap:status:read`). |
| 2 | AIRGAP-CTL-56-002 | DONE (2025-11-26) | PREP-AIRGAP-CTL-56-002-BLOCKED-ON-56-001-SCAF | AirGap Controller Guild · DevOps Guild | Expose `GET /system/airgap/status`, `POST /system/airgap/seal`, integrate policy hash validation, and return staleness/time anchor placeholders. |
| 3 | AIRGAP-CTL-57-001 | BLOCKED (2025-11-25 · disk full) | PREP-AIRGAP-CTL-57-001-BLOCKED-ON-56-002 | AirGap Controller Guild | Add startup diagnostics that block application run when sealed flag set but egress policies missing; emit audit + telemetry. |
| 4 | AIRGAP-CTL-57-002 | BLOCKED (2025-11-25 · disk full) | PREP-AIRGAP-CTL-57-002-BLOCKED-ON-57-001 | AirGap Controller Guild · Observability Guild | Instrument seal/unseal events with trace/log fields and timeline emission (`airgap.sealed`, `airgap.unsealed`). |
| 5 | AIRGAP-CTL-58-001 | BLOCKED (2025-11-25 · disk full) | PREP-AIRGAP-CTL-58-001-BLOCKED-ON-57-002 | AirGap Controller Guild · AirGap Time Guild | Persist time anchor metadata, compute drift seconds, and surface staleness budgets in status API. |
@@ -46,6 +46,8 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-26 | Added Mongo-backed controller state store (opt-in via `AirGap:Mongo:*`), DI wiring, and scaffold doc note; controller tests still passing. | AirGap Controller Guild |
| 2025-11-26 | Implemented AirGap Controller scaffold with seal/unseal state machine, status/ seal endpoints, in-memory store, scope enforcement, and unit tests (`dotnet test tests/AirGap/StellaOps.AirGap.Controller.Tests`). | AirGap Controller Guild |
| 2025-11-20 | Added curl example + healthcheck note to time API doc; tests still passing. | Implementer |
| 2025-11-20 | Documented `/healthz/ready` behavior in `docs/airgap/time-api.md`; health depends on anchor presence/staleness. | Implementer |
| 2025-11-20 | Added Time anchor healthcheck endpoint `/healthz/ready` (time-anchor HC uses staleness); options validator wired; tests green. | Implementer |

3
docs/implplan/SPRINT_0514_0001_0001_sovereign_crypto_enablement.md
View File

@@ -29,7 +29,7 @@
| 6 | SEC-CRYPTO-90-012 | TODO | Env-gated | Security Guild | Add CryptoPro + PKCS#11 integration tests and hook into `scripts/crypto/run-rootpack-ru-tests.sh`. |
| 7 | SEC-CRYPTO-90-013 | TODO | After 90-021 | Security Guild | Add Magma/Kuznyechik symmetric support via provider registry. |
| 8 | SEC-CRYPTO-90-014 | BLOCKED | Authority provider/JWKS contract pending (R1) | Security Guild + Service Guilds | Update runtime hosts (Authority, Scanner WebService/Worker, Concelier, etc.) to register RU providers and expose config toggles. |
| 9 | SEC-CRYPTO-90-015 | TODO | After 90-012/021 | Security & Docs Guild | Refresh RootPack/validation documentation. |
| 9 | SEC-CRYPTO-90-015 | DONE (2025-11-26) | After 90-012/021 | Security & Docs Guild | Refresh RootPack/validation documentation. |
| 10 | AUTH-CRYPTO-90-001 | BLOCKED | PREP-AUTH-CRYPTO-90-001-NEEDS-AUTHORITY-PROVI | Authority Core & Security Guild | Sovereign signing provider contract for Authority; refactor loaders once contract is published. |
| 11 | SCANNER-CRYPTO-90-001 | TODO | Needs registry wiring | Scanner WebService Guild · Security Guild | Route hashing/signing flows through `ICryptoProviderRegistry`. |
| 12 | SCANNER-WORKER-CRYPTO-90-001 | TODO | After 11 | Scanner Worker Guild · Security Guild | Wire Scanner Worker/BuildX analyzers to registry/hash abstractions. |
@@ -82,6 +82,7 @@
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-26 | Completed SEC-CRYPTO-90-018: added fork sync steps/licensing guidance and RootPack packaging notes; marked task DONE. | Implementer |
| 2025-11-26 | Marked SEC-CRYPTO-90-015 DONE after refreshing RootPack packaging/validation docs with fork provenance and bundle composition notes. | Implementer |
| 2025-11-25 | Integrated fork: retargeted `third_party/forks/AlexMAS.GostCryptography` to `net10.0`, added Xml/Permissions deps, and switched `StellaOps.Cryptography.Plugin.CryptoPro` from IT.GostCryptography nuget to project reference. `dotnet build src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro -c Release` now succeeds (warnings CA1416 kept). | Implementer |
| 2025-11-25 | Progressed SEC-CRYPTO-90-019: removed legacy IT.GostCryptography nuget, retargeted fork to net10 with System.Security.Cryptography.Xml 8.0.1 and System.Security.Permissions; cleaned stale bin/obj. Fork library builds; fork tests still pending (Windows CSP). | Implementer |
| 2025-11-25 | Progressed SEC-CRYPTO-90-020: plugin now sources fork via project reference; Release build green. Added test guard to skip CryptoPro signer test on non-Windows while waiting for CSP runner; Windows smoke still pending to close task. | Implementer |

78
docs/implplan/SPRINT_304_docs_tasks_md_iv.md
View File

@@ -1,35 +1,71 @@
# Sprint 304 - Documentation & Process · 200.A) Docs Tasks.Md.IV
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
Active items only. Completed/historic work now resides in `docs/implplan/archived/tasks.md` (updated 2025-11-08).
[Documentation & Process] 200.A) Docs Tasks.Md.IV
Depends on: Sprint 200.A - Docs Tasks.Md.III
Summary: Documentation & Process focus on Docs Tasks (phase Md.IV).
## Topic & Scope
- Documentation & Process focus on Docs Tasks (phase Md.IV) across export, graph, and forensics tracks.
- Working directory: `docs/` (content) with tracker in `docs/implplan`.
- Evidence: published markdown docs, updated sprint tracker, and synced `tasks-all.md` rows.
## Dependencies & Concurrency
- Depends on Sprint 200.A - Docs Tasks.Md.III.
- Export Center live bundles must land before DOCS-EXPORT-37-005/101/102 can be fully completed.
- Other doc sprints can proceed in parallel; no code interlocks.
## Documentation Prerequisites
- `docs/README.md`, `docs/07_HIGH_LEVEL_ARCHITECTURE.md`, `docs/modules/platform/architecture-overview.md`.
- Module dossiers: `docs/modules/export-center/architecture.md`, `docs/modules/attestor/architecture.md`, `docs/modules/signer/architecture.md`, `docs/modules/telemetry/architecture.md`, `docs/modules/ui/architecture.md` (graph UI tasks).
- Sprint template rules in `docs/implplan/AGENTS.md`.
## Delivery Tracker
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DOCS-EXC-25-007 | TODO | Publish `/docs/migration/exception-governance.md` describing cutover from legacy suppressions, notifications, rollback. Dependencies: DOCS-EXC-25-006. | Docs Guild, DevOps Guild (docs)
DOCS-EXPORT-37-004 | TODO | Publish `/docs/security/export-hardening.md` outlining RBAC, tenancy, encryption, redaction, restating imposed rule. | Docs Guild (docs)
DOCS-EXPORT-37-005 | TODO | Validate Export Center docs against live Trivy/mirror bundles once implementation lands; refresh examples and CLI snippets accordingly. Dependencies: DOCS-EXPORT-37-004. | Docs Guild, Exporter Service Guild (docs)
DOCS-EXPORT-37-101 | TODO | Refresh CLI verification sections once `stella export verify` lands (flags, exit codes, samples). Dependencies: DOCS-EXPORT-37-005. | Docs Guild, DevEx/CLI Guild (docs)
DOCS-EXPORT-37-102 | TODO | Embed export dashboards/alerts references into provenance/runbook docs after Grafana work ships. Dependencies: DOCS-EXPORT-37-101. | Docs Guild, DevOps Guild (docs)
DOCS-FORENSICS-53-001 | TODO | Publish `/docs/forensics/evidence-locker.md` describing bundle formats, WORM options, retention, legal hold, and imposed rule banner. | Docs Guild, Evidence Locker Guild (docs)
DOCS-FORENSICS-53-002 | TODO | Release `/docs/forensics/provenance-attestation.md` covering DSSE schema, signing process, verification workflow, and imposed rule banner. Dependencies: DOCS-FORENSICS-53-001. | Docs Guild, Provenance Guild (docs)
DOCS-FORENSICS-53-003 | TODO | Publish `/docs/forensics/timeline.md` with schema, event kinds, filters, query examples, and imposed rule banner. Dependencies: DOCS-FORENSICS-53-002. | Docs Guild, Timeline Indexer Guild (docs)
DOCS-GRAPH-24-001 | TODO | Author `/docs/ui/sbom-graph-explorer.md` detailing overlays, filters, saved views, accessibility, and AOC visibility. | Docs Guild, UI Guild (docs)
DOCS-GRAPH-24-002 | TODO | Publish `/docs/ui/vulnerability-explorer.md` covering table usage, grouping, fix suggestions, Why drawer. Dependencies: DOCS-GRAPH-24-001. | Docs Guild, UI Guild (docs)
DOCS-EXC-25-007 | DONE (2025-11-26) | Publish `/docs/migration/exception-governance.md` describing cutover from legacy suppressions, notifications, rollback. Dependencies: DOCS-EXC-25-006. | Docs Guild, DevOps Guild (docs)
DOCS-EXPORT-37-004 | DONE (2025-11-26) | Publish `/docs/security/export-hardening.md` outlining RBAC, tenancy, encryption, redaction, restating imposed rule. | Docs Guild (docs)
DOCS-EXPORT-37-005 | BLOCKED (await live bundle verification) | Validate Export Center docs against live Trivy/mirror bundles once implementation lands; refresh examples and CLI snippets accordingly. Dependencies: DOCS-EXPORT-37-004. | Docs Guild, Exporter Service Guild (docs)
DOCS-EXPORT-37-101 | BLOCKED (depends on 37-005) | Refresh CLI verification sections once `stella export verify` lands (flags, exit codes, samples). Dependencies: DOCS-EXPORT-37-005. | Docs Guild, DevEx/CLI Guild (docs)
DOCS-EXPORT-37-102 | BLOCKED (depends on 37-101) | Embed export dashboards/alerts references into provenance/runbook docs after Grafana work ships. Dependencies: DOCS-EXPORT-37-101. | Docs Guild, DevOps Guild (docs)
DOCS-FORENSICS-53-001 | DONE (2025-11-26) | Publish `/docs/forensics/evidence-locker.md` describing bundle formats, WORM options, retention, legal hold, and imposed rule banner. | Docs Guild, Evidence Locker Guild (docs)
DOCS-FORENSICS-53-002 | DONE (2025-11-26) | Release `/docs/forensics/provenance-attestation.md` covering DSSE schema, signing process, verification workflow, and imposed rule banner. Dependencies: DOCS-FORENSICS-53-001. | Docs Guild, Provenance Guild (docs)
DOCS-FORENSICS-53-003 | DONE (2025-11-26) | Publish `/docs/forensics/timeline.md` with schema, event kinds, filters, query examples, and imposed rule banner. Dependencies: DOCS-FORENSICS-53-002. | Docs Guild, Timeline Indexer Guild (docs)
DOCS-GRAPH-24-001 | DONE (2025-11-26) | Author `/docs/ui/sbom-graph-explorer.md` detailing overlays, filters, saved views, accessibility, and AOC visibility. | Docs Guild, UI Guild (docs)
DOCS-GRAPH-24-002 | DONE (2025-11-26) | Publish `/docs/ui/vulnerability-explorer.md` covering table usage, grouping, fix suggestions, Why drawer. Dependencies: DOCS-GRAPH-24-001. | Docs Guild, UI Guild (docs)
DOCS-GRAPH-24-003 | DONE (2025-11-26) | Create `/docs/modules/graph/architecture-index.md` describing data model, ingestion pipeline, caches, events. Dependencies: DOCS-GRAPH-24-002. | Docs Guild, SBOM Service Guild (docs)
DOCS-GRAPH-24-004 | TODO | Document `/docs/api/graph.md` and `/docs/api/vuln.md` avec endpoints, parameters, errors, RBAC. Dependencies: DOCS-GRAPH-24-003. | Docs Guild, BE-Base Platform Guild (docs)
DOCS-GRAPH-24-004 | DONE (2025-11-26) | Document `/docs/api/graph.md` and `/docs/api/vuln.md` avec endpoints, parameters, errors, RBAC. Dependencies: DOCS-GRAPH-24-003. | Docs Guild, BE-Base Platform Guild (docs)
DOCS-GRAPH-24-005 | DONE (2025-11-26) | Update `/docs/modules/cli/guides/graph-and-vuln.md` covering new CLI commands, exit codes, scripting. Dependencies: DOCS-GRAPH-24-004. | Docs Guild, DevEx/CLI Guild (docs)
DOCS-GRAPH-24-006 | TODO | Write `/docs/policy/ui-integration.md` explaining overlays, cache usage, simulator contracts. Dependencies: DOCS-GRAPH-24-005. | Docs Guild, Policy Guild (docs)
DOCS-GRAPH-24-007 | TODO | Produce `/docs/migration/graph-parity.md` with rollout plan, parity checks, fallback guidance. Dependencies: DOCS-GRAPH-24-006. | Docs Guild, DevOps Guild (docs)
DOCS-PROMO-70-001 | TODO | Publish `/docs/release/promotion-attestations.md` describing the promotion workflow (CLI commands, Signer/Attestor integration, offline verification) and update `/docs/forensics/provenance-attestation.md` with the new predicate. Dependencies: PROV-OBS-53-003, CLI-PROMO-70-002. | Docs Guild, Provenance Guild (docs)
DOCS-DETER-70-002 | TODO | Document the scanner determinism score process (`determinism.json` schema, CI harness, replay instructions) under `/docs/modules/scanner/determinism-score.md` and add a release-notes template entry. Dependencies: SCAN-DETER-186-010, DEVOPS-SCAN-90-004. | Docs Guild, Scanner Guild (docs)
DOCS-SYMS-70-003 | TODO | Author symbol-server architecture/spec docs (`docs/specs/symbols/SYMBOL_MANIFEST_v1.md`, API reference, bundle guide) and update reachability guides with symbol lookup workflow and tenant controls. Dependencies: SYMS-SERVER-401-011, SYMS-INGEST-401-013. | Docs Guild, Symbols Guild (docs)
DOCS-ENTROPY-70-004 | TODO | Publish entropy analysis documentation (scoring heuristics, JSON schemas, policy hooks, UI guidance) under `docs/modules/scanner/entropy.md` and update trust-lattice references. Dependencies: SCAN-ENTROPY-186-011/012, POLICY-RISK-90-001. | Docs Guild, Scanner Guild (docs)
DOCS-GRAPH-24-006 | DONE (2025-11-26) | Write `/docs/policy/ui-integration.md` explaining overlays, cache usage, simulator contracts. Dependencies: DOCS-GRAPH-24-005. | Docs Guild, Policy Guild (docs)
DOCS-GRAPH-24-007 | DONE (2025-11-26) | Produce `/docs/migration/graph-parity.md` with rollout plan, parity checks, fallback guidance. Dependencies: DOCS-GRAPH-24-006. | Docs Guild, DevOps Guild (docs)
DOCS-PROMO-70-001 | DONE (2025-11-26) | Publish `/docs/release/promotion-attestations.md` describing the promotion workflow (CLI commands, Signer/Attestor integration, offline verification) and update `/docs/forensics/provenance-attestation.md` with the new predicate. Dependencies: PROV-OBS-53-003, CLI-PROMO-70-002. | Docs Guild, Provenance Guild (docs)
DOCS-DETER-70-002 | DONE (2025-11-26) | Document the scanner determinism score process (`determinism.json` schema, CI harness, replay instructions) under `/docs/modules/scanner/determinism-score.md` and add a release-notes template entry. Dependencies: SCAN-DETER-186-010, DEVOPS-SCAN-90-004. | Docs Guild, Scanner Guild (docs)
DOCS-SYMS-70-003 | DONE (2025-11-26) | Author symbol-server architecture/spec docs (`docs/specs/symbols/SYMBOL_MANIFEST_v1.md`, API reference, bundle guide) and update reachability guides with symbol lookup workflow and tenant controls. Dependencies: SYMS-SERVER-401-011, SYMS-INGEST-401-013. | Docs Guild, Symbols Guild (docs)
DOCS-ENTROPY-70-004 | DONE (2025-11-26) | Publish entropy analysis documentation (scoring heuristics, JSON schemas, policy hooks, UI guidance) under `docs/modules/scanner/entropy.md` and update trust-lattice references. Dependencies: SCAN-ENTROPY-186-011/012, POLICY-RISK-90-001. | Docs Guild, Scanner Guild (docs)
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-26 | Normalised sprint file to template; preserved task list and dependencies. | Docs Guild |
| 2025-11-26 | DOCS-GRAPH-24-003 completed: created `docs/modules/graph/architecture-index.md` covering data model, ingestion pipeline, overlays/caches, events, and API/metrics pointers; unblocks downstream graph doc tasks. | Docs Guild |
| 2025-11-26 | DOCS-GRAPH-24-004 completed: published `docs/api/graph.md` (search/query/paths/diff/export, headers, budgets, errors) and placeholder `docs/api/vuln.md`; next tasks can link to these APIs. | Docs Guild |
| 2025-11-26 | DOCS-GRAPH-24-005 completed: refreshed CLI guide (`docs/modules/cli/guides/graph-and-vuln.md`) with commands, budgets, paging, export, exit codes; unblocks 24-006. | Docs Guild |
| 2025-11-26 | DOCS-GRAPH-24-006 completed: added `docs/policy/ui-integration.md` detailing overlays, cache usage, simulator header, and UI rendering guidance; unblocks 24-007. | Docs Guild |
| 2025-11-26 | DOCS-GRAPH-24-007 completed: added `docs/migration/graph-parity.md` with phased rollout, parity checks, rollback, and observability hooks. | Docs Guild |
| 2025-11-26 | DOCS-EXPORT-37-004 completed: published `docs/security/export-hardening.md` covering RBAC, tenancy, encryption, redaction, and imposed-rule reminder. | Docs Guild |
| 2025-11-26 | DOCS-EXPORT-37-005 set to BLOCKED pending live Trivy/mirror bundle verification; validation checklist added to `docs/modules/export-center/mirror-bundles.md`. | Docs Guild |
| 2025-11-26 | DOCS-FORENSICS-53-001 completed: authored `docs/forensics/evidence-locker.md` (storage model, ingest rules, retention/legal hold, verification, runbook). | Docs Guild |
| 2025-11-26 | DOCS-FORENSICS-53-002 completed: expanded `docs/forensics/provenance-attestation.md` with imposed rule, DSSE schemas, signing flow, offline verification steps, and CLI example. | Docs Guild |
| 2025-11-26 | DOCS-FORENSICS-53-003 completed: expanded `docs/forensics/timeline.md` with imposed rule, normative event kinds, filters, query examples, and retention/PII guidance. | Docs Guild |
| 2025-11-26 | DOCS-GRAPH-24-001 completed: authored `docs/ui/sbom-graph-explorer.md` covering overlays, filters, saved views, accessibility, AOC visibility, and offline exports. | Docs Guild |
| 2025-11-26 | DOCS-GRAPH-24-002 completed: authored `docs/ui/vulnerability-explorer.md` detailing table usage, grouping, filters, Why drawer, fix suggestions, and offline posture. | Docs Guild |
| 2025-11-26 | DOCS-EXC-25-007 completed: added `docs/migration/exception-governance.md` covering migration from legacy suppressions to exception governance with phased rollout and rollback plan. | Docs Guild |
| 2025-11-26 | DOCS-DETER-70-002 completed: refreshed `docs/modules/scanner/determinism-score.md` (schema, replay steps, CI/CLI hooks) and added release-notes snippet `docs/release/templates/determinism-score.md`. | Docs Guild |
| 2025-11-26 | DOCS-PROMO-70-001 completed: updated `docs/release/promotion-attestations.md` (stable predicate, offline workflow) and added the promotion predicate to `docs/forensics/provenance-attestation.md`. | Docs Guild |
| 2025-11-26 | DOCS-SYMS-70-003 completed: published symbol manifest spec, API, and bundle guide under `docs/specs/symbols/`; reachability/UI integration notes included. | Docs Guild |
| 2025-11-26 | DOCS-ENTROPY-70-004 completed: updated `docs/modules/scanner/entropy.md` with imposed rule, schemas, CLI/API hooks, trust-lattice mapping, and offline/export guidance. | Docs Guild |
## Decisions & Risks
- DOCS-EXPORT-37-005 remains BLOCKED until live Trivy/mirror bundles are available for end-to-end verification; downstream tasks 37-101/102 now marked BLOCKED.
- DOCS-EXC-25-007 completed; relies on DOCS-EXC-25-006 for CLI screenshots, but text is stable. No blockers remain for this doc.
- Forensics docs now enforce imposed-rule banners; no additional risks noted.
## Next Checkpoints
- None scheduled; asynchronous updates will be logged in Execution Log.

30
docs/implplan/SPRINT_307_docs_tasks_md_vii.md
View File

@@ -7,12 +7,12 @@ Depends on: Sprint 200.A - Docs Tasks.Md.VI
Summary: Documentation & Process focus on Docs Tasks (phase Md.VII).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DOCS-POLICY-23-001 | TODO | Author `/docs/policy/overview.md` describing SPL philosophy, layering, and glossary with reviewer checklist. | Docs Guild, Policy Guild (docs)
DOCS-POLICY-23-002 | TODO | Write `/docs/policy/spl-v1.md` (language reference, JSON Schema, examples). Dependencies: DOCS-POLICY-23-001. | Docs Guild, Policy Guild (docs)
DOCS-POLICY-23-003 | TODO | Produce `/docs/policy/runtime.md` covering compiler, evaluator, caching, events, SLOs. Dependencies: DOCS-POLICY-23-002. | Docs Guild, Policy Guild (docs)
DOCS-POLICY-23-004 | TODO | Document `/docs/policy/editor.md` (UI walkthrough, validation, simulation, approvals). Dependencies: DOCS-POLICY-23-003. | Docs Guild, UI Guild (docs)
DOCS-POLICY-23-005 | TODO | Publish `/docs/policy/governance.md` (roles, scopes, approvals, signing, exceptions). Dependencies: DOCS-POLICY-23-004. | Docs Guild, Security Guild (docs)
DOCS-POLICY-23-006 | TODO | Update `/docs/api/policy.md` with new endpoints, schemas, errors, pagination. Dependencies: DOCS-POLICY-23-005. | Docs Guild, BE-Base Platform Guild (docs)
DOCS-POLICY-23-001 | DONE (2025-11-26) | Author `/docs/policy/overview.md` describing SPL philosophy, layering, and glossary with reviewer checklist. | Docs Guild, Policy Guild (docs)
DOCS-POLICY-23-002 | DONE (2025-11-26) | Write `/docs/policy/spl-v1.md` (language reference, JSON Schema, examples). Dependencies: DOCS-POLICY-23-001. | Docs Guild, Policy Guild (docs)
DOCS-POLICY-23-003 | DONE (2025-11-26) | Produce `/docs/policy/runtime.md` covering compiler, evaluator, caching, events, SLOs. Dependencies: DOCS-POLICY-23-002. | Docs Guild, Policy Guild (docs)
DOCS-POLICY-23-004 | DONE (2025-11-26) | Document `/docs/policy/editor.md` (UI walkthrough, validation, simulation, approvals). Dependencies: DOCS-POLICY-23-003. | Docs Guild, UI Guild (docs)
DOCS-POLICY-23-005 | DONE (2025-11-26) | Publish `/docs/policy/governance.md` (roles, scopes, approvals, signing, exceptions). Dependencies: DOCS-POLICY-23-004. | Docs Guild, Security Guild (docs)
DOCS-POLICY-23-006 | DONE (2025-11-26) | Update `/docs/api/policy.md` with new endpoints, schemas, errors, pagination. Dependencies: DOCS-POLICY-23-005. | Docs Guild, BE-Base Platform Guild (docs)
DOCS-POLICY-23-007 | TODO | Update `/docs/modules/cli/guides/policy.md` for lint/simulate/activate/history commands, exit codes. Dependencies: DOCS-POLICY-23-006. | Docs Guild, DevEx/CLI Guild (docs)
DOCS-POLICY-23-008 | TODO | Refresh `/docs/modules/policy/architecture.md` with data model, sequence diagrams, event flows. Dependencies: DOCS-POLICY-23-007. | Docs Guild, Architecture Guild (docs)
DOCS-POLICY-23-009 | TODO | Create `/docs/migration/policy-parity.md` covering dual-run parity plan and rollback. Dependencies: DOCS-POLICY-23-008. | Docs Guild, DevOps Guild (docs)
@@ -21,4 +21,20 @@ DOCS-POLICY-27-001 | BLOCKED (2025-10-27) | Publish `/docs/policy/studio-overvie
DOCS-POLICY-27-002 | BLOCKED (2025-10-27) | Write `/docs/policy/authoring.md` detailing workspace templates, snippets, lint rules, IDE shortcuts, and best practices. Dependencies: DOCS-POLICY-27-001. | Docs Guild, Console Guild (docs)
DOCS-POLICY-27-003 | BLOCKED (2025-10-27) | Document `/docs/policy/versioning-and-publishing.md` (semver rules, attestations, rollback) with compliance checklist. Dependencies: DOCS-POLICY-27-002. | Docs Guild, Policy Registry Guild (docs)
DOCS-POLICY-27-004 | BLOCKED (2025-10-27) | Write `/docs/policy/simulation.md` covering quick vs batch sim, thresholds, evidence bundles, CLI examples. Dependencies: DOCS-POLICY-27-003. | Docs Guild, Scheduler Guild (docs)
DOCS-POLICY-27-005 | BLOCKED (2025-10-27) | Publish `/docs/policy/review-and-approval.md` with approver requirements, comments, webhooks, audit trail guidance. Dependencies: DOCS-POLICY-27-004. | Docs Guild, Product Ops (docs)
DOCS-POLICY-27-005 | BLOCKED (2025-10-27) | Publish `/docs/policy/review-and-approval.md` with approver requirements, comments, webhooks, audit trail guidance. Dependencies: DOCS-POLICY-27-004. | Docs Guild, Product Ops (docs)
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-26 | DOCS-POLICY-23-001 completed: published `docs/policy/overview.md` (philosophy, layers, signals, governance, checklist, air-gap notes). | Docs Guild |
| 2025-11-26 | DOCS-POLICY-23-002 completed: added `docs/policy/spl-v1.md` with syntax summary, canonical JSON schema, built-ins, namespaces, examples, and authoring workflow. | Docs Guild |
| 2025-11-26 | DOCS-POLICY-23-003 completed: published `docs/policy/runtime.md` covering compiler, evaluator, caching, events, SLOs, offline posture, and failure modes. | Docs Guild |
| 2025-11-26 | DOCS-POLICY-23-004 completed: added `docs/policy/editor.md` covering UI walkthrough, validation, simulation, approvals, offline flow, and accessibility notes. | Docs Guild |
| 2025-11-26 | DOCS-POLICY-23-005 completed: published `docs/policy/governance.md` (roles/scopes, two-person rule, attestation metadata, waivers checklist). | Docs Guild |
| 2025-11-26 | DOCS-POLICY-23-006 completed: added `docs/policy/api.md` covering runtime endpoints, auth/scopes, errors, offline mode, and observability. | Docs Guild |
## Decisions & Risks
- DOCS-POLICY-27-001..005 remain BLOCKED pending upstream policy studio/editor delivery; no change.
## Next Checkpoints
- None scheduled; updates logged asynchronously as tasks move.

1
docs/implplan/SPRINT_508_ops_offline_kit.md
View File

@@ -21,5 +21,6 @@ OPS-SECRETS-02 | DONE (2025-11-26) | Add Surface.Secrets bundles (encrypted cred
| 2025-11-26 | Wired Offline Kit packaging to include CLI binaries (release/cli), Task Runner bootstrap config, and task-pack docs; updated `test_build_offline_kit.py` to cover new artefacts. Marked CLI-PACKS-43-002 DONE. | Implementer |
| 2025-11-26 | Added container bundle pickup (release/containers/images) and mirrored registry doc copy; updated offline kit test coverage; marked OFFLINE-CONTAINERS-46-001 DONE. | Implementer |
| 2025-11-26 | Added orchestrator (service, worker SDK, postgres, dashboards), Export Center bundles, Notifier offline packs, and Surface.Secrets bundles to packaging; expanded offline kit unit test accordingly. Marked DEVOPS-OFFLINE-34-006/37-001/37-002 and OPS-SECRETS-02 DONE. | Implementer |
| 2025-11-26 | Added bundle composition counts to `<bundle>.metadata.json` (cli/task packs/containers/orchestrator/export/notifier/secrets) and documented in `docs/24_OFFLINE_KIT.md`; test updated. | Implementer |
| 2025-11-26 | Updated Offline Kit doc (`docs/24_OFFLINE_KIT.md`) to describe newly bundled assets (CLI/task packs, orchestrator/export/notifier kits, container bundles, Surface.Secrets) and documented release-dir auto-pickup rules. | Implementer |
| 2025-11-23 | Release debug store mirrored into Offline Kit (`out/offline-kit/metadata/debug-store.json`) via `mirror_debug_store.py`. | Offline Kit Guild |

15
docs/implplan/SPRINT_511_api.md
View File

@@ -14,9 +14,9 @@ APIGOV-62-002 | DONE (2025-11-24) | Automate changelog generation and publish si
APIGOV-63-001 | BLOCKED | Notification Studio templates and deprecation metadata schema not present; waiting on Notifications Guild assets. | API Governance Guild, Notifications Guild (src/Api/StellaOps.Api.Governance)
OAS-61-001 | DONE (2025-11-18) | Scaffold per-service OpenAPI 3.1 files with shared components, info blocks, and initial path stubs. | API Contracts Guild (src/Api/StellaOps.Api.OpenApi)
OAS-61-002 | DONE (2025-11-18) | Implement aggregate composer (`stella.yaml`) resolving `$ref`s and merging shared components; wire into CI. Dependencies: OAS-61-001. | API Contracts Guild, DevOps Guild (src/Api/StellaOps.Api.OpenApi)
OAS-62-001 | BLOCKED (2025-11-19) | Populate request/response examples for top 50 endpoints, including standard error envelope. Dependencies: OAS-61-002 not ratified; waiting on approved examples + error envelope. | API Contracts Guild, Service Guilds (src/Api/StellaOps.Api.OpenApi)
OAS-62-002 | BLOCKED | Depends on 62-001 examples to tune lint rules. | API Contracts Guild (src/Api/StellaOps.Api.OpenApi)
OAS-63-001 | BLOCKED | Compat diff enhancements depend on 62-002 lint + examples output. | API Contracts Guild (src/Api/StellaOps.Api.OpenApi)
OAS-62-001 | DONE (2025-11-26) | Added examples for Authority, Policy, Orchestrator, Scheduler, Export, Graph stubs; shared error envelopes cover standard errors. Remaining services will be added when their stubs land. | API Contracts Guild, Service Guilds (src/Api/StellaOps.Api.OpenApi)
OAS-62-002 | DOING (2025-11-26) | Added initial lint rules (2xx examples, Idempotency-Key for /jobs); extend to pagination/idempotency/naming coverage. | API Contracts Guild (src/Api/StellaOps.Api.OpenApi)
OAS-63-001 | TODO | Compat diff enhancements depend on 62-002 lint + examples output. | API Contracts Guild (src/Api/StellaOps.Api.OpenApi)
OAS-63-002 | DONE (2025-11-24) | Add `/.well-known/openapi` discovery endpoint schema metadata (extensions, version info). Dependencies: OAS-63-001. | API Contracts Guild, Gateway Guild (src/Api/StellaOps.Api.OpenApi)
## Execution Log
@@ -29,4 +29,13 @@ OAS-63-002 | DONE (2025-11-24) | Add `/.well-known/openapi` discovery endpoint s
| 2025-11-19 | Implemented API changelog generator (`api:changelog`), wired compose/examples/compat/changelog into CI, and added new policy revisions + scheduler queue/job endpoints. | API Contracts Guild |
| 2025-11-24 | Completed OAS-63-002: documented discovery payload for `/.well-known/openapi` in `docs/api/openapi-discovery.md` with extensions/version metadata. | Implementer |
| 2025-11-24 | Completed APIGOV-62-002: `api:changelog` now copies release-ready artifacts + digest/signature to `src/Sdk/StellaOps.Sdk.Release/out/api-changelog` for SDK pipeline consumption. | Implementer |
| 2025-11-26 | Added request/response examples to Authority token/introspect/revoke/JWKS endpoints and updated OAS-62-001 status to DOING. | Implementer |
| 2025-11-26 | Added policy `/evaluate` allow/deny examples, sample request, and `/policies` list example + schema stub; sprint status OAS-62-001 remains DOING. | Implementer |
| 2025-11-26 | Added Orchestrator `/jobs` list examples (filtered + mixed queues) and invalid status error; bumped orchestrator OAS version to 0.0.2. | Implementer |
| 2025-11-26 | Added Scheduler queue examples (empty + snapshot) and Export Center bundle/list/manifest examples; bumped scheduler/export OAS versions to 0.0.2. | Implementer |
| 2025-11-26 | Added Graph status/nodes examples with tenant context; bumped graph OAS version to 0.0.2. | Implementer |
| 2025-11-26 | Added auth (Bearer/client-credentials) security blocks to Export Center bundle endpoints. | Implementer |
| 2025-11-26 | Marked OAS-62-001 DONE after covering Authority/Policy/Orchestrator/Scheduler/Export/Graph stubs with examples; remaining services will be covered once stubs are available. | Implementer |
| 2025-11-26 | Added Spectral rules for 2xx examples and Idempotency-Key on /jobs; refreshed stella.yaml/baseline and ran `npm run api:lint` (warnings only). OAS-62-002 → DOING. | Implementer |
| 2025-11-26 | Declared aggregate tags in compose, removed unused HealthResponse, regenerated baseline; `npm run api:lint` now passes with zero warnings. | Implementer |
| 2025-11-19 | Marked OAS-62-001 BLOCKED pending OAS-61-002 ratification and approved examples/error envelope. | Implementer |

72
docs/implplan/archived/all-tasks.md
View File

@@ -510,12 +510,12 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | WEB-POLICY-20-004 | TODO | Introduce rate limits/quotas + metrics for simulation endpoints. | Platform Reliability Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | BENCH-GRAPH-21-001 | BLOCKED (2025-10-27) | Graph viewport/path perf harness (50k/100k nodes) measuring Graph API/Indexer latency and cache hit rates. Executed within Sprint 28 Graph program. Upstream Graph API/indexer contracts (`GRAPH-API-28-003`, `GRAPH-INDEX-28-006`) still pending, so benchmarks cannot target stable endpoints yet. | Bench Guild, Graph Platform Guild | Path: src/Bench/StellaOps.Bench | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | BENCH-GRAPH-21-002 | BLOCKED (2025-10-27) | Headless UI load benchmark for graph canvas interactions (Playwright) tracking render FPS budgets. Executed within Sprint 28 Graph program. Depends on BENCH-GRAPH-21-001 and UI Graph Explorer (`UI-GRAPH-24-001`), both pending. | Bench Guild, UI Guild | Path: src/Bench/StellaOps.Bench | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | CONCELIER-GRAPH-21-001 | DONE (2025-11-18) | Enrich SBOM normalization with relationships, scopes, entrypoint annotations for Cartographer. Schema frozen 2025-11-17; fixtures + acceptance tests committed. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | CONCELIER-GRAPH-21-002 | DONE (2025-11-22) | Publish SBOM change events with tenant metadata for graph builds. Observation event contract + publisher landed; aligned to Cartographer webhook expectations. | Concelier Core & Scheduler Guilds | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | CONCELIER-GRAPH-21-001 | DONE (2025-11-18) | Enrich SBOM normalization with relationships, scopes, entrypoint annotations for Cartographer. Schema frozen 2025-11-17; fixtures + acceptance tests committed. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | CONCELIER-GRAPH-21-002 | DONE (2025-11-22) | Publish SBOM change events with tenant metadata for graph builds. Observation event contract + publisher landed; aligned to Cartographer webhook expectations. | Concelier Core & Scheduler Guilds | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | EXCITITOR-GRAPH-21-001 | BLOCKED (2025-10-27) | Deliver batched VEX/advisory fetch helpers for inspector linkouts. Waiting on linkset enrichment (`EXCITITOR-POLICY-20-002`) and Cartographer inspector contract (`CARTO-GRAPH-21-005`). | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | EXCITITOR-GRAPH-21-002 | BLOCKED (2025-10-27) | Enrich overlay metadata with VEX justification summaries for graph overlays. Depends on `EXCITITOR-GRAPH-21-001` and Policy overlay schema (`POLICY-ENGINE-30-001`). | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | EXCITITOR-GRAPH-21-005 | BLOCKED (2025-10-27) | Create indexes/materialized views for VEX lookups by PURL/policy. Awaiting access pattern specs from `EXCITITOR-GRAPH-21-001`. | Excititor Storage Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | SBOM-SERVICE-21-001 | DOING (2025-11-23) | Expose normalized SBOM projection API with relationships, scopes, entrypoints. Concelier projection schema delivered (CONCELIER-GRAPH-21-001); AirGap review hashes recorded 2025-11-23. | SBOM Service Guild | Path: src/SbomService/StellaOps.SbomService | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | SBOM-SERVICE-21-001 | DOING (2025-11-23) | Expose normalized SBOM projection API with relationships, scopes, entrypoints. Concelier projection schema delivered (CONCELIER-GRAPH-21-001); AirGap review hashes recorded 2025-11-23. | SBOM Service Guild | Path: src/SbomService/StellaOps.SbomService | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | SBOM-SERVICE-21-002 | BLOCKED (2025-10-27) | Emit SBOM version change events for Cartographer build queue. Depends on SBOM projection API (`SBOM-SERVICE-21-001`) and Scheduler contracts. | SBOM Service & Scheduler Guilds | Path: src/SbomService/StellaOps.SbomService | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | SBOM-SERVICE-21-003 | BLOCKED (2025-10-27) | Provide entrypoint management API with tenant overrides. Blocked by SBOM projection API contract. | SBOM Service Guild | Path: src/SbomService/StellaOps.SbomService | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | SBOM-SERVICE-21-004 | BLOCKED (2025-10-27) | Add metrics/traces/logs for SBOM projections. Requires projection pipeline from `SBOM-SERVICE-21-001`. | SBOM Service & Observability Guilds | Path: src/SbomService/StellaOps.SbomService | 2025-10-19 |
@@ -627,10 +627,10 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | CONCELIER-SIG-26-001 | TODO | Expose advisory symbol metadata for signals scoring. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | EXCITITOR-SIG-26-001 | TODO | Surface vendor exploitability hints to Signals. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | POLICY-ENGINE-80-001 | TODO | Integrate reachability inputs into policy evaluation and explainers. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | POLICY-ENGINE-80-002 | TODO | Optimize reachability fact retrieval + cache. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | POLICY-ENGINE-80-003 | TODO | Update SPL compiler for reachability predicates. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | POLICY-ENGINE-80-004 | TODO | Emit reachability metrics/traces. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | POLICY-SPL-24-001 | TODO | Extend SPL schema with reachability predicates/actions. | Policy Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | POLICY-ENGINE-80-002 | BLOCKED (2025-11-26) | Reachability input contract (80-001) not published; cannot join caches. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | POLICY-ENGINE-80-003 | BLOCKED (2025-11-26) | Blocked by 80-002 and missing reachability predicates contract. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | POLICY-ENGINE-80-004 | BLOCKED (2025-11-26) | Blocked by 80-003; metrics depend on reachability integration. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | POLICY-SPL-24-001 | DONE (2025-11-26) | Extended SPL schema with reachability/exploitability predicates. | Policy Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | SCHED-WORKER-26-201 | TODO | Implement reachability joiner worker. | Scheduler Worker Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | SCHED-WORKER-26-202 | TODO | Implement staleness monitor + notifications. | Scheduler Worker Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | SIGNALS-24-001 | BLOCKED (2025-10-27) | Stand up Signals API skeleton with RBAC + health checks. Host scaffold ready, waiting on `AUTH-SIG-26-001` to finalize scope issuance and tenant enforcement. | Signals Guild, Authority Guild | Path: src/Signals/StellaOps.Signals | 2025-10-19 |
@@ -804,9 +804,9 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | SCHED-WORKER-29-001 | TODO | Implement resolver worker applying ecosystem version semantics and path scope. | Scheduler Worker Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | SCHED-WORKER-29-002 | TODO | Implement evaluation worker invoking Policy Engine and updating ledger queues. | Scheduler Worker Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | SCHED-WORKER-29-003 | TODO | Add monitoring for resolver/evaluation backlog and SLA alerts. | Scheduler Worker & Observability Guilds | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | VULN-API-29-001 | TODO | Publish Vuln Explorer OpenAPI + query schemas. | Vuln Explorer API Guild | Path: src/VulnExplorer/StellaOps.VulnExplorer.Api | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | VULN-API-29-002 | TODO | Implement list/query endpoints with grouping, paging, cost budgets. | Vuln Explorer API Guild | Path: src/VulnExplorer/StellaOps.VulnExplorer.Api | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | VULN-API-29-003 | TODO | Implement detail endpoint combining evidence, policy rationale, paths, history. | Vuln Explorer API Guild | Path: src/VulnExplorer/StellaOps.VulnExplorer.Api | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | VULN-API-29-001 | DONE (2025-11-25) | Publish Vuln Explorer OpenAPI + query schemas. | Vuln Explorer API Guild | Path: src/VulnExplorer/StellaOps.VulnExplorer.Api | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | VULN-API-29-002 | DONE (2025-11-25) | Implemented list/query endpoints with deterministic paging and tests. | Vuln Explorer API Guild | Path: src/VulnExplorer/StellaOps.VulnExplorer.Api | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | VULN-API-29-003 | DONE (2025-11-25) | Detail endpoint returns evidence, rationale, paths; integration tests in place. | Vuln Explorer API Guild | Path: src/VulnExplorer/StellaOps.VulnExplorer.Api | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | VULN-API-29-004 | TODO | Expose workflow APIs writing ledger events with validation + idempotency. | Vuln Explorer API & Findings Ledger Guilds | Path: src/VulnExplorer/StellaOps.VulnExplorer.Api | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | VULN-API-29-005 | TODO | Implement policy simulation endpoint producing diffs without side effects. | Vuln Explorer API & Policy Guilds | Path: src/VulnExplorer/StellaOps.VulnExplorer.Api | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | VULN-API-29-006 | TODO | Integrate Graph Explorer paths metadata and deep-link parameters. | Vuln Explorer API Guild | Path: src/VulnExplorer/StellaOps.VulnExplorer.Api | 2025-10-19 |
@@ -1123,7 +1123,7 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 Baseline Telemetry | EXPORT-OBS-50-001 | TODO | Enable telemetry core in export planner/workers capturing bundle metadata. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 Baseline Telemetry | LEDGER-OBS-50-001 | TODO | Wire telemetry core through ledger writer/projector for append/replay operations. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 Baseline Telemetry | ORCH-OBS-50-001 | TODO | Instrument orchestrator scheduler/control APIs with telemetry core spans/logs. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 Baseline Telemetry | POLICY-OBS-50-001 | TODO | Instrument policy compile/evaluate flows with telemetry core spans/logs. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 Baseline Telemetry | POLICY-OBS-50-001 | BLOCKED (2025-11-26) | Telemetry/metrics contract not published for Policy Engine; awaiting observability spec. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 Baseline Telemetry | TASKRUN-OBS-50-001 | TODO | Adopt telemetry core in Task Runner host and workers with scrubbed transcripts. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 Baseline Telemetry | TELEMETRY-OBS-50-001 | TODO | Bootstrap telemetry core library with structured logging, OTLP exporters, and deterministic bootstrap. | Observability Guild | Path: src/Telemetry/StellaOps.Telemetry.Core | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 Baseline Telemetry | TELEMETRY-OBS-50-002 | TODO | Deliver context propagation middleware for HTTP/gRPC/jobs/CLI carrying trace + tenant metadata. | Observability Guild | Path: src/Telemetry/StellaOps.Telemetry.Core | 2025-10-19 |
@@ -1137,7 +1137,7 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
| docs/implplan/archived/updates/tasks.md | Sprint 51 — Observability & Forensics Phase 2 SLOs & Dashboards | LEDGER-OBS-51-001 | TODO | Add ledger/projector metrics dashboards and burn-rate policies. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 51 — Observability & Forensics Phase 2 SLOs & Dashboards | NOTIFY-OBS-51-001 | TODO | Ingest SLO burn-rate webhooks and deliver observability alerts. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 51 — Observability & Forensics Phase 2 SLOs & Dashboards | ORCH-OBS-51-001 | TODO | Publish orchestration metrics, SLOs, and burn-rate alerts. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 51 — Observability & Forensics Phase 2 SLOs & Dashboards | POLICY-OBS-51-001 | TODO | Publish policy evaluation metrics + dashboards meeting SLO targets. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 51 — Observability & Forensics Phase 2 SLOs & Dashboards | POLICY-OBS-51-001 | BLOCKED (2025-11-26) | Blocked by OBS-50-001 telemetry contract. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 51 — Observability & Forensics Phase 2 SLOs & Dashboards | TASKRUN-OBS-51-001 | TODO | Emit task runner golden-signal metrics and SLO alerts. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 51 — Observability & Forensics Phase 2 SLOs & Dashboards | TELEMETRY-OBS-51-001 | TODO | Ship metrics helpers + exemplar guards for golden signals. | Observability Guild | Path: src/Telemetry/StellaOps.Telemetry.Core | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 51 — Observability & Forensics Phase 2 SLOs & Dashboards | TELEMETRY-OBS-51-002 | TODO | Implement logging scrubbing and tenant debug override controls. | Security Guild | Path: src/Telemetry/StellaOps.Telemetry.Core | 2025-10-19 |
@@ -1148,13 +1148,13 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 Timeline & Decision Logs | DEVOPS-OBS-52-001 | TODO | Configure streaming pipelines and schema validation for timeline events. | DevOps Guild | Path: ops/devops | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 Timeline & Decision Logs | CLI-OBS-52-001 | TODO | Add `stella obs trace` + log commands correlating timeline data. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 Timeline & Decision Logs | CONCELIER-OBS-52-001 | TODO | Emit advisory ingest/link timeline events with provenance metadata. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 Timeline & Decision Logs | CONCELIER-WEB-OBS-52-001 | TODO (unblocked 2025-11-23) | Provide SSE bridge for advisory timeline events. | Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 Timeline & Decision Logs | CONCELIER-WEB-OBS-52-001 | TODO (unblocked 2025-11-23) | Provide SSE bridge for advisory timeline events. | Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 Timeline & Decision Logs | EXCITITOR-OBS-52-001 | TODO | Emit VEX ingest/link timeline events with justification info. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 Timeline & Decision Logs | EXCITITOR-WEB-OBS-52-001 | TODO | Stream VEX timeline updates to clients with tenant filters. | Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 Timeline & Decision Logs | EXPORT-OBS-52-001 | TODO | Publish export lifecycle events into timeline. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 Timeline & Decision Logs | LEDGER-OBS-52-001 | TODO | Record ledger append/projection events into timeline stream. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 Timeline & Decision Logs | ORCH-OBS-52-001 | TODO | Emit job lifecycle timeline events with tenant/project metadata. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 Timeline & Decision Logs | POLICY-OBS-52-001 | TODO | Emit policy decision timeline events with rule summaries and trace IDs. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 Timeline & Decision Logs | POLICY-OBS-52-001 | BLOCKED (2025-11-26) | Blocked by OBS-51-001 and missing timeline event spec. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 Timeline & Decision Logs | TASKRUN-OBS-52-001 | TODO | Emit pack run timeline events and dedupe logic. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 Timeline & Decision Logs | TIMELINE-OBS-52-001 | TODO | Bootstrap timeline indexer service and schema with RLS scaffolding. | Timeline Indexer Guild | Path: src/TimelineIndexer/StellaOps.TimelineIndexer | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 Timeline & Decision Logs | TIMELINE-OBS-52-002 | TODO | Implement event ingestion pipeline with ordering and dedupe. | Timeline Indexer Guild | Path: src/TimelineIndexer/StellaOps.TimelineIndexer | 2025-10-19 |
@@ -1162,7 +1162,7 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 Timeline & Decision Logs | TIMELINE-OBS-52-004 | TODO | Finalize RLS + scope enforcement and audit logging for timeline reads. | Security Guild | Path: src/TimelineIndexer/StellaOps.TimelineIndexer | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 Timeline & Decision Logs | WEB-OBS-52-001 | TODO | Provide trace/log proxy endpoints bridging to timeline + log store. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 Evidence Locker | DOCS-CLI-FORENSICS-53-001 | TODO | Document `stella forensic` CLI workflows with sample bundles. | Docs Guild | Path: docs | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 Evidence Locker | DOCS-FORENSICS-53-001 | TODO | Publish `/docs/forensics/evidence-locker.md` covering bundles, WORM, legal holds. | Docs Guild | Path: docs | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 Evidence Locker | DOCS-FORENSICS-53-001 | DONE (2025-11-26) | Publish `/docs/forensics/evidence-locker.md` covering bundles, WORM, legal holds. | Docs Guild | Path: docs | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 Evidence Locker | DOCS-FORENSICS-53-003 | TODO | Publish `/docs/forensics/timeline.md` with schema and query examples. | Docs Guild | Path: docs | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 Evidence Locker | DEVOPS-OBS-53-001 | TODO | Provision WORM-capable storage, legal hold automation, and backup/restore scripts for evidence locker. | DevOps Guild | Path: ops/devops | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 Evidence Locker | CLI-FORENSICS-53-001 | TODO | Ship `stella forensic snapshot` commands invoking evidence locker. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 |
@@ -1176,7 +1176,7 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 Evidence Locker | EXPORT-OBS-53-001 | TODO | Store export manifests + transcripts within evidence bundles. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 Evidence Locker | LEDGER-OBS-53-001 | TODO | Persist evidence bundle references alongside ledger entries and expose lookup API. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 Evidence Locker | ORCH-OBS-53-001 | TODO | Attach job capsules + manifests to evidence locker snapshots. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 Evidence Locker | POLICY-OBS-53-001 | TODO | Build evaluation evidence bundles (inputs, rule traces, engine version). | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 Evidence Locker | POLICY-OBS-53-001 | BLOCKED (2025-11-26) | Evidence Locker bundle schema absent; depends on OBS-52-001. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 Evidence Locker | TASKRUN-OBS-53-001 | TODO | Capture step transcripts and manifests into evidence bundles. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 Evidence Locker | TIMELINE-OBS-53-001 | TODO | Link timeline events to evidence bundle digests and expose evidence lookup endpoint. | Timeline Indexer Guild | Path: src/TimelineIndexer/StellaOps.TimelineIndexer | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 Provenance & Verification | DOCS-FORENSICS-53-002 | TODO | Publish `/docs/forensics/provenance-attestation.md` covering signing + verification. | Docs Guild | Path: docs | 2025-10-19 |
@@ -1191,7 +1191,7 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 Provenance & Verification | EXCITITOR-WEB-OBS-54-001 | TODO | Expose `/attestations/vex/*` endpoints with verification summaries. | Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 Provenance & Verification | EXPORT-OBS-54-001 | TODO | Produce export attestation manifests and CLI verification hooks. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 Provenance & Verification | ORCH-OBS-54-001 | TODO | Produce DSSE attestations for jobs and surface verification endpoint. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 Provenance & Verification | POLICY-OBS-54-001 | TODO | Generate DSSE attestations for policy evaluations and expose verification API. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 Provenance & Verification | POLICY-OBS-54-001 | BLOCKED (2025-11-26) | Blocked by OBS-53-001; provenance/attestation contract missing. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 Provenance & Verification | PROV-OBS-53-001 | TODO | Implement DSSE/SLSA models with deterministic serializer + test vectors. | Provenance Guild | Path: src/Provenance/StellaOps.Provenance.Attestation | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 Provenance & Verification | PROV-OBS-53-002 | TODO | Build signer abstraction (cosign/KMS/offline) with policy enforcement. | Provenance Guild | Path: src/Provenance/StellaOps.Provenance.Attestation | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 Provenance & Verification | PROV-OBS-54-001 | TODO | Deliver verification library validating DSSE signatures + Merkle roots. | Provenance Guild | Path: src/Provenance/StellaOps.Provenance.Attestation | 2025-10-19 |
@@ -1210,7 +1210,7 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 Incident Mode | LEDGER-OBS-55-001 | TODO | Extend retention and diagnostics capture during incident mode. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 Incident Mode | NOTIFY-OBS-55-001 | TODO | Send incident mode start/stop notifications with quick links to evidence/timeline. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 Incident Mode | ORCH-OBS-55-001 | TODO | Increase telemetry + evidence capture during incident mode and emit activation events. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 Incident Mode | POLICY-OBS-55-001 | TODO | Capture full rule traces + retention bump on incident activation with timeline events. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 Incident Mode | POLICY-OBS-55-001 | BLOCKED (2025-11-26) | Incident mode sampling spec not defined; depends on OBS-54-001. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 Incident Mode | TASKRUN-OBS-55-001 | TODO | Capture extra debug data + notifications for incident mode runs. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 Incident Mode | TELEMETRY-OBS-55-001 | TODO | Implement incident mode sampling toggle API with activation audit trail. | Observability Guild | Path: src/Telemetry/StellaOps.Telemetry.Core | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 Incident Mode | WEB-OBS-55-001 | TODO | Deliver `/obs/incident-mode` control endpoints with audit + retention previews. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
@@ -1398,12 +1398,12 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 Foundations | LEDGER-RISK-66-001 | TODO | Add risk scoring columns/indexes. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 Foundations | LEDGER-RISK-66-002 | TODO | Implement deterministic scoring upserts. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 Foundations | NOTIFY-RISK-66-001 | TODO | Create risk severity alert templates. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 Foundations | POLICY-RISK-66-003 | TODO | Integrate schema validation into Policy Engine. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 Foundations | POLICY-RISK-66-001 | TODO | Deliver RiskProfile schema + validators. | Risk Profile Schema Guild | Path: src/Policy/StellaOps.Policy.RiskProfile | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 Foundations | POLICY-RISK-66-002 | TODO | Implement inheritance/merge and hashing. | Risk Profile Schema Guild | Path: src/Policy/StellaOps.Policy.RiskProfile | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 Foundations | POLICY-RISK-66-004 | TODO | Extend Policy libraries for RiskProfile handling. | Policy Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 Foundations | RISK-ENGINE-66-001 | TODO | Scaffold risk engine queue/worker/registry. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 Foundations | RISK-ENGINE-66-002 | TODO | Implement transforms/gates/contribution calculator. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 Foundations | POLICY-RISK-66-003 | BLOCKED (2025-11-26) | Reachability inputs (80-001) and engine config contract not defined; cannot integrate. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 Foundations | POLICY-RISK-66-001 | DONE (2025-11-22) | Deliver RiskProfile schema + validators. | Risk Profile Schema Guild | Path: src/Policy/StellaOps.Policy.RiskProfile | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 Foundations | POLICY-RISK-66-002 | DONE (2025-11-26) | Deterministic inheritance/merge + hashing delivered. | Risk Profile Schema Guild | Path: src/Policy/StellaOps.Policy.RiskProfile | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 Foundations | POLICY-RISK-66-004 | BLOCKED (2025-11-26) | Blocked by 66-003; Policy libraries need config shape. | Policy Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 Foundations | RISK-ENGINE-66-001 | DONE (2025-11-25) | Deterministic risk queue/worker/registry scaffolded. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 Foundations | RISK-ENGINE-66-002 | DONE (2025-11-25) | Transforms/clamping/gating implemented. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 Foundations | WEB-RISK-66-001 | TODO | Expose risk API routing in gateway. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 Foundations | WEB-RISK-66-002 | TODO | Handle explainability downloads. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 Providers & Lifecycle | DOCS-RISK-67-001 | TODO | Publish explainability doc. | Docs Guild | Path: docs | 2025-10-19 |
@@ -1415,14 +1415,14 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 Providers & Lifecycle | EXCITITOR-RISK-67-001 | TODO | Add VEX explainability metadata. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 Providers & Lifecycle | NOTIFY-RISK-67-001 | TODO | Notify on profile publish/deprecate. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 Providers & Lifecycle | NOTIFY-RISK-68-001 | TODO | (Prep) risk routing settings seeds. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 Providers & Lifecycle | POLICY-RISK-67-001 | TODO | Enqueue scoring on new findings. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 Providers & Lifecycle | POLICY-RISK-67-002 | TODO | Deliver profile lifecycle APIs. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 Providers & Lifecycle | POLICY-RISK-67-001 | TODO | Integrate profiles into policy store lifecycle. | Risk Profile Schema Guild | Path: src/Policy/StellaOps.Policy.RiskProfile | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 Providers & Lifecycle | POLICY-RISK-67-002 | TODO | Publish schema endpoint + validation tooling. | Risk Profile Schema Guild | Path: src/Policy/StellaOps.Policy.RiskProfile | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 Providers & Lifecycle | POLICY-RISK-67-003 | TODO | Provide simulation orchestration APIs. | Policy Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 Providers & Lifecycle | RISK-ENGINE-67-001 | TODO | Integrate CVSS/KEV providers. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 Providers & Lifecycle | RISK-ENGINE-67-002 | TODO | Integrate VEX gate provider. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 Providers & Lifecycle | RISK-ENGINE-67-003 | TODO | Add fix availability/criticality/exposure providers. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 Providers & Lifecycle | POLICY-RISK-67-001 | BLOCKED (2025-11-26) | Depends on 66-003/66-004; reachability/config missing. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 Providers & Lifecycle | POLICY-RISK-67-002 | BLOCKED (2025-11-26) | Risk profile lifecycle contract/schema not published. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 Providers & Lifecycle | POLICY-RISK-67-001 | BLOCKED (2025-11-26) | Depends on 66-003/66-004; reachability/config missing. | Risk Profile Schema Guild | Path: src/Policy/StellaOps.Policy.RiskProfile | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 Providers & Lifecycle | POLICY-RISK-67-002 | BLOCKED (2025-11-26) | Risk profile lifecycle contract/schema not published. | Risk Profile Schema Guild | Path: src/Policy/StellaOps.Policy.RiskProfile | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 Providers & Lifecycle | POLICY-RISK-67-003 | BLOCKED (2025-11-26) | Blocked by 67-002 contract + simulation inputs. | Policy Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 Providers & Lifecycle | RISK-ENGINE-67-001 | DONE (2025-11-25) | Integrated CVSS/KEV providers. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 Providers & Lifecycle | RISK-ENGINE-67-002 | DONE (2025-11-25) | Added VEX gate provider. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 Providers & Lifecycle | RISK-ENGINE-67-003 | DONE (2025-11-25) | Fix availability/criticality/exposure providers added. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 Providers & Lifecycle | WEB-RISK-67-001 | TODO | Provide risk status endpoint. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 APIs & Ledger | DOCS-RISK-68-001 | TODO | Publish risk bundle doc. | Docs Guild | Path: docs | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 APIs & Ledger | DOCS-RISK-68-002 | TODO | Update AOC invariants doc. | Docs Guild | Path: docs | 2025-10-19 |
@@ -1430,10 +1430,10 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 APIs & Ledger | LEDGER-RISK-67-001 | TODO | Provide scored findings query API. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 APIs & Ledger | LEDGER-RISK-68-001 | TODO | Enable scored findings export. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 APIs & Ledger | NOTIFY-RISK-68-001 | TODO | Configure risk notification routing UI/logic. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 APIs & Ledger | POLICY-RISK-68-001 | TODO | Ship simulation API endpoint. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 APIs & Ledger | POLICY-RISK-68-002 | TODO | Support profile export/import. | Policy Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 APIs & Ledger | RISK-ENGINE-68-001 | TODO | Persist scoring results & explanations. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 APIs & Ledger | RISK-ENGINE-68-002 | TODO | Expose jobs/results/explanations APIs. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 APIs & Ledger | POLICY-RISK-68-001 | BLOCKED (2025-11-26) | Simulation API blocked by 67-003 outputs and Policy Studio contract. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 APIs & Ledger | POLICY-RISK-68-002 | BLOCKED (2025-11-26) | Blocked until overrides/export signing rules are agreed. | Policy Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 APIs & Ledger | RISK-ENGINE-68-001 | DONE (2025-11-25) | Persist scoring results & explanations. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 APIs & Ledger | RISK-ENGINE-68-002 | DONE (2025-11-25) | Expose jobs/results/explanations APIs. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 APIs & Ledger | WEB-RISK-68-001 | TODO | Emit severity transition events via gateway. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 69 — Risk Profiles Phase 4 Simulation & Reporting | DOCS-RISK-67-001..004 | TODO | (Carry) ensure docs updated from simulation release. | Docs Guild | Path: docs | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 69 — Risk Profiles Phase 4 Simulation & Reporting | RISK-BUNDLE-69-001 | TODO | Build risk bundle. | Risk Bundle Export Guild | Path: src/ExportCenter/StellaOps.ExportCenter.RiskBundles | 2025-10-19 |

6
docs/implplan/archived/updates/tasks.md
View File

@@ -1200,8 +1200,8 @@ This file describe implementation of Stella Ops (docs/README.md). Implementation
| Sprint 52 | Observability & Forensics Phase 3 Timeline & Decision Logs | src/TimelineIndexer/StellaOps.TimelineIndexer | TODO | Security Guild | TIMELINE-OBS-52-004 | Finalize RLS + scope enforcement and audit logging for timeline reads. |
| Sprint 52 | Observability & Forensics Phase 3 Timeline & Decision Logs | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-OBS-52-001 | Provide trace/log proxy endpoints bridging to timeline + log store. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | docs | TODO | Docs Guild | DOCS-CLI-FORENSICS-53-001 | Document `stella forensic` CLI workflows with sample bundles. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | docs | TODO | Docs Guild | DOCS-FORENSICS-53-001 | Publish `/docs/forensics/evidence-locker.md` covering bundles, WORM, legal holds. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | docs | TODO | Docs Guild | DOCS-FORENSICS-53-003 | Publish `/docs/forensics/timeline.md` with schema and query examples. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | docs | DONE (2025-11-26) | Docs Guild | DOCS-FORENSICS-53-001 | Publish `/docs/forensics/evidence-locker.md` covering bundles, WORM, legal holds. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | docs | DONE (2025-11-26) | Docs Guild | DOCS-FORENSICS-53-003 | Publish `/docs/forensics/timeline.md` with schema and query examples. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | ops/devops | TODO | DevOps Guild | DEVOPS-OBS-53-001 | Provision WORM-capable storage, legal hold automation, and backup/restore scripts for evidence locker. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-FORENSICS-53-001 | Ship `stella forensic snapshot` commands invoking evidence locker. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-OBS-53-001 | Generate advisory evidence payloads (raw doc, linkset diff) for locker. |
@@ -1217,7 +1217,7 @@ This file describe implementation of Stella Ops (docs/README.md). Implementation
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-OBS-53-001 | Build evaluation evidence bundles (inputs, rule traces, engine version). |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | src/TaskRunner/StellaOps.TaskRunner | TODO | Task Runner Guild | TASKRUN-OBS-53-001 | Capture step transcripts and manifests into evidence bundles. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | src/TimelineIndexer/StellaOps.TimelineIndexer | TODO | Timeline Indexer Guild | TIMELINE-OBS-53-001 | Link timeline events to evidence bundle digests and expose evidence lookup endpoint. |
| Sprint 54 | Observability & Forensics Phase 5 Provenance & Verification | docs | TODO | Docs Guild | DOCS-FORENSICS-53-002 | Publish `/docs/forensics/provenance-attestation.md` covering signing + verification. |
| Sprint 54 | Observability & Forensics Phase 5 Provenance & Verification | docs | DONE (2025-11-26) | Docs Guild | DOCS-FORENSICS-53-002 | Publish `/docs/forensics/provenance-attestation.md` covering signing + verification. |
| Sprint 54 | Observability & Forensics Phase 5 Provenance & Verification | ops/devops | TODO | DevOps Guild | DEVOPS-OBS-54-001 | Manage provenance signing infrastructure (KMS keys, timestamp authority) and CI verification. |
| Sprint 54 | Observability & Forensics Phase 5 Provenance & Verification | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-FORENSICS-54-001 | Implement `stella forensic verify` command verifying bundles + signatures. |
| Sprint 54 | Observability & Forensics Phase 5 Provenance & Verification | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-FORENSICS-54-002 | Add `stella forensic attest show` command with signer/timestamp details. |

91
docs/implplan/tasks-all.md
View File

@@ -108,7 +108,7 @@
| AIRGAP-CTL-57-001 | TODO | | SPRINT_510_airgap | AirGap Controller Guild | src/AirGap/StellaOps.AirGap.Controller | Add startup diagnostics that block application run when sealed flag set but egress policies missing; emit audit + telemetry. Dependencies: AIRGAP-CTL-56-002. | AIRGAP-CTL-56-002 | AGCT0101 |
| AIRGAP-CTL-57-002 | TODO | | SPRINT_510_airgap | AirGap Controller Guild · Observability Guild | src/AirGap/StellaOps.AirGap.Controller | Instrument seal/unseal events with trace/log fields and timeline emission (`airgap.sealed`, `airgap.unsealed`). Dependencies: AIRGAP-CTL-57-001. | AIRGAP-CTL-57-001 | AGCT0101 |
| AIRGAP-CTL-58-001 | TODO | | SPRINT_510_airgap | AirGap Controller Guild · AirGap Time Guild | src/AirGap/StellaOps.AirGap.Controller | Persist time anchor metadata, compute drift seconds, and surface staleness budgets in status API. Dependencies: AIRGAP-CTL-57-002. | AIRGAP-CTL-57-002 | AGCT0101 |
| AIRGAP-DEVPORT-64-001 | TODO | | SPRINT_302_docs_tasks_md_ii | Docs Guild · DevPortal Offline Guild | docs/modules/export-center/devportal-offline.md | Depends on 071_AGCO0101 manifest decisions | Depends on 071_AGCO0101 manifest decisions | DEVL0102 |
| AIRGAP-DEVPORT-64-001 | DONE (2025-11-23) | 2025-11-23 | SPRINT_302_docs_tasks_md_ii | Docs Guild · DevPortal Offline Guild | docs/modules/export-center/devportal-offline.md | Depends on 071_AGCO0101 manifest decisions | Depends on 071_AGCO0101 manifest decisions | DEVL0102 |
| AIRGAP-IMP-56-001 | TODO | | SPRINT_510_airgap | AirGap Importer Guild | src/AirGap/StellaOps.AirGap.Importer | Implement DSSE verification helpers, TUF metadata parser (`root.json`, `snapshot.json`, `timestamp.json`), and Merkle root calculator. | ATLN0101 approvals | AGIM0101 |
| AIRGAP-IMP-56-002 | TODO | | SPRINT_510_airgap | AirGap Importer Guild · Security Guild | src/AirGap/StellaOps.AirGap.Importer | Introduce root rotation policy validation (dual approval) and signer trust store management. Dependencies: AIRGAP-IMP-56-001. | AIRGAP-IMP-56-001 | AGIM0101 |
| AIRGAP-IMP-57-001 | TODO | | SPRINT_510_airgap | AirGap Importer Guild | src/AirGap/StellaOps.AirGap.Importer | Write `bundle_catalog` and `bundle_items` repositories with RLS + deterministic migrations. Dependencies: AIRGAP-IMP-56-002. | Importer infra | AGIM0101 |
@@ -657,7 +657,7 @@
| DOCS-AIRGAP-58-002 | BLOCKED | 2025-11-25 | SPRINT_302_docs_tasks_md_ii | Docs Guild, Security Guild (docs) | | Update `/docs/security/trust-and-signing.md` with DSSE/TUF roots, rotation, and signed time tokens. Dependencies: DOCS-AIRGAP-58-001. | Blocked: DOCS-AIRGAP-58-001 awaiting staleness/time-anchor spec | DOCL0102 |
| DOCS-AIRGAP-58-003 | BLOCKED | 2025-11-25 | SPRINT_302_docs_tasks_md_ii | Docs Guild · DevEx Guild | docs/modules/airgap | Publish `/docs/dev/airgap-contracts.md` describing EgressPolicy usage, sealed-mode tests, linting. Dependencies: DOCS-AIRGAP-58-002. | Blocked: DOCS-AIRGAP-58-002 outstanding | DOAG0101 |
| DOCS-AIRGAP-58-004 | BLOCKED | 2025-11-25 | SPRINT_302_docs_tasks_md_ii | Docs Guild · Evidence Locker Guild | docs/modules/airgap | Document `/docs/airgap/portable-evidence.md` for exporting/importing portable evidence bundles across enclaves. Dependencies: DOCS-AIRGAP-58-003. | Blocked: DOCS-AIRGAP-58-003 outstanding; needs Evidence Locker attestation notes (002_ATEL0101) | DOAG0101 |
| DOCS-AIRGAP-DEVPORT-64-001 | TODO | | SPRINT_302_docs_tasks_md_ii | Docs Guild · DevPortal Offline Guild | docs/modules/export-center/devportal-offline.md | Create `/docs/airgap/devportal-offline.md` describing offline bundle usage and verification. | Requires #3 draft | DEVL0102 |
| DOCS-AIRGAP-DEVPORT-64-001 | DONE (2025-11-23) | 2025-11-23 | SPRINT_302_docs_tasks_md_ii | Docs Guild · DevPortal Offline Guild | docs/modules/export-center/devportal-offline.md | Create `/docs/airgap/devportal-offline.md` describing offline bundle usage and verification. | Requires #3 draft | DEVL0102 |
| DOCS-ATTEST-73-001 | TODO | | SPRINT_302_docs_tasks_md_ii | Docs Guild, Attestor Service Guild (docs) | | Publish `/docs/modules/attestor/overview.md` with imposed rule banner. | — | DOAT0101 |
| DOCS-ATTEST-73-002 | DONE | 2025-11-23 | SPRINT_302_docs_tasks_md_ii | Docs Guild, Attestation Payloads Guild (docs) | | Write `/docs/modules/attestor/payloads.md` with schemas/examples. Dependencies: DOCS-ATTEST-73-001. | — | DOAT0101 |
| DOCS-ATTEST-73-003 | DONE | 2025-11-23 | SPRINT_302_docs_tasks_md_ii | Docs Guild, Policy Guild (docs) | | Publish `/docs/modules/attestor/policies.md` covering verification policies. Dependencies: DOCS-ATTEST-73-002. | — | DOAT0101 |
@@ -676,30 +676,30 @@
| DOCS-CONSOLE-OBS-52-001 | BLOCKED | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild, Console Guild (docs) | | Document `/docs/console/observability.md` showcasing Observability Hub widgets, trace/log search, imposed rule banner, and accessibility tips. | Blocked: awaiting Console Observability Hub schemas/widgets from Console Guild | DOCL0101 |
| DOCS-CONSOLE-OBS-52-002 | BLOCKED | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild, Console Guild (docs) | | Publish `/docs/console/forensics.md` covering timeline explorer, evidence viewer, attestation verifier, imposed rule banner, and troubleshooting. Dependencies: DOCS-CONSOLE-OBS-52-001. | Blocked: upstream DOCS-CONSOLE-OBS-52-001 | DOCL0101 |
| DOCS-CONTRIB-62-001 | DONE | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild, API Governance Guild (docs) | docs/contributing/api-contracts.md | Publish `/docs/contributing/api-contracts.md` detailing how to edit OAS, lint rules, compatibility checks. | — | DOCL0101 |
| DOCS-DETER-70-002 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Scanner Guild | docs/modules/scanner/determinism.md | Document the scanner determinism score process (`determinism.json` schema, CI harness, replay instructions) under `/docs/modules/scanner/determinism-score.md` and add a release-notes template entry. Dependencies: SCAN-DETER-186-010, DEVOPS-SCAN-90-004. | Need deterministic suite notes from 137_SCDT0101 | DOSC0101 |
| DOCS-DETER-70-002 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · Scanner Guild | docs/modules/scanner/determinism-score.md | Document the scanner determinism score process (`determinism.json` schema, CI harness, replay instructions) under `/docs/modules/scanner/determinism-score.md` and add a release-notes template entry. Dependencies: SCAN-DETER-186-010, DEVOPS-SCAN-90-004. | | DOSC0101 |
| DOCS-DEVPORT-62-001 | DONE | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild, Developer Portal Guild (docs) | docs/devportal/publishing.md | Document `/docs/devportal/publishing.md` for build pipeline, offline bundle steps. | — | DOCL0101 |
| DOCS-DSL-401-005 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild (`docs/policy/dsl.md`, `docs/policy/lifecycle.md`) | `docs/policy/dsl.md`, `docs/policy/lifecycle.md` | Refresh `docs/policy/dsl.md` + lifecycle docs with the new syntax, signal dictionary (`trust_score`, `reachability`, etc.), authoring workflow, and safety rails (shadow mode, coverage tests). | — | DOCL0101 |
| DOCS-ENTROPY-70-004 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Scanner Guild | docs/modules/scanner/determinism.md | Publish entropy analysis documentation (scoring heuristics, JSON schemas, policy hooks, UI guidance) under `docs/modules/scanner/entropy.md` and update trust-lattice references. Dependencies: SCAN-ENTROPY-186-011/012, POLICY-RISK-90-001. | Requires entropy guardrails from 078_SCSA0301 | DOSC0101 |
| DOCS-DSL-401-005 | DONE (2025-11-26) | 2025-11-26 | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild (`docs/policy/dsl.md`, `docs/policy/lifecycle.md`) | `docs/policy/dsl.md`, `docs/policy/lifecycle.md` | Refresh `docs/policy/dsl.md` + lifecycle docs with the new syntax, signal dictionary (`trust_score`, `reachability`, etc.), authoring workflow, and safety rails (shadow mode, coverage tests). | — | DOCL0101 |
| DOCS-ENTROPY-70-004 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · Scanner Guild | docs/modules/scanner/entropy.md | Publish entropy analysis documentation (scoring heuristics, JSON schemas, policy hooks, UI guidance) under `docs/modules/scanner/entropy.md` and update trust-lattice references. Dependencies: SCAN-ENTROPY-186-011/012, POLICY-RISK-90-001. | | DOSC0101 |
| DOCS-EXC-25-001 | BLOCKED | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild | docs/modules/excititor | Author `/docs/governance/exceptions.md` covering lifecycle, scope patterns, examples, compliance checklist. | Blocked: waiting on CLEX0101 exception governance spec and UI workflow | DOEX0102 |
| DOCS-EXC-25-002 | BLOCKED | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild | docs/modules/excititor | Publish `/docs/governance/approvals-and-routing.md` detailing roles, routing matrix, MFA rules, audit trails. Dependencies: DOCS-EXC-25-001. | Blocked: upstream DOCS-EXC-25-001 | DOEX0102 |
| DOCS-EXC-25-003 | BLOCKED | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild | docs/modules/excititor | Create `/docs/api/exceptions.md` with endpoints, payloads, errors, idempotency notes. Dependencies: DOCS-EXC-25-002. | Blocked: upstream DOCS-EXC-25-002 | DOEX0102 |
| DOCS-EXC-25-005 | BLOCKED | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs + Accessibility Guilds | docs/modules/excititor | Write `/docs/ui/exception-center.md` with UI walkthrough, badges, accessibility, shortcuts. Dependencies: DOCS-EXC-25-003. | Blocked: upstream DOCS-EXC-25-003 | DOEX0102 |
| DOCS-EXC-25-006 | TODO | | SPRINT_303_docs_tasks_md_iii | Docs Guild | docs/modules/excititor | Update `/docs/modules/cli/guides/exceptions.md` covering command usage and exit codes. Dependencies: DOCS-EXC-25-005. | CLEX0101 | DOEX0102 |
| DOCS-EXC-25-007 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · DevOps Guild | docs/modules/excititor | Publish `/docs/migration/exception-governance.md` describing cutover from legacy suppressions, notifications, rollback. Dependencies: DOCS-EXC-25-006. | UIEX0101 & Ops runbooks | DOEX0102 |
| DOCS-EXPORT-37-004 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Export Center Guild | docs/modules/export-center | Publish `/docs/security/export-hardening.md` outlining RBAC, tenancy, encryption, redaction, restating imposed rule. | Wait for ATMI0102 orchestration notes | DOEC0102 |
| DOCS-EXPORT-37-005 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Export Center Guild | docs/modules/export-center | Validate Export Center docs against live Trivy/mirror bundles once implementation lands; refresh examples and CLI snippets accordingly. Dependencies: DOCS-EXPORT-37-004. | Needs AGDP0101 manifest schema | DOEC0102 |
| DOCS-EXPORT-37-101 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · DevOps Guild | docs/modules/export-center | Refresh CLI verification sections once `stella export verify` lands (flags, exit codes, samples). Dependencies: DOCS-EXPORT-37-005. | Depends on DVDO0105 deployment guide | DOEC0102 |
| DOCS-EXPORT-37-102 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Evidence Locker Guild | docs/modules/export-center | Embed export dashboards/alerts references into provenance/runbook docs after Grafana work ships. Dependencies: DOCS-EXPORT-37-101. | Requires ATEL0102 attestation feed | DOEC0102 |
| DOCS-FORENSICS-53-001 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Evidence Locker Guild | docs/modules/evidence-locker/forensics.md | Publish `/docs/forensics/evidence-locker.md` describing bundle formats, WORM options, retention, legal hold, and imposed rule banner. | Need DSSE digest notes from 002_ATEL0101 | DOEL0101 |
| DOCS-FORENSICS-53-002 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Provenance Guild | docs/modules/evidence-locker/forensics.md | Release `/docs/forensics/provenance-attestation.md` covering DSSE schema, signing process, verification workflow, and imposed rule banner. Dependencies: DOCS-FORENSICS-53-001. | Waiting on provenance recorder sample (104_RBRE0101) | DOEL0101 |
| DOCS-FORENSICS-53-003 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Timeline Indexer Guild | docs/modules/evidence-locker/forensics.md | Publish `/docs/forensics/timeline.md` with schema, event kinds, filters, query examples, and imposed rule banner. Dependencies: DOCS-FORENSICS-53-002. | Requires timeline indexer export from 055_AGIM0101 | DOEL0101 |
| DOCS-GRAPH-24-001 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Graph Guild | docs/modules/graph | Author `/docs/ui/sbom-graph-explorer.md` detailing overlays, filters, saved views, accessibility, and AOC visibility. | Wait for GRAP0101 contract freeze | DOGR0101 |
| DOCS-GRAPH-24-002 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · UI Guild | docs/modules/graph | Publish `/docs/ui/vulnerability-explorer.md` covering table usage, grouping, fix suggestions, Why drawer. Dependencies: DOCS-GRAPH-24-001. | Needs SBOM/VEX dataflow confirmation (PLLG0104) | DOGR0101 |
| DOCS-GRAPH-24-003 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · SBOM Guild | docs/modules/graph | Create `/docs/modules/graph/architecture-index.md` describing data model, ingestion pipeline, caches, events. Dependencies: DOCS-GRAPH-24-002. | Unblocked: SBOM join spec delivered with CARTO-GRAPH-21-002 (2025-11-17). | DOGR0101 |
| DOCS-EXC-25-007 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · DevOps Guild | docs/migration/exception-governance.md | Publish `/docs/migration/exception-governance.md` describing cutover from legacy suppressions, notifications, rollback. Dependencies: DOCS-EXC-25-006. | | DOEX0102 |
| DOCS-EXPORT-37-004 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · Export Center Guild | docs/security/export-hardening.md | Publish `/docs/security/export-hardening.md` outlining RBAC, tenancy, encryption, redaction, restating imposed rule. | | DOEC0102 |
| DOCS-EXPORT-37-005 | BLOCKED | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · Export Center Guild | docs/modules/export-center | Validate Export Center docs against live Trivy/mirror bundles once implementation lands; refresh examples and CLI snippets accordingly. Dependencies: DOCS-EXPORT-37-004. | Blocked: awaiting live bundle verification | DOEC0102 |
| DOCS-EXPORT-37-101 | BLOCKED | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · DevOps Guild | docs/modules/export-center | Refresh CLI verification sections once `stella export verify` lands (flags, exit codes, samples). Dependencies: DOCS-EXPORT-37-005. | Blocked: 37-005 pending live bundle validation | DOEC0102 |
| DOCS-EXPORT-37-102 | BLOCKED | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · Evidence Locker Guild | docs/modules/export-center | Embed export dashboards/alerts references into provenance/runbook docs after Grafana work ships. Dependencies: DOCS-EXPORT-37-101. | Blocked: 37-101 blocked on live bundle validation | DOEC0102 |
| DOCS-FORENSICS-53-001 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · Evidence Locker Guild | docs/forensics/evidence-locker.md | Publish `/docs/forensics/evidence-locker.md` describing bundle formats, WORM options, retention, legal hold, and imposed rule banner. | | DOEL0101 |
| DOCS-FORENSICS-53-002 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · Provenance Guild | docs/forensics/provenance-attestation.md | Release `/docs/forensics/provenance-attestation.md` covering DSSE schema, signing process, verification workflow, and imposed rule banner. Dependencies: DOCS-FORENSICS-53-001. | | DOEL0101 |
| DOCS-FORENSICS-53-003 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · Timeline Indexer Guild | docs/forensics/timeline.md | Publish `/docs/forensics/timeline.md` with schema, event kinds, filters, query examples, and imposed rule banner. Dependencies: DOCS-FORENSICS-53-002. | | DOEL0101 |
| DOCS-GRAPH-24-001 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · Graph Guild | docs/ui/sbom-graph-explorer.md | Author `/docs/ui/sbom-graph-explorer.md` detailing overlays, filters, saved views, accessibility, and AOC visibility. | | DOGR0101 |
| DOCS-GRAPH-24-002 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · UI Guild | docs/ui/vulnerability-explorer.md | Publish `/docs/ui/vulnerability-explorer.md` covering table usage, grouping, fix suggestions, Why drawer. Dependencies: DOCS-GRAPH-24-001. | | DOGR0101 |
| DOCS-GRAPH-24-003 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · SBOM Guild | docs/modules/graph | Create `/docs/modules/graph/architecture-index.md` describing data model, ingestion pipeline, caches, events. Dependencies: DOCS-GRAPH-24-002. | Unblocked: SBOM join spec delivered with CARTO-GRAPH-21-002 (2025-11-17). | DOGR0101 |
| DOCS-GRAPH-24-004 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · BE-Base Guild | docs/api/graph.md; docs/api/vuln.md | Document `/docs/api/graph.md` and `/docs/api/vuln.md` avec endpoints, parameters, errors, RBAC. Dependencies: DOCS-GRAPH-24-003. | Require replay hooks from RBBN0101 | DOGR0101 |
| DOCS-GRAPH-24-005 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · DevEx/CLI Guild | docs/modules/graph | Update `/docs/modules/cli/guides/graph-and-vuln.md` covering new CLI commands, exit codes, scripting. Dependencies: DOCS-GRAPH-24-004. | — | DOGR0101 |
| DOCS-GRAPH-24-006 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Policy Guild | docs/modules/graph | Write `/docs/policy/ui-integration.md` explaining overlays, cache usage, simulator contracts. Dependencies: DOCS-GRAPH-24-005. | Needs policy outputs from PLVL0102 | DOGR0101 |
| DOCS-GRAPH-24-007 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · DevOps Guild | docs/modules/graph | Produce `/docs/migration/graph-parity.md` with rollout plan, parity checks, fallback guidance. Dependencies: DOCS-GRAPH-24-006. | Depends on DVDO0108 deployment notes | DOGR0101 |
| DOCS-GRAPH-24-006 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · Policy Guild | docs/policy/ui-integration.md | Write `/docs/policy/ui-integration.md` explaining overlays, cache usage, simulator contracts. Dependencies: DOCS-GRAPH-24-005. | | DOGR0101 |
| DOCS-GRAPH-24-007 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · DevOps Guild | docs/migration/graph-parity.md | Produce `/docs/migration/graph-parity.md` with rollout plan, parity checks, fallback guidance. Dependencies: DOCS-GRAPH-24-006. | | DOGR0101 |
| DOCS-INSTALL-44-001 | BLOCKED | 2025-11-25 | SPRINT_305_docs_tasks_md_v | Docs Guild · Deployment Guild | docs/install | Publish `/docs/install/overview.md` and `/docs/install/compose-quickstart.md` with imposed rule line and copy-ready commands. | Blocked: waiting on DVPL0101 compose schema + service list/version pins | DOIS0101 |
| DOCS-INSTALL-45-001 | BLOCKED | 2025-11-25 | SPRINT_305_docs_tasks_md_v | Docs Guild · Deployment Guild | docs/install | Publish `/docs/install/helm-prod.md` and `/docs/install/configuration-reference.md` with values tables and imposed rule reminder. Dependencies: DOCS-INSTALL-44-001. | Blocked: upstream DOCS-INSTALL-44-001 and TLS guidance (127_SIGR0101) | DOIS0101 |
| DOCS-INSTALL-46-001 | BLOCKED | 2025-11-25 | SPRINT_305_docs_tasks_md_v | Docs Guild · Deployment Guild | docs/install | Publish `/docs/install/airgap.md`, `/docs/security/supply-chain.md`, `/docs/operations/health-and-readiness.md`, `/docs/release/image-catalog.md`, `/docs/console/onboarding.md` (each with imposed rule). Dependencies: DOCS-INSTALL-45-001. | Blocked: upstream DOCS-INSTALL-45-001 and 126_RLRC0101 replay hooks | DOIS0101 |
@@ -731,9 +731,9 @@
| DOCS-ORCH-34-004 | TODO | | SPRINT_306_docs_tasks_md_vi | Docs Guild · Observability Guild | docs/modules/orchestrator | Document `/docs/schemas/artifacts.md` describing artifact kinds, schema versions, hashing, storage layout, restating imposed rule. Dependencies: DOCS-ORCH-34-003. | Wait for observability dashboards (063_OROB0101) | DOOR0102 |
| DOCS-ORCH-34-005 | TODO | | SPRINT_306_docs_tasks_md_vi | Docs Guild · BE-Base Guild | docs/modules/orchestrator | Author `/docs/slo/orchestrator-slo.md` defining SLOs, burn alerts, measurement, and reiterating imposed rule. Dependencies: DOCS-ORCH-34-004. | Needs replay linkage from 042_RPRC0101 | DOOR0102 |
| DOCS-POLICY-23-003 | TODO | | SPRINT_307_docs_tasks_md_vii | Docs Guild | docs/policy/lifecycle.md | Produce `/docs/policy/runtime.md` covering compiler, evaluator, caching, events, SLOs. Dependencies: DOCS-POLICY-23-002. | DOCS-POLICY-23-002 | POKT0101 |
| DOCS-POLICY-23-004 | TODO | | SPRINT_307_docs_tasks_md_vii | Docs Guild · UI Guild | docs/policy/lifecycle.md | Document `/docs/policy/editor.md` (UI walkthrough, validation, simulation, approvals). Dependencies: DOCS-POLICY-23-003. | DOCS-POLICY-23-003 | POKT0101 |
| DOCS-POLICY-23-005 | TODO | | SPRINT_307_docs_tasks_md_vii | Docs Guild · DevOps Guild | docs/policy/lifecycle.md | Publish `/docs/policy/governance.md` (roles, scopes, approvals, signing, exceptions). Dependencies: DOCS-POLICY-23-004. | Depends on DevOps automation (141_DVDO0107) | DOPL0101 |
| DOCS-POLICY-23-006 | TODO | | SPRINT_307_docs_tasks_md_vii | Docs Guild · DevEx/CLI Guild | docs/policy/lifecycle.md | Update `/docs/api/policy.md` with new endpoints, schemas, errors, pagination. Dependencies: DOCS-POLICY-23-005. | Wait for CLI commands (132_CLCI0110) | DOPL0101 |
| DOCS-POLICY-23-004 | DONE (2025-11-26) | 2025-11-26 | SPRINT_307_docs_tasks_md_vii | Docs Guild · UI Guild | docs/policy/editor.md | Document `/docs/policy/editor.md` (UI walkthrough, validation, simulation, approvals). Dependencies: DOCS-POLICY-23-003. | DOCS-POLICY-23-003 | POKT0101 |
| DOCS-POLICY-23-005 | DONE (2025-11-26) | 2025-11-26 | SPRINT_307_docs_tasks_md_vii | Docs Guild · DevOps Guild | docs/policy/governance.md | Publish `/docs/policy/governance.md` (roles, scopes, approvals, signing, exceptions). Dependencies: DOCS-POLICY-23-004. | | DOPL0101 |
| DOCS-POLICY-23-006 | DONE (2025-11-26) | 2025-11-26 | SPRINT_307_docs_tasks_md_vii | Docs Guild · DevEx/CLI Guild | docs/policy/api.md | Update `/docs/api/policy.md` with new endpoints, schemas, errors, pagination. Dependencies: DOCS-POLICY-23-005. | | DOPL0101 |
| DOCS-POLICY-23-007 | TODO | | SPRINT_307_docs_tasks_md_vii | Docs Guild · Observability Guild | docs/policy/lifecycle.md | Update `/docs/modules/cli/guides/policy.md` for lint/simulate/activate/history commands, exit codes. Dependencies: DOCS-POLICY-23-006. | Requires observability hooks (066_PLOB0101) | DOPL0101 |
| DOCS-POLICY-23-008 | TODO | | SPRINT_307_docs_tasks_md_vii | Docs Guild · Policy Guild | docs/policy/lifecycle.md | Refresh `/docs/modules/policy/architecture.md` with data model, sequence diagrams, event flows. Dependencies: DOCS-POLICY-23-007. | Needs waiver examples from 005_ATLN0101 | DOPL0101 |
| DOCS-POLICY-23-009 | TODO | | SPRINT_307_docs_tasks_md_vii | Docs Guild · DevOps Guild | docs/policy/lifecycle.md | Create `/docs/migration/policy-parity.md` covering dual-run parity plan and rollback. Dependencies: DOCS-POLICY-23-008. | Need DevOps rollout notes (DVDO0108) | DOPL0102 |
@@ -753,7 +753,7 @@
| DOCS-POLICY-27-013 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Policy Guild | docs/policy/runs.md | Update `/docs/examples/policy-templates.md` with new templates, snippets, and sample policies. Dependencies: DOCS-POLICY-27-012. | Await policy guild approval | DOPL0103 |
| DOCS-POLICY-27-014 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Policy Registry Guild | docs/policy/runs.md | Refresh `/docs/aoc/aoc-guardrails.md` to include Studio-specific guardrails and validation scenarios. Dependencies: DOCS-POLICY-27-013. | Needs policy registry approvals | DOPL0103 |
| DOCS-POLICY-DET-01 | TODO | | SPRINT_301_docs_tasks_md_i | Docs Guild · Policy Guild | docs/policy/runs.md | Extend `docs/modules/policy/architecture.md` with determinism gate semantics and provenance references. | Depends on deterministic harness (137_SCDT0101) | DOPL0103 |
| DOCS-PROMO-70-001 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Provenance Guild | docs/modules/provenance | Publish `/docs/release/promotion-attestations.md` describing the promotion workflow (CLI commands, Signer/Attestor integration, offline verification) and update `/docs/forensics/provenance-attestation.md` with the new predicate. Dependencies: PROV-OBS-53-003, CLI-PROMO-70-002. | Need provenance promo outline from Provenance Guild | DOPV0101 |
| DOCS-PROMO-70-001 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · Provenance Guild | docs/release/promotion-attestations.md | Publish `/docs/release/promotion-attestations.md` describing the promotion workflow (CLI commands, Signer/Attestor integration, offline verification) and update `/docs/forensics/provenance-attestation.md` with the new predicate. Dependencies: PROV-OBS-53-003, CLI-PROMO-70-002. | | DOPV0101 |
| DOCS-REACH-201-006 | TODO | | SPRINT_400_runtime_facts_static_callgraph_union | Docs Guild · Runtime Evidence Guild | docs/reachability | Author the reachability doc set (`docs/signals/reachability.md`, `callgraph-formats.md`, `runtime-facts.md`, CLI/UI appendices) plus update Zastava + Replay guides with the new evidence and operators workflow. | Needs RBRE0101 provenance hook summary | DORC0101 |
| DOCS-REPLAY-185-003 | TODO | | SPRINT_185_shared_replay_primitives | Docs Guild · Platform Data Guild | docs/replay | Author `docs/data/replay_schema.md` detailing `replay_runs`, `replay_bundles`, `replay_subjects` collections, index guidance, and offline sync strategy aligned with Replay CAS. | Need RPRC0101 API freeze | DORR0101 |
| DOCS-REPLAY-185-004 | TODO | | SPRINT_185_shared_replay_primitives | Docs Guild | docs/replay | Expand `docs/replay/DEVS_GUIDE_REPLAY.md` with integration guidance for consuming services (Scanner, Evidence Locker, CLI) and add checklist derived from `docs/replay/DETERMINISTIC_REPLAY.md` Section 11. | Depends on #1 | DORR0101 |
@@ -768,7 +768,7 @@
| DOCS-RISK-67-004 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · CLI Guild | docs/risk | Publish `/docs/modules/cli/guides/risk.md` covering CLI workflows. Dependencies: DOCS-RISK-67-003. | Requires CLI samples from 132_CLCI0110 | DORS0101 |
| DOCS-RISK-68-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Export Guild | docs/risk | Add `/docs/airgap/risk-bundles.md` for offline factor bundles. Dependencies: DOCS-RISK-67-004. | Wait for export contract (069_AGEX0101) | DORS0101 |
| DOCS-RISK-68-002 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Security Guild | docs/risk | Update `/docs/security/aoc-invariants.md` with risk scoring provenance guarantees. Dependencies: DOCS-RISK-68-001. | Requires security approvals | DORS0101 |
| DOCS-RUNBOOK-401-017 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Ops Guild | `docs/runbooks/reachability-runtime.md`, `docs/reachability/DELIVERY_GUIDE.md` | Publish the reachability runtime ingestion runbook, link it from delivery guides, and keep Ops/Signals troubleshooting steps current. | Need latest reachability metrics from RBBN0101 | DORU0101 |
| DOCS-RUNBOOK-401-017 | DONE (2025-11-26) | 2025-11-26 | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Ops Guild | `docs/runbooks/reachability-runtime.md`, `docs/reachability/DELIVERY_GUIDE.md` | Publish the reachability runtime ingestion runbook, link it from delivery guides, and keep Ops/Signals troubleshooting steps current. | | DORU0101 |
| DOCS-RUNBOOK-55-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Ops Guild | docs/runbooks | Author `/docs/runbooks/incidents.md` describing incident mode activation, escalation steps, retention impact, verification checklist, and imposed rule banner. | Requires deployment checklist from DVPL0101 | DORU0101 |
| DOCS-SCANNER-BENCH-62-002 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Capture customer demand for Windows/macOS analyzer coverage and document outcomes. | Need bench inputs from SCSA0301 | DOSB0101 |
| DOCS-SCANNER-BENCH-62-003 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Capture Python lockfile/editable install requirements and document policy guidance. | Depends on #1 | DOSB0101 |
@@ -790,7 +790,7 @@
| DOCS-SIG-26-007 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Policy Guild | docs/modules/signals | Publish `/docs/api/signals.md` covering endpoints, payloads, ETags, errors. Dependencies: DOCS-SIG-26-006. | Needs policy overlay from PLVL0102 | DOSG0101 |
| DOCS-SIG-26-008 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Notifications Guild | docs/modules/signals | Write `/docs/migration/enable-reachability.md` guiding rollout, fallbacks, monitoring. Dependencies: DOCS-SIG-26-007. | Depends on notifications hooks (058_NOTY0101) | DOSG0101 |
| DOCS-SURFACE-01 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Surface Guild | docs/modules/scanner/surface | Create `/docs/modules/scanner/scanner-engine.md` covering Surface.FS/Env/Secrets workflow between Scanner, Zastava, Scheduler, and Ops. | Need latest surface emit notes (SCANNER-SURFACE-04) | DOSS0101 |
| DOCS-SYMS-70-003 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Symbols Guild | docs/modules/symbols | Author symbol-server architecture/spec docs (`docs/specs/symbols/SYMBOL_MANIFEST_v1.md`, API reference, bundle guide) and update reachability guides with symbol lookup workflow and tenant controls. Dependencies: SYMS-SERVER-401-011, SYMS-INGEST-401-013. | Need RBSY0101 cache notes | DOSY0101 |
| DOCS-SYMS-70-003 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · Symbols Guild | docs/specs/symbols/SYMBOL_MANIFEST_v1.md | Author symbol-server architecture/spec docs (`docs/specs/symbols/SYMBOL_MANIFEST_v1.md`, API reference, bundle guide) and update reachability guides with symbol lookup workflow and tenant controls. Dependencies: SYMS-SERVER-401-011, SYMS-INGEST-401-013. | | DOSY0101 |
| DOCS-TEN-47-001 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/tenancy | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` outlining scope grammar, tenant model, imposed rule reminder. | Need tenancy ADR from DVDO0110 | DOTN0101 |
| DOCS-TEN-48-001 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/tenancy | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md`. Dependencies: DOCS-TEN-47-001. | Depends on #1 | DOTN0101 |
| DOCS-TEN-49-001 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · DevOps Guild | docs/modules/tenancy | Publish `/docs/modules/cli/guides/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, update `/docs/install/configuration-reference.md` with new env vars, all ending with imposed rule line. Dependencies: DOCS-TEN-48-001. | Requires monitoring plan from DVDO0110 | DOTN0101 |
@@ -908,7 +908,7 @@
| ENGINE-70-005 | TODO | | SPRINT_126_policy_reasoning | Policy + Scheduler Worker Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | POLICY-ENGINE-70-004 | POLICY-ENGINE-70-004 | DOPE0106 |
| ENGINE-80-001 | TODO | | SPRINT_126_policy_reasoning | Policy + Signals Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | POLICY-ENGINE-70-005 | POLICY-ENGINE-70-005 | DOPE0106 |
| ENGINE-80-002 | TODO | | SPRINT_127_policy_reasoning | Policy + Storage Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | POLICY-ENGINE-80-001 | POLICY-ENGINE-80-001 | DOPE0106 |
| ENGINE-80-003 | TODO | | SPRINT_127_policy_reasoning | Policy + Policy Editor Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | POLICY-ENGINE-80-002 | POLICY-ENGINE-80-002 | DOPE0106 |
| ENGINE-80-003 | BLOCKED (2025-11-26) | | SPRINT_0127_0001_0001_policy_reasoning | Policy + Policy Editor Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | POLICY-ENGINE-80-002 | POLICY-ENGINE-80-002 | DOPE0106 |
| ENGINE-80-004 | TODO | | SPRINT_127_policy_reasoning | Policy + Observability Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | POLICY-ENGINE-80-003 | POLICY-ENGINE-80-003 | DOPE0106 |
| ENGINE-DOCS-0001 | TODO | | SPRINT_325_docs_modules_policy | Docs Guild (docs/modules/policy) | docs/modules/policy | Refresh module overview + governance ladder. | — | DOPE0107 |
| ENGINE-ENG-0001 | TODO | | SPRINT_325_docs_modules_policy | Module Team (docs/modules/policy) | docs/modules/policy | Capture engineering guidelines + acceptance tests. | — | DOPE0107 |
@@ -1426,8 +1426,8 @@
| POLICY-ENGINE-70-004 | TODO | | SPRINT_126_policy_reasoning | Policy Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Extend metrics/tracing/logging for exception application | POLICY-ENGINE-70-003 | |
| POLICY-ENGINE-70-005 | TODO | | SPRINT_126_policy_reasoning | Policy Guild, Scheduler Worker Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Provide APIs/workers hook for exception activation/expiry | POLICY-ENGINE-70-004 | |
| POLICY-ENGINE-80-001 | TODO | | SPRINT_126_policy_reasoning | Policy Guild, Signals Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Integrate reachability/exploitability inputs into evaluation pipeline | POLICY-ENGINE-70-005 | |
| POLICY-ENGINE-80-002 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Storage Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Create joining layer to read `reachability_facts` efficiently | POLICY-ENGINE-80-001 | |
| POLICY-ENGINE-80-003 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Policy Editor Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Extend SPL predicates/actions to reference reachability state/score/confidence; update compiler validation | POLICY-ENGINE-80-002 | |
| POLICY-ENGINE-80-002 | BLOCKED (2025-11-26) | | SPRINT_0127_0001_0001_policy_reasoning | Policy Guild, Storage Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Create joining layer to read `reachability_facts` efficiently | POLICY-ENGINE-80-001 | Waiting on reachability input contract (80-001). |
| POLICY-ENGINE-80-003 | BLOCKED (2025-11-26) | | SPRINT_0127_0001_0001_policy_reasoning | Policy Guild, Policy Editor Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Extend SPL predicates/actions to reference reachability state/score/confidence; update compiler validation | POLICY-ENGINE-80-002 | Blocked by reachability inputs/80-002. |
| POLICY-ENGINE-80-004 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Emit metrics | POLICY-ENGINE-80-003 | |
| POLICY-LIB-401-001 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild (`src/Policy/StellaOps.PolicyDsl`, `docs/policy/dsl.md`) | `src/Policy/StellaOps.PolicyDsl`, `docs/policy/dsl.md` | Extract the policy DSL parser/compiler into `StellaOps.PolicyDsl`, add the lightweight syntax (default action + inline rules), and expose `PolicyEngineFactory`/`SignalContext` APIs for reuse. | | |
| POLICY-LIB-401-002 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild, CLI Guild (`tests/Policy/StellaOps.PolicyDsl.Tests`, `policy/default.dsl`, `docs/policy/lifecycle.md`) | `tests/Policy/StellaOps.PolicyDsl.Tests`, `policy/default.dsl`, `docs/policy/lifecycle.md` | Ship unit-test harness + sample `policy/default.dsl` (table-driven cases) and wire `stella policy lint/simulate` to the shared library. | | |
@@ -1440,8 +1440,8 @@
| POLICY-READINESS-0001 | TODO | | SPRINT_325_docs_modules_policy | Policy Guild (docs/modules/policy) | docs/modules/policy | Capture policy module readiness checklist aligned with current sprint goals. | | |
| POLICY-READINESS-0002 | TODO | | SPRINT_325_docs_modules_policy | Policy Guild (docs/modules/policy) | docs/modules/policy | Track outstanding prerequisites/risk items for policy releases and mirror into sprint updates. | | |
| POLICY-RISK-66-001 | DONE | 2025-11-22 | SPRINT_127_policy_reasoning | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile | src/Policy/StellaOps.Policy.RiskProfile | Develop initial JSON Schema for RiskProfile (signals, transforms, weights, severity, overrides) with validator stubs | | |
| POLICY-RISK-66-002 | TODO | | SPRINT_127_policy_reasoning | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile | src/Policy/StellaOps.Policy.RiskProfile | Implement inheritance/merge logic with conflict detection and deterministic content hashing | POLICY-RISK-66-001 | |
| POLICY-RISK-66-003 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Risk Profile Schema Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Integrate RiskProfile schema into Policy Engine configuration, ensuring validation and default profile deployment | POLICY-RISK-66-002 | |
| POLICY-RISK-66-002 | DONE (2025-11-26) | | SPRINT_0127_0001_0001_policy_reasoning | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile | src/Policy/StellaOps.Policy.RiskProfile | Implement inheritance/merge logic with conflict detection and deterministic content hashing | POLICY-RISK-66-001 | Canonicalizer/merge + digest, tests added. |
| POLICY-RISK-66-003 | BLOCKED (2025-11-26) | | SPRINT_0127_0001_0001_policy_reasoning | Policy Guild, Risk Profile Schema Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Integrate RiskProfile schema into Policy Engine configuration, ensuring validation and default profile deployment | POLICY-RISK-66-002 | Waiting on reachability input contract (80-001) and engine config shape. |
| POLICY-RISK-66-004 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Risk Profile Schema Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Extend Policy libraries to load/save RiskProfile documents, compute content hashes, and surface validation diagnostics | POLICY-RISK-66-003 | |
| POLICY-RISK-67-001 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Risk Engine Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Trigger scoring jobs on new/updated findings via Policy Engine orchestration hooks | POLICY-RISK-66-004 | |
| POLICY-RISK-67-002 | BLOCKED (2025-11-26) | | SPRINT_0128_0001_0001_policy_reasoning | Policy Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Implement profile lifecycle APIs | POLICY-RISK-67-001 | Waiting on risk profile contract + schema draft. |
@@ -1456,7 +1456,7 @@
| POLICY-SPL-23-003 | DONE (2025-11-26) | | SPRINT_0128_0001_0001_policy_reasoning | Policy Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Build policy layering/override engine | POLICY-SPL-23-002 | `SplLayeringEngine` + tests landed. |
| POLICY-SPL-23-004 | DONE (2025-11-26) | | SPRINT_0128_0001_0001_policy_reasoning | Policy Guild, Audit Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Design explanation tree model | POLICY-SPL-23-003 | Explanation tree emitted from evaluation; persistence follow-up. |
| POLICY-SPL-23-005 | DONE (2025-11-26) | | SPRINT_0128_0001_0001_policy_reasoning | Policy Guild, DevEx Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Create migration tool to snapshot existing behavior into baseline SPL packs | POLICY-SPL-23-004 | `SplMigrationTool` emits canonical SPL JSON from PolicyDocument. |
| POLICY-SPL-24-001 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, Signals Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Extend SPL schema to expose reachability/exploitability predicates and weighting functions; update documentation and fixtures | POLICY-SPL-23-005 | |
| POLICY-SPL-24-001 | DONE (2025-11-26) | 2025-11-26 | SPRINT_128_policy_reasoning | Policy Guild, Signals Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Extend SPL schema to expose reachability/exploitability predicates and weighting functions; update documentation and fixtures | POLICY-SPL-23-005 | |
| POLICY-TEN-48-001 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Policy Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Add `tenant_id`/`project_id` columns, enable RLS, update evaluators to require tenant context, and emit rationale IDs including tenant metadata | | |
| POLICY-VEX-401-006 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy`) | `src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy` | Policy Engine consumes reachability facts, applies the deterministic score/label buckets (≥0.80 reachable, 0.300.79 conditional, <0.30 unreachable), emits OpenVEX with call-path proofs, and updates SPL schema with `reachability.state/confidence` predicates and suppression gates. | | |
| POLICY-VEX-401-010 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild (`src/Policy/StellaOps.Policy.Engine/Vex`, `docs/modules/policy/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | `src/Policy/StellaOps.Policy.Engine/Vex`, `docs/modules/policy/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md` | Implement `VexDecisionEmitter` to serialize per-finding OpenVEX, attach evidence hashes, request DSSE signatures, capture Rekor metadata, and publish artifacts following the bench playbook. | | |
@@ -1763,7 +1763,7 @@
| SDK-64-001 | TODO | | SPRINT_204_cli_iv | DevEx/CLI Guild, SDK Release Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
| SDKGEN-62-001 | TODO | | SPRINT_0208_0001_0001_sdk | SDK Generator Guild | src/Sdk/StellaOps.Sdk.Generator | Choose/pin generator toolchain, set up language template pipeline, and enforce reproducible builds. | DEVL0101 portal contracts | SDKG0101 |
| SDKGEN-62-002 | TODO | | SPRINT_0208_0001_0001_sdk | SDK Generator Guild | src/Sdk/StellaOps.Sdk.Generator | Implement shared post-processing (auth helpers, retries, pagination utilities, telemetry hooks) applied to all languages. Dependencies: SDKGEN-62-001. | SDKGEN-62-001 | SDKG0101 |
| SDKGEN-63-001 | TODO | | SPRINT_0208_0001_0001_sdk | SDK Generator Guild | src/Sdk/StellaOps.Sdk.Generator | Ship TypeScript SDK alpha with ESM/CJS builds, typed errors, paginator, streaming helpers. Dependencies: SDKGEN-62-002. | 63-004 | SDKG0101 |
| SDKGEN-63-001 | DOING | 2025-11-26 | SPRINT_0208_0001_0001_sdk | SDK Generator Guild | src/Sdk/StellaOps.Sdk.Generator | Ship TypeScript SDK alpha with ESM/CJS builds, typed errors, paginator, streaming helpers. Dependencies: SDKGEN-62-002. | 63-004 | SDKG0101 |
| SDKGEN-63-002 | TODO | | SPRINT_0208_0001_0001_sdk | SDK Generator Guild | src/Sdk/StellaOps.Sdk.Generator | Ship Python SDK alpha (sync/async clients, type hints, upload/download helpers). Dependencies: SDKGEN-63-001. | SDKGEN-63-001 | SDKG0101 |
| SDKGEN-63-003 | TODO | | SPRINT_0208_0001_0001_sdk | SDK Generator Guild | src/Sdk/StellaOps.Sdk.Generator | Ship Go SDK alpha with context-first API and streaming helpers. Dependencies: SDKGEN-63-002. | SDKGEN-63-002 | SDKG0101 |
| SDKGEN-63-004 | TODO | | SPRINT_0208_0001_0001_sdk | SDK Generator Guild | src/Sdk/StellaOps.Sdk.Generator | Ship Java SDK alpha (builder pattern, HTTP client abstraction). Dependencies: SDKGEN-63-003. | SDKGEN-63-003 | SDKG0101 |
@@ -1851,7 +1851,7 @@
| SPL-23-003 | TODO | | SPRINT_128_policy_reasoning | Policy Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-SPL-23-002 | |
| SPL-23-004 | DONE (2025-11-26) | | SPRINT_0128_0001_0001_policy_reasoning | Policy Guild, Audit Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-SPL-23-003 | Explanation tree emitted from evaluation; persistence follow-up. |
| SPL-23-005 | TODO | | SPRINT_0128_0001_0001_policy_reasoning | Policy Guild, DevEx Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-SPL-23-004 | |
| SPL-24-001 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, Signals Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-SPL-23-005 | |
| SPL-24-001 | DONE (2025-11-26) | 2025-11-26 | SPRINT_128_policy_reasoning | Policy Guild, Signals Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-SPL-23-005 | |
| STORE-401-016 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Signals Guild · BE-Base Platform Guild (`src/Signals/StellaOps.Signals`, `src/__Libraries/StellaOps.Replay.Core`) | `src/Signals/StellaOps.Signals`, `src/__Libraries/StellaOps.Replay.Core` | | | |
| STORE-AOC-19-001 | DONE (2025-11-25) | | SPRINT_0119_0001_0005_excititor_v | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo) | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | | | |
| STORE-AOC-19-002 | DONE (2025-11-25) | | SPRINT_0119_0001_0005_excititor_v | Excititor Storage Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo) | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | | | |
@@ -2888,7 +2888,7 @@
| DOCS-CONTRIB-62-001 | DONE | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild, API Governance Guild (docs) | | Publish `/docs/contributing/api-contracts.md` detailing how to edit OAS, lint rules, compatibility checks. | — | DOCL0101 |
| DOCS-DETER-70-002 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Scanner Guild | docs/modules/scanner/determinism.md | Document the scanner determinism score process (`determinism.json` schema, CI harness, replay instructions) under `/docs/modules/scanner/determinism-score.md` and add a release-notes template entry. Dependencies: SCAN-DETER-186-010, DEVOPS-SCAN-90-004. | Need deterministic suite notes from 137_SCDT0101 | DOSC0101 |
| DOCS-DEVPORT-62-001 | DONE | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild, Developer Portal Guild (docs) | | Document `/docs/devportal/publishing.md` for build pipeline, offline bundle steps. | — | DOCL0101 |
| DOCS-DSL-401-005 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild (`docs/policy/dsl.md`, `docs/policy/lifecycle.md`) | `docs/policy/dsl.md`, `docs/policy/lifecycle.md` | Refresh `docs/policy/dsl.md` + lifecycle docs with the new syntax, signal dictionary (`trust_score`, `reachability`, etc.), authoring workflow, and safety rails (shadow mode, coverage tests). | — | DOCL0101 |
| DOCS-DSL-401-005 | DONE (2025-11-26) | 2025-11-26 | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild (`docs/policy/dsl.md`, `docs/policy/lifecycle.md`) | `docs/policy/dsl.md`, `docs/policy/lifecycle.md` | Refresh `docs/policy/dsl.md` + lifecycle docs with the new syntax, signal dictionary (`trust_score`, `reachability`, etc.), authoring workflow, and safety rails (shadow mode, coverage tests). | — | DOCL0101 |
| DOCS-ENTROPY-70-004 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Scanner Guild | docs/modules/scanner/determinism.md | Publish entropy analysis documentation (scoring heuristics, JSON schemas, policy hooks, UI guidance) under `docs/modules/scanner/entropy.md` and update trust-lattice references. Dependencies: SCAN-ENTROPY-186-011/012, POLICY-RISK-90-001. | Requires entropy guardrails from 078_SCSA0301 | DOSC0101 |
| DOCS-EXC-25-001 | BLOCKED | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild | docs/modules/excititor | Author `/docs/governance/exceptions.md` covering lifecycle, scope patterns, examples, compliance checklist. | Blocked: waiting on CLEX0101 exception governance spec and UI workflow | DOEX0102 |
| DOCS-EXC-25-002 | BLOCKED | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild | docs/modules/excititor | Publish `/docs/governance/approvals-and-routing.md` detailing roles, routing matrix, MFA rules, audit trails. Dependencies: DOCS-EXC-25-001. | Blocked: upstream DOCS-EXC-25-001 | DOEX0102 |
@@ -2897,16 +2897,16 @@
| DOCS-EXC-25-006 | TODO | | SPRINT_303_docs_tasks_md_iii | Docs Guild | docs/modules/excititor | Update `/docs/modules/cli/guides/exceptions.md` covering command usage and exit codes. Dependencies: DOCS-EXC-25-005. | CLEX0101 | DOEX0102 |
| DOCS-EXC-25-007 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · DevOps Guild | docs/modules/excititor | Publish `/docs/migration/exception-governance.md` describing cutover from legacy suppressions, notifications, rollback. Dependencies: DOCS-EXC-25-006. | UIEX0101 & Ops runbooks | DOEX0102 |
| DOCS-EXPORT-37-004 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Export Center Guild | docs/modules/export-center | Publish `/docs/security/export-hardening.md` outlining RBAC, tenancy, encryption, redaction, restating imposed rule. | Wait for ATMI0102 orchestration notes | DOEC0102 |
| DOCS-EXPORT-37-005 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Export Center Guild | docs/modules/export-center | Validate Export Center docs against live Trivy/mirror bundles once implementation lands; refresh examples and CLI snippets accordingly. Dependencies: DOCS-EXPORT-37-004. | Needs AGDP0101 manifest schema | DOEC0102 |
| DOCS-EXPORT-37-005 | BLOCKED | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · Export Center Guild | docs/modules/export-center | Validate Export Center docs against live Trivy/mirror bundles once implementation lands; refresh examples and CLI snippets accordingly. Dependencies: DOCS-EXPORT-37-004. | Blocked: awaiting live bundle verification | DOEC0102 |
| DOCS-EXPORT-37-101 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · DevOps Guild | docs/modules/export-center | Refresh CLI verification sections once `stella export verify` lands (flags, exit codes, samples). Dependencies: DOCS-EXPORT-37-005. | Depends on DVDO0105 deployment guide | DOEC0102 |
| DOCS-EXPORT-37-102 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Evidence Locker Guild | docs/modules/export-center | Embed export dashboards/alerts references into provenance/runbook docs after Grafana work ships. Dependencies: DOCS-EXPORT-37-101. | Requires ATEL0102 attestation feed | DOEC0102 |
| DOCS-FORENSICS-53-001 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Evidence Locker Guild | docs/modules/evidence-locker/forensics.md | Publish `/docs/forensics/evidence-locker.md` describing bundle formats, WORM options, retention, legal hold, and imposed rule banner. | Need DSSE digest notes from 002_ATEL0101 | DOEL0101 |
| DOCS-FORENSICS-53-002 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Provenance Guild | docs/modules/evidence-locker/forensics.md | Release `/docs/forensics/provenance-attestation.md` covering DSSE schema, signing process, verification workflow, and imposed rule banner. Dependencies: DOCS-FORENSICS-53-001. | Waiting on provenance recorder sample (104_RBRE0101) | DOEL0101 |
| DOCS-FORENSICS-53-003 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Timeline Indexer Guild | docs/modules/evidence-locker/forensics.md | Publish `/docs/forensics/timeline.md` with schema, event kinds, filters, query examples, and imposed rule banner. Dependencies: DOCS-FORENSICS-53-002. | Requires timeline indexer export from 055_AGIM0101 | DOEL0101 |
| DOCS-FORENSICS-53-001 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · Evidence Locker Guild | docs/forensics/evidence-locker.md | Publish `/docs/forensics/evidence-locker.md` describing bundle formats, WORM options, retention, legal hold, and imposed rule banner. | | DOEL0101 |
| DOCS-FORENSICS-53-002 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · Provenance Guild | docs/forensics/provenance-attestation.md | Release `/docs/forensics/provenance-attestation.md` covering DSSE schema, signing process, verification workflow, and imposed rule banner. Dependencies: DOCS-FORENSICS-53-001. | | DOEL0101 |
| DOCS-FORENSICS-53-003 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · Timeline Indexer Guild | docs/forensics/timeline.md | Publish `/docs/forensics/timeline.md` with schema, event kinds, filters, query examples, and imposed rule banner. Dependencies: DOCS-FORENSICS-53-002. | | DOEL0101 |
| DOCS-GRAPH-24-001 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Graph Guild | docs/modules/graph | Author `/docs/ui/sbom-graph-explorer.md` detailing overlays, filters, saved views, accessibility, and AOC visibility. | Wait for GRAP0101 contract freeze | DOGR0101 |
| DOCS-GRAPH-24-002 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · UI Guild | docs/modules/graph | Publish `/docs/ui/vulnerability-explorer.md` covering table usage, grouping, fix suggestions, Why drawer. Dependencies: DOCS-GRAPH-24-001. | Needs SBOM/VEX dataflow confirmation (PLLG0104) | DOGR0101 |
| DOCS-GRAPH-24-003 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · SBOM Guild | docs/modules/graph | Create `/docs/modules/graph/architecture-index.md` describing data model, ingestion pipeline, caches, events. Dependencies: DOCS-GRAPH-24-002. | Unblocked: SBOM join spec delivered with CARTO-GRAPH-21-002 (2025-11-17). | DOGR0101 |
| DOCS-GRAPH-24-004 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · BE-Base Guild | docs/modules/graph | Document `/docs/api/graph.md` and `/docs/api/vuln.md` avec endpoints, parameters, errors, RBAC. Dependencies: DOCS-GRAPH-24-003. | Require replay hooks from RBBN0101 | DOGR0101 |
| DOCS-GRAPH-24-004 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · BE-Base Guild | docs/api/graph.md; docs/api/vuln.md | Document `/docs/api/graph.md` and `/docs/api/vuln.md` avec endpoints, parameters, errors, RBAC. Dependencies: DOCS-GRAPH-24-003. | Require replay hooks from RBBN0101 | DOGR0101 |
| DOCS-GRAPH-24-005 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · DevEx/CLI Guild | docs/modules/graph | Update `/docs/modules/cli/guides/graph-and-vuln.md` covering new CLI commands, exit codes, scripting. Dependencies: DOCS-GRAPH-24-004. | Wait for CLI samples from CLCI0109 | DOGR0101 |
| DOCS-GRAPH-24-006 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Policy Guild | docs/modules/graph | Write `/docs/policy/ui-integration.md` explaining overlays, cache usage, simulator contracts. Dependencies: DOCS-GRAPH-24-005. | Needs policy outputs from PLVL0102 | DOGR0101 |
| DOCS-GRAPH-24-007 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · DevOps Guild | docs/modules/graph | Produce `/docs/migration/graph-parity.md` with rollout plan, parity checks, fallback guidance. Dependencies: DOCS-GRAPH-24-006. | Depends on DVDO0108 deployment notes | DOGR0101 |
@@ -2941,8 +2941,9 @@
| DOCS-ORCH-34-004 | TODO | | SPRINT_306_docs_tasks_md_vi | Docs Guild · Observability Guild | docs/modules/orchestrator | Document `/docs/schemas/artifacts.md` describing artifact kinds, schema versions, hashing, storage layout, restating imposed rule. Dependencies: DOCS-ORCH-34-003. | Wait for observability dashboards (063_OROB0101) | DOOR0102 |
| DOCS-ORCH-34-005 | TODO | | SPRINT_306_docs_tasks_md_vi | Docs Guild · BE-Base Guild | docs/modules/orchestrator | Author `/docs/slo/orchestrator-slo.md` defining SLOs, burn alerts, measurement, and reiterating imposed rule. Dependencies: DOCS-ORCH-34-004. | Needs replay linkage from 042_RPRC0101 | DOOR0102 |
| | DOPL0103 | | | | | | | |
| DOCS-POLICY-23-002 | TODO | | SPRINT_307_docs_tasks_md_vii | Docs Guild | docs/policy/lifecycle.md | Write `/docs/policy/spl-v1.md` (language reference, JSON Schema, examples). Dependencies: DOCS-POLICY-23-001. | DOCS-POLICY-23-001 | DOPL0103 |
| DOCS-POLICY-23-003 | TODO | | SPRINT_307_docs_tasks_md_vii | Docs Guild | docs/policy/lifecycle.md | Produce `/docs/policy/runtime.md` covering compiler, evaluator, caching, events, SLOs. Dependencies: DOCS-POLICY-23-002. | Waiting on SPL reference | DOPL0101 |
| DOCS-POLICY-23-001 | DONE (2025-11-26) | 2025-11-26 | SPRINT_307_docs_tasks_md_vii | Docs Guild | docs/policy/overview.md | Author `/docs/policy/overview.md` describing SPL philosophy, layering, and glossary with reviewer checklist. | — | DOPL0103 |
| DOCS-POLICY-23-002 | DONE (2025-11-26) | 2025-11-26 | SPRINT_307_docs_tasks_md_vii | Docs Guild | docs/policy/spl-v1.md | Write `/docs/policy/spl-v1.md` (language reference, JSON Schema, examples). Dependencies: DOCS-POLICY-23-001. | DOCS-POLICY-23-001 | DOPL0103 |
| DOCS-POLICY-23-003 | DONE (2025-11-26) | 2025-11-26 | SPRINT_307_docs_tasks_md_vii | Docs Guild | docs/policy/runtime.md | Produce `/docs/policy/runtime.md` covering compiler, evaluator, caching, events, SLOs. Dependencies: DOCS-POLICY-23-002. | — | DOPL0101 |
| DOCS-POLICY-23-004 | TODO | | SPRINT_307_docs_tasks_md_vii | Docs Guild · UI Guild | docs/policy/lifecycle.md | Document `/docs/policy/editor.md` (UI walkthrough, validation, simulation, approvals). Dependencies: DOCS-POLICY-23-003. | Depends on 23-003 | DOPL0101 |
| DOCS-POLICY-23-005 | TODO | | SPRINT_307_docs_tasks_md_vii | Docs Guild · DevOps Guild | docs/policy/lifecycle.md | Publish `/docs/policy/governance.md` (roles, scopes, approvals, signing, exceptions). Dependencies: DOCS-POLICY-23-004. | Depends on DevOps automation (141_DVDO0107) | DOPL0101 |
| DOCS-POLICY-23-006 | TODO | | SPRINT_307_docs_tasks_md_vii | Docs Guild · DevEx/CLI Guild | docs/policy/lifecycle.md | Update `/docs/api/policy.md` with new endpoints, schemas, errors, pagination. Dependencies: DOCS-POLICY-23-005. | Wait for CLI commands (132_CLCI0110) | DOPL0101 |
@@ -2965,7 +2966,7 @@
| DOCS-POLICY-27-013 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Policy Guild | docs/policy/runs.md | Update `/docs/examples/policy-templates.md` with new templates, snippets, and sample policies. Dependencies: DOCS-POLICY-27-012. | Await policy guild approval | DOPL0103 |
| DOCS-POLICY-27-014 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Policy Registry Guild | docs/policy/runs.md | Refresh `/docs/aoc/aoc-guardrails.md` to include Studio-specific guardrails and validation scenarios. Dependencies: DOCS-POLICY-27-013. | Needs policy registry approvals | DOPL0103 |
| DOCS-POLICY-DET-01 | TODO | | SPRINT_301_docs_tasks_md_i | Docs Guild · Policy Guild | docs/policy/runs.md | Extend `docs/modules/policy/architecture.md` with determinism gate semantics and provenance references. | Depends on deterministic harness (137_SCDT0101) | DOPL0103 |
| DOCS-PROMO-70-001 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Provenance Guild | docs/modules/provenance | Publish `/docs/release/promotion-attestations.md` describing the promotion workflow (CLI commands, Signer/Attestor integration, offline verification) and update `/docs/forensics/provenance-attestation.md` with the new predicate. Dependencies: PROV-OBS-53-003, CLI-PROMO-70-002. | Need provenance promo outline from Provenance Guild | DOPV0101 |
| DOCS-PROMO-70-001 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · Provenance Guild | docs/release/promotion-attestations.md | Publish `/docs/release/promotion-attestations.md` describing the promotion workflow (CLI commands, Signer/Attestor integration, offline verification) and update `/docs/forensics/provenance-attestation.md` with the new predicate. Dependencies: PROV-OBS-53-003, CLI-PROMO-70-002. | | DOPV0101 |
| DOCS-REACH-201-006 | TODO | | SPRINT_400_runtime_facts_static_callgraph_union | Docs Guild · Runtime Evidence Guild | docs/reachability | Author the reachability doc set (`docs/signals/reachability.md`, `callgraph-formats.md`, `runtime-facts.md`, CLI/UI appendices) plus update Zastava + Replay guides with the new evidence and operators workflow. | Needs RBRE0101 provenance hook summary | DORC0101 |
| DOCS-REPLAY-185-003 | TODO | | SPRINT_185_shared_replay_primitives | Docs Guild · Platform Data Guild | docs/replay | Author `docs/data/replay_schema.md` detailing `replay_runs`, `replay_bundles`, `replay_subjects` collections, index guidance, and offline sync strategy aligned with Replay CAS. | Need RPRC0101 API freeze | DORR0101 |
| DOCS-REPLAY-185-004 | TODO | | SPRINT_185_shared_replay_primitives | Docs Guild | docs/replay | Expand `docs/replay/DEVS_GUIDE_REPLAY.md` with integration guidance for consuming services (Scanner, Evidence Locker, CLI) and add checklist derived from `docs/replay/DETERMINISTIC_REPLAY.md` Section 11. | Depends on #1 | DORR0101 |
@@ -3312,7 +3313,7 @@
| GRAPH-API-28-011 | TODO | | SPRINT_0207_0001_0001_graph | Graph API Guild | src/Graph/StellaOps.Graph.Api | Provide deployment manifests, offline kit support, API gateway integration docs, and smoke tests. Dependencies: GRAPH-API-28-010. | GRAPH-API-28-009 | GRAPI0101 |
| GRAPH-CAS-401-001 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Scanner Worker Guild | `src/Scanner/StellaOps.Scanner.Worker` | Finalize richgraph schema (`richgraph-v1`), emit canonical SymbolIDs, compute graph hash (BLAKE3), and store CAS manifests under `cas://reachability/graphs/{sha256}`. Update Scanner Worker adapters + fixtures. | Depends on #1 | CASC0101 |
| GRAPH-DOCS-0001 | DONE (2025-11-05) | 2025-11-05 | SPRINT_321_docs_modules_graph | Docs Guild | docs/modules/graph | Validate that graph module README/diagrams reflect the latest overlay + snapshot updates. | GRAPI0101 evidence | GRDG0101 |
| GRAPH-DOCS-0002 | TODO | 2025-11-05 | SPRINT_321_docs_modules_graph | Docs Guild | docs/modules/graph | Pending DOCS-GRAPH-24-003 to add API/query doc cross-links | GRAPI0101 outputs | GRDG0101 |
| GRAPH-DOCS-0002 | DONE (2025-11-26) | 2025-11-26 | SPRINT_321_docs_modules_graph | Docs Guild | docs/modules/graph | Pending DOCS-GRAPH-24-003 to add API/query doc cross-links | GRAPI0101 outputs | GRDG0101 |
| GRAPH-ENG-0001 | TODO | | SPRINT_321_docs_modules_graph | Module Team | docs/modules/graph | Keep module milestones in sync with `/docs/implplan/SPRINT_141_graph.md` and related files. | GRSC0101 | GRDG0101 |
| GRAPH-INDEX-28-007 | DOING | | SPRINT_0140_0001_0001_runtime_signals | — | | Running on scanner surface mock bundle v1; will validate again once real caches drop. | — | ORGR0101 |
| GRAPH-INDEX-28-008 | TODO | | SPRINT_0140_0001_0001_runtime_signals | — | | Incremental update/backfill pipeline depends on 28-007 artifacts; retry/backoff plumbing sketched but blocked. | — | ORGR0101 |
@@ -3652,7 +3653,7 @@
| POLICY-READINESS-0001 | TODO | | SPRINT_325_docs_modules_policy | Policy Guild (docs/modules/policy) | docs/modules/policy | Capture policy module readiness checklist aligned with current sprint goals. | | |
| POLICY-READINESS-0002 | TODO | | SPRINT_325_docs_modules_policy | Policy Guild (docs/modules/policy) | docs/modules/policy | Track outstanding prerequisites/risk items for policy releases and mirror into sprint updates. | | |
| POLICY-RISK-66-001 | DONE | 2025-11-22 | SPRINT_127_policy_reasoning | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile | src/Policy/StellaOps.Policy.RiskProfile | Develop initial JSON Schema for RiskProfile (signals, transforms, weights, severity, overrides) with validator stubs | | |
| POLICY-RISK-66-002 | TODO | | SPRINT_127_policy_reasoning | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile | src/Policy/StellaOps.Policy.RiskProfile | Implement inheritance/merge logic with conflict detection and deterministic content hashing | POLICY-RISK-66-001 | |
| POLICY-RISK-66-002 | DONE (2025-11-26) | | SPRINT_0127_0001_0001_policy_reasoning | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile | src/Policy/StellaOps.Policy.RiskProfile | Implement inheritance/merge logic with conflict detection and deterministic content hashing | POLICY-RISK-66-001 | Canonicalizer/merge + digest, tests added. |
| POLICY-RISK-66-003 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Risk Profile Schema Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Integrate RiskProfile schema into Policy Engine configuration, ensuring validation and default profile deployment | POLICY-RISK-66-002 | |
| POLICY-RISK-66-004 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Risk Profile Schema Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Extend Policy libraries to load/save RiskProfile documents, compute content hashes, and surface validation diagnostics | POLICY-RISK-66-003 | |
| POLICY-RISK-67-001 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Risk Engine Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Trigger scoring jobs on new/updated findings via Policy Engine orchestration hooks | POLICY-RISK-66-004 | |
@@ -3668,7 +3669,7 @@
| POLICY-SPL-23-003 | DONE (2025-11-26) | | SPRINT_0128_0001_0001_policy_reasoning | Policy Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Build policy layering/override engine | POLICY-SPL-23-002 | `SplLayeringEngine` + tests landed. |
| POLICY-SPL-23-004 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, Audit Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Design explanation tree model | POLICY-SPL-23-003 | |
| POLICY-SPL-23-005 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, DevEx Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Create migration tool to snapshot existing behavior into baseline SPL packs | POLICY-SPL-23-004 | |
| POLICY-SPL-24-001 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, Signals Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Extend SPL schema to expose reachability/exploitability predicates and weighting functions; update documentation and fixtures | POLICY-SPL-23-005 | |
| POLICY-SPL-24-001 | DONE (2025-11-26) | 2025-11-26 | SPRINT_128_policy_reasoning | Policy Guild, Signals Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Extend SPL schema to expose reachability/exploitability predicates and weighting functions; update documentation and fixtures | POLICY-SPL-23-005 | |
| POLICY-TEN-48-001 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Policy Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Add `tenant_id`/`project_id` columns, enable RLS, update evaluators to require tenant context, and emit rationale IDs including tenant metadata | | |
| POLICY-VEX-401-006 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy`) | `src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy` | Policy Engine consumes reachability facts, applies the deterministic score/label buckets (≥0.80 reachable, 0.300.79 conditional, <0.30 unreachable), emits OpenVEX with call-path proofs, and updates SPL schema with `reachability.state/confidence` predicates and suppression gates. | | |
| POLICY-VEX-401-010 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild (`src/Policy/StellaOps.Policy.Engine/Vex`, `docs/modules/policy/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | `src/Policy/StellaOps.Policy.Engine/Vex`, `docs/modules/policy/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md` | Implement `VexDecisionEmitter` to serialize per-finding OpenVEX, attach evidence hashes, request DSSE signatures, capture Rekor metadata, and publish artifacts following the bench playbook. | | |
@@ -4062,7 +4063,7 @@
| SPL-23-003 | TODO | | SPRINT_128_policy_reasoning | Policy Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-SPL-23-002 | |
| SPL-23-004 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, Audit Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-SPL-23-003 | |
| SPL-23-005 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, DevEx Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-SPL-23-004 | |
| SPL-24-001 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, Signals Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-SPL-23-005 | |
| SPL-24-001 | DONE (2025-11-26) | 2025-11-26 | SPRINT_128_policy_reasoning | Policy Guild, Signals Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-SPL-23-005 | |
| STORE-401-016 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Signals Guild · BE-Base Platform Guild (`src/Signals/StellaOps.Signals`, `src/__Libraries/StellaOps.Replay.Core`) | `src/Signals/StellaOps.Signals`, `src/__Libraries/StellaOps.Replay.Core` | | | |
| STORE-AOC-19-001 | TODO | | SPRINT_123_excititor_v | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo) | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | | | |
| STORE-AOC-19-002 | TODO | | SPRINT_123_excititor_v | Excititor Storage Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo) | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | | | |

104
docs/migration/exception-governance.md
View File

@@ -1,64 +1,58 @@
# Exception Governance Migration Guide
Status: Draft (2025-11-26) — aligns with Excititor VEX/exception flows and Doc task DOCS-EXC-25-007.
> **Imposed rule:** All exceptions must be time-bound, tenant-scoped, and auditable; legacy perpetual suppressions are prohibited after cutover.
## Why this migration
- Retire legacy suppressions/waivers and move to policy/VEX-first exceptions with provenance.
- Provide auditable, reversible exceptions with rollout/rollback plans and notifications.
This guide explains how to migrate from legacy suppressions/notifications to the unified Exception Governance model in Excititor and Console.
## Target state
- Exceptions are recorded as:
- VEX statements (OpenVEX) referencing findings and components.
- Policy overrides (simulator) with scope, expiry, and rationale.
- Optional authority approval attestation (DSSE) per exception bundle.
- Persistence: Excititor stores exception records with tenant, source, scope, expiry, approver, evidence links.
- Propagation:
- Graph overlays surface exception status on nodes/edges.
- Notify emits `exception.created/expired` events.
- CLI/Console consume exception status via `/exceptions` API.
## 1. What changes
- **Unified exception object:** replaces ad-hoc suppressions. Fields: `tenant`, `scope` (purl/image/component), `vuln` (CVE/alias), `justification`, `expiration`, `owner`, `evidence_refs`, `policy_binding`, `status` (draft/staged/active/expired).
- **Two-phase activation:** `draft → staged → active` with policy simulator snapshot; rollbacks produce a compensating exception marked `supersedes`.
- **Notifications:** move from broad email hooks to route-specific notifications (policy events, expiring exceptions) using Notify service templates.
- **Auditability:** each lifecycle change emits Timeline + Evidence Locker entries; exports include DSSE attestation of the exception set.
## Migration steps
1) **Freeze legacy inputs**
- Disable new legacy suppressions in UI/CLI.
- Mark existing suppressions read-only; export CSV/NDJSON snapshot.
2) **Export legacy suppressions**
- Run `exc suppressions export --format ndjson --with-rationale --with-expiry`.
- Store exports with SHA256 and DSSE envelope in `exceptions/export-YYYYMMDD/`.
3) **Transform to VEX/policy overrides**
- Convert each suppression to OpenVEX statement:
- `status`: `not_affected` or `under_investigation`.
- `justification`: map legacy reason → VEX justification code.
- `impact`: optional; include nearest safe version if known.
- Generate policy override record with:
- `scope` (component, environment, service).
- `expiresAt` (carry forward or set 30/90d).
- `rationale` from legacy note.
4) **Import**
- Use Excititor `/exceptions/import` (or CLI `exc exceptions import`) to load transformed NDJSON.
- Verify import report: counts by status, rejected items, conflicts.
5) **Notify & rollout**
- Notify downstream systems: Graph overlays refresh, Scanner/Vuln Explorer respect VEX, Policy Engine caches reload.
- Announce change freeze window and rollback plan.
## 2. Migration phases
1. **Inventory legacy suppressions**
- Export current suppressions and notification rules (per tenant) to NDJSON.
- Classify by scope: package, image, repo, tenant-wide.
2. **Normalize and enrich**
- Map each suppression to the unified schema; add `expiration` (default 30/90 days), `owner`, `justification` (use VEX schema categories when available).
- Attach evidence references (ticket URL, VEX claim ID, scan report digest) where missing.
3. **Create staged exceptions**
- Import NDJSON via Console or `stella exceptions import --stage` (CLI guide: `docs/modules/cli/guides/exceptions.md`).
- Run policy simulator; resolve conflicts flagged by Aggregation-Only Contract (AOC) enforcement.
4. **Activate with guardrails**
- Promote staged → active in batches; each promotion emits Timeline events and optional Rekor-backed attestation bundle (if Attestor is enabled).
- Configure Notify templates for expiring exceptions (T14/T3 days) and denied promotions.
5. **Decommission legacy paths**
- Disable legacy suppression writes; keep read-only for 30 days with banner noting deprecation.
- Remove legacy notification hooks after confirming staged/active parity.
## Rollback plan
- Keep legacy suppressions export.
- If import fails or downstream errors:
- Disable new exception endpoints feature flag.
- Re-enable legacy suppressions (read-only → writable) temporarily.
- Investigate rejected items; re-run transform/import after fix.
## 3. Data shapes
- **Import NDJSON record (minimal):** `{ tenant, vuln, scope:{type:'purl'|'image'|'component', value}, justification, expiration, owner }
- **Export manifest:** `{ generated_at, tenant, count, sha256, aoc_enforced, source:'migration-legacy-suppressions' }`
- **Attestation (optional):** DSSE over exception set digest; stored alongside manifest in Evidence Locker.
## Notifications
- When migrating: send summary to tenants with counts per status and upcoming expiries.
- Ongoing: Notify events `exception.created`, `exception.expired`, `exception.rejected` with tenant + scope.
## 4. Rollback plan
- Keep legacy suppressions read-only for 30 days.
- If a promotion batch causes regressions, mark affected exceptions `expired` and re-enable corresponding legacy suppressions for that tenant only.
- Emit `rollback_notice` Timeline events and Notify operators.
## Validation checklist
- [ ] Legacy suppressions export stored with SHA256 + DSSE.
- [ ] Transform script maps all legacy reasons → VEX justification codes.
- [ ] Import dry-run produces zero rejects or documented rejects with reasons.
- [ ] Overlay/Console shows exceptions on affected components.
- [ ] Rollback tested on staging.
## 5. Air-gap considerations
- Imports/exports are file-based (NDJSON + manifest); no external calls required.
- Verification uses bundled attestations; Rekor proofs are optional offline.
- Console shows AOC badge when Aggregation-Only Contract limits apply; exports record `aoc=true`.
## References
- Excititor module: `docs/modules/excititor/architecture.md`, `vex_observations.md`.
- Policy simulator: `docs/modules/policy/architecture.md` (POLICY-ENGINE-30-001..003).
- Graph overlays: `docs/modules/graph/architecture-index.md`.
## 6. Checklists
- [ ] All legacy suppressions exported to NDJSON per tenant.
- [ ] Every exception has justification, owner, expiration.
- [ ] Policy simulator run and results attached to exception batch.
- [ ] Notify templates enabled for expiring/denied promotions.
- [ ] Legacy write paths disabled; read-only banner present.
- [ ] Attestation bundle stored (if Attestor available) and Evidence Locker entry created.
## 7. References
- `docs/modules/excititor/architecture.md`
- `docs/modules/excititor/implementation_plan.md`
- `docs/modules/cli/guides/exceptions.md`
- `docs/security/export-hardening.md`
- `docs/policy/ui-integration.md`

61
docs/migration/graph-parity.md Normal file
View File

@@ -0,0 +1,61 @@
# Graph Parity Rollout Guide
Status: Draft (2025-11-26) — DOCS-GRAPH-24-007.
## Goal
Transition from legacy graph surfaces (Cartographer/UI stubs) to the new Graph API + Indexer stack with clear rollback and parity checks.
## Scope
- Graph API (Sprint 0207) + Graph Indexer (Sprint 0141)
- Consumers: Graph Explorer, Vuln Explorer, Console/CLI, Export Center, Advisory AI overlays
- Tenants: all; pilot recommended with 12 tenants first
## Phased rollout
1) **Pilot**
- Enable new Graph API for pilot tenants behind feature flag `graph.api.v2`.
- Run daily parity job: compare node/edge counts and hashes against legacy output for selected snapshots.
2) **Shadow**
- Mirror queries from UI/CLI to both legacy and new APIs; log differences.
- Metrics to track: `parity_diff_nodes_total`, `parity_diff_edges_total`, p95 latency deltas.
3) **Cutover**
- Switch UI/CLI to new endpoints; keep shadow logging for 1 week.
- Freeze legacy write paths; keep read-only export for rollback.
4) **Cleanup**
- Remove legacy routes; retain archived parity reports and exports.
## Parity checks
- Deterministic snapshots: compare SHA256 of `nodes.jsonl` and `edges.jsonl` (sorted).
- Query parity: run canned queries (search/query/paths/diff) and compare:
- Node/edge counts, first/last IDs
- Presence of overlays (policy/vex)
- Cursor progression
- Performance: ensure p95 latency within ±20% of legacy baseline during shadow.
## Rollback
- Keep legacy service in read-only mode; toggle feature flag back if parity fails.
- Retain last good exports and parity reports for each tenant.
- If overlays mismatch: clear overlay cache and rerun policy overlay ingestion; fall back to legacy overlays temporarily.
## Observability
- Dashboards: add panels for parity diff counters and latency delta.
- Alerts:
- `parity_diff_nodes_total > 0` for 10m
- Latency delta > 20% for 10m
- Logs should include tenant, snapshotId, query type, cursor, hash comparisons.
## Owners
- Graph API Guild (API/runtime)
- Graph Indexer Guild (snapshots/ingest)
- Observability Guild (dashboards/alerts)
- UI/CLI Guilds (client cutover)
## Checklists
- [ ] Feature flag wired and default off.
- [ ] Canned query set stored in repo (deterministic inputs).
- [ ] Parity job outputs SHA256 comparison and stores reports per tenant/date.
- [ ] Rollback tested in staging.
## References
- `docs/api/graph.md`, `docs/modules/graph/architecture-index.md`
- `docs/implplan/SPRINT_0141_0001_0001_graph_indexer.md`
- `docs/implplan/SPRINT_0207_0001_0001_graph.md`

74
docs/modules/export-center/devportal-offline-manifest.md Normal file
View File

@@ -0,0 +1,74 @@
# DevPortal Offline Bundle Manifest (draft v0.1)
Applies to sprint: SPRINT_0206_0001_0001_devportal · Action #2 (DEVPORT-64-001/64-002 interlock with Export Center)
## Purpose
- Define a deterministic, air-gap-friendly manifest for Developer Portal offline bundles.
- Ensure SDK archives, OpenAPI specs, and static site assets can be verified and consumed by Export Center and SDK Release pipelines.
## Bundle layout
```
devportal-offline/
manifest.json # see schema below
site/ # static HTML/CSS/JS (Astro/Starlight build)
specs/
stella-aggregate.yaml # merged OpenAPI used by portal
*.yaml # per-service OpenAPI (authority, scanner, policy, graph, etc.)
sdks/
node-sdk.tar.gz
python-sdk.tar.gz
java-sdk.zip # optional, language-dependent
assets/
fonts/* # self-hosted; no external CDNs
icons/* # SVG/PNG used by site
```
## Manifest schema (manifest.json)
```json
{
"version": "0.1",
"generatedAt": "2025-11-26T00:00:00Z",
"site": {
"path": "site",
"sha256": "<hex>",
"bytes": 0
},
"specs": [
{ "name": "stella-aggregate.yaml", "path": "specs/stella-aggregate.yaml", "sha256": "<hex>", "bytes": 0 },
{ "name": "authority.yaml", "path": "specs/authority.yaml", "sha256": "<hex>", "bytes": 0 }
],
"sdks": [
{ "name": "node-sdk", "path": "sdks/node-sdk.tar.gz", "sha256": "<hex>", "bytes": 0 },
{ "name": "python-sdk", "path": "sdks/python-sdk.tar.gz", "sha256": "<hex>", "bytes": 0 }
],
"checks": {
"integrity": "sha256",
"policy": "no-external-assets"
}
}
```
### Rules
- `version` is additive; bump on breaking shape change.
- `sha256` is hex lowercase of the file contents.
- `bytes` is the exact byte length for deterministic validation.
- `checks.policy` documents applied constraints; default `no-external-assets` (verify no `http(s)://` fonts/scripts).
## Production contract
- Export Center expects `manifest.json` at bundle root; validates sha256/bytes before publishing.
- Offline bundle must build via `npm run build:offline` without network calls after initial `npm ci` + `npm run sync:spec`.
- Specs and SDK archives are treated as opaque; manifest carries their hashes for downstream verification.
## Open items
- Add per-language SDK metadata (version, commit SHA) once SDKREL-64-002 finalises.
- Add optional `signatures` array (DSSE over manifest) when Authority signing profile is ready.
## How to produce locally (deterministic)
```
npm ci --ignore-scripts --no-fund --no-audit
npm run sync:spec
npm run build:offline
# compute manifest hashes using sha256sum and fill manifest.json
```
Record generated manifest in sprint evidence when produced; keep caches local to avoid external fetches.

46
docs/modules/export-center/mirror-bundles.md
View File

@@ -180,22 +180,38 @@ sequenceDiagram
3. Re-run integrity checks (`mirror verify <path>`).
- **Audit logging:** Export Center logs `mirror.bundle.created`, `mirror.delta.applied`, and `mirror.encryption.enabled` events. Consume them in the central observability pipeline.
## 7. Troubleshooting
| Symptom | Meaning | Action |
|---------|---------|--------|
| `ERR_EXPORT_BASE_MISSING` | Base export not available | Republish base bundle or rebuild as full export. |
| Delta applies but mirror misses entries | Deltas applied out of order | Rebuild from last full bundle and reapply in sequence. |
## 7. Validation checklist (Trivy / mirror bundles)
- Download and verify:
- `stella export download <exportId> --format mirror`
- `stella export verify <exportId>`
- Delta ordering:
- Ensure `manifest.diff.json.baseExportId` exists locally before applying delta.
- Track applied order in `appliedExportIds.log`.
- Trivy adapter (if enabled):
- `stella export trivy-validate --bundle mirror-YYYYMMDD.tar.zst --policy ./policies/export-center.rego`
- Dry-run import:
- `stella export mirror-validate --bundle mirror-YYYYMMDD.tar.zst --dry-run`
- Post-import checks:
- Recompute SHA256 for `manifest.yaml` and a sample data file; compare to manifest.
- Run `mirror verify` (Offline Kit) and confirm zero mismatches.
## 8. Troubleshooting
| Symptom | Meaning | Action |
|---------|---------|--------|
| `ERR_EXPORT_BASE_MISSING` | Base export not available | Republish base bundle or rebuild as full export. |
| Delta applies but mirror misses entries | Deltas applied out of order | Rebuild from last full bundle and reapply in sequence. |
| Decryption fails | Recipient key mismatch or corrupted bundle | Confirm key distribution and re-download bundle. |
| Verification errors | Signature mismatch | Do not import; regenerate bundle and investigate signing pipeline. |
| Manifest hash mismatch | Files changed after extraction | Re-extract bundle and re-run verification; check storage tampering. |
## 8. References
- [Export Center Overview](overview.md)
- [Export Center Architecture](architecture.md)
- [Export Center API reference](api.md)
- [Export Center CLI Guide](cli.md)
| Verification errors | Signature mismatch | Do not import; regenerate bundle and investigate signing pipeline. |
| Manifest hash mismatch | Files changed after extraction | Re-extract bundle and re-run verification; check storage tampering. |
## 9. References
- [Export Center Overview](overview.md)
- [Export Center Architecture](architecture.md)
- [Export Center API reference](api.md)
- [Export Center CLI Guide](cli.md)
- [Concelier mirror runbook](../concelier/operations/mirror.md)
- [Aggregation-Only Contract reference](../../ingestion/aggregation-only-contract.md)

1
docs/modules/graph/README.md
View File

@@ -53,6 +53,7 @@ Graph Indexer + Graph API build the tenant-scoped knowledge graph that powers bl
- [`architecture.md`](architecture.md) — inputs, pipelines, APIs, storage choices, observability, offline handling.
- [`implementation_plan.md`](implementation_plan.md) — phased delivery roadmap, work breakdown, risks, test strategy.
- [`schema.md`](schema.md) — canonical node/edge schema and attribute dictionary (keep in sync with indexer code).
- API surface: `docs/api/graph-gateway-spec-draft.yaml` (NDJSON tiles for `/graph/search|query|paths|diff|export`, budgets, overlays).
- Updates: `docs/updates/2025-10-26-scheduler-graph-jobs.md`, `docs/updates/2025-10-26-authority-graph-scopes.md`, `docs/updates/2025-10-30-devops-governance.md` for the latest decisions/dependencies.
- Index: see `architecture-index.md` for data model, ingestion pipeline, overlays/caches, events, and API/observability pointers.

13
docs/modules/graph/architecture.md
View File

@@ -12,7 +12,7 @@
- `Advisory` and `VEXStatement` nodes linking to Concelier/Excititor records via digests.
- `PolicyVersion` nodes representing signed policy packs.
- **Edges:** directed, timestamped relationships such as `DEPENDS_ON`, `BUILT_FROM`, `DECLARED_IN`, `AFFECTED_BY`, `VEX_EXEMPTS`, `GOVERNS_WITH`, `OBSERVED_RUNTIME`. Each edge carries provenance (SRM hash, SBOM digest, policy run ID).
- **Overlays:** computed index tables providing fast access to reachability, blast radius, and differential views (e.g., `graph_overlay/vuln/{tenant}/{advisoryKey}`).
- **Overlays:** computed index tables providing fast access to reachability, blast radius, and differential views (e.g., `graph_overlay/vuln/{tenant}/{advisoryKey}`). Runtime endpoints emit overlays inline (`policy.overlay.v1`, `openvex.v1`) with deterministic overlay IDs (`sha256(tenant|nodeId|overlayKind)`) and sampled explain traces on policy overlays.
## 2) Pipelines
@@ -24,11 +24,12 @@
## 3) APIs
- `GET /graph/nodes/{id}` — fetch node with metadata and attached provenance.
- `POST /graph/query/saved` — execute saved query (Cypher-like DSL) with tenant filtering; supports paging, citation metadata, and `explain` traces.
- `GET /graph/impact/{advisoryKey}` — returns impacted artifacts with path context and policy/vex overlays.
- `GET /graph/diff/{snapshotA}/{snapshotB}` streaming API returning diff manifest including new/removed edges, risk summary, and export references.
- `POST /graph/overlay/policy` — create or retrieve overlay for policy version + advisory set, referencing `effective_finding` results.
- `POST /graph/search` — NDJSON node tiles with cursor paging, tenant + scope guards.
- `POST /graph/query` — NDJSON nodes/edges/stats/cursor with budgets (tiles/nodes/edges) and optional inline overlays (`includeOverlays=true`) emitting `policy.overlay.v1` and `openvex.v1` payloads; overlay IDs are `sha256(tenant|nodeId|overlayKind)`; policy overlay may include a sampled `explainTrace`.
- `POST /graph/paths` — bounded BFS (depth ≤6) returning path nodes/edges/stats; honours budgets and overlays.
- `POST /graph/diff` — compares `snapshotA` vs `snapshotB`, streaming node/edge added/removed/changed tiles plus stats; budget enforcement mirrors `/graph/query`.
- `POST /graph/export` — async job producing deterministic manifests (`sha256`, size, format) for `ndjson/csv/graphml/png/svg`; download via `/graph/export/{jobId}`.
- Legacy: `GET /graph/nodes/{id}`, `POST /graph/query/saved`, `GET /graph/impact/{advisoryKey}`, `POST /graph/overlay/policy` remain in spec but should align to the NDJSON surfaces above as they are brought forward.
## 4) Storage considerations

57
docs/modules/scanner/determinism-score.md
View File

@@ -1,6 +1,6 @@
# Scanner Determinism Score Guide
> **Status:** Draft Sprint 186/202/203
> **Status:** Stable (2025-11)
> **Owners:** Scanner Guild · QA Guild · DevEx/CLI Guild · DevOps Guild
## 1. Goal
@@ -22,36 +22,29 @@ Quantify how repeatable a scanner release is by re-running scans under frozen co
The harness persists the full run set under CAS, allowing regression tests and Offline kit inclusion.
## 3. Output artefacts (`SCAN-DETER-186-010`)
## 3. determinism.json schema (`SCAN-DETER-186-010`)
* `determinism.json` per-image runs, identical counts, score, policy/feed hashes.
* `run_i/*.json` canonicalised outputs for debugging.
* `diffs/` optional diff samples when runs diverge.
Required fields:
Example `determinism.json`:
- `version` (string, default `1`)
- `release` (string; e.g., `scanner-0.14.3`)
- `platform` (`os/arch`)
- `policy_sha`, `feeds_sha`, `scanner_sha` (content-addressed digests)
- `images[]`:
- `digest` (image digest)
- `runs` (int), `identical` (int), `score` (float 01)
- `artifact_hashes` (map filename → sha256)
- `non_deterministic` (array of artefact names when diverged)
- `notes` (optional string)
- `overall_score` (float 01)
- `thresholds` { `image_min`:0.90, `overall_min`:0.95 }
- `generated_at` (UTC ISO-8601)
```json
{
"release": "scanner-0.14.3",
"platform": "linux/amd64",
"policy_sha": "a1b2c3…",
"feeds_sha": "d4e5f6…",
"images": [
{
"digest": "sha256:abc…",
"runs": 10,
"identical": 10,
"score": 1.0,
"artifact_hashes": {
"sbom.cdx.json": "sha256:11…",
"vex.json": "sha256:22…",
"findings.json": "sha256:33…"
}
}
],
"overall_score": 1.0
}
```
Output bundle layout:
- `determinism.json` schema above
- `run_i/*.json` canonicalised artefacts per run
- `diffs/` minimal diffs when divergence occurs
## 4. CI integration (`DEVOPS-SCAN-90-004`)
@@ -71,8 +64,12 @@ Example `determinism.json`:
## 7. Evidence & replay
* Include `determinism.json` and canonical run outputs in Replay bundles (`docs/replay/DETERMINISTIC_REPLAY.md`).
* DSSE-sign determinism results before adding them to Evidence Locker.
Replay instructions (deterministic, offline-friendly):
1. Fetch a published determinism bundle (`determinism.json` + `run_*`) and the corresponding scanner image.
2. Run `scripts/scanner/determinism-run.sh --replay --bundle path/to/bundle --image sha256:...` (uses fixed clock/seed).
3. Verify hashes match the recorded `artifact_hashes`; tool exits non-zero on mismatch.
4. Attach the bundle to Evidence Locker with DSSE signature before export.
## 8. Implementation checklist

40
docs/modules/scanner/entropy.md
View File

@@ -1,6 +1,7 @@
# Entropy Analysis for Executable Layers
> **Status:** Draft Sprint 186/209
> **Imposed rule:** Entropy evidence must be included in scan exports and DSSE attestations; opaque regions without provenance cannot be whitelisted without an explicit policy waiver.
> **Status:** Stable (2025-11)
> **Owners:** Scanner Guild · Policy Guild · UI Guild · Docs Guild
## 1. Overview
@@ -25,10 +26,11 @@ Entropy analysis highlights opaque regions inside container layers (packed binar
* Flag entire files with no symbols or stripped debug info.
* Detect known packer section names (`.UPX*`, `.aspack`, etc.).
* Record offsets, window sizes, and entropy values to support explainability.
* **Outputs:**
* `entropy.report.json` (per-file details, windows, hints).
* `layer_summary.json` (opaque byte ratios per layer and overall image).
* Penalty score contributed to the trust algebra (`entropy_penalty`).
* **Outputs (all canonical, UTF-8, sorted keys):**
* `entropy.report.json` (per-file details, windows, hints; schema `stellaops.entropy/report@1`).
* `layer_summary.json` (opaque byte ratios per layer and overall image; schema `stellaops.entropy/layer-summary@1`).
* `entropy_penalty` scalar injected into trust lattice inputs.
* All outputs are signed within the scan DSSE bundle and exported in Offline/Replay kits.
All JSON output is canonical (sorted keys, UTF-8) and included in DSSE attestations/replay bundles.
@@ -39,6 +41,7 @@ All JSON output is canonical (sorted keys, UTF-8) and included in DSSE attestati
```jsonc
{
"schema": "stellaops.entropy/report@1",
"generatedAt": "2025-11-26T12:00:00Z",
"imageDigest": "sha256:…",
"layerDigest": "sha256:…",
"files": [
@@ -62,6 +65,7 @@ All JSON output is canonical (sorted keys, UTF-8) and included in DSSE attestati
```jsonc
{
"schema": "stellaops.entropy/layer-summary@1",
"generatedAt": "2025-11-26T12:00:00Z",
"imageDigest": "sha256:…",
"layers": [
{
@@ -80,12 +84,13 @@ All JSON output is canonical (sorted keys, UTF-8) and included in DSSE attestati
## 4. Policy integration (`POLICY-RISK-90-001`)
* Policy Engine receives `entropy_penalty` and per-layer ratios via scan evidence.
* Default thresholds:
* Block when `imageOpaqueRatio > 0.15` and provenance unknown.
* Default thresholds (tenant-overridable):
* Block when `imageOpaqueRatio > 0.15` **and** provenance unknown.
* Warn when any executable has `opaqueRatio > 0.30`.
* Penalty weights are configurable per tenant. Policy explanations include:
* Highest-entropy files and offsets.
* Reason code (packed, no symbols, runtime reachable).
* Suppress penalty when symbols are present **and** provenance attested.
* Trust lattice mapping:
* `entropy_penalty` feeds the risk lattice alongside reachability, provenance, and exploitability signals; capped at 0.3.
* Policy explanations include highest-entropy files, offsets, and reason codes (packed, no symbols, runtime reachable).
## 5. UI experience (`UI-ENTROPY-40-001/002`)
@@ -97,21 +102,22 @@ All JSON output is canonical (sorted keys, UTF-8) and included in DSSE attestati
## 6. CLI / API hooks
* CLI `stella scan artifacts --entropy` option prints top opaque files and penalties.
* API `GET /api/v1/scans/{id}/entropy` serves summary + evidence references.
* Notify templates can include entropy penalties to escalate opaque images.
* CLI `stella scan artifacts --entropy --threshold 0.15 --top 10` prints top opaque files and penalty; exits non-zero when penalty exceeds threshold.
* CLI `stella scan export --include entropy` bundles entropy reports with SBOM/VEX for Offline kits.
* API `GET /api/v1/scans/{id}/entropy` serves summary + evidence references; supports `Accept: application/json` or NDJSON stream.
* Notify templates can include entropy penalties to escalate opaque images (channel: Ops/Sec).
## 7. Trust algebra
The penalty is computed as:
\[
\text{entropyPenalty} = K \sum_{\text{layers}} \left( \frac{\text{opaqueBytes}}{\text{totalBytes}} \times \frac{\text{layerBytes}}{\text{imageBytes}} \right)
\text{entropyPenalty} = \min\Bigg(0.3,\; K \sum_{\text{layers}} \big( \frac{\text{opaqueBytes}}{\text{totalBytes}} \times \frac{\text{layerBytes}}{\text{imageBytes}} \big)\Bigg)
\]
* Default `K = 0.5`.
* Cap penalty at 0.3 to avoid over-weighting tiny blobs.
* Combine with other trust signals (reachability, provenance) to prioritise audits.
* Default `K = 0.5`; tenants can override via policy lattice config.
* If symbols are present and attested, apply a 0.5 multiplier to the per-layer contribution.
* Combine with reachability and provenance weights before final risk verdict.
## 8. Implementation checklist

10
docs/modules/sdk/language-support-matrix.md Normal file
View File

@@ -0,0 +1,10 @@
# SDK Language Support Matrix (Wave B draft · 2025-11-26)
| Language | Package name (staging) | Status | Generator config | Post-processing helpers | Notes |
| --- | --- | --- | --- | --- | --- |
| TypeScript | `@stellaops/sdk` (staging) | Alpha pending OAS freeze | `src/Sdk/StellaOps.Sdk.Generator/ts/config.yaml` | Auth, retry, pagination, telemetry wired | ESM+CJS templates ready; fixture smoke test passes |
| Python | `stellaops-sdk` (staging) | Alpha pending OAS freeze | `src/Sdk/StellaOps.Sdk.Generator/py/config.yaml` | Auth, retry, pagination, telemetry wired | Sync/async clients scaffolded; fixture smoke test passes |
| Go | `github.com/stellaops/sdk-go` | Planned (after Python) | Generator script stub | Helpers planned | Context-first API, streaming helpers; starts after SDKGEN-63-002 |
| Java | `io.stellaops:sdk` | Planned (after Go) | Generator script stub | Helpers planned | HTTP client abstraction TBD; starts after SDKGEN-63-003 |
Evidence for action tracker: Sprint 0208 · Action #2 (Publish SDK language support matrix to CLI/UI guilds).

50
docs/policy/api.md Normal file
View File

@@ -0,0 +1,50 @@
# Policy API Reference (runtime endpoints)
> **Imposed rule:** Policy API calls must include tenant context and operate on frozen inputs; mutating endpoints require Authority scopes and audit events.
## Base
`/api/v1/policies`
## Endpoints
- `GET /policies` list policies (with filters: tenant, status, name, tags); paginated.
- `GET /policies/{id}` fetch metadata and versions.
- `GET /policies/{id}/versions/{v}` fetch IR, hash, status, shadow flag, attestation refs.
- `POST /policies/{id}/simulate` run simulate; body: `{ inputs: { sbom_digest, advisory_snapshot, vex_set, reachability_hash, signals_digest }, settings: { shadow: bool } }`. Returns `runId`, findings, explain summary; full explain via run endpoint.
- `POST /policies/{id}/run` full run with frozen cursors; same body as simulate plus `mode` (`full|incremental`).
- `GET /policy-runs/{runId}` returns findings, explain trace refs, hashes, shadow flag, status.
- `POST /policies/{id}/submit` attach lint/simulate/coverage artefacts; transitions to `submitted`.
- `POST /policies/{id}/approve` requires `policy:approve`; records approval note.
- `POST /policies/{id}/publish` requires `policy:publish`; body includes `reason`, `ticket`, `sign=true|false`; returns attestation ref.
- `POST /policies/{id}/activate` requires `policy:activate`; activates version.
- `POST /policies/{id}/archive` archive version; reason required.
## Headers
- `X-Stella-Tenant` (required)
- `X-Stella-Shadow` (optional; simulate)
- `If-None-Match` (IR cache)
## Auth & scopes
- Read: `policy:read`
- Simulate: `policy:simulate`
- Submit: `policy:author`
- Approve: `policy:approve`
- Publish/Promote: `policy:publish`/`policy:promote`
- Activate/Run: `policy:operate`
## Errors (Problem+JSON)
- `policy_inputs_unfrozen` (409) missing cursors.
- `policy_ir_hash_mismatch` (409) IR hash differs from attested value.
- `policy_shadow_required` (412) shadow gate not satisfied.
- `policy_attestation_required` (412) publish without attestation metadata.
- Standard auth/tenant errors.
## Pagination & determinism
- `limit`/`cursor`; stable ordering by `policyId` then `version`.
- All list endpoints return `ETag` and `Content-SHA256` headers.
## Offline
- API supports `file://` bundle handler when running in sealed mode; simulate/run accept `bundle` path instead of remote cursors.
## Observability
- Metrics: `policy_api_requests_total{endpoint,status}`, `policy_simulate_latency_seconds`, `policy_run_latency_seconds`.
- Logs: include `policyId`, `version`, `runId`, `tenant`, `shadow`, `cursors` hashes.

77
docs/policy/dsl.md
View File

@@ -1,6 +1,7 @@
# Stella Policy DSL (`stella-dsl@1`)
> **Audience:** Policy authors, reviewers, and tooling engineers building lint/compile flows for the Policy Engine v2 rollout (Sprint20).
> **Audience:** Policy authors, reviewers, and tooling engineers building lint/compile flows for the Policy Engine v2 rollout (Sprint20).
> **Imposed rule:** Policies that alter reachability or trust weighting must run in shadow mode first with coverage fixtures; promotion to active is blocked until shadow + coverage gates pass.
This document specifies the `stella-dsl@1` grammar, semantics, and guardrails used by StellaOps to transform SBOM facts, Concelier advisories, and Excititor VEX statements into effective findings. Use it with the [Policy Engine Overview](overview.md) for architectural context and the upcoming lifecycle/run guides for operational workflows.
@@ -14,6 +15,7 @@ This document specifies the `stella-dsl@1` grammar, semantics, and guardrails us
- **Lean authoring:** Common precedence, severity, and suppression patterns are first-class.
- **Offline-friendly:** Grammar and built-ins avoid cloud dependencies, run the same in sealed deployments.
- **Reachability-aware:** Policies can consume reachability lattice states (`ReachState`) and evidence scores to drive VEX gates (`not_affected`, `under_investigation`, `affected`).
- **Signal-first:** Trust, reachability, entropy, and uncertainty signals are first-class so explain traces stay reproducible.
---
@@ -40,14 +42,26 @@ policy "Default Org Policy" syntax "stella-dsl@1" {
}
}
rule vex_precedence priority 10 {
when vex.any(status in ["not_affected","fixed"])
and vex.justification in ["component_not_present","vulnerable_code_not_present"]
then status := vex.status
because "Strong vendor justification prevails";
}
}
```
rule vex_precedence priority 10 {
when vex.any(status in ["not_affected","fixed"])
and vex.justification in ["component_not_present","vulnerable_code_not_present"]
then status := vex.status
because "Strong vendor justification prevails";
}
rule reachability_gate priority 20 {
when telemetry.reachability.state == "reachable" and telemetry.reachability.score >= 0.6
then status := "affected"
because "Runtime/graph evidence shows reachable code path";
}
rule trust_penalty priority 30 {
when signals.trust_score < 0.4 or signals.entropy_penalty > 0.2
then severity := severity_band("critical")
because "Low trust score or high entropy";
}
}
```
High-level layout:
@@ -127,9 +141,10 @@ annotate = "annotate", identifier, ":=", expression, ";" ;
Notes:
- `helper` is reserved for shared calculcations (not yet implemented in `@1`).
- `else` branch executes only if `when` predicates evaluate truthy **and** no prior rule earlier in priority handled the tuple.
- Semicolons inside rule bodies are optional when each clause is on its own line; the compiler emits canonical semicolons in IR.
- `helper` is reserved for shared calculcations (not yet implemented in `@1`).
- `else` branch executes only if `when` predicates evaluate truthy **and** no prior rule earlier in priority handled the tuple.
- Semicolons inside rule bodies are optional when each clause is on its own line; the compiler emits canonical semicolons in IR.
- `settings.shadow = true` enables shadow-mode evaluation (findings recorded but not enforced). Promotion gates require at least one shadow run with coverage fixtures.
---
@@ -146,6 +161,7 @@ Within predicates and actions you may reference the following namespaces:
| `run` | `policyId`, `policyVersion`, `tenant`, `timestamp` | Metadata for explain annotations. |
| `env` | Arbitrary key/value pairs injected per run (e.g., `environment`, `runtime`). |
| `telemetry` | Optional reachability signals. Example fields: `telemetry.reachability.state`, `telemetry.reachability.score`, `telemetry.reachability.policyVersion`. Missing fields evaluate to `unknown`. |
| `signals` | Normalised signal dictionary: `trust_score` (01), `reachability.state` (`reachable|unreachable|unknown`), `reachability.score` (01), `entropy_penalty` (00.3), `uncertainty.level` (`U1``U3`), `runtime_hits` (bool). |
| `secret` | `findings`, `bundle`, helper predicates | Populated when the Secrets Analyzer runs. Exposes masked leak findings and bundle metadata for policy decisions. |
| `profile.<name>` | Values computed inside profile blocks (maps, scalars). |
@@ -162,8 +178,9 @@ Missing fields evaluate to `null`, which is falsey in boolean context and propag
| `normalize_cvss(advisory)` | `Advisory → SeverityScalar` | Parses `advisory.content.raw` for CVSS data; falls back to policy maps. |
| `cvss(score, vector)` | `double × string → SeverityScalar` | Constructs a severity object manually. |
| `severity_band(value)` | `string → SeverityBand` | Normalises strings like `"critical"`, `"medium"`. |
| `risk_score(base, modifiers...)` | Variadic | Multiplies numeric modifiers (severity × trust × reachability). |
| `vex.any(predicate)` | `(Statement → bool) → bool` | `true` if any statement satisfies predicate. |
| `risk_score(base, modifiers...)` | Variadic | Multiplies numeric modifiers (severity × trust × reachability). |
| `reach_state(state)` | `string → ReachState` | Normalises reachability state strings (`reachable`, `unreachable`, `unknown`). |
| `vex.any(predicate)` | `(Statement → bool) → bool` | `true` if any statement satisfies predicate. |
| `vex.all(predicate)` | `(Statement → bool) → bool` | `true` if all statements satisfy predicate. |
| `vex.latest()` | `→ Statement` | Lexicographically newest statement. |
| `advisory.has_tag(tag)` | `string → bool` | Checks advisory metadata tags. |
@@ -252,16 +269,30 @@ rule vex_strong_claim priority 5 {
}
```
### 9.3 Environment-Specific Escalation
### 9.3 Environment-Specific Escalation
```dsl
rule internet_exposed_guard {
when env.exposure == "internet"
and severity.normalized >= "High"
then escalate to severity_band("Critical")
because "Internet-exposed assets require critical posture";
}
```
rule internet_exposed_guard {
when env.exposure == "internet"
and severity.normalized >= "High"
then escalate to severity_band("Critical")
because "Internet-exposed assets require critical posture";
}
```
### 9.4 Shadow mode & coverage
- Enable `settings { shadow = true; }` for new policies or major changes. Findings are recorded but not enforced.
- Provide coverage fixtures under `tests/policy/<policyId>/cases/*.json`; run `stella policy test` locally and in CI. Coverage results must be attached on submission.
- Promotion to active is blocked until shadow runs + coverage gates pass (see lifecycle §3).
### 9.5 Authoring workflow (quick checklist)
1. Write/update policy with shadow enabled.
2. Add/refresh coverage fixtures; run `stella policy test`.
3. `stella policy lint` and `stella policy simulate --fixtures ...` with expected signals (trust_score, reachability, entropy_penalty) noted in comments.
4. Submit with attachments: lint, simulate diff, coverage results.
5. After approval, disable shadow and promote; retain fixtures for regression tests.
### 9.4 Anti-pattern (flagged by linter)
@@ -318,4 +349,4 @@ rule catch_all {
---
*Last updated: 2025-11-05 (Sprint 21).*
*Last updated: 2025-11-26 (Sprint 0401).*

49
docs/policy/editor.md Normal file
View File

@@ -0,0 +1,49 @@
# Policy Editor Guide
> **Imposed rule:** Edits must run lint, simulate, and shadow+coverage gates before promotion; UI enforces attachment of results on submission.
This guide walks through the Console Policy Editor: authoring, validation, simulation, approvals, and offline workflow.
## 1. Workspace
- **Left rail:** policy list, versions, status (draft/submitted/approved/active/archived), shadow flag badge.
- **Editor pane:** YAML/SPL with schema validation, syntax highlighting, auto-format; shows IR hash after successful lint.
- **Metadata panel:** description, tags, AOC indicator, attestation status.
- **Attachments panel:** lint report, simulate diff, coverage results; mandatory before submission.
## 2. Validation
- Live lint via compiler service; blocks save on fatal errors.
- Schema assist: hover shows field descriptions; unknown fields flagged as warnings.
- Determinism check: twin-run diff runs on save; failures block submission.
## 3. Simulation
- Quick simulate: select fixtures (SBOM/VEX bundles) → runs in shadow mode; results shown inline with deltas vs previous version.
- Batch simulate: enqueue via orchestrator; results stored as attachments; required freshness <24h for submission.
## 4. Submission & approvals
- Submit requires: lint OK, simulate attachment, coverage results, shadow enabled.
- Reviewers comment inline; blocking comments must be resolved before approval.
- Approvers must enter reason/ticket; Authority enforces two-person rule when configured.
## 5. Promotion & activation
- Publish & sign: produces DSSE attestation over IR hash + approval metadata; Rekor mirror when online.
- Activate: selects approved version; records input cursors; triggers run if requested.
- Rollback: pick prior approved version; requires reason.
## 6. Offline workflow
- Load policy pack + attachments from Offline Kit; editor runs local lint/simulate with sealed inputs.
- Submit/approve offline records events locally; sync to Authority when reconnected.
## 7. Shortcuts & a11y
- Keyboard: `Ctrl+S` save, `Ctrl+Shift+L` lint, `Ctrl+Shift+R` simulate.
- Screen reader labels on editor, results table, and buttons; focus order follows workflow.
## 8. Troubleshooting
- Lint failures: open Problems tab; fix schema/unknown fields.
- Simulate stale: rerun quick simulate; ensure fixtures match policy inputs.
- Attestation mismatch: regenerate IR (auto) and retry publish; check Authority scopes.
## References
- `docs/policy/dsl.md`
- `docs/policy/spl-v1.md`
- `docs/policy/lifecycle.md`
- `docs/policy/runtime.md`

51
docs/policy/governance.md Normal file
View File

@@ -0,0 +1,51 @@
# Policy Governance
> **Imposed rule:** Publish/Promote actions require reason + ticket metadata and DSSE attestation; two-person approval is recommended and enforced where configured by Authority.
This guide defines roles, scopes, approvals, signing, and exception handling for Stella policies.
## 1. Roles & scopes
- Author: `policy:author`, `policy:simulate`
- Reviewer: `policy:review`, `policy:simulate`
- Approver: `policy:approve`, `policy:audit`
- Operator: `policy:operate`, `policy:activate`, `policy:run`
- Publisher: `policy:publish`, `policy:promote`
- Auditor: `policy:audit`
Authority policy can map org roles to scopes; two-person rule can be enabled per tenant for publish/promote.
## 2. Approval workflow
1) Author drafts with shadow + coverage fixtures; runs lint/simulate/test.
2) Submit with attachments (lint, simulate, coverage, reason/ticket optional at this stage).
3) Reviewers comment/resolve; approver checks gates (shadow, coverage, determinism).
4) Publisher runs `stella policy publish --reason --ticket --sign`; attestation stored and optionally mirrored to Rekor.
5) Operator activates version; audit events recorded.
## 3. Signing & attestation
- DSSE payload includes IR hash, policyId/version, reason, ticket, approvals, shadow/coverage evidence refs.
- Rekor mirror when online; offline deployments store bundle + checkpoint for later replay.
- Evidence Locker stores DSSE + run inputs/outputs for audit.
## 4. Exceptions & waivers
- Use SPL rules with explicit scope and `because` rationale; no perpetual suppressions.
- Waivers must include expiration and owner; DSSE attested if exported.
- AOC: Aggregation-Only Contract requires waiver scope to avoid cross-tenant data; UI/CLI enforce tenant scoping.
## 5. Compliance checklist
- [ ] Two-person rule enforced (Authority config) for publish/promote.
- [ ] Reason and ticket captured on publish; stored in attestation metadata.
- [ ] Shadow + coverage gates passed and attached.
- [ ] IR hash recorded; attestation verified before activation.
- [ ] Waivers have expiry, owner, `because`, and scope.
- [ ] Offline replay path documented for the policy pack.
## 6. Audit & observability
- Timeline events: `policy.submitted`, `policy.approved`, `policy.published`, `policy.promoted`, `policy.activated`, `policy.archived`.
- Metrics: `policy_publish_total`, `policy_promote_total`, `policy_attestation_verify_failures`, `policy_shadow_runs_total`.
- Logs: include `policyId`, `version`, `attestation_ref`, `reason`, `ticket`, `shadow`.
## References
- `docs/policy/overview.md`
- `docs/policy/lifecycle.md`
- `docs/policy/spl-v1.md`
- `docs/policy/runtime.md`

38
docs/policy/lifecycle.md
View File

@@ -3,17 +3,19 @@
> **Audience:** Policy authors, reviewers, security approvers, release engineers.
> **Scope:** End-to-end flow for `stella-dsl@1` policies from draft through archival, including CLI/Console touch-points, Authority scopes, audit artefacts, and offline considerations.
This guide explains how a policy progresses through StellaOps, which roles are involved, and the artefacts produced at every step. Pair it with the [Policy Engine Overview](overview.md), [DSL reference](dsl.md), and upcoming run documentation to ensure consistent authoring and rollout.
This guide explains how a policy progresses through StellaOps, which roles are involved, and the artefacts produced at every step. Pair it with the [Policy Engine Overview](overview.md), [DSL reference](dsl.md), and upcoming run documentation to ensure consistent authoring and rollout.
> **Imposed rule:** New or significantly changed policies must run in **shadow mode** with coverage fixtures before activation. Promotions are blocked until shadow + coverage gates pass.
---
## 1·Protocol Summary
- Policies are **immutable versions** attached to a stable `policy_id`.
- Lifecycle states: `draft → submitted → approved → active → archived`.
- Every transition requires explicit Authority scopes and produces structured events + storage artefacts (`policies`, `policy_runs`, audit log collections).
- Simulation and CI gating happen **before** approvals can be granted.
- Activation triggers (runs, bundle exports, CLI `promote`) operate on the **latest approved** version per tenant.
- Policies are **immutable versions** attached to a stable `policy_id`.
- Lifecycle states: `draft → submitted → approved → active → archived`.
- Every transition requires explicit Authority scopes and produces structured events + storage artefacts (`policies`, `policy_runs`, audit log collections).
- Simulation and CI gating happen **before** approvals can be granted.
- Activation triggers (runs, bundle exports, CLI `promote`) operate on the **latest approved** version per tenant.
- Shadow mode runs capture findings without enforcement; shadow exit requires coverage + twin-run determinism checks.
```mermaid
stateDiagram-v2
@@ -53,7 +55,9 @@ stateDiagram-v2
- **Tools:** Console editor, `stella policy edit`, policy DSL files.
- **Actions:**
- Author DSL leveraging [stella-dsl@1](dsl.md).
- Run `stella policy lint` and `stella policy simulate --sbom <fixtures>` locally.
- Run `stella policy lint` and `stella policy simulate --sbom <fixtures>` locally.
- Add/refresh coverage fixtures under `tests/policy/<policyId>/cases/*.json`; run `stella policy test`.
- Keep `settings.shadow = true` until coverage + shadow gates pass.
- Attach rationale metadata (`metadata.description`, tags).
- **Artefacts:**
- `policies` document with `status=draft`, `version=n`, `provenance.created_by`.
@@ -67,7 +71,8 @@ stateDiagram-v2
- **Who:** Authors (`policy:author`).
- **Tools:** Console “Submit for review” button, `stella policy submit <policyId> --reviewers ...`.
- **Actions:**
- Provide review notes and required simulations (CLI uploads attachments).
- Provide review notes and required simulations (CLI uploads attachments).
- Attach coverage results (shadow mode + `stella policy test`).
- Choose reviewer groups; Authority records them in submission metadata.
- **Artefacts:**
- Policy document transitions to `status=submitted`, capturing `submitted_by`, `submitted_at`, reviewer list, simulation digest references.
@@ -96,7 +101,8 @@ stateDiagram-v2
- **Who:** Approvers (`policy:approve`).
- **Tools:** Console Approve”, CLI `stella policy approve <id> --version n --note "rationale"`.
- **Actions:**
- Confirm compliance checks (see §6) all green.
- Confirm compliance checks (see §6) all green.
- Verify shadow gate + coverage suite passed in CI.
- Provide approval note (mandatory string captured in audit trail).
- **Artefacts:**
- Policy `status=approved`, `approved_by`, `approved_at`, `approval_note`.
@@ -190,12 +196,14 @@ All CLI commands emit structured JSON by default; use `--format table` for human
## 6 · Compliance Gates
| Gate | Stage | Enforced by | Requirement |
|------|-------|-------------|-------------|
| **DSL lint** | Draft Submit | CLI/CI | `stella policy lint` successful within 24h. |
| **Simulation evidence** | Submit | CLI/Console | Attach diff from `stella policy simulate` covering baseline SBOM set. |
| **Reviewer quorum** | Submit Approve | Authority | Minimum approver/reviewer count configurable per tenant. |
| **Determinism CI** | Approve | DevOps job | Twin run diff passes (`DEVOPS-POLICY-20-003`). |
| Gate | Stage | Enforced by | Requirement |
|------|-------|-------------|-------------|
| **DSL lint** | Draft Submit | CLI/CI | `stella policy lint` successful within 24h. |
| **Simulation evidence** | Submit | CLI/Console | Attach diff from `stella policy simulate` covering baseline SBOM set. |
| **Shadow run** | Submit Approve | Policy Engine / CI | Shadow mode enabled (`settings.shadow=true`) with findings recorded; must execute once per change. |
| **Coverage suite** | Submit Approve | CI (`stella policy test`) | Coverage fixtures present and passing; artefact attached to submission. |
| **Reviewer quorum** | Submit Approve | Authority | Minimum approver/reviewer count configurable per tenant. |
| **Determinism CI** | Approve | DevOps job | Twin run diff passes (`DEVOPS-POLICY-20-003`). |
| **Attestation metadata** | Approve Publish | Authority / CLI | `policy:publish` executed with reason & ticket metadata; DSSE attestation verified. |
| **Activation health** | Publish/Promote Activate | Policy Engine | Last run status succeeded; orchestrator queue healthy. |
| **Export validation** | Archive | Offline Kit | DSSE-signed policy pack generated for long-term retention. |

227
docs/policy/overview.md
View File

@@ -1,173 +1,54 @@
# Policy Engine Overview
> **Goal:** Evaluate organisation policies deterministically against scanner SBOMs, Concelier advisories, and Excititor VEX evidence, then publish effective findings that downstream services can trust.
This document introduces the v2 Policy Engine: how the service fits into StellaOps, the artefacts it produces, the contracts it honours, and the guardrails that keep policy decisions reproducible across air-gapped and connected deployments.
---
## 1·Role in the Platform
- **Purpose:** Compose policy verdicts by reconciling SBOM inventory, advisory metadata, VEX statements, and organisation rules.
- **Form factor:** Dedicated `.NET 10` Minimal API host (`StellaOps.Policy.Engine`) plus worker orchestration. Policies are defined in `stella-dsl@1` packs compiled to an intermediate representation (IR) with a stable SHA-256 digest.
- **Tenancy:** All workloads run under Authority-enforced scopes (`policy:*`, `findings:read`, `effective:write`). Only the Policy Engine identity may materialise effective findings collections.
- **Consumption:** Findings ledger, Console, CLI, and Notify read the published `effective_finding_{policyId}` materialisations and policy run ledger (`policy_runs`).
- **Offline parity:** Bundled policies import/export alongside advisories and VEX. In sealed mode the engine degrades gracefully, annotating explanations whenever cached signals replace live lookups.
---
## 2·High-Level Architecture
```mermaid
flowchart LR
subgraph Inputs
A[Scanner SBOMs<br/>Inventory & Usage]
B[Concelier Advisories<br/>Canonical linksets]
C[Excititor VEX<br/>Consensus status]
D[Policy Packs<br/>stella-dsl@1]
end
subgraph PolicyEngine["StellaOps.Policy.Engine"]
P1[DSL Compiler<br/>IR + Digest]
P2[Joiners<br/>SBOM ↔ Advisory ↔ VEX]
P3[Deterministic Evaluator<br/>Rule hits + scoring]
P4[Materialisers<br/>effective findings]
P5[Run Orchestrator<br/>Full & incremental]
end
subgraph Outputs
O1[Effective Findings Collections]
O2[Explain Traces<br/>Rule hit lineage]
O3[Metrics & Traces<br/>policy_run_seconds,<br/>rules_fired_total]
O4[Simulation/Preview Feeds<br/>CLI & Studio]
end
A --> P2
B --> P2
C --> P2
D --> P1 --> P3
P2 --> P3 --> P4 --> O1
P3 --> O2
P5 --> P3
P3 --> O3
P3 --> O4
```
---
## 3·Core Concepts
| Concept | Description |
|---------|-------------|
| **Policy Pack** | Versioned bundle of DSL documents, metadata, and checksum manifest. Packs import/export via CLI and Offline Kit bundles. |
| **Policy Digest** | SHA-256 of the canonical IR; used for caching, explain trace attribution, and audit proofs. |
| **Effective Findings** | Append-only Mongo collections (`effective_finding_{policyId}`) storing the latest verdict per finding, plus history sidecars. |
| **Policy Run** | Execution record persisted in `policy_runs` capturing inputs, run mode, timings, and determinism hash. |
| **Explain Trace** | Structured tree showing rule matches, data provenance, and scoring components for UI/CLI explain features. |
| **Simulation** | Dry-run evaluation that compares a candidate pack against the active pack and produces verdict diffs without persisting results. |
| **Incident Mode** | Elevated sampling/trace capture toggled automatically when SLOs breach; emits events for Notifier and Timeline Indexer. |
---
## 4·Inputs & Pre-processing
### 4.1 SBOM Inventory
- **Source:** Scanner.WebService publishes inventory/usage SBOMs plus BOM-Index (roaring bitmap) metadata.
- **Consumption:** Policy joiners use the index to expand candidate components quickly, keeping evaluation under the `<5s` warm path budget.
- **Schema:** CycloneDX Protobuf + JSON views; Policy Engine reads canonical projections via shared SBOM adapters.
### 4.2 Advisory Corpus
- **Source:** Concelier exports canonical advisories with deterministic identifiers, linksets, and equivalence tables.
- **Contract:** Policy Engine only consumes raw `content.raw`, `identifiers`, and `linkset` fields per Aggregation-Only Contract (AOC); derived precedence remains a policy concern.
### 4.3 VEX Evidence
- **Source:** Excititor consensus service resolves OpenVEX / CSAF statements, preserving conflicts.
- **Usage:** Policy rules can require specific VEX vendors or justification codes; evaluator records when cached evidence substitutes for live statements (sealed mode).
### 4.4 Policy Packs
- Authored in Policy Studio or CLI, validated against the `stella-dsl@1` schema.
- Compiler performs canonicalisation (ordering, defaulting) before emitting IR and digest.
- Packs bundle scoring profiles, allowlist metadata, and optional reachability weighting tables.
---
## 5·Evaluation Flow
1. **Run selection** Orchestrator accepts `full`, `incremental`, or `simulate` jobs. Incremental runs listen to change streams from Concelier, Excititor, and SBOM imports to scope re-evaluation.
2. **Input staging** Candidates fetched in deterministic batches; identity graph from Concelier strengthens PURL lookups.
3. **Rule execution** Evaluator walks rules in lexical order (first-match wins). Actions available: `block`, `ignore`, `warn`, `defer`, `escalate`, `requireVex`, each supporting quieting semantics where permitted.
4. **Scoring** `PolicyScoringConfig` applies severity, trust, reachability weights plus penalties (`warnPenalty`, `ignorePenalty`, `quietPenalty`).
5. **Verdict and explain** Engine constructs `PolicyVerdict` records with inputs, quiet flags, unknown confidence bands, and provenance markers; explain trees capture rule lineage.
6. **Materialisation** Effective findings collections are upserted append-only, stamped with run identifier, policy digest, and tenant.
7. **Publishing** Completed run writes to `policy_runs`, emits metrics (`policy_run_seconds`, `rules_fired_total`, `vex_overrides_total`), and raises events for Console/Notify subscribers.
---
## 6·Run Modes
| Mode | Trigger | Scope | Persistence | Typical Use |
|------|---------|-------|-------------|-------------|
| **Full** | Manual CLI (`stella policy run`), scheduled nightly, or emergency rebaseline | Entire tenant | Writes effective findings and run record | After policy publish or major advisory/VEX import |
| **Incremental** | Change-stream queue driven by Concelier/Excititor/SBOM deltas | Only affected artefacts | Writes effective findings and run record | Continuous upkeep; ensures SLA ≤5min from source change |
| **Simulate** | CLI/Studio preview, CI pipelines | Candidate subset (diff against baseline) | No materialisation; produces explain & diff payloads | Policy authoring, CI regression suites |
All modes are cancellation-aware and checkpoint progress for replay in case of deployment restarts.
---
## 7·Outputs & Integrations
- **APIs** Minimal API exposes policy CRUD, run orchestration, explain fetches, and cursor-based listing of effective findings (see `/docs/api/policy.md` once published).
- **CLI** `stella policy simulate/run/show` commands surface JSON verdicts, exit codes, and diff summaries suitable for CI gating.
- **Console / Policy Studio** UI reads explain traces, policy metadata, approval workflow status, and simulation diffs to guide reviewers.
- **Findings Ledger** Effective findings feed downstream export, Notify, and risk scoring jobs.
- **Air-gap bundles** Offline Kit includes policy packs, scoring configs, and explain indexes; export commands generate DSSE-signed bundles for transfer.
---
## 8·Determinism & Guardrails
- **Deterministic inputs** All joins rely on canonical linksets and equivalence tables; batches are sorted, and random/wall-clock APIs are blocked by static analysis plus runtime guards (`ERR_POL_004`).
- **Stable outputs** Canonical JSON serializers sort keys; digests recorded in run metadata enable reproducible diffs across machines.
- **Idempotent writes** Materialisers upsert using `{policyId, findingId, tenant}` keys and retain prior versions with append-only history.
- **Sandboxing** Policy evaluation executes in-process with timeouts; restart-only plug-ins guarantee no runtime DLL injection.
- **Compliance proof** Every run stores digest of inputs (policy, SBOM batch, advisory snapshot) so auditors can replay decisions offline.
---
## 9·Security, Tenancy & Offline Notes
- **Authority scopes:** Gateway enforces `policy:read`, `policy:write`, `policy:simulate`, `policy:runs`, `findings:read`, `effective:write`. Service identities must present DPoP-bound tokens.
- **Tenant isolation:** Collections partition by tenant identifier; cross-tenant queries require explicit admin scopes and return audit warnings.
- **Sealed mode:** In air-gapped deployments the engine surfaces `sealed=true` hints in explain traces, warning about cached EPSS/KEV data and suggesting bundle refreshes (see `docs/airgap/airgap-mode.md`).
- **Observability:** Structured logs carry correlation IDs matching orchestrator job IDs; metrics integrate with OpenTelemetry exporters; sampled rule-hit logs redact policy secrets.
- **Incident response:** Incident mode can be forced via API, boosting trace retention and notifying Notifier through `policy.incident.activated` events.
---
## 10·Working with Policy Packs
1. **Author** in Policy Studio or edit DSL files locally. Validate with `stella policy lint`.
2. **Simulate** against golden SBOM fixtures (`stella policy simulate --sbom fixtures/*.json`). Inspect explain traces for unexpected overrides.
3. **Publish** via API or CLI; Authority enforces review/approval workflows (`draft → review → approve → rollout`).
4. **Monitor** the subsequent incremental runs; if determinism diff fails in CI, roll back pack while investigating digests.
5. **Bundle** packs for offline sites with `stella policy bundle export` and distribute via Offline Kit.
---
## 11·Compliance Checklist
- [ ] **Scopes enforced:** Confirm gateway policy requires `policy:*` and `effective:write` scopes for all mutating endpoints.
- [ ] **Determinism guard active:** Static analyzer blocks clock/RNG usage; CI determinism job diffing repeated runs passes.
- [ ] **Materialisation audit:** Effective findings collections use append-only writers and retain history per policy run.
- [ ] **Explain availability:** UI/CLI expose explain traces for every verdict; sealed-mode warnings display when cached evidence is used.
- [ ] **Offline parity:** Policy bundles (import/export) tested in sealed environment; air-gap degradations documented for operators.
- [ ] **Observability wired:** Metrics (`policy_run_seconds`, `rules_fired_total`, `vex_overrides_total`) and sampled rule hit logs emit to the shared telemetry pipeline with correlation IDs.
- [ ] **Documentation synced:** API (`/docs/api/policy.md`), DSL grammar (`/docs/policy/dsl.md`), lifecycle (`/docs/policy/lifecycle.md`), and run modes (`/docs/policy/runs.md`) cross-link back to this overview.
---
*Last updated: 2025-10-26 (Sprint 20).*
# Policy System Overview
> **Imposed rule:** Policies that change reachability or trust weighting must enter shadow mode first and ship coverage fixtures; promotion is blocked until shadow + coverage gates pass (see `docs/policy/lifecycle.md`).
This overview orients authors, reviewers, and operators to the Stella Policy system: the SPL language, lifecycle, evidence inputs, and how policies are enforced online and in air-gapped sites.
## 1. What the Policy System Does
- Combines SBOM facts, advisories (Concelier), VEX claims (Excititor), reachability signals (Graphs + runtime), trust/entropy signals, and operator metadata to produce deterministic findings.
- Produces explainable outputs: every verdict carries rule, rationale (`because`), inputs, and evidence hashes.
- Works online or offline: policies, inputs, and outputs are content-addressed and can be replayed with no network.
## 2. Layers
- **SPL (Stella Policy Language):** declarative rules (`stella-dsl@1`) with profiles, maps, and rule blocks; no loops or network calls.
- **Compiler:** canonicalises SPL, emits IR + hash; used by CLI, Console, and CI. Canonical hashes feed attestation and replay.
- **Engine:** evaluates IR against SBOM/VEX/reachability signals; outputs effective findings and explains every rule fire.
- **Attestation:** optional DSSE over policy IR and approval metadata; Rekor mirror when online.
- **Distribution:** policy packs are versioned, tenant-scoped, and promoted via Authority scopes; Offline Kit includes packs + attestations.
## 3. Inputs & Signals
- SBOM inventory/usage (Scanner), advisories (Concelier), VEX (Excititor), reachability graphs/runtime (Signals), trust/entropy/uncertainty scores, secret-leak findings, environment metadata, and tenant policy defaults.
- Signals dictionary (normalised): `trust_score`, `reachability.state/score`, `entropy_penalty`, `uncertainty.level`, `runtime_hits`.
- All inputs must be content-addressed; missing fields evaluate to `unknown`/null and must be handled explicitly.
## 4. Lifecycle (summary)
1. Draft in SPL with shadow mode on and coverage fixtures (`stella policy test`).
2. Submit with lint/simulate + coverage artefacts attached.
3. Review/approve with Authority scopes; determinism and shadow gates enforced in CI.
4. Publish/attest (DSSE + optional Rekor); promote to environments; activate runs.
5. Archive or roll back with audit trail preserved.
## 5. Governance & Roles
- Scopes: `policy:author`, `policy:review`, `policy:approve`, `policy:operate`, `policy:publish`, `policy:activate`, `policy:audit`.
- Two-person rule recommended for publish/promote; enforced by Authority per tenant.
- AOC: Aggregation-Only Contract applies to regulated tenants—UI/CLI must respect AOC flags on policies and evidence.
## 6. Review Checklist (fast path)
- Lint + simulate outputs attached and fresh (<24h).
- Shadow mode enabled; coverage fixtures passing; twin-run determinism check green.
- `because` present on every status/severity change; suppressions scoped.
- Inputs handled explicitly when `unknown` (reachability/runtime missing).
- Attestation metadata ready (reason, ticket, IR hash) if publish is requested.
- AOC impact noted; air-gap replay steps documented if applicable.
## 7. Air-gap / Offline Notes
- Policy packs, attestations, and coverage fixtures ship in Offline Kits; no live feed calls allowed during evaluation.
- CLI `stella policy simulate --sealed` enforces no-network; policy runs must use frozen SBOM/advisory/VEX bundles and reachability graphs.
- Attestations and hashes recorded in Evidence Locker; Timeline events emitted on publish/activate.
## 8. Key References
- `docs/policy/dsl.md` (language)
- `docs/policy/lifecycle.md` (process, gates)
- `docs/policy/architecture.md` (engine internals)
- `docs/modules/policy/implementation_plan.md`
- `docs/policy/governance.md` (once published)

65
docs/policy/runtime.md Normal file
View File

@@ -0,0 +1,65 @@
# Policy Runtime & Evaluation
> **Imposed rule:** Runtime evaluations must use frozen inputs (SBOM, advisories, VEX, reachability, signals) and emit explain traces plus DSSE/attestation metadata; no live feed calls during evaluation.
This document describes how SPL policies are compiled, cached, and executed, and how results are surfaced via APIs, CLI, UI, and observability.
## 1. Components
- **Compiler**: converts SPL (`stella-dsl@1`) into canonical IR JSON, hashes it, and validates lint/coverage. Produces IR cache used by Engine.
- **Engine**: deterministic evaluator that consumes IR + inputs (SBOM, advisory, VEX, signals) and emits findings + explain traces.
- **Caches**:
- IR cache keyed by `policyId`/`version`/IR hash.
- Input cursors (SBOM/advisory/VEX snapshots, reachability graphs) to guarantee replay.
- Explain trace cache for recently queried runs (TTL, tenant-scoped).
- **Attestation**: optional DSSE over IR hash + approval metadata; Rekor mirror when online; stored alongside run outputs in Evidence Locker.
## 2. Execution flow
1. Resolve active policy version for tenant (or specified version for simulate).
2. Load IR from cache; verify hash matches attested value if provided.
3. Fetch frozen inputs via cursors: SBOM digest, advisory snapshot id, VEX set, reachability graph hash, signals bundle.
4. Evaluate rules in priority order; record explain entries (rule, because, inputs, signals).
5. Persist findings, explain traces, and run metadata (`runId`, `policyVersion`, hashes) to storage.
6. Emit events: `policy.run.started`, `policy.run.completed`, `policy.run.failed`; optionally `policy.run.shadow` when settings.shadow=true.
## 3. Caching & determinism
- IR cache warmed at publish; invalidated on new policy version.
- Input cursors are mandatory; if missing, run is blocked (returns `inputs_unfrozen`).
- Explain trace storage keeps deterministic ordering; capped by tenant quotas.
- Shadow mode runs record findings but mark `enforced=false`; promotion blocked until shadow+coverage gates pass.
## 4. APIs & CLI
- API: `POST /policies/{id}/simulate`, `POST /policies/{id}/run`, `GET /policy-runs/{runId}` (findings + explain), `GET /policies/{id}/versions/{v}` (IR, hash, attestation refs).
- CLI: `stella policy simulate`, `stella policy run`, `stella policy explain <runId> --format json|table`, `stella policy export --run <runId> --offline`.
- Headers: `X-Stella-Tenant`, `X-Stella-Shadow` (optional), `If-None-Match` for IR cache revalidation.
## 5. Observability & SLOs
- Metrics: `policy_runs_total{status}`, `policy_run_duration_seconds`, `policy_explain_cache_hits`, `policy_inputs_unfrozen_total`, `policy_shadow_runs_total`.
- Logs include `policyId`, `version`, `runId`, `tenant`, `shadow`, `input_cursor` hashes.
- Traces: span per run with events for rule evaluation batches; attributes include counts of rules fired and unknowns encountered.
- SLOs (suggested):
- p95 policy run latency < 2s for simulate, < 10s for full run.
- Error budget: <0.5% failed runs per rolling 7d.
- Explain cache hit rate >80% for repeated queries.
## 6. Failure modes & handling
- **Inputs unfrozen**: return 409 with required cursors; emit `policy.inputs_unfrozen` event.
- **Hash mismatch**: IR hash differs from attested; block run and emit `policy.ir_hash_mismatch` alert.
- **Unknown signals**: if required signals missing, downgrade to `unknown` and optionally set `status=under_investigation`; flag in explain trace.
- **Exceeded quotas**: explain storage or run count caps → 429 with `Retry-After`; run not executed.
## 7. Offline / air-gap
- All inputs fetched from Offline Kit bundles; no network during evaluate.
- CLI `stella policy run --sealed --bundle <path>` loads IR, inputs, and signals from bundle; writes outputs + attestation-ready manifest.
- Runs produce DSSE-ready payloads (`policy.run@1`) that can be signed later when connectivity is restored.
## 8. Data model (high level)
- `policy_runs`: `runId`, `policyId`, `version`, `tenant`, `shadow`, `input_cursors`, `ir_hash`, `attestation_ref`, `started_at`, `completed_at`, `status`, `stats` (rules fired, explains, unknowns), `storage_refs` (findings, explains).
- `policy_findings`: flattened findings with references to explain entries.
- `policy_explains`: rule-level explain traces with inputs, signals, because text.
## 9. References
- `docs/policy/dsl.md`
- `docs/policy/lifecycle.md`
- `docs/policy/architecture.md`
- `docs/policy/overview.md`
- `docs/reachability/DELIVERY_GUIDE.md`

116
docs/policy/spl-v1.md Normal file
View File

@@ -0,0 +1,116 @@
# Stella Policy Language (SPL) v1
> **Status:** Draft (2025-11)
> **Imposed rule:** SPL packs must pass lint, simulate, shadow, and coverage gates before activation; IR hashes must be attested when published.
This document defines the SPL v1 language: syntax, semantics, JSON schema, and examples used by the Policy Engine.
## 1. Syntax summary
- File-level directive: `policy "<name>" syntax "stella-dsl@1" { ... }`
- Blocks: `metadata`, `profile <name> {}`, `settings {}`, `rule <name> [priority n] { when ... then ... because "..." }`
- No loops, no network/clock access; pure, deterministic evaluation.
## 2. JSON Schema (canonical IR)
```jsonc
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "Stella Policy Language v1",
"type": "object",
"required": ["policyId", "syntax", "rules"],
"properties": {
"policyId": {"type": "string"},
"syntax": {"const": "stella-dsl@1"},
"metadata": {"type": "object"},
"settings": {
"type": "object",
"properties": {
"shadow": {"type": "boolean"},
"default_status": {"type": "string"}
}
},
"profiles": {
"type": "object",
"additionalProperties": {
"type": "object",
"properties": {
"maps": {"type": "object"},
"env": {"type": "object"},
"scalars": {"type": "object"}
}
}
},
"rules": {
"type": "array",
"items": {
"type": "object",
"required": ["name", "when", "then"],
"properties": {
"name": {"type": "string"},
"priority": {"type": "integer", "minimum": 0},
"when": {"type": "object"},
"then": {"type": "array"},
"else": {"type": "array"},
"because": {"type": "string"}
}
}
}
}
}
```
Notes:
- The compiler emits canonical IR JSON sorted by keys; hashing uses this canonical form.
- `when` and actions are expressed as AST nodes; see engine schema for exact shape.
## 3. Built-in functions (v1)
- `normalize_cvss`, `cvss`, `severity_band`, `risk_score`, `reach_state`, `exists`, `coalesce`, `percent_of`, `lowercase`.
- VEX helpers: `vex.any`, `vex.all`, `vex.latest`.
- Secrets helpers: `secret.hasFinding`, `secret.match.count`, `secret.bundle.version`, `secret.mask.applied`, `secret.path.allowlist`.
- Signals: access via `signals.trust_score`, `signals.reachability.state/score`, `signals.entropy_penalty`, `signals.uncertainty.level`, `signals.runtime_hits`.
## 4. Data namespaces
- `sbom`, `advisory`, `vex`, `run`, `env`, `telemetry`, `signals`, `secret`, `profile.*`.
- Missing fields evaluate to `null/unknown`; comparisons must handle `unknown` explicitly.
## 5. Examples
### 5.1 Reachability-aware gate
```dsl
rule reachability_gate priority 20 {
when signals.reachability.state == "reachable" and signals.reachability.score >= 0.6
then status := "affected"
because "Runtime/graph evidence shows reachable code path";
}
```
### 5.2 Trust/entropy penalty
```dsl
rule trust_entropy_penalty priority 30 {
when signals.trust_score < 0.4 or signals.entropy_penalty > 0.2
then severity := severity_band("critical")
because "Low trust score or high entropy";
}
```
### 5.3 Shadow mode on
```dsl
settings {
shadow = true
}
```
## 6. Authoring workflow (quick)
1. Write/update SPL with shadow enabled; add coverage fixtures.
2. Run `stella policy lint`, `stella policy simulate`, and `stella policy test`.
3. Attach artefacts to submission; ensure determinism twin-run passes in CI.
4. Publish with DSSE attestation (IR hash + metadata) and promote to environments.
## 7. Compatibility
- SPL v1 aligns with `stella-dsl@1` grammar. Future SPL versions will be additive; declare `syntax` explicitly.
## 8. References
- `docs/policy/dsl.md`
- `docs/policy/lifecycle.md`
- `docs/policy/architecture.md`
- `docs/policy/overview.md`

41
docs/policy/ui-integration.md Normal file
View File

@@ -0,0 +1,41 @@
# Policy UI Integration for Graph/Vuln
Status: Draft (2025-11-26) — aligns with POLICY-ENGINE-30-001..003 and Graph API overlays.
## Goals
- Explain how UI surfaces (Console, Vuln Explorer) consume policy/VEX overlays from Graph.
- Clarify cache usage, simulator contracts, and explain traces.
## Data sources
- Policy overlays (`policy.overlay.v1`) produced by Policy Engine (POLICY-ENGINE-30-001).
- VEX overlays (`openvex.v1`) from Concelier/Excititor pipelines.
- Graph API emits overlays per node (see `docs/api/graph.md`) with deterministic IDs and optional `explainTrace` sampling.
## Cache rules
- UI should respect overlay cache TTL (510 minutes). Cache key: tenant + nodeId + overlay kind.
- On cache miss, fallback to Graph API which will populate cache; avoid fan-out calls per tile.
- When policy overlay contract version changes, invalidate cache via version tag (e.g., `policy.overlay.v1``v2`).
## Requests
- Graph API: `includeOverlays=true` on `/graph/query` or `/graph/paths` to receive overlay payloads inline.
- Budget: ensure `budget.tiles` leaves room for overlays; UI may need to request higher budgets when overlays are critical to UX.
- Simulator: when running policy simulator, attach `X-Stella-Simulator: true` header (once enabled) to route to simulator instance; cache should be bypassed for simulator runs.
## UI rendering guidance
- Show policy status badge (e.g., `warn`, `deny`, `allow`) with ruleId and severity.
- If `explainTrace` present, render as expandable list; only one sampled node per query may include trace.
- VEX overlays: render status (`not_affected`, `affected`) and justification; show issued timestamp and source.
- Overlay provenance: display `overlayId`, version, and source engine version if present.
## Error handling
- If Graph returns `GRAPH_BUDGET_EXCEEDED`, prompt user to reduce scope or increase budgets; do not silently drop overlays.
- On overlay cache miss + upstream failure, surface a non-blocking warning and proceed with node data.
## Events & notifications
- Subscribe to `policy.overlay.updated` (future) or re-poll every 10 minutes to refresh overlays in UI.
- When VEX status changes, UI should refresh impacted nodes/edges and reflect new status badges.
## References
- Policy overlay contract: `docs/modules/policy/prep/2025-11-22-policy-engine-30-001-prep.md`
- Graph API overlays: `docs/api/graph.md`, `docs/modules/graph/architecture-index.md`
- Concelier/Excititor overlays: `docs/modules/excititor/vex_observations.md`

2
docs/reachability/DELIVERY_GUIDE.md
View File

@@ -139,7 +139,7 @@ Each sprint is two weeks; refer to `docs/implplan/SPRINT_0401_0001_0001_reachabi
- Place developer-facing updates here (`docs/reachability`).
- [Function-level evidence guide](function-level-evidence.md) captures the Nov2025 advisory scope, task references, and schema expectations; keep it in lockstep with sprint status.
- [Reachability runtime runbook](../runbooks/reachability-runtime.md) now documents ingestion, CAS staging, air-gap handling, and troubleshooting—link every runtime feature PR to this guide.
- [Reachability runtime runbook](../runbooks/reachability-runtime.md) documents ingestion, CAS staging, air-gap handling, and troubleshooting—link every runtime feature PR to this guide.
- [VEX Evidence Playbook](../benchmarks/vex-evidence-playbook.md) defines the bench repo layout, artifact shapes, verifier tooling, and metrics; keep it updated when Policy/Signer/CLI features land.
- [Reachability lattice](lattice.md) describes the confidence states, evidence/mitigation kinds, scoring policy, event graph schema, and VEX gates; update it when lattices or probes change.
- [PURL-resolved edges spec](purl-resolved-edges.md) defines the purl + symbol-digest annotation rules for graphs and SBOM joins.

13
docs/release/promotion-attestations.md
View File

@@ -1,6 +1,6 @@
# Promotion-Time Attestations for StellaOps
> **Status:** Draft sprint 186/202/203 coordination
> **Status:** Stable (2025-11)
> **Owners:** Signing Guild · Provenance Guild · DevEx/CLI Guild · Export Center Guild
## 1. Purpose
@@ -24,7 +24,9 @@ Capture the full promotion-time evidence image digest, SBOM/VEX artifacts, R
"to": "prod",
"actor": "ci/gitlab-runner",
"timestamp": "2025-11-10T12:34:56Z",
"pipeline": "https://git.example.com/acme/api/-/pipelines/12345"
"pipeline": "https://git.example.com/acme/api/-/pipelines/12345",
"ticket": "JIRA-1234",
"notes": "risk accepted by ops"
},
"rekor": {
"uuid": "REKOR_ENTRY_UUID",
@@ -40,6 +42,10 @@ Capture the full promotion-time evidence image digest, SBOM/VEX artifacts, R
"signedNote": "BASE64_NOTE"
}
}
},
"attestation": {
"bundle_sha256": "sha256:…",
"witness": "optional-transparency-witness-signature"
}
}
```
@@ -57,6 +63,7 @@ The Provenance Guild implements the predicate builder (task `PROV-OBS-53-003`).
5. Build `attestation.json` using the template above and current promotion metadata.
6. Call Signer to produce a DSSE bundle (`cosign attest` or `stella promotion attest`).
7. Store the bundle alongside `attestation.json` and add both to Offline/Replay kits.
8. Emit Timeline + Evidence Locker entries with bundle digest.
### 3.2 Signer responsibilities (`SIGN-CORE-186-004/005/006`)
@@ -106,6 +113,6 @@ Artifacts are content-addressed via CAS and mirrored into Offline kits (`docs/re
| CLI commands | `CLI-PROMO-70-001/002` | TODO |
| Authority verifier | `AUTH-VERIFY-186-007` | TODO |
| Export packaging | `EXPORT-OBS-54-002` | TODO |
| Documentation | `DOCS-PROMO-70-001` | TODO |
| Documentation | `DOCS-PROMO-70-001` | DONE (2025-11-26) |
When all tasks are completed this document should be updated with status links and sample payloads.

8
docs/release/templates/determinism-score.md Normal file
View File

@@ -0,0 +1,8 @@
# Release Notes snippet — Scanner Determinism
- **Determinism score:** {{overall_score}} (threshold {{overall_min}}); per-image summary:
- {{image_digest}} → score {{score}} ({{identical}}/{{runs}} identical)
- {{next_image_digest}} → score {{score}} ({{identical}}/{{runs}} identical)
- **Inputs:** policy {{policy_sha}}, feeds {{feeds_sha}}, scanner {{scanner_sha}}, platform {{platform}}.
- **Evidence:** attached `determinism.json` + artefact hashes (DSSE-signed, offline-ready).
- **Actions:** rerun harness with `stella detscore run --bundle determinism.json` if score < threshold; block promotion until pass.

140
docs/runbooks/reachability-runtime.md
View File

@@ -1,95 +1,63 @@
# Runbook: Runtime Reachability Facts (Zastava → Signals)
# Reachability Runtime Ingestion Runbook
## Goal
Stream runtime symbol evidence from Zastava Observer to Signals in NDJSON batches that align with the runtime/static union schema, stay deterministic, and are replayable.
> **Imposed rule:** Runtime traces must never bypass CAS/DSSE verification; ingest only CAS-addressed NDJSON with hashes logged to Timeline and Evidence Locker.
## Endpoints
- Signals structured ingest: `POST /signals/runtime-facts`
- Signals NDJSON ingest: `POST /signals/runtime-facts/ndjson`
- Headers: `Content-Encoding: gzip` (optional), `Content-Type: application/x-ndjson`
- Query/header metadata: `callgraphId` (required), `scanId|imageDigest|component+version`, optional `source`
This runbook guides operators through ingesting runtime reachability evidence (EntryTrace, probes, Signals ingestion) and wiring it into the reachability evidence chain.
## NDJSON event shape (one per line)
```json
{
"symbolId": "pkg:python/django.views:View.as_view",
"codeId": "buildid-abc123",
"purl": "pkg:pypi/django@4.2.7",
"loaderBase": "0x7f23c01000",
"processId": 214,
"processName": "uwsgi",
"containerId": "c123",
"socketAddress": "10.0.0.5:8443",
"hitCount": 3,
"observedAt": "2025-11-26T12:00:00Z",
"metadata": { "pid": "214" }
}
```
## 1. Prerequisites
- Services: `Signals` API, `Zastava Observer` (or other probes), `Evidence Locker`, optional `Attestor` for DSSE.
- Reachability schema: `docs/reachability/function-level-evidence.md`, `docs/reachability/evidence-schema.md`.
- CAS: configured bucket/path for `cas://reachability/runtime/*` and `.../graphs/*`.
- Time sync: AirGap Time anchor if sealed; otherwise NTP with drift <200ms.
Required: `symbolId`, `hitCount`; `callgraphId` is provided via query/header metadata. Optional fields shown for correlation.
## 2. Ingestion workflow (online)
1) **Capture traces** from Observer/probes NDJSON (`runtime-trace.ndjson.gz`) with `symbol_id`, `purl`, `timestamp`, `pid`, `container`, `count`.
2) **Stage to CAS**: upload file, record `sha256`, store at `cas://reachability/runtime/<sha256>`.
3) **Optionally sign**: wrap CAS digest in DSSE (`stella attest runtime --bundle runtime.dsse.json`).
4) **Ingest** via Signals API:
```sh
curl -H "X-Stella-Tenant: acme" \
-H "Content-Type: application/x-ndjson" \
--data-binary @runtime-trace.ndjson.gz \
"https://signals.example/api/v1/runtime-facts?graph_hash=<graph>"
```
Headers returned: `Content-SHA256`, `X-Graph-Hash`, `X-Ingest-Id`.
5) **Emit timeline**: ensure Timeline event `reach.runtime.ingested` with CAS digest and ingest id.
6) **Verify**: run `stella graph verify --runtime runtime-trace.ndjson.gz --graph <graph_hash>` to confirm edges mapped.
## Batch rules
- NDJSON MUST NOT be empty; empty streams are rejected.
- Compress with gzip when large; maintain stable line ordering.
- Use UTC timestamps (ISO-8601 `observedAt`).
- Avoid PII; redact process/user info before send.
## 3. Ingestion workflow (air-gap)
1) Receive runtime bundle containing `runtime-trace.ndjson.gz`, `manifest.json` (hashes), optional DSSE.
2) Validate hashes against manifest; if present, verify DSSE bundle.
3) Import into CAS path `cas://reachability/runtime/<sha256>` using offline loader.
4) Run Signals offline ingest tool:
```sh
signals-offline ingest-runtime \
--tenant acme \
--graph-hash <graph_hash> \
--runtime runtime-trace.ndjson.gz \
--manifest manifest.json
```
5) Export ingest receipt and add to Evidence Locker; update Timeline when reconnected.
## CAS alignment
- When runtime trace bundles are produced, store under `cas://runtime_traces/<hh>/<sha>.tar.zst` and include `meta.json` with analysisId.
- Pass the same `analysisId` in `X-Analysis-Id` (if present) when uploading union bundles so replay manifests can link graphs+traces.
## 4. Checks & alerts
- **Drift**: block ingest if time anchor age > configured budget; surface `staleness_seconds`.
- **Hash mismatch**: fail ingest; write `runtime.ingest.failed` event with reason.
- **Orphan traces**: if no matching `graph_hash`, queue for retry and alert `reachability.orphan_traces` counter.
## Errors & remediation
- `400 callgraphId is required` → set `callgraphId` header/query.
- `400 runtime fact stream was empty` → ensure NDJSON has events.
- `400 Subject must include scanId/imageDigest/component+version` → populate subject metadata.
## 5. Troubleshooting
- **400 Bad Request**: validate NDJSON schema; run `scripts/reachability/validate_runtime_trace.py`.
- **Hash mismatch**: recompute `sha256sum runtime-trace.ndjson.gz`; compare to manifest.
- **Missing symbols**: ensure symbol manifest ingested (see `docs/specs/symbols/SYMBOL_MANIFEST_v1.md`); rerun `stella graph verify`.
- **High drift**: refresh time anchor (AirGap Time service) or resync NTP; retry ingest.
## Determinism checklist
- Stable ordering of NDJSON lines.
- No host-dependent paths; only IDs/digests.
- Fixed gzip level if used (suggest 6) to aid reproducibility.
## 6. Artefact checklist
- `runtime-trace.ndjson.gz` (or `.json`), `sha256` recorded.
- Optional `runtime.dsse.json` DSSE bundle.
- Ingest receipt (ingest id, graph hash, CAS digest, tenant).
- Timeline event `reach.runtime.ingested` and Evidence Locker record (bundle + receipt).
## Zastava Observer setup (runtime sampler)
- **Sampling mode:** deterministic EntryTrace sampler; default 1:1 (no drop) for pilot. Enable rate/CPU guard: `Sampler:MaxEventsPerSecond` (default 500), `Sampler:MaxCpuPercent` (default 35). When rates are exceeded, emit `sampler.dropped` counters with drop reason `rate_limit`/`cpu_guard`.
- **Symbol capture:** enable build-id collection (`SymbolCapture:CollectBuildIds=true`) and loader base addresses (`SymbolCapture:EmitLoaderBase=true`) to match static graphs.
- **Batching:** buffer up to 1,000 events or 2s, whichever comes first (`Ingest:BatchSize`, `Ingest:FlushIntervalMs`). Batches are sorted by `observedAt` before send to keep deterministic order.
- **Transport:** NDJSON POST to Signals `/signals/runtime-facts/ndjson` with headers `X-Callgraph-Id`, optional `X-Analysis-Id`. Set `Content-Encoding: gzip` when batches exceed 64KiB.
- **CAS traces (optional):** if EntryTrace raw traces are persisted, package as `cas://runtime_traces/<hh>/<sha>.tar.zst` with `meta.json` containing `analysisId`, `nodeCount`, `edgeCount`, `traceVersion`. Include the CAS URI in `metadata.casUri` on each NDJSON event.
- **Security/offline:** disable egress by default; allowlist only the Signals host. TLS must be enabled; supply client certs per platform runbook if required. No PID/user names are emitted—only digests/IDs.
### Example appsettings (Observer)
```json
{
"Sampler": {
"MaxEventsPerSecond": 500,
"MaxCpuPercent": 35
},
"SymbolCapture": {
"CollectBuildIds": true,
"EmitLoaderBase": true
},
"Ingest": {
"BatchSize": 1000,
"FlushIntervalMs": 2000,
"Endpoint": "https://signals.local/signals/runtime-facts/ndjson",
"Headers": {
"X-Callgraph-Id": "cg-123"
}
}
}
```
### Operational steps
1) Enable EntryTrace sampler in Zastava Observer with the config above; verify `sampler.dropped` stays at 0 during pilot.
2) Run a 5-minute capture and send NDJSON to a staging Signals instance using the smoke test; confirm 202 and CAS pointers recorded.
3) Correlate runtime facts to static graphs by callgraphId in Signals; ensure counts match sampler totals.
4) Promote config to prod/offline bundle; freeze config hashes for replay.
## Smoke test
```bash
cat events.ndjson | gzip -c | \
curl -X POST "https://signals.local/signals/runtime-facts/ndjson?callgraphId=cg-123&component=web&version=1.0.0" \
-H "Content-Type: application/x-ndjson" \
-H "Content-Encoding: gzip" \
--data-binary @-
```
Expect 202 Accepted with SubjectKey in response; Signals will recompute reachability and emit `signals.fact.updated@v1`.
## 7. References
- `docs/reachability/DELIVERY_GUIDE.md`
- `docs/reachability/function-level-evidence.md`
- `docs/reachability/evidence-schema.md`
- `docs/specs/symbols/SYMBOL_MANIFEST_v1.md`

38
docs/security/export-hardening.md Normal file
View File

@@ -0,0 +1,38 @@
# Export Hardening Guide
Status: Draft (2025-11-26) — DOCS-EXPORT-37-004.
## Scope
Protect export flows (Export Center, Graph exports, SBOM exports) in online and air-gapped deployments.
## RBAC & tenancy
- Enforce `export:*` scopes per service:
- Graph: `graph:export`
- Export Center: `export:read`, `export:write`
- SBOM: `sbom:export`
- Require `X-Stella-Tenant` on every export request; deny if missing/mismatched.
- Default deny cross-tenant access even for admins.
## Encryption & integrity
- All exports must include SHA256 (and size) headers; prefer DSSE manifest for multi-file bundles.
- When storing or staging bundles, encrypt at rest (KMS or sealed disk); in air-gap, keep CMK/KEK offline-ready.
- For downloadable endpoints, set `X-Content-SHA256`; clients must verify hash before use.
## Redaction & minimization
- Default exclude secrets, tokens, and credentials from exports; add allowlist only when required.
- For policy/VEX overlays, strip explain traces unless explicitly requested.
- Include only tenant-scoped data; avoid global caches in exported bundles.
## Network & paths
- Disallow direct external URLs in exports; use content-addressed blobs or gateway download paths.
- In air-gap mode, block egress during export and rely on local object storage.
- Set `Content-Security-Policy: sandbox` for HTML/PNG exports where applicable.
## Imposed rule reminder
- Follow platform “imposed rule” banner: **No external distribution without cryptographic integrity + tenant proof.**
- Every export must be reproducible: document source snapshot IDs, overlay versions, tool version, and hash.
## Runbook (abridged)
- If hash mismatch: stop distribution, regenerate export, open incident with bundle hash and source snapshot IDs.
- If RBAC failure spike: check gateway policy and scope mappings; verify tenant header presence in clients.
- Air-gap: verify bundle catalog signatures before ingest; reject if trust root mismatches.

80
docs/specs/symbols/SYMBOL_MANIFEST_v1.md Normal file
View File

@@ -0,0 +1,80 @@
# SYMBOL_MANIFEST v1
> **Imposed rule:** Symbol bundles must be content-addressed and tenant-scoped; every manifest entry must include the originating image digest and build-id to prevent cross-tenant leakage.
This document specifies the manifest format for distributing native debug symbols (ELF, PDB, dSYM) within StellaOps Offline Kits and symbol servers.
## 1. Use cases
- Offline debugging: GDB/LLDB/WinDBG pointing at local symbol server or file tree.
- Reachability analysis: map call stacks and function addresses to packages for scanner reachability overlays.
- Forensics: correlate runtime crash dumps to signed builds.
## 2. File layout
```
symbols/
manifest.json # SYMBOL_MANIFEST v1 (this spec)
manifest.json.sha256 # sha256 of manifest.json
/.build-id/aa/bbbbb.debug # ELF split DWARF
/.build-id/cc/ddddd.sym # PE/PDB (optional)
/mach-o/<uuid>.dSYM # Apple dSYM bundle (optional)
```
## 3. Manifest schema (JSON)
Top-level fields:
```jsonc
{
"schema": "SYMBOL_MANIFEST/v1",
"generated_at": "2025-11-26T12:00:00Z",
"generator": "stella symbol pack 1.0.0",
"tenant": "acme",
"entries": [
{
"image_digest": "sha256:...", // source image
"component": "openssl", // optional package/name
"build_id": "abcdef1234567890", // GNU build-id or PE GUID
"file": ".build-id/ab/cdef.debug", // relative path inside bundle
"format": "elf-debug" , // elf-debug | pdb | dsym
"arch": "linux/amd64", // GOARCH-style
"size": 123456, // bytes
"sha256": "sha256:...", // file digest
"source": {
"kind": "ci" | "vendor" | "runtime-capture",
"pipeline": "https://ci.example/pipeline/123", // optional
"attestation": "sha256:..." // DSSE bundle digest (optional)
}
}
]
}
```
Constraints:
- `schema` must be exactly `SYMBOL_MANIFEST/v1`.
- Entries sorted by `build_id` then `file` to keep deterministic ordering.
- `tenant` required; manifests are not shareable across tenants.
## 4. Validation
- Verify `manifest.json.sha256` matches `manifest.json`.
- For each entry, hash the referenced file and compare to `sha256`.
- Ensure `build_id` path matches file location (for ELF: `/.build-id/<aa>/<rest>.debug`).
- When attestation is present, validate the DSSE bundle before serving symbols.
## 5. Transport
- OCI artifact (recommended): media type `application/vnd.stella.symbols.manifest.v1+json`; symbols packed as a tar layer with manifest at root.
- File archive: deterministic `tar.gz` with POSIX `ustar`, sorted entries, UTC mtimes set to `0`.
- Export Center mirrors symbol bundles alongside SBOM/attestation bundles for air-gapped installs.
## 6. Tenant controls
- Symbol server enforces tenant header `X-Stella-Tenant`; manifests without matching tenant are rejected.
- Offline bundles carry tenant in manifest; Console warns if loading mismatched tenant.
## 7. Versioning
- Future versions add optional fields; parsers must ignore unknown fields.
- Breaking changes will bump to `SYMBOL_MANIFEST/v2`.
## 8. References
- `docs/24_OFFLINE_KIT.md` (debug store expectations)
- `docs/benchmarks/signals/bench-determinism.md`
- `docs/modules/scanner/architecture.md` (reachability + symbol linkage)

35
docs/specs/symbols/api.md Normal file
View File

@@ -0,0 +1,35 @@
# Symbol Server API
> **Imposed rule:** All API responses must include tenant scoping and content digests; cross-tenant symbol access is forbidden.
Base path: `/api/v1/symbols` (service: Symbol Server / Export Center plugin).
## Endpoints
- `GET /manifest` returns `SYMBOL_MANIFEST/v1` for the tenant.
- Headers: `X-Stella-Tenant` (required)
- Query: `image_digest` (optional filter), `build_id` (exact match)
- `GET /files/{path}` stream a symbol file by relative path in manifest.
- Headers: `X-Stella-Tenant`
- Responds with `Content-SHA256` header and ETag; 404 if tenant mismatch.
- `POST /ingest` upload a symbol bundle (tar or OCI artifact) and manifest.
- Headers: `X-Stella-Tenant`, `X-Stella-Attestation` (optional DSSE digest)
- Validates manifest checksum, entry digests, and tenant.
- `GET /health` readiness/liveness.
## Error model
- Problem+JSON; include `tenant`, `correlation_id`, and `policy` fields when access is denied.
- Rate limits: `429` with `Retry-After`; deterministic budget per tenant.
## Security
- Auth via Authority-issued JWT; enforce `symbols:read`/`symbols:write` scopes.
- Tenant check on every request; manifest tenant must equal header.
- Optional DSSE attestation digest header is recorded and surfaced in `/manifest` under `source.attestation`.
## Caching & offline
- Console/CLI cache manifest + files in CAS; revalidate via `If-None-Match` on `GET /manifest`.
- Offline kits mount symbol bundle read-only; API client can be pointed at `file://` CAS handler for air-gapped use.
## Observability
- Emit counters per tenant: `symbol_manifest_requests`, `symbol_file_bytes_served`, `symbol_ingest_failures`.
- Logs include `build_id`, `image_digest`, `tenant`, `attested` flag.

39
docs/specs/symbols/bundle-guide.md Normal file
View File

@@ -0,0 +1,39 @@
# Symbol Bundle Guide
This guide explains how to package, validate, and distribute symbol bundles that comply with `SYMBOL_MANIFEST/v1`.
## 1. Packaging steps
1. Gather debug artifacts (ELF `.debug`, PDB, dSYM) for the target release.
2. Compute `sha256` for each file and record size/arch/format.
3. Build `manifest.json` as per `SYMBOL_MANIFEST_v1.md`; sort entries by `build_id`, then `file`.
4. Write `manifest.json.sha256` with the hex digest of `manifest.json`.
5. Create a deterministic tarball:
- POSIX ustar
- Sorted file order
- `mtime=0`, `uid=gid=0`, `uname=guname=root`
- Compression: gzip `-n` to avoid timestamps
6. Optional: wrap as OCI artifact with media type `application/vnd.stella.symbols.manifest.v1+json`.
## 2. Validation checklist
- [ ] `manifest.json` hashes to `manifest.json.sha256`.
- [ ] Each file hash matches manifest entry.
- [ ] Build-id path structure is correct (ELF `.build-id/aa/<rest>.debug`).
- [ ] Tenant in manifest matches upload tenant.
- [ ] Tarball ordering is lexicographic and mtimes are zeroed.
## 3. Ingestion (API)
- POST the tar/OCI blob to `/api/v1/symbols/ingest` with header `X-Stella-Tenant`.
- Server recomputes digests; rejects mismatches or tenant mismatch.
- Optional DSSE attestation digest recorded in manifest for downstream verification.
## 4. Reachability integration
- Scanner attaches `build_id` and source image digest to reachability edges; Graph API can fetch symbol manifests to render function names in overlays.
- When symbols are missing, UI shows “symbol lookup unavailable” badge; import the matching manifest to enable function-level overlays.
## 5. Offline kits
- Place `symbols/` directory (manifest + files) at the kit root; include tarball and manifest digest.
- `debug-manifest.json` in Offline Kit should link to symbol manifest for cross-reference.
## 6. Tenant controls & audit
- Symbol server enforces tenant; exports are tagged with tenant in manifest and tar annotations.
- Emit Timeline events on ingest with bundle digest and tenant; attach DSSE attestation if present.

47
docs/ui/sbom-graph-explorer.md Normal file
View File

@@ -0,0 +1,47 @@
# SBOM Graph Explorer
> **Imposed rule:** Saved views and exports must include the overlay + filter set that produced them; do not distribute stripped exports.
The SBOM Graph Explorer lets operators traverse components, dependencies, and reachability overlays with deterministic filters suitable for online and air-gapped consoles.
## Views & overlays
- **Inventory vs Usage overlays:** toggle to see declared packages (inventory) or runtime-observed packages (usage). Overlays are rendered as chips; colors align with graph legend.
- **Reachability overlay:** highlights components reachable from entrypoints; respects cached reachability results from Graph API. Disabled when `reachability_source` is stale (>24h) to avoid misleading badges.
- **Policy overlay:** displays allow/deny/review verdicts from Policy Engine; shows cache epoch and simulator marker when viewing staged policy.
- **VEX overlay:** marks components covered by active VEX claims (Excititor); conflict states (pending/contested) surface as striped badges.
## Filters
- **Package facets:** ecosystem, name (supports substring and PURL), version, license, and supplier.
- **Reachability facets:** entrypoint, call depth, and evidence source (static/runtime/edge bundle).
- **Risk facets:** severity band, EPSS bucket, KEV flag, exploitability score.
- **Time facets:** last-seen (usage), last-scan (inventory) to surface staleness.
- Filters are additive; results are deterministically sorted by component PURL, then version.
## Saved views
- Saved views capture query, overlays, column set, sort, and tenant. They are stored per tenant and tagged with `graph_cache_epoch` to detect stale caches.
- Export saved view: downloads NDJSON with `view_id`, `filters`, `overlays`, `results[]`, and SHA-256 manifest. Works offline; includes attestations if available.
- Restoring a view warns when cache epoch differs; users can refresh overlays before applying.
## Interactions
- **Graph canvas:** zoom/pan; node tooltip shows PURL, reachability, licenses, and open issues count. Double-click expands neighbors; capped by `ui.graph.maxNodes` to keep performance deterministic.
- **Table panel:** synchronized with canvas selection; supports column picker and keyboard navigation (arrow keys, Enter to open drawer).
- **Details drawer:** shows component metadata, provenance (source SBOM digest + Rekor UUID if attested), and outgoing/incoming edges with reachability evidence.
- **Search bar:** accepts PURL, package name, or CVE; CVE search auto-filters to affected components via vulnerability overlay.
## Accessibility
- Full keyboard navigation: Tab/Shift+Tab moves between canvas, filters, table, drawer. Canvas focus ring is visible at 3:1 contrast.
- Screen reader labels include overlay state (e.g., “node: openssl 3.0.12, reachable, vex-contested”).
- High-contrast mode uses solid fills; motion reduced when `prefers-reduced-motion` is set.
## Air-gap & caching
- Works with offline Graph API bundles; overlays and filters use cached results when `graph_cache_epoch` matches. Exports include cache epoch to keep audits deterministic.
- Prefers client-side cache for back/forward navigation; cache invalidates on tenant switch or overlay version change.
## AOC visibility
- Aggregation-Only Contract surfaces in the header when viewing regulated tenants; UI disables ad-hoc joins and shows “AOC enforced” badge. Exports include `aoc=true` flag.
## Related docs
- `docs/api/graph.md`
- `docs/modules/graph/architecture-index.md`
- `docs/policy/ui-integration.md`
- `docs/modules/cli/guides/graph-and-vuln.md`

51
docs/ui/vulnerability-explorer.md Normal file
View File

@@ -0,0 +1,51 @@
# Vulnerability Explorer
> **Imposed rule:** Any exported or shared view must include the data sources and overlays applied (VEX, policy, reachability) to avoid out-of-context remediation decisions.
The Vulnerability Explorer provides deterministic tables and grouping to triage, explain, and act on vulns across SBOM graph data and VEX claims.
## Table anatomy
- Default columns: CVE/alias, package (PURL), version, severity, exploitability (EPSS/KEV), reachability, VEX status, fix version, policy verdict, last seen.
- Sorting: primary by severity (desc), secondary by exploitability score, tertiary by PURL; ties broken by CVE.
- Pagination: server-driven with stable cursors; page size defaults to 50, override via `?limit=`.
## Grouping & pivots
- Group by **package**, **CVE**, **image**, or **tenant**. Each group shows counts by severity and VEX disposition.
- “Why am I seeing this?” drawer explains grouping rules and shows upstream data sources for the group.
- Export follows the active grouping; NDJSON includes `group_key`, `items[]`, and overlay metadata.
## Filters
- **Severity**: critical/high/medium/low/none.
- **Exploitability**: KEV flag, EPSS bucket, exploit maturity.
- **Reachability**: reachable, conditionally reachable, unreachable, unknown.
- **VEX**: affected, not_affected, under_investigation, disputed, contested.
- **Fix availability**: has fix, no fix, downgrade available.
- **Policy verdict**: allow, review, deny, staged verdicts (simulator).
- **Staleness**: SBOM age, advisory feed age, VEX claim age.
## Why drawer
- Provides a structured explanation showing: data sources (SBOM digest, overlay epochs), policy inputs, VEX claims contributing to the verdict, and reachability evidence. Includes correlation IDs for API traces.
- Always shows tenant and `graph_cache_epoch` to keep exports/audits reproducible.
## Fix suggestions
- Per-row “Fix” chip suggests the nearest patched version and source (vendor vs upstream), plus link to remediation doc if provided by advisory.
- Bulk fix export produces an actions file: `{purl, vuln, recommended_version, source, rationale}` with SHA-256 manifest.
- UI warns when fixes rely on contested VEX claims or stale advisories.
## Actions & triage
- Multi-select with bulk actions: create ticket, generate VEX waiver request, export SBOM diff, or open policy simulator with selected rows.
- Policy simulator opens with current overlays and generates a simulated verdict for the selection; results can be saved as a “staged policy” view.
## Accessibility
- Keyboard shortcuts: `g` to toggle grouping, `f` to focus filters, `w` to open Why drawer on selected row, `/` to focus search.
- Screen reader labels announce VEX and reachability state; focus order matches visual order; table rows support row headers.
## Air-gap posture
- All exports include overlays and cache epochs; offline bundles can be loaded via `Import view` to replay triage without network.
- No live CVE enrichment calls from the UI; it relies solely on backend-provided overlays.
## Related docs
- `docs/ui/sbom-graph-explorer.md`
- `docs/api/graph.md`
- `docs/api/vuln.md`
- `docs/modules/graph/architecture-index.md`

BIN
ops/offline-kit/__pycache__/build_offline_kit.cpython-312.pyc
View File

Binary file not shown.

35
ops/offline-kit/build_offline_kit.py
View File

@@ -288,8 +288,8 @@ def package_telemetry_bundle(staging_dir: Path) -> None:
shutil.copy2(sha_path, telemetry_dir / sha_path.name)
def scan_files(staging_dir: Path, exclude: Optional[set[str]] = None) -> list[OrderedDict[str, Any]]:
entries: list[OrderedDict[str, Any]] = []
def scan_files(staging_dir: Path, exclude: Optional[set[str]] = None) -> list[OrderedDict[str, Any]]:
entries: list[OrderedDict[str, Any]] = []
exclude = exclude or set()
for path in sorted(staging_dir.rglob("*")):
if not path.is_file():
@@ -309,6 +309,24 @@ def scan_files(staging_dir: Path, exclude: Optional[set[str]] = None) -> list[Or
return entries
def summarize_counts(staging_dir: Path) -> Mapping[str, int]:
def count_files(rel: str) -> int:
root = staging_dir / rel
if not root.exists():
return 0
return sum(1 for path in root.rglob("*") if path.is_file())
return {
"cli": count_files("cli"),
"taskPacksDocs": count_files("docs/task-packs"),
"containers": count_files("containers"),
"orchestrator": count_files("orchestrator"),
"exportCenter": count_files("export-center"),
"notifier": count_files("notifier"),
"surfaceSecrets": count_files("surface-secrets"),
}
def copy_container_bundles(release_dir: Path, staging_dir: Path) -> None:
"""Copy container air-gap bundles if present in the release directory."""
candidates = [release_dir / "containers", release_dir / "images"]
@@ -473,8 +491,8 @@ def build_offline_kit(args: argparse.Namespace) -> MutableMapping[str, Any]:
if manifest_sig:
signature_paths["manifestSignature"] = str(manifest_sig)
metadata = OrderedDict(
(
metadata = OrderedDict(
(
("bundleId", args.bundle_id or f"{args.version}-{args.channel}-{utc_now_iso()}"),
("bundleName", bundle_path.name),
("bundleSha256", bundle_sha_prefixed),
@@ -483,10 +501,11 @@ def build_offline_kit(args: argparse.Namespace) -> MutableMapping[str, Any]:
("manifestSha256", f"sha256:{offline_manifest_sha}"),
("manifestSize", offline_manifest_path.stat().st_size),
("channel", args.channel),
("version", args.version),
("capturedAt", utc_now_iso()),
)
)
("version", args.version),
("capturedAt", utc_now_iso()),
("counts", summarize_counts(staging_dir)),
)
)
if sig:
metadata["bundleSignatureName"] = Path(sig).name

15
ops/offline-kit/test_build_offline_kit.py
View File

@@ -305,10 +305,17 @@ class OfflineKitBuilderTests(unittest.TestCase):
self.assertTrue(any(item["name"].startswith("sboms/") for item in artifacts))
self.assertTrue(any(item["name"].startswith("cli/") for item in artifacts))
metadata_path = Path(result["metadataPath"])
data = json.loads(metadata_path.read_text(encoding="utf-8"))
self.assertTrue(data["bundleSha256"].startswith("sha256:"))
self.assertTrue(data["manifestSha256"].startswith("sha256:"))
metadata_path = Path(result["metadataPath"])
data = json.loads(metadata_path.read_text(encoding="utf-8"))
self.assertTrue(data["bundleSha256"].startswith("sha256:"))
self.assertTrue(data["manifestSha256"].startswith("sha256:"))
counts = data["counts"]
self.assertGreaterEqual(counts["cli"], 1)
self.assertGreaterEqual(counts["containers"], 1)
self.assertGreaterEqual(counts["orchestrator"], 2)
self.assertGreaterEqual(counts["exportCenter"], 1)
self.assertGreaterEqual(counts["notifier"], 1)
self.assertGreaterEqual(counts["surfaceSecrets"], 1)
with tarfile.open(bundle_path, "r:gz") as tar:
members = tar.getnames()

BIN
out/telemetry/telemetry-offline-bundle.tar.gz
View File

Binary file not shown.

2
out/telemetry/telemetry-offline-bundle.tar.gz.sha256
View File

@@ -1 +1 @@
dc3938d79d4e0b9a77e92dc6660391f36230b8d16c9b24b7164b6a1e6723666b telemetry-offline-bundle.tar.gz
2d3e03f4b43fd5f221fb4a22d0b538831c99bfe4040c13cb081189408b5c3815 telemetry-offline-bundle.tar.gz

14
scripts/tests/run-policy-cli-tests.ps1 Normal file
View File

@@ -0,0 +1,14 @@
$ErrorActionPreference = "Stop"
# Runs PolicyValidationCliTests using the minimal policy-only solution with graph build disabled.
$Root = Split-Path -Parent (Split-Path -Parent $PSCommandPath)
Set-Location $Root
$env:DOTNET_DISABLE_BUILTIN_GRAPH = "1"
$solution = "src/Policy/StellaOps.Policy.only.sln"
dotnet restore $solution -v minimal
dotnet build src/Policy/__Tests/StellaOps.Policy.Tests/StellaOps.Policy.Tests.csproj -c Release --no-restore /p:BuildProjectReferences=false
dotnet test $solution -c Release --no-build --filter FullyQualifiedName~PolicyValidationCliTests

15
scripts/tests/run-policy-cli-tests.sh Normal file
View File

@@ -0,0 +1,15 @@
#!/usr/bin/env bash
set -euo pipefail
# Run PolicyValidationCliTests with a minimal solution and graph-build disabled.
ROOT="$(cd "$(dirname "$0")/.." && pwd)"
cd "$ROOT"
export DOTNET_DISABLE_BUILTIN_GRAPH=1
SOLUTION="src/Policy/StellaOps.Policy.only.sln"
dotnet restore "$SOLUTION" -v minimal
dotnet build src/Policy/__Tests/StellaOps.Policy.Tests/StellaOps.Policy.Tests.csproj -c Release --no-restore /p:BuildProjectReferences=false
dotnet test "$SOLUTION" -c Release --no-build --filter FullyQualifiedName~PolicyValidationCliTests

37
src/AirGap/StellaOps.AirGap.Controller/Auth/HeaderScopeAuthenticationHandler.cs Normal file
View File

@@ -0,0 +1,37 @@
using System.Security.Claims;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Options;
namespace StellaOps.AirGap.Controller.Auth;
public sealed class HeaderScopeAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
public const string SchemeName = "HeaderScope";
#pragma warning disable CS0618 // ISystemClock obsolete; base ctor signature still requires it on this TF.
public HeaderScopeAuthenticationHandler(
IOptionsMonitor<AuthenticationSchemeOptions> options,
ILoggerFactory logger,
UrlEncoder encoder,
ISystemClock clock) : base(options, logger, encoder, clock)
{
}
#pragma warning restore CS0618
protected override Task<AuthenticateResult> HandleAuthenticateAsync()
{
// Accept any request; scopes are read from `scope` header (space-separated)
var claims = new List<Claim> { new(ClaimTypes.NameIdentifier, "anonymous") };
if (Request.Headers.TryGetValue("scope", out var scopeHeader))
{
claims.Add(new("scope", scopeHeader.ToString()));
}
var identity = new ClaimsIdentity(claims, SchemeName);
var principal = new ClaimsPrincipal(identity);
var ticket = new AuthenticationTicket(principal, SchemeName);
return Task.FromResult(AuthenticateResult.Success(ticket));
}
}

37
src/AirGap/StellaOps.AirGap.Controller/DependencyInjection/AirGapControllerServiceCollectionExtensions.cs Normal file
View File

@@ -0,0 +1,37 @@
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using MongoDB.Driver;
using StellaOps.AirGap.Controller.Options;
using StellaOps.AirGap.Controller.Services;
using StellaOps.AirGap.Controller.Stores;
using StellaOps.AirGap.Time.Services;
namespace StellaOps.AirGap.Controller.DependencyInjection;
public static class AirGapControllerServiceCollectionExtensions
{
public static IServiceCollection AddAirGapController(this IServiceCollection services, IConfiguration configuration)
{
services.Configure<AirGapControllerMongoOptions>(configuration.GetSection("AirGap:Mongo"));
services.AddSingleton<StalenessCalculator>();
services.AddSingleton<AirGapStateService>();
services.AddSingleton<IAirGapStateStore>(sp =>
{
var opts = sp.GetRequiredService<IOptions<AirGapControllerMongoOptions>>().Value;
if (string.IsNullOrWhiteSpace(opts.ConnectionString))
{
return new InMemoryAirGapStateStore();
}
var mongoClient = new MongoClient(opts.ConnectionString);
var database = mongoClient.GetDatabase(string.IsNullOrWhiteSpace(opts.Database) ? "stellaops_airgap" : opts.Database);
var collection = MongoAirGapStateStore.EnsureCollection(database);
return new MongoAirGapStateStore(collection);
});
return services;
}
}

18
src/AirGap/StellaOps.AirGap.Controller/Domain/AirGapState.cs Normal file
View File

@@ -0,0 +1,18 @@
using StellaOps.AirGap.Time.Models;
namespace StellaOps.AirGap.Controller.Domain;
public sealed record AirGapState
{
public const string SingletonId = "singleton";
public string Id { get; init; } = SingletonId;
public string TenantId { get; init; } = "default";
public bool Sealed { get; init; }
= false;
public string? PolicyHash { get; init; }
= null;
public TimeAnchor TimeAnchor { get; init; } = TimeAnchor.Unknown;
public DateTimeOffset LastTransitionAt { get; init; } = DateTimeOffset.MinValue;
public StalenessBudget StalenessBudget { get; init; } = StalenessBudget.Default;
}

108
src/AirGap/StellaOps.AirGap.Controller/Endpoints/AirGapEndpoints.cs Normal file
View File

@@ -0,0 +1,108 @@
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using StellaOps.AirGap.Controller.Endpoints.Contracts;
using StellaOps.AirGap.Controller.Services;
using StellaOps.AirGap.Time.Models;
using StellaOps.AirGap.Time.Services;
namespace StellaOps.AirGap.Controller.Endpoints;
internal static class AirGapEndpoints
{
private const string StatusScope = "airgap:status:read";
private const string SealScope = "airgap:seal";
public static RouteGroupBuilder MapAirGapEndpoints(this IEndpointRouteBuilder app)
{
var group = app.MapGroup("/system/airgap")
.RequireAuthorization();
group.MapGet("/status", HandleStatus)
.RequireScope(StatusScope)
.WithName("AirGapStatus");
group.MapPost("/seal", HandleSeal)
.RequireScope(SealScope)
.WithName("AirGapSeal");
group.MapPost("/unseal", HandleUnseal)
.RequireScope(SealScope)
.WithName("AirGapUnseal");
return group;
}
private static async Task<IResult> HandleStatus(
ClaimsPrincipal user,
AirGapStateService service,
TimeProvider timeProvider,
HttpContext httpContext,
CancellationToken cancellationToken)
{
var tenantId = ResolveTenant(httpContext);
var status = await service.GetStatusAsync(tenantId, timeProvider.GetUtcNow(), cancellationToken);
return Results.Ok(AirGapStatusResponse.FromStatus(status));
}
private static async Task<IResult> HandleSeal(
SealRequest request,
ClaimsPrincipal user,
AirGapStateService service,
StalenessCalculator stalenessCalculator,
TimeProvider timeProvider,
HttpContext httpContext,
CancellationToken cancellationToken)
{
if (string.IsNullOrWhiteSpace(request.PolicyHash))
{
return Results.BadRequest(new { error = "policy_hash_required" });
}
var tenantId = ResolveTenant(httpContext);
var anchor = request.TimeAnchor ?? TimeAnchor.Unknown;
var budget = request.StalenessBudget ?? StalenessBudget.Default;
var now = timeProvider.GetUtcNow();
var state = await service.SealAsync(tenantId, request.PolicyHash!, anchor, budget, now, cancellationToken);
var status = new AirGapStatus(state, stalenessCalculator.Evaluate(anchor, budget, now), now);
return Results.Ok(AirGapStatusResponse.FromStatus(status));
}
private static async Task<IResult> HandleUnseal(
ClaimsPrincipal user,
AirGapStateService service,
TimeProvider timeProvider,
HttpContext httpContext,
CancellationToken cancellationToken)
{
var tenantId = ResolveTenant(httpContext);
var state = await service.UnsealAsync(tenantId, timeProvider.GetUtcNow(), cancellationToken);
var status = new AirGapStatus(state, StalenessEvaluation.Unknown, timeProvider.GetUtcNow());
return Results.Ok(AirGapStatusResponse.FromStatus(status));
}
private static string ResolveTenant(HttpContext httpContext)
{
if (httpContext.Request.Headers.TryGetValue("x-tenant-id", out var tenantHeader) && !string.IsNullOrWhiteSpace(tenantHeader))
{
return tenantHeader.ToString();
}
return "default";
}
}
internal static class AuthorizationExtensions
{
public static RouteHandlerBuilder RequireScope(this RouteHandlerBuilder builder, string requiredScope)
{
return builder.RequireAuthorization(policy =>
{
policy.RequireAssertion(ctx =>
{
var scopes = ctx.User.FindFirstValue("scope") ?? ctx.User.FindFirstValue("scp") ?? string.Empty;
return scopes.Split(' ', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
.Contains(requiredScope, StringComparer.OrdinalIgnoreCase);
});
});
}
}

25
src/AirGap/StellaOps.AirGap.Controller/Endpoints/Contracts/AirGapStatusResponse.cs Normal file
View File

@@ -0,0 +1,25 @@
using StellaOps.AirGap.Controller.Domain;
using StellaOps.AirGap.Controller.Services;
using StellaOps.AirGap.Time.Models;
namespace StellaOps.AirGap.Controller.Endpoints.Contracts;
public sealed record AirGapStatusResponse(
string TenantId,
bool Sealed,
string? PolicyHash,
TimeAnchor TimeAnchor,
StalenessEvaluation Staleness,
DateTimeOffset LastTransitionAt,
DateTimeOffset EvaluatedAt)
{
public static AirGapStatusResponse FromStatus(AirGapStatus status) =>
new(
status.State.TenantId,
status.State.Sealed,
status.State.PolicyHash,
status.State.TimeAnchor,
status.Staleness,
status.State.LastTransitionAt,
status.EvaluatedAt);
}

14
src/AirGap/StellaOps.AirGap.Controller/Endpoints/Contracts/SealRequest.cs Normal file
View File

@@ -0,0 +1,14 @@
using System.ComponentModel.DataAnnotations;
using StellaOps.AirGap.Time.Models;
namespace StellaOps.AirGap.Controller.Endpoints.Contracts;
public sealed class SealRequest
{
[Required]
public string? PolicyHash { get; set; }
public TimeAnchor? TimeAnchor { get; set; }
public StalenessBudget? StalenessBudget { get; set; }
}

22
src/AirGap/StellaOps.AirGap.Controller/Options/AirGapControllerMongoOptions.cs Normal file
View File

@@ -0,0 +1,22 @@
namespace StellaOps.AirGap.Controller.Options;
/// <summary>
/// Mongo configuration for the air-gap controller state store.
/// </summary>
public sealed class AirGapControllerMongoOptions
{
/// <summary>
/// Mongo connection string; when missing, the controller falls back to the in-memory store.
/// </summary>
public string? ConnectionString { get; set; }
/// <summary>
/// Database name. Default: "stellaops_airgap".
/// </summary>
public string Database { get; set; } = "stellaops_airgap";
/// <summary>
/// Collection name for state documents. Default: "airgap_state".
/// </summary>
public string Collection { get; set; } = "airgap_state";
}

25
src/AirGap/StellaOps.AirGap.Controller/Program.cs Normal file
View File

@@ -0,0 +1,25 @@
using Microsoft.AspNetCore.Authentication;
using StellaOps.AirGap.Controller.Auth;
using StellaOps.AirGap.Controller.DependencyInjection;
using StellaOps.AirGap.Controller.Endpoints;
using StellaOps.AirGap.Time.Services;
using StellaOps.AirGap.Time.Models;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(HeaderScopeAuthenticationHandler.SchemeName)
.AddScheme<AuthenticationSchemeOptions, HeaderScopeAuthenticationHandler>(HeaderScopeAuthenticationHandler.SchemeName, _ => { });
builder.Services.AddAuthorization();
builder.Services.AddSingleton<TimeProvider>(TimeProvider.System);
builder.Services.AddAirGapController(builder.Configuration);
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapAirGapEndpoints();
app.Run();
public partial class Program { }

70
src/AirGap/StellaOps.AirGap.Controller/Services/AirGapStateService.cs Normal file
View File

@@ -0,0 +1,70 @@
using StellaOps.AirGap.Controller.Domain;
using StellaOps.AirGap.Controller.Stores;
using StellaOps.AirGap.Time.Models;
using StellaOps.AirGap.Time.Services;
namespace StellaOps.AirGap.Controller.Services;
public sealed class AirGapStateService
{
private readonly IAirGapStateStore _store;
private readonly StalenessCalculator _stalenessCalculator;
public AirGapStateService(IAirGapStateStore store, StalenessCalculator stalenessCalculator)
{
_store = store;
_stalenessCalculator = stalenessCalculator;
}
public async Task<AirGapState> SealAsync(
string tenantId,
string policyHash,
TimeAnchor timeAnchor,
StalenessBudget budget,
DateTimeOffset nowUtc,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(policyHash);
budget.Validate();
var newState = new AirGapState
{
TenantId = tenantId,
Sealed = true,
PolicyHash = policyHash,
TimeAnchor = timeAnchor,
StalenessBudget = budget,
LastTransitionAt = nowUtc
};
await _store.SetAsync(newState, cancellationToken);
return newState;
}
public async Task<AirGapState> UnsealAsync(
string tenantId,
DateTimeOffset nowUtc,
CancellationToken cancellationToken = default)
{
var current = await _store.GetAsync(tenantId, cancellationToken);
var newState = current with
{
Sealed = false,
LastTransitionAt = nowUtc
};
await _store.SetAsync(newState, cancellationToken);
return newState;
}
public async Task<AirGapStatus> GetStatusAsync(
string tenantId,
DateTimeOffset nowUtc,
CancellationToken cancellationToken = default)
{
var state = await _store.GetAsync(tenantId, cancellationToken);
var staleness = _stalenessCalculator.Evaluate(state.TimeAnchor, state.StalenessBudget, nowUtc);
return new AirGapStatus(state, staleness, nowUtc);
}
}
public sealed record AirGapStatus(AirGapState State, StalenessEvaluation Staleness, DateTimeOffset EvaluatedAt);

14
src/AirGap/StellaOps.AirGap.Controller/StellaOps.AirGap.Controller.csproj Normal file
View File

@@ -0,0 +1,14 @@
<Project Sdk="Microsoft.NET.Sdk.Web">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<Nullable>enable</Nullable>
<ImplicitUsings>enable</ImplicitUsings>
<RootNamespace>StellaOps.AirGap.Controller</RootNamespace>
</PropertyGroup>
<ItemGroup>
<ProjectReference Include="../StellaOps.AirGap.Time/StellaOps.AirGap.Time.csproj" />
</ItemGroup>
<ItemGroup>
<PackageReference Include="MongoDB.Driver" Version="3.5.0" />
</ItemGroup>
</Project>

9
src/AirGap/StellaOps.AirGap.Controller/Stores/IAirGapStateStore.cs Normal file
View File

@@ -0,0 +1,9 @@
using StellaOps.AirGap.Controller.Domain;
namespace StellaOps.AirGap.Controller.Stores;
public interface IAirGapStateStore
{
Task<AirGapState> GetAsync(string tenantId, CancellationToken cancellationToken = default);
Task SetAsync(AirGapState state, CancellationToken cancellationToken = default);
}

26
src/AirGap/StellaOps.AirGap.Controller/Stores/InMemoryAirGapStateStore.cs Normal file
View File

@@ -0,0 +1,26 @@
using StellaOps.AirGap.Controller.Domain;
namespace StellaOps.AirGap.Controller.Stores;
public sealed class InMemoryAirGapStateStore : IAirGapStateStore
{
private readonly Dictionary<string, AirGapState> _states = new(StringComparer.Ordinal);
public Task<AirGapState> GetAsync(string tenantId, CancellationToken cancellationToken = default)
{
cancellationToken.ThrowIfCancellationRequested();
if (_states.TryGetValue(tenantId, out var state))
{
return Task.FromResult(state);
}
return Task.FromResult(new AirGapState { TenantId = tenantId });
}
public Task SetAsync(AirGapState state, CancellationToken cancellationToken = default)
{
cancellationToken.ThrowIfCancellationRequested();
_states[state.TenantId] = state;
return Task.CompletedTask;
}
}

156
src/AirGap/StellaOps.AirGap.Controller/Stores/MongoAirGapStateStore.cs Normal file
View File

@@ -0,0 +1,156 @@
using MongoDB.Bson;
using MongoDB.Bson.Serialization.Attributes;
using MongoDB.Driver;
using StellaOps.AirGap.Controller.Domain;
using StellaOps.AirGap.Time.Models;
namespace StellaOps.AirGap.Controller.Stores;
/// <summary>
/// Mongo-backed air-gap state store; single document per tenant.
/// </summary>
internal sealed class MongoAirGapStateStore : IAirGapStateStore
{
private readonly IMongoCollection<AirGapStateDocument> _collection;
public MongoAirGapStateStore(IMongoCollection<AirGapStateDocument> collection)
{
_collection = collection;
}
public async Task<AirGapState> GetAsync(string tenantId, CancellationToken cancellationToken = default)
{
var filter = Builders<AirGapStateDocument>.Filter.And(
Builders<AirGapStateDocument>.Filter.Eq(x => x.TenantId, tenantId),
Builders<AirGapStateDocument>.Filter.Eq(x => x.Id, AirGapState.SingletonId));
var doc = await _collection.Find(filter).FirstOrDefaultAsync(cancellationToken).ConfigureAwait(false);
return doc?.ToDomain() ?? new AirGapState { TenantId = tenantId };
}
public async Task SetAsync(AirGapState state, CancellationToken cancellationToken = default)
{
var doc = AirGapStateDocument.FromDomain(state);
var filter = Builders<AirGapStateDocument>.Filter.And(
Builders<AirGapStateDocument>.Filter.Eq(x => x.TenantId, state.TenantId),
Builders<AirGapStateDocument>.Filter.Eq(x => x.Id, AirGapState.SingletonId));
var options = new ReplaceOptions { IsUpsert = true };
await _collection.ReplaceOneAsync(filter, doc, options, cancellationToken).ConfigureAwait(false);
}
internal static IMongoCollection<AirGapStateDocument> EnsureCollection(IMongoDatabase database)
{
var collectionName = "airgap_state";
var exists = database.ListCollectionNames().ToList().Contains(collectionName);
if (!exists)
{
database.CreateCollection(collectionName);
}
var collection = database.GetCollection<AirGapStateDocument>(collectionName);
var keys = Builders<AirGapStateDocument>.IndexKeys
.Ascending(x => x.TenantId)
.Ascending(x => x.Id);
var model = new CreateIndexModel<AirGapStateDocument>(keys, new CreateIndexOptions { Unique = true });
collection.Indexes.CreateOne(model);
return collection;
}
}
internal sealed class AirGapStateDocument
{
[BsonId]
public string Id { get; init; } = AirGapState.SingletonId;
[BsonElement("tenant_id")]
public string TenantId { get; init; } = "default";
[BsonElement("sealed")]
public bool Sealed { get; init; }
= false;
[BsonElement("policy_hash")]
public string? PolicyHash { get; init; }
= null;
[BsonElement("time_anchor")]
public AirGapTimeAnchorDocument TimeAnchor { get; init; } = new();
[BsonElement("staleness_budget")]
public StalenessBudgetDocument StalenessBudget { get; init; } = new();
[BsonElement("last_transition_at")]
public DateTimeOffset LastTransitionAt { get; init; }
= DateTimeOffset.MinValue;
public AirGapState ToDomain() => new()
{
TenantId = TenantId,
Sealed = Sealed,
PolicyHash = PolicyHash,
TimeAnchor = TimeAnchor.ToDomain(),
StalenessBudget = StalenessBudget.ToDomain(),
LastTransitionAt = LastTransitionAt
};
public static AirGapStateDocument FromDomain(AirGapState state) => new()
{
TenantId = state.TenantId,
Sealed = state.Sealed,
PolicyHash = state.PolicyHash,
TimeAnchor = AirGapTimeAnchorDocument.FromDomain(state.TimeAnchor),
StalenessBudget = StalenessBudgetDocument.FromDomain(state.StalenessBudget),
LastTransitionAt = state.LastTransitionAt
};
}
internal sealed class AirGapTimeAnchorDocument
{
[BsonElement("anchor_time")]
public DateTimeOffset AnchorTime { get; init; }
= DateTimeOffset.MinValue;
[BsonElement("source")]
public string Source { get; init; } = "unknown";
[BsonElement("format")]
public string Format { get; init; } = "unknown";
[BsonElement("signature_fp")]
public string SignatureFingerprint { get; init; } = string.Empty;
[BsonElement("token_digest")]
public string TokenDigest { get; init; } = string.Empty;
public StellaOps.AirGap.Time.Models.TimeAnchor ToDomain() =>
new(AnchorTime, Source, Format, SignatureFingerprint, TokenDigest);
public static AirGapTimeAnchorDocument FromDomain(StellaOps.AirGap.Time.Models.TimeAnchor anchor) => new()
{
AnchorTime = anchor.AnchorTime,
Source = anchor.Source,
Format = anchor.Format,
SignatureFingerprint = anchor.SignatureFingerprint,
TokenDigest = anchor.TokenDigest
};
}
internal sealed class StalenessBudgetDocument
{
[BsonElement("warning_seconds")]
public long WarningSeconds { get; init; } = StalenessBudget.Default.WarningSeconds;
[BsonElement("breach_seconds")]
public long BreachSeconds { get; init; } = StalenessBudget.Default.BreachSeconds;
public StalenessBudget ToDomain() => new(WarningSeconds, BreachSeconds);
public static StalenessBudgetDocument FromDomain(StalenessBudget budget) => new()
{
WarningSeconds = budget.WarningSeconds,
BreachSeconds = budget.BreachSeconds
};
}

6
src/AirGap/TASKS.md
View File

@@ -6,11 +6,11 @@
| PREP-AIRGAP-IMP-56-002-BLOCKED-ON-56-001 | DONE | Unblocked by importer scaffold/trust-root contract. | 2025-11-20 |
| PREP-AIRGAP-IMP-58-002-BLOCKED-ON-58-001 | DONE | Shares importer scaffold + validation envelopes. | 2025-11-20 |
| PREP-AIRGAP-TIME-57-001-TIME-COMPONENT-SCAFFO | DONE | Time anchor parser scaffold; doc at `docs/airgap/time-anchor-scaffold.md`. | 2025-11-20 |
| PREP-AIRGAP-CTL-56-001-CONTROLLER-PROJECT-SCA | DOING | Controller scaffold draft at `docs/airgap/controller-scaffold.md`; awaiting Authority scopes decision. | 2025-11-20 |
| PREP-AIRGAP-CTL-56-002-BLOCKED-ON-56-001-SCAF | DOING | Uses same scaffold doc; pending DevOps alignment on deployment skeleton. | 2025-11-20 |
| PREP-AIRGAP-CTL-56-001-CONTROLLER-PROJECT-SCA | DONE | Controller scaffold drafted; controller project created with seal/unseal/state endpoints per doc. | 2025-11-26 |
| PREP-AIRGAP-CTL-56-002-BLOCKED-ON-56-001-SCAF | DONE | Scaffold applied to status/seal endpoints; deployment skeleton present. | 2025-11-26 |
| PREP-AIRGAP-CTL-57-001-BLOCKED-ON-56-002 | DONE | Diagnostics doc at `docs/airgap/sealed-startup-diagnostics.md`. | 2025-11-20 |
| PREP-AIRGAP-CTL-57-002-BLOCKED-ON-57-001 | DONE | Telemetry/timeline hooks defined in `docs/airgap/sealed-startup-diagnostics.md`. | 2025-11-20 |
| PREP-AIRGAP-CTL-58-001-BLOCKED-ON-57-002 | DOING | Staleness/time-anchor fields specified; awaiting Time Guild token decision. | 2025-11-20 |
| PREP-AIRGAP-CTL-58-001-BLOCKED-ON-57-002 | DONE | Staleness/time-anchor fields wired in controller response; pending Time Guild token refinements. | 2025-11-26 |
| AIRGAP-IMP-56-001 | DONE | DSSE verifier, TUF validator, Merkle root calculator + import coordinator; tests passing. | 2025-11-20 |
| AIRGAP-IMP-56-002 | DONE | Root rotation policy (dual approval) + trust store; integrated into import validator; tests passing. | 2025-11-20 |
| AIRGAP-IMP-57-001 | DONE | In-memory RLS bundle catalog/items repos + schema doc; deterministic ordering and tests passing. | 2025-11-20 |

18
src/Api/StellaOps.Api.OpenApi/_shared/responses/defaults.yaml
View File

@@ -4,10 +4,24 @@ responses:
content:
application/json:
schema:
$ref: '../schemas/common.yaml#/schemas/ErrorEnvelope'
type: object
required: [code, message]
properties:
code:
type: string
message:
type: string
traceId:
type: string
HealthResponse:
description: Health envelope
content:
application/json:
schema:
$ref: '../schemas/common.yaml#/schemas/HealthEnvelope'
type: object
required: [status, service]
properties:
status:
type: string
service:
type: string

143
src/Api/StellaOps.Api.OpenApi/authority/openapi.yaml
View File

@@ -1,21 +1,26 @@
openapi: 3.1.0
info:
title: StellaOps Authority Authentication API
summary: Token issuance, introspection, revocation, and key discovery endpoints exposed by the Authority service.
description: |
The Authority service issues OAuth 2.1 access tokens for StellaOps components, enforcing tenant and scope
restrictions configured per client. This specification describes the authentication surface only; domain APIs
are documented by their owning services.
version: 0.1.0
info:
title: StellaOps Authority Authentication API
summary: Token issuance, introspection, revocation, and key discovery endpoints exposed by the Authority service.
description: |
The Authority service issues OAuth 2.1 access tokens for StellaOps components, enforcing tenant and scope
restrictions configured per client. This specification describes the authentication surface only; domain APIs
are documented by their owning services.
version: 0.1.1
contact:
name: StellaOps API Guild
email: api@stella-ops.local
jsonSchemaDialect: https://json-schema.org/draft/2020-12/schema
servers:
- url: https://authority.stellaops.local
description: Example Authority deployment
tags:
- name: Authentication
description: OAuth 2.1 token exchange, introspection, and revocation flows.
- name: Keys
description: JSON Web Key Set discovery.
tags:
- name: Authentication
description: OAuth 2.1 token exchange, introspection, and revocation flows.
- name: Keys
description: JSON Web Key Set discovery.
- name: Meta
description: Service metadata
components:
securitySchemes:
ClientSecretBasic:
@@ -442,11 +447,11 @@ components:
$ref: '#/components/schemas/Jwk'
required:
- keys
Jwk:
type: object
description: Public key material for token signature validation.
properties:
kid:
Jwk:
type: object
description: Public key material for token signature validation.
properties:
kid:
type: string
description: Key identifier.
kty:
@@ -467,19 +472,44 @@ components:
y:
type: string
description: Y coordinate for EC keys.
status:
type: string
description: Operational status metadata for the key (e.g., `active`, `retiring`).
status:
type: string
description: Operational status metadata for the key (e.g., `active`, `retiring`).
AuthorizationCodeGrantRequest:
type: object
description: Form-encoded payload for authorization code exchange.
required:
- grant_type
- code
- redirect_uri
- code_verifier
properties:
grant_type:
type: string
const: authorization_code
client_id:
type: string
client_secret:
type: string
description: Optional when HTTP Basic auth is used.
code:
type: string
redirect_uri:
type: string
format: uri
code_verifier:
type: string
paths:
/token:
post:
tags:
- Authentication
summary: Exchange credentials for tokens
description: |
Issues OAuth 2.1 bearer tokens for StellaOps clients. Supports password, client credentials,
authorization-code, device, and refresh token grants. Confidential clients must authenticate using
HTTP Basic auth or `client_secret` form fields.
/token:
post:
tags:
- Authentication
summary: Exchange credentials for tokens
description: |
Issues OAuth 2.1 bearer tokens for StellaOps clients. Supports password, client credentials,
authorization-code, device, and refresh token grants. Confidential clients must authenticate using
HTTP Basic auth or `client_secret` form fields.
operationId: authorityTokenExchange
security:
- ClientSecretBasic: []
- {}
@@ -487,11 +517,12 @@ paths:
required: true
content:
application/x-www-form-urlencoded:
schema:
oneOf:
- $ref: '#/components/schemas/PasswordGrantRequest'
- $ref: '#/components/schemas/ClientCredentialsGrantRequest'
- $ref: '#/components/schemas/RefreshTokenGrantRequest'
schema:
oneOf:
- $ref: '#/components/schemas/PasswordGrantRequest'
- $ref: '#/components/schemas/ClientCredentialsGrantRequest'
- $ref: '#/components/schemas/RefreshTokenGrantRequest'
- $ref: '#/components/schemas/AuthorizationCodeGrantRequest'
encoding:
authority_provider:
style: form
@@ -591,13 +622,15 @@ paths:
value:
error: invalid_client
error_description: Client authentication failed.
/revoke:
post:
tags:
- Authentication
summary: Revoke an access or refresh token
security:
- ClientSecretBasic: []
/revoke:
post:
tags:
- Authentication
summary: Revoke an access or refresh token
description: Revokes an access or refresh token; idempotent.
operationId: authorityRevokeToken
security:
- ClientSecretBasic: []
requestBody:
required: true
content:
@@ -637,12 +670,13 @@ paths:
value:
error: invalid_client
error_description: Client authentication failed.
/introspect:
post:
tags:
- Authentication
summary: Introspect token state
description: Returns the active status and claims for a given token. Requires a privileged client.
/introspect:
post:
tags:
- Authentication
summary: Introspect token state
description: Returns the active status and claims for a given token. Requires a privileged client.
operationId: authorityIntrospectToken
security:
- ClientSecretBasic: []
requestBody:
@@ -712,12 +746,13 @@ paths:
value:
error: invalid_client
error_description: Client authentication failed.
/jwks:
get:
tags:
- Keys
summary: Retrieve signing keys
description: Returns the JSON Web Key Set used to validate Authority-issued tokens.
/jwks:
get:
tags:
- Keys
summary: Retrieve signing keys
description: Returns the JSON Web Key Set used to validate Authority-issued tokens.
operationId: authorityGetJwks
responses:
'200':
description: JWKS document.

2517
src/Api/StellaOps.Api.OpenApi/baselines/stella-baseline.yaml
View File

File diff suppressed because it is too large Load Diff

45
src/Api/StellaOps.Api.OpenApi/compose.mjs
View File

@@ -38,8 +38,24 @@ function mergeSpecs(services) {
title: 'StellaOps Aggregate API',
version: '0.0.1',
description: 'Composed OpenAPI from per-service specs. This file is generated by compose.mjs.',
contact: {
name: 'StellaOps API Guild',
email: 'api@stella-ops.local',
},
},
servers: [],
tags: [
{ name: 'Authentication', description: 'OAuth 2.1 token exchange, introspection, and revocation flows.' },
{ name: 'Keys', description: 'JSON Web Key Set discovery.' },
{ name: 'Health', description: 'Liveness endpoints' },
{ name: 'Meta', description: 'Readiness/metadata endpoints' },
{ name: 'Bundles', description: 'Export bundle access' },
{ name: 'Graphs', description: 'Graph build status and traversal APIs' },
{ name: 'Jobs', description: 'Job submission and status APIs' },
{ name: 'Evaluation', description: 'Policy evaluation APIs' },
{ name: 'Policies', description: 'Policy management APIs' },
{ name: 'Queues', description: 'Queue metrics APIs' },
],
paths: {},
components: { schemas: {}, parameters: {}, securitySchemes: {}, responses: {} },
};
@@ -58,6 +74,15 @@ function mergeSpecs(services) {
}
}
// tags
if (Array.isArray(doc.tags)) {
for (const tag of doc.tags) {
if (!aggregate.tags.some((t) => t.name === tag.name)) {
aggregate.tags.push(tag);
}
}
}
// paths
for (const [p, pathItem] of Object.entries(doc.paths || {})) {
const namespacedPath = normalizePath(`/${name}${p}`);
@@ -83,6 +108,14 @@ function mergeSpecs(services) {
}
aggregate.components.schemas[key] = rewriteRefs(schemaDef, name);
}
// security schemes (non-namespaced)
const securitySchemes = doc.components?.securitySchemes || {};
for (const [schemeName, schemeDef] of Object.entries(securitySchemes)) {
if (!aggregate.components.securitySchemes[schemeName]) {
aggregate.components.securitySchemes[schemeName] = schemeDef;
}
}
}
// de-duplicate servers
@@ -127,7 +160,7 @@ function sortPathItem(pathItem) {
}
function writeAggregate(doc) {
const str = yaml.stringify(doc, { sortMapEntries: true });
const str = yaml.stringify(doc, { sortMapEntries: false });
fs.writeFileSync(OUTPUT, str, 'utf8');
console.log(`[stella-compose] wrote aggregate spec to ${OUTPUT}`);
}
@@ -161,6 +194,16 @@ function normalizeRef(refValue, serviceName) {
return `#/components/schemas/${name}`;
}
if (refValue.startsWith('../_shared/responses/')) {
const name = refValue.split('#/responses/')[1];
return `#/components/responses/${name}`;
}
if (refValue.startsWith('../_shared/parameters/')) {
const name = refValue.split('#/parameters/')[1];
return `#/components/parameters/${name}`;
}
const prefix = '#/components/schemas/';
if (refValue.startsWith(prefix)) {
const name = refValue.slice(prefix.length);

61
src/Api/StellaOps.Api.OpenApi/export-center/openapi.yaml
View File

@@ -1,9 +1,18 @@
openapi: 3.1.0
info:
title: StellaOps Export Center API (stub)
version: 0.0.1
description: Health and metadata scaffold for Export Center; replace with real contracts
as authored.
version: 0.0.2
description: Health and metadata scaffold for Export Center; bundle list/manifest examples added.
contact:
name: StellaOps API Guild
email: api@stella-ops.local
tags:
- name: Health
description: Liveness endpoints
- name: Meta
description: Readiness/metadata endpoints
- name: Bundles
description: Export bundle access
servers:
- url: https://export.stellaops.local
description: Example Export Center endpoint
@@ -13,6 +22,8 @@ paths:
tags:
- Health
summary: Liveness probe
description: Returns OK when Export Center is reachable.
operationId: exportHealth
responses:
'200':
description: Service is up
@@ -40,6 +51,8 @@ paths:
summary: Service health
tags:
- Meta
description: Readiness probe for Export Center dependencies.
operationId: exportHealthz
responses:
'200':
description: Service healthy
@@ -58,19 +71,21 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorEnvelope'
$ref: '../_shared/schemas/common.yaml#/schemas/ErrorEnvelope'
examples:
unavailable:
summary: Unhealthy response
value:
code: service_unavailable
message: mirror bundle backlog exceeds SLA
traceId: 3
traceId: "3"
/bundles/{bundleId}:
get:
tags:
- Bundles
summary: Download export bundle by id
operationId: exportGetBundle
description: Streams an export bundle archive.
parameters:
- name: bundleId
in: path
@@ -78,6 +93,9 @@ paths:
schema:
type: string
example: bundle-2025-11-18-001
security:
- OAuthClientCredentials: []
- BearerAuth: []
responses:
'200':
description: Bundle stream
@@ -87,12 +105,15 @@ paths:
download:
summary: Zip payload
value: binary data
checksumMismatch:
summary: Expected sha256 mismatch example
value: binary data
'404':
description: Bundle not found
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorEnvelope'
$ref: '../_shared/schemas/common.yaml#/schemas/ErrorEnvelope'
examples:
notFound:
summary: Bundle missing
@@ -105,10 +126,15 @@ paths:
tags:
- Bundles
summary: List export bundles
operationId: exportListBundles
description: Returns paginated export bundles for the tenant.
parameters:
- $ref: '../_shared/parameters/tenant.yaml#/parameters/TenantParam'
- $ref: '../_shared/parameters/paging.yaml#/parameters/LimitParam'
- $ref: '../_shared/parameters/paging.yaml#/parameters/CursorParam'
security:
- OAuthClientCredentials: []
- BearerAuth: []
responses:
'200':
description: Bundle page
@@ -132,10 +158,12 @@ paths:
createdAt: '2025-11-18T12:00:00Z'
status: ready
sizeBytes: 1048576
sha256: sha256:abc123
- bundleId: bundle-2025-11-18-000
createdAt: '2025-11-18T10:00:00Z'
status: ready
sizeBytes: 2048
sha256: sha256:def456
metadata:
hasMore: true
nextCursor: eyJyIjoiMjAyNS0xMS0xOC0wMDIifQ
@@ -157,12 +185,17 @@ paths:
tags:
- Bundles
summary: Fetch bundle manifest metadata
description: Returns manifest metadata for a bundle id.
operationId: exportGetBundleManifest
parameters:
- name: bundleId
in: path
required: true
schema:
type: string
security:
- OAuthClientCredentials: []
- BearerAuth: []
responses:
'200':
description: Manifest metadata
@@ -179,6 +212,8 @@ paths:
digest: sha256:abc123
- type: vex
digest: sha256:def456
sizeBytes: 1048576
sha256: sha256:fedcba
createdAt: '2025-11-18T12:00:00Z'
'404':
description: Bundle not found
@@ -187,6 +222,18 @@ paths:
schema:
$ref: '../_shared/schemas/common.yaml#/schemas/ErrorEnvelope'
components:
securitySchemes:
OAuthClientCredentials:
type: oauth2
description: OAuth 2.1 client credentials flow scoped per service.
flows:
clientCredentials:
tokenUrl: /token
scopes: {}
BearerAuth:
type: http
scheme: bearer
bearerFormat: JWT
schemas:
BundleSummary:
type: object
@@ -233,5 +280,3 @@ components:
format: date-time
HealthResponse:
$ref: ../_shared/schemas/common.yaml#/schemas/HealthEnvelope
Error:
$ref: ../_shared/schemas/common.yaml#/schemas/ErrorEnvelope

61
src/Api/StellaOps.Api.OpenApi/graph/openapi.yaml
View File

@@ -1,9 +1,16 @@
openapi: 3.1.0
info:
title: StellaOps Graph API (stub)
version: 0.0.1
description: Health and dataset status scaffold for Graph service; replace with
full contract as authored.
version: 0.0.2
description: Health and dataset status scaffold for Graph service; added status/nodes examples with tenant context.
contact:
name: StellaOps API Guild
email: api@stella-ops.local
tags:
- name: Meta
description: Service health
- name: Graphs
description: Graph build status and traversal APIs
servers:
- url: https://graph.stellaops.local
description: Example Graph endpoint
@@ -13,6 +20,8 @@ paths:
summary: Service health
tags:
- Meta
description: Readiness probe for Graph API.
operationId: graphHealthz
responses:
'200':
description: Service healthy
@@ -38,12 +47,14 @@ paths:
value:
code: service_unavailable
message: indexer lag exceeds threshold
traceId: 5
traceId: "5"
/graphs/{graphId}/status:
get:
summary: Get graph build status
tags:
- Graphs
operationId: graphGetStatus
description: Returns build status for a graph id.
parameters:
- name: graphId
in: path
@@ -63,7 +74,14 @@ paths:
value:
graphId: graph-01JF0XYZ
status: ready
builtAt: 2025-11-18 12:00:00+00:00
builtAt: 2025-11-18T12:00:00Z
tenant: tenant-alpha
building:
value:
graphId: graph-01JF0BUILD
status: building
builtAt: 2025-11-18T12:05:00Z
tenant: tenant-alpha
'404':
description: Graph not found
content:
@@ -75,6 +93,8 @@ paths:
summary: List graph nodes
tags:
- Graphs
operationId: graphListNodes
description: Lists nodes for a graph with paging.
parameters:
- name: graphId
in: path
@@ -97,12 +117,25 @@ paths:
- id: node-1
kind: artifact
label: registry.stella-ops.local/runtime/api
tenant: tenant-alpha
- id: node-2
kind: policy
label: policy:baseline
tenant: tenant-alpha
metadata:
hasMore: true
nextCursor: eyJuIjoiMjAyNS0xMS0xOCJ9
filtered:
summary: Policy nodes only
value:
nodes:
- id: node-99
kind: policy
label: policy:runtime-allowlist
tenant: tenant-beta
metadata:
hasMore: false
nextCursor: ""
'404':
description: Graph not found
content:
@@ -111,6 +144,24 @@ paths:
$ref: ../_shared/schemas/common.yaml#/schemas/ErrorEnvelope
components:
schemas:
HealthEnvelope:
type: object
properties:
status:
type: string
service:
type: string
required: [status, service]
ErrorEnvelope:
type: object
properties:
code:
type: string
message:
type: string
traceId:
type: string
required: [code, message]
GraphStatus:
type: object
required:

118
src/Api/StellaOps.Api.OpenApi/orchestrator/openapi.yaml
View File

@@ -1,9 +1,19 @@
openapi: 3.1.0
info:
title: StellaOps Orchestrator API (stub)
version: 0.0.1
version: 0.0.2
description: Health and job orchestration scaffold for Orchestrator service; replace
with real contracts as contracts are authored.
contact:
name: StellaOps API Guild
email: api@stella-ops.local
tags:
- name: Health
description: Liveness endpoints
- name: Meta
description: Readiness/metadata endpoints
- name: Jobs
description: Job submission and status APIs
servers:
- url: https://orchestrator.stellaops.local
description: Example Orchestrator endpoint
@@ -13,6 +23,8 @@ paths:
tags:
- Health
summary: Liveness probe
description: Returns OK when Orchestrator is reachable.
operationId: orchestratorHealth
responses:
'200':
description: Service is up
@@ -40,6 +52,8 @@ paths:
summary: Service health
tags:
- Meta
description: Readiness probe for orchestrator dependencies.
operationId: orchestratorHealthz
responses:
'200':
description: Service healthy
@@ -65,12 +79,22 @@ paths:
value:
code: service_unavailable
message: outbound queue lag exceeds threshold
traceId: 1
traceId: "1"
/jobs:
post:
tags:
- Jobs
summary: Submit a job to the orchestrator queue
operationId: orchestratorSubmitJob
description: Enqueue a job for asynchronous execution.
parameters:
- in: header
name: Idempotency-Key
description: Optional idempotency key to safely retry job submissions.
required: false
schema:
type: string
maxLength: 128
requestBody:
required: true
content:
@@ -122,6 +146,8 @@ paths:
tags:
- Jobs
summary: List jobs
operationId: orchestratorListJobs
description: Returns jobs for the tenant with optional status filter.
parameters:
- in: query
name: status
@@ -132,6 +158,7 @@ paths:
- running
- failed
- completed
description: Optional status filter
- $ref: ../_shared/parameters/paging.yaml#/parameters/LimitParam
- $ref: ../_shared/parameters/tenant.yaml#/parameters/TenantParam
responses:
@@ -144,22 +171,53 @@ paths:
items:
$ref: '#/components/schemas/JobSummary'
examples:
sample:
default:
summary: Mixed queues
value:
- jobId: job_01JF04ABCD
status: queued
queue: scan
tenant: tenant-alpha
enqueuedAt: '2025-11-18T12:00:00Z'
- jobId: job_01JF04EFGH
status: running
queue: policy-eval
tenant: tenant-alpha
enqueuedAt: '2025-11-18T11:55:00Z'
startedAt: '2025-11-18T11:56:10Z'
queuedOnly:
summary: Filtered by status=queued with page limit
value:
- jobId: job_01JF0500QUE
status: queued
queue: export
tenant: tenant-beta
enqueuedAt: '2025-11-18T12:05:00Z'
- jobId: job_01JF0501QUE
status: queued
queue: scan
tenant: tenant-beta
enqueuedAt: '2025-11-18T12:04:10Z'
'400':
description: Invalid request
content:
application/json:
schema:
$ref: ../_shared/schemas/common.yaml#/schemas/ErrorEnvelope
examples:
invalidStatus:
summary: Bad status filter
value:
code: orch.invalid_request
message: status must be one of queued,running,failed,completed.
traceId: 01JF04ERR1
/jobs/{jobId}:
get:
tags:
- Jobs
summary: Get job status
operationId: orchestratorGetJob
description: Fetch the current status of a job by id.
parameters:
- name: jobId
in: path
@@ -187,7 +245,29 @@ paths:
schema:
$ref: '#/components/schemas/ErrorEnvelope'
components:
securitySchemes:
OAuthClientCredentials:
type: oauth2
description: OAuth 2.1 client credentials flow scoped per service.
flows:
clientCredentials:
tokenUrl: /token
scopes: {}
BearerAuth:
type: http
scheme: bearer
bearerFormat: JWT
schemas:
ErrorEnvelope:
type: object
properties:
code:
type: string
message:
type: string
traceId:
type: string
required: [code, message]
JobSummary:
type: object
required:
@@ -218,3 +298,35 @@ components:
format: date-time
tenant:
type: string
JobCreateRequest:
type: object
required:
- kind
- payload
properties:
kind:
type: string
description: Job kind identifier.
payload:
type: object
description: Job payload (kind-specific fields).
priority:
type: string
enum: [low, normal, high]
tenant:
type: string
JobCreateResponse:
type: object
required:
- jobId
- status
properties:
jobId:
type: string
status:
type: string
queue:
type: string
enqueuedAt:
type: string
format: date-time

126
src/Api/StellaOps.Api.OpenApi/policy/openapi.yaml
View File

@@ -1,9 +1,20 @@
openapi: 3.1.0
info:
title: StellaOps Policy Engine API (stub)
version: 0.0.1
description: Health + evaluation scaffold for Policy Engine; replace with real contracts
as authored.
version: 0.0.3
description: Health + evaluation scaffold for Policy Engine; examples added for evaluation and list endpoints.
contact:
name: StellaOps API Guild
email: api@stella-ops.local
tags:
- name: Health
description: Liveness endpoints
- name: Meta
description: Readiness/metadata endpoints
- name: Evaluation
description: Policy evaluation APIs
- name: Policies
description: Policy management APIs
servers:
- url: https://policy.stellaops.local
description: Example Policy Engine endpoint
@@ -13,6 +24,8 @@ paths:
tags:
- Health
summary: Liveness probe
description: Returns OK when the Policy Engine is reachable.
operationId: policyHealth
responses:
'200':
description: Service is up
@@ -40,6 +53,8 @@ paths:
summary: Service health
tags:
- Meta
description: Readiness probe for orchestrators.
operationId: policyHealthz
responses:
'200':
description: Service healthy
@@ -65,12 +80,14 @@ paths:
value:
code: service_unavailable
message: projector backlog exceeds SLA
traceId: 2
traceId: "2"
/evaluate:
post:
tags:
- Evaluation
summary: Evaluate policy for an artifact
description: Evaluate the active policy version for an artifact and return allow/deny decision.
operationId: policyEvaluate
requestBody:
required: true
content:
@@ -86,6 +103,7 @@ paths:
inputs:
tenant: acme
branch: main
environment: prod
responses:
'200':
description: Evaluation succeeded
@@ -105,6 +123,20 @@ paths:
latencyMs: 42
obligations:
- record: evidence
deny:
summary: Deny decision with obligations
value:
decision: deny
policyVersion: 2025.10.1
traceId: 01JF040DENY
reasons:
- missing attestation
- vulnerable runtime package
metadata:
latencyMs: 55
obligations:
- quarantine: true
- notify: security-team
schema:
$ref: '#/components/schemas/EvaluationResponse'
'400':
@@ -123,8 +155,94 @@ paths:
security:
- OAuthClientCredentials: []
- BearerAuth: []
/policies:
get:
tags:
- Policies
summary: List policies
description: Returns a paginated list of policy documents filtered by tenant and status.
operationId: policyList
parameters:
- $ref: '../_shared/parameters/tenant.yaml#/parameters/TenantParam'
- $ref: '../_shared/parameters/paging.yaml#/parameters/LimitParam'
- $ref: '../_shared/parameters/paging.yaml#/parameters/CursorParam'
- in: query
name: status
description: Optional status filter (draft, active, retired)
schema:
type: string
enum: [draft, active, retired]
responses:
'200':
description: Policy list page
content:
application/json:
schema:
$ref: '#/components/schemas/PolicyListResponse'
examples:
default:
summary: First page of active policies
value:
items:
- id: pol-1234
name: Critical CVE blocker
status: active
version: 5
tenant: tenant-alpha
updatedAt: 2025-11-20T12:00:00Z
- id: pol-5678
name: Runtime Allowlist
status: active
version: 2
tenant: tenant-alpha
updatedAt: 2025-11-18T09:14:00Z
pageSize: 50
nextPageToken: eyJvZmZzZXQiOiIxMDAifQ==
'400':
$ref: '../_shared/responses/defaults.yaml#/responses/ErrorResponse'
'401':
$ref: '../_shared/responses/defaults.yaml#/responses/ErrorResponse'
components:
securitySchemes:
OAuthClientCredentials:
type: oauth2
description: OAuth 2.1 client credentials flow scoped per service.
flows:
clientCredentials:
tokenUrl: /token
scopes: {}
BearerAuth:
type: http
scheme: bearer
bearerFormat: JWT
schemas:
PolicyListResponse:
type: object
required:
- items
properties:
items:
type: array
items:
type: object
properties:
id:
type: string
name:
type: string
status:
type: string
version:
type: integer
tenant:
type: string
updatedAt:
type: string
format: date-time
pageSize:
type: integer
nextPageToken:
type: string
EvaluationRequest:
type: object
required:

48
src/Api/StellaOps.Api.OpenApi/scheduler/openapi.yaml
View File

@@ -1,8 +1,18 @@
openapi: 3.1.0
info:
title: StellaOps Scheduler API (stub)
version: 0.0.1
description: Health and queue status scaffold for Scheduler service; replace with full contract as authored.
version: 0.0.3
description: Health and queue status scaffold for Scheduler service; added queue status examples.
contact:
name: StellaOps API Guild
email: api@stella-ops.local
tags:
- name: Health
description: Liveness endpoints
- name: Meta
description: Readiness/metadata endpoints
- name: Queues
description: Queue metrics APIs
servers:
- url: https://scheduler.stellaops.local
description: Example Scheduler endpoint
@@ -12,6 +22,8 @@ paths:
tags:
- Health
summary: Liveness probe
description: Returns OK when Scheduler is reachable.
operationId: schedulerHealth
responses:
'200':
description: Service is up
@@ -39,6 +51,8 @@ paths:
summary: Service health
tags:
- Meta
description: Readiness probe for queue connectivity.
operationId: schedulerHealthz
responses:
'200':
description: Service healthy
@@ -64,12 +78,14 @@ paths:
value:
code: service_unavailable
message: queue backlog exceeds threshold
traceId: 4
traceId: "4"
/queues/{name}:
get:
tags:
- Queues
summary: Get queue status
description: Returns depth, inflight, and age metrics for a queue.
operationId: schedulerGetQueueStatus
parameters:
- name: name
in: path
@@ -93,6 +109,14 @@ paths:
inflight: 2
oldestAgeSeconds: 45
updatedAt: '2025-11-18T12:00:00Z'
empty:
summary: Empty queue
value:
name: export
depth: 0
inflight: 0
oldestAgeSeconds: 0
updatedAt: '2025-11-18T12:05:00Z'
'404':
description: Queue not found
content:
@@ -108,6 +132,24 @@ paths:
traceId: 01JF04NF2
components:
schemas:
HealthEnvelope:
type: object
properties:
status:
type: string
service:
type: string
required: [status, service]
ErrorEnvelope:
type: object
properties:
code:
type: string
message:
type: string
traceId:
type: string
required: [code, message]
QueueStatus:
type: object
required:

2592
src/Api/StellaOps.Api.OpenApi/stella.yaml
View File

File diff suppressed because it is too large Load Diff

4
src/Api/StellaOps.Api.OpenApi/tasks.md
View File

@@ -4,7 +4,7 @@
| --- | --- | --- |
| OAS-61-001 | DONE | Scaffold per-service OpenAPI 3.1 files with shared components, info blocks, and initial path stubs. |
| OAS-61-002 | DONE (2025-11-18) | Composer (`compose.mjs`) emits `stella.yaml` with namespaced paths/components; CI job validates aggregate stays up to date. |
| OAS-62-001 | DOING | Populate request/response examples for top 50 endpoints, including standard error envelope. |
| OAS-62-002 | TODO | Add custom lint rules enforcing pagination, idempotency headers, naming conventions, and example coverage. |
| OAS-62-001 | DONE (2025-11-26) | Added examples across Authority, Policy, Orchestrator, Scheduler, Export, and Graph stubs covering top flows; standard error envelopes present via shared components. |
| OAS-62-002 | DOING | Added rules for 2xx examples and /jobs Idempotency-Key; extend to pagination/idempotency/naming coverage (current lint is warning-free). |
| OAS-63-001 | TODO | Implement compatibility diff tooling comparing previous release specs; classify breaking vs additive changes. |
| OAS-63-002 | DONE (2025-11-24) | Discovery endpoint metadata and schema extensions added; composed spec exports `/.well-known/openapi` entry. |

4
src/Graph/StellaOps.Graph.Api/Services/InMemoryGraphQueryService.cs
View File

@@ -158,9 +158,9 @@ public sealed class InMemoryGraphQueryService : IGraphQueryService
: string.Join(";", request.Filters.OrderBy(k => k.Key, StringComparer.OrdinalIgnoreCase)
.Select(kvp => $"{kvp.Key}={kvp.Value}"));
var kinds = request.Kinds is null ? string.Empty : string.Join(",", request.Kinds.OrderBy(k => k, StringComparer.OrdinalIgnoreCase));
var kinds = request.Kinds?.OrderBy(k => k, StringComparer.OrdinalIgnoreCase).ToArray() ?? Array.Empty<string>();
var budget = request.Budget is null ? "budget:none" : $"tiles:{request.Budget.Tiles};nodes:{request.Budget.Nodes};edges:{request.Budget.Edges}";
return $"{tenant}|{kinds}|{request.Query}|{limit}|{request.Cursor}|{filters}|edges:{request.IncludeEdges}|stats:{request.IncludeStats}|{budget}|tb:{tileBudget}|nb:{nodeBudget}|eb:{edgeBudget}";
return $"{tenant}|{string.Join(",", kinds)}|{request.Query}|{limit}|{request.Cursor}|{filters}|edges:{request.IncludeEdges}|stats:{request.IncludeStats}|{budget}|tb:{tileBudget}|nb:{nodeBudget}|eb:{edgeBudget}";
}
private static int Score(NodeTile node, GraphQueryRequest request)

4
src/Graph/StellaOps.Graph.Api/Services/InMemoryGraphSearchService.cs
View File

@@ -93,8 +93,8 @@ public sealed class InMemoryGraphSearchService : IGraphSearchService
: string.Join(";", request.Filters.OrderBy(k => k.Key, StringComparer.OrdinalIgnoreCase)
.Select(kvp => $"{kvp.Key}={kvp.Value}"));
var kinds = request.Kinds is null ? string.Empty : string.Join(",", request.Kinds.OrderBy(k => k, StringComparer.OrdinalIgnoreCase));
return $"{tenant}|{kinds}|{request.Query}|{limit}|{request.Ordering}|{request.Cursor}|{filters}";
var kinds = request.Kinds?.OrderBy(k => k, StringComparer.OrdinalIgnoreCase).ToArray() ?? Array.Empty<string>();
return $"{tenant}|{string.Join(",", kinds)}|{request.Query}|{limit}|{request.Ordering}|{request.Cursor}|{filters}";
}
private static int Score(NodeTile node, GraphSearchRequest request)

2
src/Graph/StellaOps.Graph.Api/Services/InMemoryOverlayService.cs
View File

@@ -44,7 +44,7 @@ namespace StellaOps.Graph.Api.Services;
}
// Always return a fresh copy so we can inject a single explain trace without polluting cache.
var overlays = new Dictionary<string, OverlayPayload>(cachedBase!, StringComparer.Ordinal);
var overlays = new Dictionary<string, OverlayPayload>(cachedBase, StringComparer.Ordinal);
if (sampleExplain && !explainEmitted)
{

101
src/Graph/__Tests/StellaOps.Graph.Api.Tests/QueryServiceTests.cs
View File

@@ -7,11 +7,11 @@ using Xunit;
namespace StellaOps.Graph.Api.Tests;
public class QueryServiceTests
public class QueryServiceTests
{
[Fact]
public async Task QueryAsync_EmitsNodesEdgesStatsAndCursor()
{
[Fact]
public async Task QueryAsync_EmitsNodesEdgesStatsAndCursor()
{
var repo = new InMemoryGraphRepository();
var service = CreateService(repo);
@@ -37,10 +37,10 @@ namespace StellaOps.Graph.Api.Tests;
}
[Fact]
public async Task QueryAsync_ReturnsBudgetExceededError()
{
var repo = new InMemoryGraphRepository();
var service = CreateService(repo);
public async Task QueryAsync_ReturnsBudgetExceededError()
{
var repo = new InMemoryGraphRepository();
var service = CreateService(repo);
var request = new GraphQueryRequest
{
@@ -51,62 +51,63 @@ namespace StellaOps.Graph.Api.Tests;
};
var lines = new List<string>();
await foreach (var line in service.QueryAsync("acme", request))
{
lines.Add(line);
}
Assert.Single(lines);
Assert.Contains("GRAPH_BUDGET_EXCEEDED", lines[0]);
await foreach (var line in service.QueryAsync("acme", request))
{
lines.Add(line);
}
[Fact]
public async Task QueryAsync_IncludesOverlaysAndSamplesExplainOnce()
Assert.Single(lines);
Assert.Contains("GRAPH_BUDGET_EXCEEDED", lines[0]);
}
[Fact]
public async Task QueryAsync_IncludesOverlaysAndSamplesExplainOnce()
{
var repo = new InMemoryGraphRepository(new[]
{
var repo = new InMemoryGraphRepository(new[]
{
new NodeTile { Id = "gn:acme:component:one", Kind = "component", Tenant = "acme" },
new NodeTile { Id = "gn:acme:component:two", Kind = "component", Tenant = "acme" }
}, Array.Empty<EdgeTile>());
new NodeTile { Id = "gn:acme:component:one", Kind = "component", Tenant = "acme" },
new NodeTile { Id = "gn:acme:component:two", Kind = "component", Tenant = "acme" }
}, Array.Empty<EdgeTile>());
var cache = new MemoryCache(new MemoryCacheOptions());
var overlays = new InMemoryOverlayService(cache);
var service = new InMemoryGraphQueryService(repo, cache, overlays);
var request = new GraphQueryRequest
{
Kinds = new[] { "component" },
IncludeOverlays = true,
Limit = 5
};
var cache = new MemoryCache(new MemoryCacheOptions());
var metrics = new GraphMetrics();
var overlays = new InMemoryOverlayService(cache, metrics);
var service = new InMemoryGraphQueryService(repo, cache, overlays, metrics);
var request = new GraphQueryRequest
{
Kinds = new[] { "component" },
IncludeOverlays = true,
Limit = 5
};
var overlayNodes = 0;
var explainCount = 0;
var overlayNodes = 0;
var explainCount = 0;
await foreach (var line in service.QueryAsync("acme", request))
await foreach (var line in service.QueryAsync("acme", request))
{
if (!line.Contains("\"type\":\"node\"")) continue;
using var doc = JsonDocument.Parse(line);
var data = doc.RootElement.GetProperty("data");
if (data.TryGetProperty("overlays", out var overlaysElement) && overlaysElement.ValueKind == JsonValueKind.Object)
{
if (!line.Contains("\"type\":\"node\"")) continue;
using var doc = JsonDocument.Parse(line);
var data = doc.RootElement.GetProperty("data");
if (data.TryGetProperty("overlays", out var overlaysElement) && overlaysElement.ValueKind == JsonValueKind.Object)
overlayNodes++;
foreach (var overlay in overlaysElement.EnumerateObject())
{
overlayNodes++;
foreach (var overlay in overlaysElement.EnumerateObject())
if (overlay.Value.ValueKind != JsonValueKind.Object) continue;
if (overlay.Value.TryGetProperty("data", out var payload) && payload.TryGetProperty("explainTrace", out var trace) && trace.ValueKind == JsonValueKind.Array)
{
if (overlay.Value.ValueKind != JsonValueKind.Object) continue;
if (overlay.Value.TryGetProperty("data", out var payload) && payload.TryGetProperty("explainTrace", out var trace) && trace.ValueKind == JsonValueKind.Array)
{
explainCount++;
}
explainCount++;
}
}
}
Assert.True(overlayNodes >= 1);
Assert.Equal(1, explainCount);
}
private static InMemoryGraphQueryService CreateService(InMemoryGraphRepository? repository = null)
{
Assert.True(overlayNodes >= 1);
Assert.Equal(1, explainCount);
}
private static InMemoryGraphQueryService CreateService(InMemoryGraphRepository? repository = null)
{
var cache = new MemoryCache(new MemoryCacheOptions());
var metrics = new GraphMetrics();
var overlays = new InMemoryOverlayService(cache, metrics);

1
src/Graph/__Tests/StellaOps.Graph.Api.Tests/SearchServiceTests.cs
View File

@@ -139,6 +139,7 @@ public class SearchServiceTests
var nodeCount = lines.Count(l => l.Contains("\"type\":\"node\""));
Assert.True(lines.Count <= 2);
Assert.Contains(lines, l => l.Contains("\"type\":\"cursor\""));
Assert.True(nodeCount <= 2);
}

29
src/Policy/StellaOps.Policy.Engine/Domain/EvidenceSummaryModels.cs Normal file
View File

@@ -0,0 +1,29 @@
using System.Text.Json.Serialization;
namespace StellaOps.Policy.Engine.Domain;
public sealed record EvidenceSummaryRequest(
[property: JsonPropertyName("evidenceHash")] string EvidenceHash,
[property: JsonPropertyName("filePath")] string? FilePath,
[property: JsonPropertyName("digest")] string? Digest,
[property: JsonPropertyName("ingestedAt")] DateTimeOffset? IngestedAt,
[property: JsonPropertyName("connectorId")] string? ConnectorId);
public sealed record EvidenceSummaryResponse(
[property: JsonPropertyName("evidenceHash")] string EvidenceHash,
[property: JsonPropertyName("summary")] EvidenceSummary Summary);
public sealed record EvidenceSummary(
[property: JsonPropertyName("headline")] string Headline,
[property: JsonPropertyName("severity")] string Severity,
[property: JsonPropertyName("locator")] EvidenceLocator Locator,
[property: JsonPropertyName("provenance")] EvidenceProvenance Provenance,
[property: JsonPropertyName("signals")] IReadOnlyList<string> Signals);
public sealed record EvidenceLocator(
[property: JsonPropertyName("filePath")] string FilePath,
[property: JsonPropertyName("digest")] string? Digest);
public sealed record EvidenceProvenance(
[property: JsonPropertyName("ingestedAt")] DateTimeOffset IngestedAt,
[property: JsonPropertyName("connectorId")] string? ConnectorId);

17
src/Policy/StellaOps.Policy.Engine/Domain/PolicyBundleModels.cs Normal file
View File

@@ -0,0 +1,17 @@
using System.Collections.Immutable;
using System.Text.Json.Serialization;
using StellaOps.Policy.Engine.Services;
namespace StellaOps.Policy.Engine.Domain;
public sealed record PolicyBundleRequest(
[property: JsonPropertyName("dsl")] PolicyDslPayload Dsl,
[property: JsonPropertyName("signingKeyId")] string? SigningKeyId);
public sealed record PolicyBundleResponse(
[property: JsonPropertyName("success")] bool Success,
[property: JsonPropertyName("digest")] string? Digest,
[property: JsonPropertyName("signature")] string? Signature,
[property: JsonPropertyName("sizeBytes")] int SizeBytes,
[property: JsonPropertyName("createdAt")] DateTimeOffset? CreatedAt,
[property: JsonPropertyName("diagnostics")] ImmutableArray<PolicyIssue> Diagnostics);

16
src/Policy/StellaOps.Policy.Engine/Domain/PolicyEvaluationModels.cs Normal file
View File

@@ -0,0 +1,16 @@
using System.Text.Json.Serialization;
namespace StellaOps.Policy.Engine.Domain;
public sealed record PolicyEvaluationRequest(
[property: JsonPropertyName("packId")] string PackId,
[property: JsonPropertyName("version")] int Version,
[property: JsonPropertyName("subject")] string Subject);
public sealed record PolicyEvaluationResponse(
[property: JsonPropertyName("packId")] string PackId,
[property: JsonPropertyName("version")] int Version,
[property: JsonPropertyName("digest")] string Digest,
[property: JsonPropertyName("decision")] string Decision,
[property: JsonPropertyName("correlationId")] string CorrelationId,
[property: JsonPropertyName("cached")] bool Cached);

74
src/Policy/StellaOps.Policy.Engine/Domain/PolicyPackRecord.cs
View File

@@ -35,15 +35,17 @@ internal sealed class PolicyPackRecord
=> revisions.IsEmpty ? 1 : revisions.Keys.Max() + 1;
}
internal sealed class PolicyRevisionRecord
{
private readonly ConcurrentDictionary<string, PolicyActivationApproval> approvals = new(StringComparer.OrdinalIgnoreCase);
public PolicyRevisionRecord(int version, bool requiresTwoPerson, PolicyRevisionStatus status, DateTimeOffset createdAt)
{
Version = version;
RequiresTwoPersonApproval = requiresTwoPerson;
Status = status;
internal sealed class PolicyRevisionRecord
{
private readonly ConcurrentDictionary<string, PolicyActivationApproval> approvals = new(StringComparer.OrdinalIgnoreCase);
public PolicyBundleRecord? Bundle { get; private set; }
public PolicyRevisionRecord(int version, bool requiresTwoPerson, PolicyRevisionStatus status, DateTimeOffset createdAt)
{
Version = version;
RequiresTwoPersonApproval = requiresTwoPerson;
Status = status;
CreatedAt = createdAt;
}
@@ -71,31 +73,43 @@ internal sealed class PolicyRevisionRecord
}
}
public PolicyActivationApprovalStatus AddApproval(PolicyActivationApproval approval)
{
if (!approvals.TryAdd(approval.ActorId, approval))
{
return PolicyActivationApprovalStatus.Duplicate;
public PolicyActivationApprovalStatus AddApproval(PolicyActivationApproval approval)
{
if (!approvals.TryAdd(approval.ActorId, approval))
{
return PolicyActivationApprovalStatus.Duplicate;
}
return approvals.Count >= 2
? PolicyActivationApprovalStatus.ThresholdReached
: PolicyActivationApprovalStatus.Pending;
}
}
internal enum PolicyRevisionStatus
{
Draft,
? PolicyActivationApprovalStatus.ThresholdReached
: PolicyActivationApprovalStatus.Pending;
}
public void SetBundle(PolicyBundleRecord bundle)
{
Bundle = bundle ?? throw new ArgumentNullException(nameof(bundle));
}
}
internal enum PolicyRevisionStatus
{
Draft,
Approved,
Active
}
internal sealed record PolicyActivationApproval(string ActorId, DateTimeOffset ApprovedAt, string? Comment);
internal enum PolicyActivationApprovalStatus
{
Pending,
ThresholdReached,
Duplicate
}
internal sealed record PolicyActivationApproval(string ActorId, DateTimeOffset ApprovedAt, string? Comment);
internal enum PolicyActivationApprovalStatus
{
Pending,
ThresholdReached,
Duplicate
}
internal sealed record PolicyBundleRecord(
string Digest,
string Signature,
int Size,
DateTimeOffset CreatedAt,
ImmutableArray<byte> Payload);

31
src/Policy/StellaOps.Policy.Engine/Endpoints/EvidenceSummaryEndpoint.cs Normal file
View File

@@ -0,0 +1,31 @@
using Microsoft.AspNetCore.Mvc;
using StellaOps.Policy.Engine.Domain;
using StellaOps.Policy.Engine.Services;
namespace StellaOps.Policy.Engine.Endpoints;
public static class EvidenceSummaryEndpoint
{
public static IEndpointRouteBuilder MapEvidenceSummaries(this IEndpointRouteBuilder routes)
{
routes.MapPost("/evidence/summary", HandleAsync)
.WithName("PolicyEngine.EvidenceSummary");
return routes;
}
private static IResult HandleAsync(
[FromBody] EvidenceSummaryRequest request,
EvidenceSummaryService service)
{
try
{
var response = service.Summarize(request);
return Results.Ok(response);
}
catch (ArgumentException ex)
{
return Results.Problem(ex.Message, statusCode: StatusCodes.Status400BadRequest);
}
}
}

105
src/Policy/StellaOps.Policy.Engine/Endpoints/PolicyPackEndpoints.cs
View File

@@ -31,6 +31,19 @@ internal static class PolicyPackEndpoints
.Produces<PolicyRevisionDto>(StatusCodes.Status201Created)
.Produces<ProblemHttpResult>(StatusCodes.Status400BadRequest);
group.MapPost("/{packId}/revisions/{version:int}/bundle", CreateBundle)
.WithName("CreatePolicyBundle")
.WithSummary("Compile and sign a policy revision bundle for distribution.")
.Produces<PolicyBundleResponse>(StatusCodes.Status201Created)
.Produces<ProblemHttpResult>(StatusCodes.Status400BadRequest);
group.MapPost("/{packId}/revisions/{version:int}/evaluate", EvaluateRevision)
.WithName("EvaluatePolicyRevision")
.WithSummary("Evaluate a policy revision deterministically with in-memory caching.")
.Produces<PolicyEvaluationResponse>(StatusCodes.Status200OK)
.Produces<ProblemHttpResult>(StatusCodes.Status400BadRequest)
.Produces<ProblemHttpResult>(StatusCodes.Status404NotFound);
group.MapPost("/{packId}/revisions/{version:int}:activate", ActivateRevision)
.WithName("ActivatePolicyRevision")
.WithSummary("Activate an approved policy revision, enforcing two-person approval when required.")
@@ -217,6 +230,98 @@ internal static class PolicyPackEndpoints
};
}
private static async Task<IResult> CreateBundle(
HttpContext context,
[FromRoute] string packId,
[FromRoute] int version,
[FromBody] PolicyBundleRequest request,
PolicyBundleService bundleService,
CancellationToken cancellationToken)
{
var scopeResult = ScopeAuthorization.RequireScope(context, StellaOpsScopes.PolicyEdit);
if (scopeResult is not null)
{
return scopeResult;
}
if (request is null)
{
return Results.BadRequest(new ProblemDetails
{
Title = "Invalid request",
Detail = "Request body is required.",
Status = StatusCodes.Status400BadRequest
});
}
var response = await bundleService.CompileAndStoreAsync(packId, version, request, cancellationToken).ConfigureAwait(false);
if (!response.Success)
{
return Results.BadRequest(response);
}
return Results.Created($"/api/policy/packs/{packId}/revisions/{version}/bundle", response);
}
private static async Task<IResult> EvaluateRevision(
HttpContext context,
[FromRoute] string packId,
[FromRoute] int version,
[FromBody] PolicyEvaluationRequest request,
PolicyRuntimeEvaluator evaluator,
CancellationToken cancellationToken)
{
var scopeResult = ScopeAuthorization.RequireScope(context, StellaOpsScopes.PolicyRead);
if (scopeResult is not null)
{
return scopeResult;
}
if (request is null)
{
return Results.BadRequest(new ProblemDetails
{
Title = "Invalid request",
Detail = "Request body is required.",
Status = StatusCodes.Status400BadRequest
});
}
if (!string.Equals(request.PackId, packId, StringComparison.OrdinalIgnoreCase) || request.Version != version)
{
return Results.BadRequest(new ProblemDetails
{
Title = "Path/body mismatch",
Detail = "packId/version in body must match route parameters.",
Status = StatusCodes.Status400BadRequest
});
}
try
{
var response = await evaluator.EvaluateAsync(request, cancellationToken).ConfigureAwait(false);
return Results.Ok(response);
}
catch (InvalidOperationException)
{
return Results.NotFound(new ProblemDetails
{
Title = "Bundle not found",
Detail = "Policy bundle must be created before evaluation.",
Status = StatusCodes.Status404NotFound
});
}
catch (ArgumentException ex)
{
return Results.BadRequest(new ProblemDetails
{
Title = "Invalid request",
Detail = ex.Message,
Status = StatusCodes.Status400BadRequest
});
}
}
private static string? ResolveActorId(HttpContext context)
{
var user = context.User;

4
src/Policy/StellaOps.Policy.Engine/Program.cs
View File

@@ -119,6 +119,9 @@ builder.Services.AddSingleton<StellaOps.Policy.Engine.Overlay.PathScopeSimulatio
builder.Services.AddSingleton<StellaOps.Policy.Engine.TrustWeighting.TrustWeightingService>();
builder.Services.AddSingleton<StellaOps.Policy.Engine.AdvisoryAI.AdvisoryAiKnobsService>();
builder.Services.AddSingleton<StellaOps.Policy.Engine.BatchContext.BatchContextService>();
builder.Services.AddSingleton<StellaOps.Policy.Engine.Services.EvidenceSummaryService>();
builder.Services.AddSingleton<StellaOps.Policy.Engine.Services.PolicyBundleService>();
builder.Services.AddSingleton<StellaOps.Policy.Engine.Services.PolicyRuntimeEvaluator>();
builder.Services.AddSingleton<IPolicyPackRepository, InMemoryPolicyPackRepository>();
builder.Services.AddSingleton<IOrchestratorJobStore, InMemoryOrchestratorJobStore>();
builder.Services.AddSingleton<OrchestratorJobService>();
@@ -180,6 +183,7 @@ app.MapPolicyCompilation();
app.MapPolicyPacks();
app.MapPathScopeSimulation();
app.MapOverlaySimulation();
app.MapEvidenceSummaries();
app.MapTrustWeighting();
app.MapAdvisoryAiKnobs();
app.MapBatchContext();

96
src/Policy/StellaOps.Policy.Engine/Services/EvidenceSummaryService.cs Normal file
View File

@@ -0,0 +1,96 @@
using System.Security.Cryptography;
using System.Text;
using StellaOps.Policy.Engine.Domain;
namespace StellaOps.Policy.Engine.Services;
/// <summary>
/// Builds deterministic evidence summaries for API/SDK consumers.
/// </summary>
internal sealed class EvidenceSummaryService
{
private readonly TimeProvider _timeProvider;
public EvidenceSummaryService(TimeProvider timeProvider)
{
_timeProvider = timeProvider;
}
public EvidenceSummaryResponse Summarize(EvidenceSummaryRequest request)
{
if (string.IsNullOrWhiteSpace(request.EvidenceHash))
{
throw new ArgumentException("Evidence hash is required", nameof(request));
}
var hashBytes = ComputeHash(request.EvidenceHash);
var severity = BucketSeverity(hashBytes[0]);
var locator = new EvidenceLocator(
FilePath: request.FilePath ?? "unknown",
Digest: request.Digest);
var ingestedAt = request.IngestedAt ?? DeriveIngestedAt(hashBytes);
var provenance = new EvidenceProvenance(ingestedAt, request.ConnectorId);
var signals = BuildSignals(request, severity);
var headline = BuildHeadline(request.EvidenceHash, locator.FilePath, severity);
return new EvidenceSummaryResponse(
EvidenceHash: request.EvidenceHash,
Summary: new EvidenceSummary(
Headline: headline,
Severity: severity,
Locator: locator,
Provenance: provenance,
Signals: signals));
}
private static byte[] ComputeHash(string evidenceHash)
{
var bytes = Encoding.UTF8.GetBytes(evidenceHash);
return SHA256.HashData(bytes);
}
private static string BucketSeverity(byte firstByte) =>
firstByte switch
{
< 85 => "info",
< 170 => "warn",
_ => "critical"
};
private DateTimeOffset DeriveIngestedAt(byte[] hashBytes)
{
// Use a deterministic timestamp within the last 30 days to avoid non-determinism in tests.
var seconds = BitConverter.ToUInt32(hashBytes, 0) % (30u * 24u * 60u * 60u);
var baseline = _timeProvider.GetUtcNow().UtcDateTime.Date; // midnight UTC today
var dt = baseline.AddSeconds(seconds);
return new DateTimeOffset(dt, TimeSpan.Zero);
}
private static IReadOnlyList<string> BuildSignals(EvidenceSummaryRequest request, string severity)
{
var signals = new List<string>(3)
{
$"severity:{severity}"
};
if (!string.IsNullOrWhiteSpace(request.FilePath))
{
signals.Add($"path:{request.FilePath}");
}
if (!string.IsNullOrWhiteSpace(request.ConnectorId))
{
signals.Add($"connector:{request.ConnectorId}");
}
return signals;
}
private static string BuildHeadline(string evidenceHash, string filePath, string severity)
{
var prefix = evidenceHash.Length > 12 ? evidenceHash[..12] : evidenceHash;
return $"{severity.ToUpperInvariant()} evidence {prefix} @ {filePath}";
}
}

8
src/Policy/StellaOps.Policy.Engine/Services/IPolicyPackRepository.cs
View File

@@ -12,8 +12,12 @@ internal interface IPolicyPackRepository
Task<PolicyRevisionRecord?> GetRevisionAsync(string packId, int version, CancellationToken cancellationToken);
Task<PolicyActivationResult> RecordActivationAsync(string packId, int version, string actorId, DateTimeOffset timestamp, string? comment, CancellationToken cancellationToken);
}
Task<PolicyActivationResult> RecordActivationAsync(string packId, int version, string actorId, DateTimeOffset timestamp, string? comment, CancellationToken cancellationToken);
Task<PolicyBundleRecord> StoreBundleAsync(string packId, int version, PolicyBundleRecord bundle, CancellationToken cancellationToken);
Task<PolicyBundleRecord?> GetBundleAsync(string packId, int version, CancellationToken cancellationToken);
}
internal sealed record PolicyActivationResult(PolicyActivationResultStatus Status, PolicyRevisionRecord? Revision);

53
src/Policy/StellaOps.Policy.Engine/Services/InMemoryPolicyPackRepository.cs
View File

@@ -49,11 +49,11 @@ internal sealed class InMemoryPolicyPackRepository : IPolicyPackRepository
return Task.FromResult(pack.TryGetRevision(version, out var revision) ? revision : null);
}
public Task<PolicyActivationResult> RecordActivationAsync(string packId, int version, string actorId, DateTimeOffset timestamp, string? comment, CancellationToken cancellationToken)
{
if (!packs.TryGetValue(packId, out var pack))
{
return Task.FromResult(new PolicyActivationResult(PolicyActivationResultStatus.PackNotFound, null));
public Task<PolicyActivationResult> RecordActivationAsync(string packId, int version, string actorId, DateTimeOffset timestamp, string? comment, CancellationToken cancellationToken)
{
if (!packs.TryGetValue(packId, out var pack))
{
return Task.FromResult(new PolicyActivationResult(PolicyActivationResultStatus.PackNotFound, null));
}
if (!pack.TryGetRevision(version, out var revision))
@@ -83,11 +83,38 @@ internal sealed class InMemoryPolicyPackRepository : IPolicyPackRepository
ActivateRevision(revision, timestamp),
_ => throw new InvalidOperationException("Unknown activation approval status.")
});
}
private static PolicyActivationResult ActivateRevision(PolicyRevisionRecord revision, DateTimeOffset timestamp)
{
revision.SetStatus(PolicyRevisionStatus.Active, timestamp);
return new PolicyActivationResult(PolicyActivationResultStatus.Activated, revision);
}
}
}
private static PolicyActivationResult ActivateRevision(PolicyRevisionRecord revision, DateTimeOffset timestamp)
{
revision.SetStatus(PolicyRevisionStatus.Active, timestamp);
return new PolicyActivationResult(PolicyActivationResultStatus.Activated, revision);
}
public Task<PolicyBundleRecord> StoreBundleAsync(string packId, int version, PolicyBundleRecord bundle, CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(bundle);
var pack = packs.GetOrAdd(packId, id => new PolicyPackRecord(id, null, DateTimeOffset.UtcNow));
var revision = pack.GetOrAddRevision(version > 0 ? version : pack.GetNextVersion(),
v => new PolicyRevisionRecord(v, requiresTwoPerson: false, status: PolicyRevisionStatus.Draft, DateTimeOffset.UtcNow));
revision.SetBundle(bundle);
return Task.FromResult(bundle);
}
public Task<PolicyBundleRecord?> GetBundleAsync(string packId, int version, CancellationToken cancellationToken)
{
if (!packs.TryGetValue(packId, out var pack))
{
return Task.FromResult<PolicyBundleRecord?>(null);
}
if (!pack.TryGetRevision(version, out var revision))
{
return Task.FromResult<PolicyBundleRecord?>(null);
}
return Task.FromResult(revision.Bundle);
}
}

Some files were not shown because too many files have changed in this diff Show More