Restructure solution layout by module

src/SbomService/StellaOps.SbomService/AGENTS.md

@@ -0,0 +1,15 @@
+# StellaOps.SbomService — Agent Charter
+
+## Mission
+Expose normalized SBOM projections (components, relationships, scopes, entrypoints) that downstream systems such as Cartographer, Policy Engine, and Scheduler consume. Maintain deterministic SBOM versioning, change events, and tenant-aware access patterns.
+
+## Responsibilities
+- Normalize ingest from Scanner outputs/CycloneDX/SPDX artifacts into canonical documents.
+- Provide APIs for SBOM metadata, projections, entrypoint catalogs, and version history.
+- Emit change events when SBOMs are added or updated so Cartographer and overlay workers can react.
+- Enforce Authority scopes/tenancy and deliver observability for SBOM projection latency.
+
+## Expectations
+- SBOM documents remain immutable once published; new versions append only.
+- Keep projections deterministic and schema-validated; include compliance checklists.
+- Update `TASKS.md` whenever status changes and coordinate with Cartographer/Scheduler guilds.

src/SbomService/StellaOps.SbomService/Program.cs

@@ -0,0 +1,17 @@
+var builder = WebApplication.CreateBuilder(args);
+
+builder.Configuration
+    .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
+    .AddEnvironmentVariables("SBOM_");
+
+builder.Services.AddOptions();
+builder.Services.AddLogging();
+
+// TODO: register SBOM projection services, repositories, and Authority integration.
+
+var app = builder.Build();
+
+app.MapGet("/healthz", () => Results.Ok(new { status = "ok" }));
+app.MapGet("/readyz", () => Results.Ok(new { status = "warming" }));
+
+app.Run();

src/SbomService/StellaOps.SbomService/StellaOps.SbomService.csproj

@@ -0,0 +1,16 @@
+<?xml version='1.0' encoding='utf-8'?>
+<Project Sdk="Microsoft.NET.Sdk.Web">
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <LangVersion>preview</LangVersion>
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+    <AspNetCoreHostingModel>InProcess</AspNetCoreHostingModel>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="../../__Libraries/StellaOps.Configuration/StellaOps.Configuration.csproj" />
+    <ProjectReference Include="../../__Libraries/StellaOps.DependencyInjection/StellaOps.DependencyInjection.csproj" />
+  </ItemGroup>
+</Project>

src/SbomService/StellaOps.SbomService/TASKS.md

@@ -0,0 +1,47 @@
+# SBOM Service Task Board — Epic 3: Graph Explorer v1
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| SBOM-SERVICE-21-001 | BLOCKED (2025-10-27) | SBOM Service Guild, Cartographer Guild | CONCELIER-GRAPH-21-001 | Publish normalized SBOM projection schema (components, relationships, scopes, entrypoints) and implement read API with pagination + tenant enforcement. | Schema validated with fixtures; API documented; integration tests cover CycloneDX/SPDX inputs. |
+> 2025-10-27: Awaiting projection schema from Concelier (`CONCELIER-GRAPH-21-001`) before we can finalize API payloads and fixtures.
+| SBOM-SERVICE-21-002 | BLOCKED (2025-10-27) | SBOM Service Guild, Scheduler Guild | SBOM-SERVICE-21-001, SCHED-MODELS-21-001 | Emit change events (`sbom.version.created`) carrying digest/version metadata for Graph Indexer builds; add replay/backfill tooling. | Events published on new SBOMs; consumer harness validated; replay scripts documented. |
+> 2025-10-27: Blocked until `SBOM-SERVICE-21-001` defines projection schema and endpoints.
+| SBOM-SERVICE-21-003 | BLOCKED (2025-10-27) | SBOM Service Guild | SBOM-SERVICE-21-001 | Provide entrypoint/service node management API (list/update overrides) feeding Cartographer path relevance with deterministic defaults. | Entrypoint API live; overrides persisted; docs updated; tests cover fallback logic. |
+> 2025-10-27: Depends on base projection schema (`SBOM-SERVICE-21-001`) which is blocked.
+| SBOM-SERVICE-21-004 | BLOCKED (2025-10-27) | SBOM Service Guild, Observability Guild | SBOM-SERVICE-21-001 | Wire observability: metrics (`sbom_projection_seconds`, `sbom_projection_size`), traces, structured logs with tenant info; set alerts for backlog. | Metrics/traces exposed; dashboards updated; alert thresholds defined. |
+> 2025-10-27: Projection pipeline not in place yet; will follow once `SBOM-SERVICE-21-001` unblocks.
+
+## Policy Engine + Editor v1
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| SBOM-SERVICE-23-001 | TODO | SBOM Service Guild, Policy Guild | SBOM-SERVICE-21-001 | Extend projections to include asset metadata (criticality, owner, environment, exposure flags) required by policy rules; update schema docs. | Projection schema updated; fixtures expanded; policy runtime tests consume new fields. |
+| SBOM-SERVICE-23-002 | TODO | SBOM Service Guild, Platform Events Guild | SBOM-SERVICE-23-001 | Emit `sbom.asset.updated` events when metadata changes; ensure idempotent payloads and documentation. | Events published with tests; evaluator receives updates; docs updated. |
+
+## StellaOps Console (Sprint 23)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| SBOM-CONSOLE-23-001 | TODO | SBOM Service Guild, Cartographer Guild | SBOM-SERVICE-21-001, SBOM-SERVICE-21-003 | Provide Console-focused SBOM catalog API (`/console/sboms`) with filters (artifact, license, scope, asset tags), pagination cursors, evaluation metadata, and immutable JSON projections for raw view drawer. Document schema + determinism guarantees. | API deployed with contract tests, latency ≤ 200 ms P95 on seeded fixtures, docs updated, integration tests confirm parity with underlying projections. |
+| SBOM-CONSOLE-23-002 | TODO | SBOM Service Guild | SBOM-CONSOLE-23-001, SBOM-SERVICE-21-002 | Deliver component lookup endpoints powering global search and Graph overlays (component neighborhoods, license overlays, policy deltas) with caching hints and tenant enforcement. | Endpoints documented, caching headers validated, integration tests cover search use cases, telemetry metrics exported. |
+
+## Graph & Vuln Explorer v1
+
+> 2025-10-26 update — Cartographer service (`CARTO-GRAPH-21-001..009`) now owns graph construction/overlays. SBOM Service continues to expose projections and change events via `SBOM-SERVICE-21-00x`.
+
+## Vulnerability Explorer (Sprint 29)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| SBOM-VULN-29-001 | TODO | SBOM Service Guild | SBOM-SERVICE-21-001 | Emit inventory evidence with `scope`, `runtime_flag`, dependency paths, and nearest safe version hints, streaming change events for resolver jobs. | Evidence payloads extended; change events published with tests; documentation updated. |
+| SBOM-VULN-29-002 | TODO | SBOM Service Guild, Findings Ledger Guild | SBOM-VULN-29-001, LEDGER-29-002 | Provide resolver feed (artifact, purl, version, paths) via queue/topic for Vuln Explorer candidate generation; ensure idempotent delivery. | Feed operational with dedupe keys; integration tests confirm candidate generation; metrics added. |
+
+## Advisory AI (Sprint 31)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| SBOM-AIAI-31-001 | TODO | SBOM Service Guild | SBOM-VULN-29-001 | Provide `GET /sbom/paths?purl=...` and version timeline endpoints optimized for Advisory AI (incl. env flags, blast radius metadata). | Endpoints live with caching; perf targets met; tests cover ecosystems. |
+| SBOM-AIAI-31-002 | TODO | SBOM Service Guild, Observability Guild | SBOM-AIAI-31-001 | Instrument metrics for path/timeline queries (latency, cache hit rate) and surface dashboards. | Metrics/traces live; dashboards approved. |
+
+## Orchestrator Dashboard
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| SBOM-ORCH-32-001 | TODO | SBOM Service Guild | ORCH-SVC-32-001, WORKER-GO-32-001, WORKER-PY-32-001 | Register SBOM ingest/index sources with orchestrator, embed worker SDK, and emit artifact hashes + job metadata. | SDK integration tested with orchestrator; artifact hashes persisted; metrics include sbom ingest job lifecycle. |
+| SBOM-ORCH-33-001 | TODO | SBOM Service Guild | SBOM-ORCH-32-001, ORCH-SVC-33-001, ORCH-SVC-33-002 | Report backpressure metrics, honor orchestrator pause/throttle signals, and classify error outputs for sbom jobs. | Backpressure metrics exported; pause/resume E2E tests pass; error classes mapped to orchestrator codes. |
+| SBOM-ORCH-34-001 | TODO | SBOM Service Guild | SBOM-ORCH-33-001, ORCH-SVC-33-003, ORCH-SVC-34-001 | Implement orchestrator backfill + watermark reconciliation for SBOM ingest/index, ensuring idempotent artifact reuse. | Backfill operations verified with no duplicate artifacts; watermark status persisted; coverage metrics published. |