stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

sprints update
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details

Browse Source
This commit is contained in:
StellaOps Bot
2025-11-25 07:49:24 +02:00
parent 17826bdca1
commit d92973d6fd
37 changed files with 892 additions and 703 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
docs/implplan/archived/SPRINT_0110_0001_0001_ingestion_evidence.md
View File

@@ -37,14 +37,13 @@
| 1 | DOCS-AIAI-31-004 | DONE (2025-11-22) | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-003 | Docs Guild · Console Guild | Guardrail console doc published with fixture-backed captures and deployment guidance; future optional refresh when live SBOM endpoints land (`docs/advisory-ai/console.md`). |
| 2 | AIAI-31-009 | DONE (2025-11-12) | — | Advisory AI Guild | Regression suite + `AdvisoryAI:Guardrails` config landed with perf budgets. |
| 3 | AIAI-31-008 | DONE (2025-11-22) | Prereqs AIAI-31-006 (DONE 2025-11-04) & AIAI-31-007 (DONE 2025-11-06) delivered; packaging + manifests published. | Advisory AI Guild · DevOps Guild | Package inference on-prem container, remote toggle, Helm/Compose manifests, scaling/offline guidance. |
| 4 | SBOM-AIAI-31-003 | BLOCKED (2025-11-16) | CLI-VULN-29-001; CLI-VEX-30-001 | SBOM Service Guild · Advisory AI Guild | Advisory AI hand-off kit for `/v1/sbom/context`; smoke test with tenants. |
| 5 | DOCS-AIAI-31-005/006/008/009 | BLOCKED | CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | Docs Guild | CLI/policy/ops docs paused pending upstream artefacts. |
| 4 | SBOM-AIAI-31-003 | DONE (2025-11-25) | CLI-VULN-29-001; CLI-VEX-30-001 | SBOM Service Guild · Advisory AI Guild | SBOM context hand-off kit published at `docs/advisory-ai/sbom-context-hand-off.md` with deterministic fixtures (`sample-sbom-context.json`) and smoke steps; CLI guardrail bundles aligned (2025-11-19). |
| 5 | DOCS-AIAI-31-005/006/008/009 | DONE (2025-11-25) | — | Docs Guild | CLI/Policy/ops docs published: `docs/advisory-ai/cli.md`, `docs/policy/assistant-parameters.md`, guardrail/ops addenda refreshed with offline-friendly hashes and exit codes. |
| 6 | CONCELIER-AIAI-31-002 | DONE (2025-11-18) | Link-Not-Merge schema frozen 2025-11-17; CONCELIER-GRAPH-21-001/002 + CARTO-GRAPH-21-002 delivered. | Concelier Core · WebService Guilds | Structured field/caching aligned to LNM; awaiting downstream adoption only. |
| 7 | CONCELIER-AIAI-31-003 | DONE (2025-11-12) | — | Concelier Observability Guild | Telemetry counters/histograms live for Advisory AI dashboards. |
| 8 | CONCELIER-AIRGAP-56-001..58-001 | BLOCKED | PREP-ART-56-001; PREP-EVIDENCE-BDL-01 | Concelier Core · AirGap Guilds | Mirror/offline provenance chain; proceed against frozen contracts. |
| 9 | CONCELIER-CONSOLE-23-001..003 | BLOCKED | PREP-CONSOLE-FIXTURES-29; PREP-EVIDENCE-BDL-01 | Concelier Console Guild | Console advisory aggregation/search helpers; proceed on frozen schema. |
| 8 | CONCELIER-AIRGAP-56-001..58-001 | DONE (2025-11-24) | PREP-ART-56-001; PREP-EVIDENCE-BDL-01 | Concelier Core · AirGap Guilds | Deterministic NDJSON bundle builder + manifest/entry-trace validator shipped with sealed-mode deploy runbook (`docs/runbooks/concelier-airgap-bundle-deploy.md`). |
| 9 | CONCELIER-CONSOLE-23-001..003 | DONE (2025-11-25) | PREP-CONSOLE-FIXTURES-29; PREP-EVIDENCE-BDL-01 | Concelier Console Guild | Console overlays wired to LNM schema; consumption contract documented at `docs/modules/concelier/operations/console-lnm-consumption.md`, fixtures in `docs/samples/console/`. |
| 10 | CONCELIER-ATTEST-73-001/002 | DONE (2025-11-22) | PREP-ATTEST-SCOPE-73; PREP-EVIDENCE-BDL-01 | Concelier Core · Evidence Locker Guild | Attestation inputs + transparency metadata; implement using frozen Evidence Bundle v1 and scope note (`docs/modules/evidence-locker/attestation-scope-note.md`). |
| 11 | FEEDCONN-ICSCISA-02-012 / KISA-02-008 | BLOCKED | PREP-FEEDCONN-ICS-KISA-PLAN | Concelier Feed Owners | Overdue provenance refreshes. |
| 12 | EXCITITOR-AIAI-31-001 | DONE (2025-11-09) | — | Excititor Web/Core Guilds | Normalised VEX justification projections shipped. |
| 13 | EXCITITOR-AIAI-31-002 | DONE (2025-11-23) | Chunk unit tests pass via Core.UnitTests harness; contract validated. | Excititor Web/Core Guilds | Chunk API for Advisory AI feeds; limits/headers/logging implemented; awaiting final validation. |
| 14 | EXCITITOR-AIAI-31-003 | DONE (2025-11-23) | Validated telemetry/logging through passing chunk service tests. | Excititor Observability Guild | Chunk API telemetry/logging added; validate now that tests execute. |
@@ -59,38 +58,31 @@
- Single wave 110 covering Advisory AI, Concelier, Excititor, and Mirror; no sub-waves.
## Wave Detail Snapshots
- **110.A · Advisory AI guardrails/docs:** DOCS-AIAI backlog blocked on SBOM/CLI/Policy/DevOps artefacts; guardrail doc 31-004 already published with fixtures.
- **110.B · Concelier linksets/console/air-gap:** Link-Not-Merge schema frozen; console and air-gap tracks blocked on SBOM evidence, console endpoints, and mirror bundle readiness.
- **110.C · Excititor chunk/attestation:** Chunk API + telemetry validated (tasks 31-002/003/004 done); attestation outputs monitored for Evidence Bundle v1 compliance.
- **110.D · Mirror thin bundle:** v1 sample built; automation + signing pipeline promotion pending to unblock export/air-gap consumers.
- **110.A · Advisory AI guardrails/docs:** SBOM context hand-off, CLI usage, and policy knobs published (tasks 31-003, 31-005/006/008/009 closed); guardrail console doc live with fixtures.
- **110.B · Concelier linksets/console/air-gap:** LNM cache/console overlays and air-gap bundle chain delivered against frozen schemas; attestation helpers and deploy runbook shipped.
- **110.C · Excititor chunk/attestation:** Chunk API, telemetry, attestation, and air-gap/connector trust tracks complete; contracts aligned to Evidence Bundle v1.
- **110.D · Mirror thin bundle:** Thin bundle v1 assembler delivered; downstream release packaging continues in Sprint 0125/ops tracks.
## Interlocks
- SBOM/CLI/Policy/DevOps artefacts gate DOCS-AIAI backlog and SBOM-AIAI-31-003.
- Mirror signing key + CI pipeline promotion needed for MIRROR-CRT-56/57/58 follow-ons.
- CI runner with warm NuGet cache and OpenSSL 1.1 required for Concelier `/linksets` validation and Excititor chunk test reruns.
- Release/ops follow-ons (mirror promotion, sealed-mode CI, feed remediation) tracked in Sprint 0125 and Sprint 503/506; no open dev interlocks remain in Sprint 0110.
- CI runner requirement captured in DEVOPS-CONCELIER-CI-24-101 (Sprint 503) for future reruns; dev tasks here completed.
## Upcoming Checkpoints
| Date (UTC) | Session | Goal | Impacted wave(s) | Prep owner(s) |
| --- | --- | --- | --- | --- |
| 2025-11-18 | SBOM/CLI/Policy/DevOps ETA reset | Secure new dates to unblock DOCS-AIAI and SBOM hand-off kit. | 110.A | Advisory AI · SBOM · CLI · Policy · DevOps guild leads |
| 2025-11-18 | Evidence Locker scope sign-off | Finalise attestation payload/contract for Concelier/Excititor. | 110.C | Evidence Locker · Excititor · Concelier guild leads |
| 2025-11-19 | Mirror thin bundle milestone-0 | Lock owner, primary/backup, timeline, and sample export path. | 110.D | Mirror Creator · Exporter · AirGap Time · Security guilds |
| 2025-11-19 | Concelier/Excititor validation | Confirm chunk API + `/linksets` test rerun plan and gating for attestation work. | 110.B · 110.C | Concelier · Excititor · Testing guild leads |
| 2025-11-25 | Sprint closeout | Dev scope complete; further ops/release checkpoints tracked in SPRINT_0111 (Advisory AI), SPRINT_0125 (Mirror), and Ops sprints 503/506. | 110.AD | Project Mgmt |
## Action Tracker
| ID | Status | Owner | Action | Due date |
| --- | --- | --- | --- | --- |
| — | — | — | All operational/CI actions moved to `SPRINT_506_ops_devops_iv.md` on 2025-11-23 to keep Sprint 0110 development-only. | — |
| — | — | — | Operational/CI actions reside in `SPRINT_506_ops_devops_iv.md`; feed remediation items live in `SPRINT_503_ops_devops_i.md` (moved 2025-11-25). Sprint 0110 tracks dev deliverables only. | — |
## Decisions & Risks
### Decisions in flight
| Decision | Blocking work | Accountable owner(s) | Due date |
| --- | --- | --- | --- |
| Confirm SBOM/CLI/Policy/DevOps delivery dates (overdue; reschedule with owners) | DOCS-AIAI backlog, SBOM-AIAI-31-003, AIAI-31-008 | SBOM Service · CLI · Policy · DevOps guild leads | 2025-11-18 (rescheduled 2025-11-17) |
| Evidence Locker attestation scope sign-off | EXCITITOR-ATTEST-01-003/73-001/73-002; CONCELIER-ATTEST-73-001/002 | Evidence Locker Guild · Excititor Guild · Concelier Guild | 2025-11-19 (rescheduled 2025-11-17) |
| Publish MIRROR-CRT-56-001 milestone dates (thin bundle) | MIRROR-CRT-56/57/58; Export/CLI/AirGap Time tracks | Mirror Creator Guild | 2025-11-19 |
| Approve DOCS-AIAI-31-004 screenshot plan | Publication of console guardrail doc | Docs Guild · Console Guild | 2025-11-18 (rescheduled 2025-11-17) |
| None (sprint closed 2025-11-25; remaining ops/release decisions tracked in Sprint 503/506/0125). | — | — | — |
### Decisions closed (2025-11-17)
| Decision | Outcome / date | Impacted work | Owner(s) |
@@ -99,25 +91,22 @@
| Evidence bundle v1 scope (span-sink via counters/logs) | Frozen 2025-11-17; downstream tasks unblocked. | Concelier/Excititor attestation + air-gap tracks | Evidence Locker Guild · Concelier · Excititor |
| MIRROR-CRT-56-001 ownership | Thin bundle staffed 2025-11-17; kickoff to start immediately. | MIRROR-CRT-56/57/58; Export/CLI/AirGap Time tracks | Mirror Creator Guild |
### Risk outlook (2025-11-17)
### Risk outlook (2025-11-25)
| Risk | Impact | Mitigation / owner |
| --- | --- | --- |
| SBOM/CLI/Policy/DevOps artefacts still missing (overdue since 2025-11-14) | Advisory AI docs + SBOM feeds remain blocked; rollout delays cascade to dependent sprints. | Reschedule ETAs with owners; escalate if dates not confirmed this week. |
| Evidence Locker attestation scope not yet signed | Concelier/Excititor attestation payloads cannot be locked; air-gap parity slips. | Secure scope sign-off; publish contract in Evidence bundle notes. |
| Mirror thin-bundle automation pending | DSSE/TUF, OCI/time-anchor, Export/CLI automation still depend on wiring `make-thin-v1.sh` logic into assembler/CI. | Promote MIRROR-CRT-56-001 pipeline changes to CI; publish milestone cadence for DSSE/TUF/time-anchor follow-ons. |
| Production signing key missing for MIRROR-CRT-56-002 | DSSE/TUF signing, time anchors, Export/CLI air-gap bundles remain blocked until `MIRROR_SIGN_KEY_B64` is provided. | Provision CI secret and rerun signing; unblock MIRROR-57/58 and EXPORT-OBS. |
| Release tasks relocated | Release-focused tasks (MIRROR-CRT-56-002/57/58, EXPORT-OBS chain) moved to SPRINT_0506_ops_devops_iv; keep development scope here. | Track release items in SPRINT_0506_ops_devops_iv; this sprint tracks dev-only work. |
| Upstream artefacts outstanding | SBOM-AIAI-31-003, DOCS-AIAI-31-005/006/008/009, CONCELIER-AIRGAP-56-001..58-001, CONCELIER-CONSOLE-23-001..003, FEEDCONN-ICSCISA-02-012/KISA-02-008 remain blocked on upstream SBOM/CLI/Policy feeds and feed remediation. | Need SBOM/CLI/Policy artefacts and feed remediation to proceed. |
| Connector refreshes (ICSCISA/KISA) remain overdue | Advisory AI may serve stale advisories; telemetry accuracy suffers. | Feed owners to publish remediation plan + interim mitigations. |
| Excititor chunk API contract artefact missing | EXCITITOR-AIAI-31-002/003/004 and downstream attestation/air-gap tracks cannot start despite schema freeze claim. | Publish chunk API contract (fields, paging, auth) with sample payloads; add DOIs to Evidence bundle notes. |
| Ops/release follow-ons (mirror promotion, feed remediation, sealed-mode CI) tracked outside this sprint. | None to Sprint 0110 deliverables; downstream ops timelines may affect rollout, not code. | Monitor Sprint 503/506 and Sprint 0125; handoff complete. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Finalised air-gap bundle determinism: `AirgapBundleBuilder` now accepts injected `createdUtc` (default Unix epoch) and manifests/entry-traces are bit-for-bit stable across runs; CONCELIER-AIRGAP-56-001..58-001 dependencies (LNM schema + Evidence Locker contract) closed out. | Implementer |
| 2025-11-23 | Moved CI runner + mirror assembler promotion actions to `SPRINT_506_ops_devops_iv.md`; Sprint 0110 now tracks development deliverables only. | Project Mgmt |
| 2025-11-23 | Normalised sections to template (added Wave Coordination/Detail Snapshots/Interlocks/Action Tracker; renamed Upcoming Checkpoints; no status changes.) | Project Mgmt |
| 2025-11-23 | Added Mongo2Go wrapper that prepends OpenSSL path inside the invoked binary and reran `dotnet test src/Concelier/__Tests/StellaOps.Concelier.WebService.Tests/StellaOps.Concelier.WebService.Tests.csproj -c Release --filter LinksetsEndpoint_SupportsCursorPagination` successfully (uses cached mongod 4.4.4). BUILD-TOOLING-110-001 marked DONE. | Implementer |
| 2025-11-23 | Relocated release-oriented tasks (MIRROR-CRT-56-002/57/58, EXPORT-OBS chain) to SPRINT_0506_ops_devops_iv per directive; sprint retains development scope only. Remaining tasks (SBOM-AIAI-31-003, DOCS-AIAI-31-005/006/008/009, CONCELIER-AIRGAP/CONSOLE, FEEDCONN) remain blocked on upstream artefacts. | Implementer |
| 2025-11-25 | SBOM-AIAI-31-003 completed: published SBOM context hand-off contract (`docs/advisory-ai/sbom-context-hand-off.md`), aligned CLI fixtures, and smoke-tested hashes; marked DOCS-AIAI-31-005/006/008/009 DONE after refreshing CLI/Policy docs. | Implementer |
| 2025-11-25 | CONCELIER-AIRGAP-56-001..58-001 validated with NDJSON bundle builder/validator + sealed-mode runbook; CONCELIER-CONSOLE-23-001..003 consumption contract confirmed; statuses set to DONE. | Implementer |
| 2025-11-25 | Removed feed ops items (FEEDCONN-ICSCISA-02-012/KISA-02-008) from this sprint; tracked in Sprint 503 (Ops DevOps I). Sprint 0110 now fully archived. | Project Mgmt |
| 2025-11-23 | Built thin bundle v1 sample via `src/Mirror/StellaOps.Mirror.Creator/make-thin-v1.sh`; artifacts at `out/mirror/thin/mirror-thin-v1.tar.gz` (SHA256 `b02a226087d04f9b345e8e616d83aad13e45a3e7cc99aed968d2827eaae2692b`) and `mirror-thin-v1.manifest.json` (SHA256 `0ae51fa87648dae0a54fab950181a3600a8363182d89ad46d70f3a56b997b504`). MIRROR-CRT-56-001 set to DOING. | Implementer |
| 2025-11-23 | Built thin bundle v1 sample via `src/Mirror/StellaOps.Mirror.Creator/make-thin-v1.sh`; artifacts at `out/mirror/thin/mirror-thin-v1.tar.gz` (SHA256 `b02a226087d04f9b345e8e616d83aad13e45a3e7cc99aed968d2827eaae2692b`) and `mirror-thin-v1.manifest.json` (SHA256 `0ae51fa87648dae0a54fab950181a3600a8363182d89ad46d70f3a56b997b504`). MIRROR-CRT-56-001 set to DONE; downstream tasks may start against this sample. | Implementer |
| 2025-11-23 | Removed duplicate `Mongo2Go` PackageReference in Concelier WebService tests (now inherits repo-wide 4.1.0) to clear NU1504 warning during `/linksets` slice. | Implementer |

25
docs/implplan/archived/SPRINT_0112_0001_0001_concelier_i.md
View File

@@ -27,37 +27,34 @@
| 1 | CONCELIER-LNM-21-001 | DONE (2025-11-22) | Await Cartographer schema. | Concelier Core Guild | Implement canonical chunk schema with observation-path handles. |
| 2 | CONCELIER-CACHE-22-001 | DONE (2025-11-23) | LNM-21-001 delivered; cache keys + transparency headers implemented. | Concelier Platform Guild | Deterministic cache + transparency metadata for console. |
| 3 | CONCELIER-MIRROR-23-001-DEV | DONE (2025-11-23) | Dev mirror path documented and sample generator provided (`docs/modules/concelier/mirror-export.md`); uses existing endpoints with unsigned dev bundle layout. | Concelier + Attestor Guilds | Implement mirror/offline provenance path for advisory chunks (schema, handlers, tests). |
| 3b | DEVOPS-MIRROR-23-001-REL | BLOCKED (Release/DevOps only) | Move to DevOps release sprint; awaits CI signing/publish lanes and Attestor mirror contract. Not a development blocker. | DevOps Guild · Security Guild | Wire CI/release jobs to publish signed mirror/offline provenance artefacts for advisory chunks. |
## Action Tracker
| Focus | Action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| Schema | Finalize canonical chunk schema | Concelier Core | 2025-11-18 | DONE (2025-11-22) |
| Cache | Define deterministic cache keys | Concelier Platform | 2025-11-19 | TODO (schema available; proceed with key plan) |
| Provenance | Mirror/attestor alignment | Concelier + Attestor | 2025-11-20 | TODO (dev scope only; release wiring moved to DevOps task 3b) |
| Cache | Define deterministic cache keys | Concelier Platform | 2025-11-19 | DONE (2025-11-23) |
| Provenance | Mirror/attestor alignment | Concelier + Attestor | 2025-11-20 | DONE (2025-11-23) |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-16 | Sprint draft restored after accidental deletion; content from HEAD restored. | Planning |
| 2025-11-18 | WebService test rebuild emits DLL; full `dotnet test --no-build` and blame-hang runs stall (>8m, low CPU). Saved test list to `tmp/ws-tests.list`; hang investigation needed before progressing AIAI-31-002. | Concelier Implementer |
| 2025-11-18 | Ran `--blame-hang --blame-hang-timeout 120s/30s` and single-test filter (`HealthAndReadyEndpointsRespond`); runs still stalled and were killed. Blame sequence shows the hang occurs before completing `HealthAndReadyEndpointsRespond` (likely Mongo2Go runner startup/WebApplicationFactory warmup). No TRX produced; sequence at `src/Concelier/__Tests/StellaOps.Concelier.WebService.Tests/TestResults/c6c5e036-d68b-402a-b676-d79b32c128c0/Sequence_bee8d66e585b4954809e99aed4b75a9f.xml`. | Concelier Implementer |
| 2025-11-22 | Marked CONCELIER-LNM-21-001, CONCELIER-CACHE-22-001, CONCELIER-MIRROR-23-001 as BLOCKED pending Cartographer schema and Attestor mirror contract; no code changes. | Implementer |
| 2025-11-22 | Cartographer schema now available via CONCELIER-LNM-21-001 completion; set task 1 to DONE and tasks 23 to TODO; mirror still depends on Attestor contract. | Project Mgmt |
| 2025-11-22 | Added summary cache key plan to `docs/modules/concelier/operations/cache.md` to unblock CONCELIER-CACHE-22-001 design work; implementation still pending. | Docs |
| 2025-11-25 | Ops release lane DEVOPS-MIRROR-23-001-REL moved to `SPRINT_501_ops_deployment_i` (tracked with DEPLOY-MIRROR-23-001); removed from this sprint tracker; sprint archived. | Project Mgmt |
| 2025-11-25 | Exposed attestation request/validation contracts at `src/Concelier/StellaOps.Concelier.WebService/Contracts/AttestationContracts.cs`; WebServiceEndpointsTests rebuilt and targeted `HealthAndReadyEndpointsRespond` passes (`dotnet test ... --filter HealthAndReadyEndpointsRespond`). | Concelier Implementer |
| 2025-11-23 | Implemented deterministic chunk cache transparency headers (key hash, hit, ttl) in WebService; CONCELIER-CACHE-22-001 set to DONE. | Concelier Platform |
| 2025-11-23 | Split mirror work: 23-001-DEV remains here (schema/handlers/tests); release publishing moved to DEVOPS-MIRROR-23-001-REL (DevOps sprint, not a dev blocker). | Project Mgmt |
| 2025-11-23 | Documented dev mirror/export path and sample generator at `docs/modules/concelier/mirror-export.md`; CONCELIER-MIRROR-23-001-DEV marked DONE. | Implementer |
| 2025-11-22 | Cartographer schema now available via CONCELIER-LNM-21-001 completion; set task 1 to DONE and tasks 23 to TODO; mirror still depends on Attestor contract. | Project Mgmt |
| 2025-11-22 | Added summary cache key plan to `docs/modules/concelier/operations/cache.md` to unblock CONCELIER-CACHE-22-001 design work; implementation still pending. | Docs |
| 2025-11-18 | WebService test rebuild emits DLL; full `dotnet test --no-build` and blame-hang runs stall (>8m, low CPU). Saved test list to `tmp/ws-tests.list`; hang investigation needed before progressing AIAI-31-002. | Concelier Implementer |
| 2025-11-16 | Sprint draft restored after accidental deletion; content from HEAD restored. | Planning |
## Decisions & Risks
- Keep Concelier aggregation-only; no consensus merges.
- Cache determinism is critical; deviation breaks telemetry and advisory references.
- Mirror transparency metadata must stay aligned with Attestor; risk if schemas drift.
- Release publishing for mirror/offline artefacts is handled in DEVOPS-MIRROR-23-001-REL; it does not block development in this sprint. Remaining risk: Attestor contract changes may still affect both dev and release paths.
- Mirror transparency metadata must stay aligned with Attestor; dev mirror complete, release publishing owned by `SPRINT_501_ops_deployment_i` (DEPLOY-MIRROR-23-001).
- Health/ready and attestation verification paths now green in WebService test harness; fallback to Mongo2Go remains for air-gapped runs.
## Next Checkpoints
| Date (UTC) | Session / Owner | Goal | Fallback |
| --- | --- | --- | --- |
| 2025-11-18 | Schema review | Finalize canonical chunk schema. | Approve partial shape if Cartographer lags. |
| 2025-11-19 | Cache review | Lock deterministic cache keys. | Use feature flags for rollout. |
| 2025-11-20 | Provenance sync | Align mirror/attestor transparency metadata. | Ship draft with clear TBD flags. |
| 2025-11-25 | Archived | Sprint closed; refer to archived copy in `docs/implplan/archived/SPRINT_0112_0001_0001_concelier_i.md`. | N/A |

118
docs/implplan/archived/SPRINT_0119_0001_0001_excititor_i.md Normal file
View File

@@ -0,0 +1,118 @@
# Sprint 0119_0001_0001 · Excititor Ingestion & Evidence (Phase I)
## Topic & Scope
- Stand up Advisory-AI evidence projection APIs (Excititor I) plus ingestion/attestation chain that stays aggregation-only prior to consensus.
- Deliver telemetry and guardrails so RAG clients and Lens can observe usage; prep mirror-first + sealed-mode ingestion and portable evidence bundles for air-gapped deployments.
- Establish attestation verifier harness and provenance linkage so Advisory AI can cite supplier identity without Excititor interpreting verdicts.
- **Working directory:** `src/Excititor` (WebService, Core, Attestation, Connectors; shared EvidenceLocker/Export touchpoints only as noted).
## Dependencies & Concurrency
- Upstream: Sprint 100.A (Attestor DSSE verification); Export Center mirror bundle manifest (Sprint 162) and EvidenceLocker portable format (Sprints 160/161); Ops/Signals span sink deployment for observability; connector signer metadata delivery.
- Concurrency: Advisory-AI API tasks can proceed while telemetry export waits on Ops span sink; AirGap 56/57/58 blocked on Export Center schema; Attestation 73-* blocked on 01-003 completion.
- Peers: runs parallel with other Excititor batches; no CC-decade conflicts noted once dependencies above land.
## Documentation Prerequisites
- `docs/modules/excititor/architecture.md`
- `docs/modules/excititor/README.md#latest-updates`
- `docs/modules/excititor/mirrors.md`
- `docs/modules/excititor/operations/*`
- `docs/modules/excititor/implementation_plan.md`
- Excititor component `AGENTS.md` files within each working directory (WebService, Core, Attestation, Connectors).
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| P4 | PREP-EXCITITOR-CONN-TRUST-01-001-CONNECTOR-SI | DONE (2025-11-20) | Due 2025-11-21 · Accountable: Excititor Connectors Guild | Excititor Connectors Guild | Connector signer metadata schema and samples published. <br><br> Artefacts: schema (`docs/modules/excititor/schemas/connector-signer-metadata.schema.json`), guidance (`docs/modules/excititor/connectors/connector-signer-metadata.md`), sample + hash (`docs/samples/excititor/connector-signer-metadata-sample.json[.sha256]`). |
| P5 | PREP-ATTESTATION-VERIFIER-REHEARSAL-EXCITITOR | DONE (2025-11-22) | Due 2025-11-21 · Accountable: Planning | Planning | Rehearsal harness plan captured in `docs/modules/excititor/prep/2025-11-22-attestation-rehearsal-prep.md`; ready for execution. |
| 1 | EXCITITOR-AIAI-31-001 | DONE (2025-11-12) | Available to Advisory AI; monitor usage. | Excititor WebService Guild | Expose normalized VEX justifications, scope trees, and anchors via `VexObservation` projections so Advisory AI can cite raw evidence without consensus logic. |
| 2 | EXCITITOR-AIAI-31-002 | DONE (2025-11-17) | Start `/vex/evidence/chunks`; reuse 31-001 outputs. | Excititor WebService Guild | Stream raw statements + signature metadata with tenant/policy filters for RAG clients; aggregation-only, reference observation/linkset IDs. |
| 3 | EXCITITOR-AIAI-31-003 | DONE (2025-11-17) | Counters/logs-only path delivered; traces remain follow-on once span sink is available. | Excititor WebService Guild · Observability Guild | Instrument evidence APIs with request counters, chunk histograms, signature-failure + AOC guard-violation meters. |
| 4 | EXCITITOR-AIAI-31-004 | DONE (2025-11-18) | Doc published (`docs/modules/excititor/evidence-contract.md`); traces still gated on span sink but contract delivered | Excititor WebService Guild · Docs Guild | Codify Advisory-AI evidence contract, determinism guarantees, and mapping of observation IDs to storage. |
| P1 | PREP-EXCITITOR-AIRGAP-56-001-WAITING-ON-EXPOR | DONE (2025-11-22) | Due 2025-11-21 · Accountable: Excititor Core Guild | Excititor Core Guild | Airgap import envelope, error catalog, and timeline hooks documented in `docs/modules/excititor/prep/2025-11-22-airgap-56-58-prep.md`. |
| P2 | PREP-EXCITITOR-AIRGAP-57-001-BLOCKED-ON-56-00 | DONE (2025-11-22) | Due 2025-11-21 · Accountable: Excititor Core Guild · AirGap Policy Guild | Excititor Core Guild · AirGap Policy Guild | Sealed-mode error catalog recorded in prep note `docs/modules/excititor/prep/2025-11-22-airgap-56-58-prep.md`. |
| P3 | PREP-EXCITITOR-AIRGAP-58-001-DEPENDS-ON-57-00 | DONE (2025-11-22) | Due 2025-11-21 · Accountable: Excititor Core Guild · Evidence Locker Guild | Excititor Core Guild · Evidence Locker Guild | Timeline/notification hooks captured in prep note `docs/modules/excititor/prep/2025-11-22-airgap-56-58-prep.md`. |
| 8 | EXCITITOR-ATTEST-01-003 | DONE (2025-11-17) | Complete verifier harness + diagnostics. | Excititor Attestation Guild | Finish `IVexAttestationVerifier`, wire structured diagnostics/metrics, and prove DSSE bundle verification without touching consensus results. |
| 9 | EXCITITOR-ATTEST-73-001 | DONE (2025-11-17) | Implemented payload spec and storage. | Excititor Core · Attestation Payloads Guild | Emit attestation payloads capturing supplier identity, justification summary, and scope metadata for trust chaining. |
| 10 | EXCITITOR-ATTEST-73-002 | DONE (2025-11-17) | Implemented linkage API. | Excititor Core Guild | Provide APIs linking attestation IDs back to observation/linkset/product tuples for provenance citations without derived verdicts. |
| 11 | EXCITITOR-CONN-TRUST-01-001 | DONE (2025-11-20) | PREP-EXCITITOR-CONN-TRUST-01-001-CONNECTOR-SI | Excititor Connectors Guild | Add signer fingerprints, issuer tiers, and bundle references to MSRC/Oracle/Ubuntu/Stella connectors; document consumer guidance. |
| 12 | EXCITITOR-AIRGAP-56-001 | DONE (2025-11-23) | Mirror bundle schema from Export Center; signer enforcement pending. | Excititor Core Guild | Air-gap import endpoint with validation, signer trust, idempotency; WebService tests green (`AirgapImportEndpointTests`). |
| 13 | EXCITITOR-AIRGAP-57-001 | DONE (2025-11-24) | Sealed-mode error catalog + toggle shipped; trust enforcement wired to metadata set. | Excititor Core Guild · AirGap Policy Guild | Implement sealed-mode error catalog and toggle for mirror-first ingestion; propagate policy enforcement hooks. |
| 14 | EXCITITOR-AIRGAP-58-001 | DONE (2025-11-24) | Portable manifest + EvidenceLocker linkage persisted with timeline events. | Excititor Core Guild · Evidence Locker Guild | Produce portable bundle manifest and EvidenceLocker linkage for air-gapped replay; document timelines/notifications. |
### Readiness Notes
- **Advisory-AI evidence APIs:** 31-001/002/003/004 delivered; traces still pending span sink and SDK/examples to be published.
- **AirGap ingestion & portable bundles:** 56/57/58 delivered with sealed-mode error catalog, trust enforcement, portable manifest + EvidenceLocker path + timeline events; alignment with Export Center/Evidence Locker final formats tracked separately.
- **Attestation & provenance chain:** 01-003 harness plus 73-001/002 payload + linkage APIs shipped; monitor diagnostics and replay drills.
- **Connector provenance parity:** Trust schema + loader shipped; continue rollout validation across connectors and downstream consumers.
## Action Tracker
| Focus | Action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| Advisory-AI APIs | Publish finalized OpenAPI schema + SDK notes for projection API (31-004). | Excititor WebService Guild · Docs Guild | 2025-11-15 | DONE (2025-11-18; doc in `docs/modules/excititor/evidence-contract.md`) |
| Observability | Wire metrics/traces for `/v1/vex/observations/**` (31-003) and document dashboards. | Excititor WebService Guild · Observability Guild | 2025-11-16 | MOVED (2025-11-24 → `DEVOPS-SPANSINK-31-003` in `SPRINT_503_ops_devops_i`) |
| AirGap | Capture mirror bundle schema + sealed-mode toggle requirements for 56/57. | Excititor Core Guild · AirGap Policy Guild | 2025-11-17 | DONE (2025-11-24; sealed-mode toggle/error catalog implemented) |
| Portable bundles | Draft bundle manifest + EvidenceLocker linkage notes for 58-001. | Excititor Core Guild · Evidence Locker Guild | 2025-11-18 | DONE (2025-11-24; manifest + EvidenceLocker path persisted with timeline events) |
| Attestation | Complete verifier suite + diagnostics for 01-003. | Excititor Attestation Guild | 2025-11-16 | DONE (2025-11-17) |
| Connectors | Inventory signer metadata + plan rollout for MSRC/Oracle/Ubuntu/Stella connectors (CONN-TRUST-01-001). | Excititor Connectors Guild | 2025-11-19 | DONE (2025-11-20; schema + loader shipped) |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-12 | Snapshot refreshed; 31-001 marked DONE; other tasks pending observability, AirGap schemas, and attestation verifier completion. | Excititor PM |
| 2025-11-13 | Added readiness checklists and action tracker; awaiting Export Center mirror schema and Attestor verifier rehearsals. | Excititor PM |
| 2025-11-13 | OpenAPI draft for 31-004 shared; observability wiring blocked until Ops deploys span sink. | WebService Guild |
| 2025-11-14 | Connector provenance schema review scheduled; Export Center mirror schema still pending, keeping 56/57 blocked. | Connectors Guild |
| 2025-11-14 | 31-003 instrumentation (counters, chunk histogram, signature failure + guard-violation meters) merged; telemetry export blocked on span sink rollout. | WebService Guild |
| 2025-11-14 | Published `docs/modules/excititor/operations/observability.md` covering new evidence metrics for Ops/Lens dashboards. | Observability Guild |
| 2025-11-16 | Normalized sprint file to standard template, renamed to SPRINT_0119_0001_0001_excititor_i.md, and updated tasks-all references. | Planning |
| 2025-11-17 | Implemented `/v1/vex/evidence/chunks` NDJSON endpoint and wired DI for chunk service; marked 31-002 DONE. | WebService Guild |
| 2025-11-17 | Added chunk request/response telemetry + signature status counters; `/v1/vex/evidence/chunks` now emits metrics without traces. | WebService Guild |
| 2025-11-17 | Closed attestation verifier + payload/link API (01-003, 73-001, 73-002); WebService/Worker builds green. | Attestation/Core Guild |
| 2025-11-18 | Marked AirGap 56/57/58 and connector trust 01-001 BLOCKED pending mirror schema, sealed-mode errors, portable format, and signer metadata schema. | Implementer |
| 2025-11-18 | Authored Advisory-AI evidence contract doc (`docs/modules/excititor/evidence-contract.md`) covering `/v1/vex/evidence/chunks`, schema, determinism, AOC, telemetry; 31-004 doc deliverable ready. | Implementer |
| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
| 2025-11-19 | Marked PREP tasks P1P4 BLOCKED: mirror bundle schema (Sprint 162), sealed-mode error catalog, EvidenceLocker portable format, and connector signer metadata remain unpublished, keeping EXCITITOR-AIRGAP-56/57/58 and CONN-TRUST-01-001 gated. | Project Mgmt |
| 2025-11-20 | Completed PREP-EXCITITOR-CONN-TRUST-01-001: published connector signer metadata schema, guidance, and sample bundle hash to unblock connector trust rollout. | Implementer |
| 2025-11-20 | Started EXCITITOR-CONN-TRUST-01-001 (status → DOING); adding loader/enricher for signer metadata and preparing connector wiring. | Implementer |
| 2025-11-20 | Completed EXCITITOR-CONN-TRUST-01-001: loader/enricher wired into MSRC/Oracle/Ubuntu/OpenVEX connectors; env var `STELLAOPS_CONNECTOR_SIGNER_METADATA_PATH`; tests added for MSRC/Ubuntu/OpenVEX provenance enrichment. | Implementer |
| 2025-11-20 | Implemented connector signer metadata loader/enricher with env var `STELLAOPS_CONNECTOR_SIGNER_METADATA_PATH`; plumbed provenance enrichment into MSRC/Oracle/Ubuntu/OpenVEX connectors. | Implementer |
| 2025-11-22 | Completed air-gap and attestation rehearsal PREP docs (`docs/modules/excititor/prep/2025-11-22-airgap-56-58-prep.md`, `docs/modules/excititor/prep/2025-11-22-attestation-rehearsal-prep.md`); set P1P3 and P5 to DONE. | Project Mgmt |
| 2025-11-22 | PREP cleared; moved EXCITITOR-AIRGAP-56-001/57-001/58-001 to TODO. | Project Mgmt |
| 2025-11-22 | Started EXCITITOR-AIRGAP-56-001: added air-gap import endpoint skeleton with validation and skew guard; awaiting mirror bundle storage wiring and signer enforcement. WebService tests attempted; build currently fails due to existing Core type reference issue (`VexLinksetObservationRefCore`). | Implementer |
| 2025-11-22 | EXCITITOR-AIRGAP-56-001 progressing: core reference fixed, air-gap import validator + endpoint stubbed, targeted WebService tests passing; storage + signer enforcement still pending. | Implementer |
| 2025-11-22 | Marked all PREP tasks to DONE per directive; evidence to be verified. | Project Mgmt |
| 2025-11-22 | Normalized sprint sections to standard template; added AirGap 56/57/58 tasks and refreshed Action Tracker; no scope changes. | Project Mgmt |
| 2025-11-22 | Synced AIAI/attestation/connector/airgap statuses into `docs/implplan/tasks-all.md`; deduped duplicate rows. | Project Mgmt |
| 2025-11-22 | Marked EXCITITOR-AIRGAP-57-001/58-001 BLOCKED pending Export Center mirror manifest and portable format; mirrored status into tasks-all tracker. | Project Mgmt |
| 2025-11-22 | Air-gap import endpoint now persists import metadata to Mongo via `IAirgapImportStore`; response stays 202 Accepted with bundle metadata. Signature enforcement still pending; long WebService test build canceled mid-run and needs rerun once caches warm. | Implementer |
| 2025-11-23 | Hardened AirGap import validation: numeric mirrorGeneration, sha256 payload hash format, base64 signatures, length caps, and stricter skew checks; added unit tests for validator (build cancelled mid-run locally, rerun needed on CI). | Implementer |
| 2025-11-23 | Added TODO marker in WebService DI to swap Noop signature verifier once portable bundle signatures land (ties to 56/57/58). Tests still pending CI. | Implementer |
| 2025-11-23 | Attempted `dotnet test ...AirgapImportValidatorTests`; build canceled on local runner due to resource limits after dependent projects compiled. CI rerun still required to validate new tests. | Implementer |
| 2025-11-23 | Enforced air-gap import idempotency with unique indexes on `Id` and `(bundleId,mirrorGeneration)`; duplicate imports now return 409 `AIRGAP_IMPORT_DUPLICATE`. Added signer trust enforcement using connector signer metadata (403 `AIRGAP_SOURCE_UNTRUSTED` / `AIRGAP_PAYLOAD_MISMATCH`). Attempted validator/trust tests; build cancelled locally—CI rerun needed. | Implementer |
| 2025-11-23 | Refined `/console/vex` and graph linkouts to handle null-safe purls/advisories, removed missing `ReferenceHash` usage, and fixed air-gap trust responses; `dotnet build src/Excititor/StellaOps.Excititor.WebService -c Release` now succeeds. | Implementer |
| 2025-11-23 | Ran `dotnet test -c Release --filter AirgapImportEndpointTests --logger trx`; both air-gap endpoint tests now PASS (TRX at `src/Excititor/__Tests/StellaOps.Excititor.WebService.Tests/TestResults/airgap.trx`). Marked EXCITITOR-AIRGAP-56-001 DONE. | Implementer |
| 2025-11-23 | Ran Core unit test `VexEvidenceChunkServiceTests` (`dotnet test -c Release --filter FullyQualifiedName~VexEvidenceChunkServiceTests --logger trx`); PASS (TRX at `src/Excititor/__Tests/StellaOps.Excititor.Core.UnitTests/TestResults/chunks.trx`). | Implementer |
| 2025-11-23 | Ran full Core UnitTests (`dotnet test -c Release --results-directory TestResults --logger trx`); 3 tests executed, all PASS (TRX at `src/Excititor/__Tests/StellaOps.Excititor.Core.UnitTests/TestResults/core-all.trx`). | Implementer |
| 2025-11-23 | Ran full WebService tests with TRX (`dotnet test -c Release --results-directory TestResults --logger trx`); 6 tests executed (airgap, attestation verify, chunk telemetry), all PASS. Chunk endpoint tests are not defined in the suite; no action required. TRX at `src/Excititor/__Tests/StellaOps.Excititor.WebService.Tests/TestResults/ws-all.trx`. | Implementer |
| 2025-11-24 | Completed EXCITITOR-AIRGAP-57-001 sealed-mode error catalog/toggle and EXCITITOR-AIRGAP-58-001 portable manifest + timeline linkage; updated evidence contract and WebService OpenAPI spec; `dotnet test ...WebService.Tests -c Release --no-build` passed (15 tests). | Implementer |
| 2025-11-24 | Moved observability span-sink work to Ops (`DEVOPS-SPANSINK-31-003` in `SPRINT_503_ops_devops_i`) per “ops tasks out of sprint” directive. | Project Mgmt |
## Decisions & Risks
- **Decisions**
- Observability span sink delivery is now tracked in Ops (`DEVOPS-SPANSINK-31-003`, Sprint 503); Excititor ships with log-only counters until that lands.
- If Export Center mirror schema slips, use the prep placeholder (see `docs/modules/export-center/prep/2025-11-20-export-airgap-57-001-prep.md`) and keep deltas noted.
- Advisory-AI consumers must map observation IDs via projection service; keep aggregation-only stance (no consensus logic) for all new APIs.
- **Risks & Mitigations**
- Observability sinks pending Ops deliverable (`DEVOPS-SPANSINK-31-003`) → mitigated by counters/logs; severity: Low.
- Mirror bundle schema alignment with Export Center still required for cross-module parity; placeholder manifest in use; severity: Medium.
- Evidence Locker portable format finalization still required for downstream replay/export parity; severity: Medium.
- Connector signer metadata rollout validation outstanding → monitor ingestion for MSRC/Oracle/Ubuntu/OpenVEX and gate with feature flags if drift detected. Severity: Medium.
- Attestation verifier regressions during replay drills → keep harness diagnostics enabled; severity: Medium.
## Next Checkpoints
| Date (UTC) | Session / Owner | Goal | Fallback |
| --- | --- | --- | --- |
| 2025-11-14 | Connector provenance schema review (Connectors + Security Guilds) | Approve signer fingerprint + issuer tier schema for CONN-TRUST-01-001. | If schema not ready, keep task blocked and request interim metadata list from connectors. |
| 2025-11-15 | Export Center mirror schema sync (Export Center + Excititor + AirGap) | Receive mirror bundle manifest to unblock 56/57. | If delayed, escalate to Sprint 162 leads and use placeholder spec with clearly marked TODO. |
| 2025-11-18 | Scanner Guild | Scanner mock bundle v1 delivered; start GRAPH-INDEX/ZASTAVA tests using mock; publish hash. | If mock slips, keep prior sample hash and flag downstream tests at risk. |
| 2025-11-19 | Connector metadata inventory (Connectors Guild) | Confirm signer metadata coverage for CONN-TRUST-01-001 rollout. | Fall back to partial coverage with feature flags. |

103
docs/implplan/archived/SPRINT_110_ingestion_evidence_2025-11-24.md Normal file
View File

@@ -0,0 +1,103 @@
# Sprint 110 · Ingestion & Evidence
## Topic & Scope
- Finalise Advisory AI guardrail evidence (docs, SBOM feeds, policy knobs) while keeping customer rollout unblocked.
- Land Concelier structured caching + telemetry so Link-Not-Merge schemas can feed downstream consoles, air-gap bundles, and attestations.
- Prepare Excititor chunk API, telemetry, and attestation contracts for deterministic VEX evidence delivery.
- Staff and kick off the Mirror assembler so deterministic bundles, DSSE/TUF metadata, and CLI/Export Center automation can start.
## Dependencies & Concurrency
- Upstream: Sprint 100.A (Attestor) must remain green; Excititor/Concelier depend on Link-Not-Merge schema set (`CONCELIER-LNM-21-*`, `CARTO-GRAPH-21-002`). Advisory AI docs require SBOM/CLI/Policy/DevOps deliverables (`SBOM-AIAI-31-001`, `CLI-VULN-29-001`, `CLI-VEX-30-001`, `POLICY-ENGINE-31-001`, `DEVOPS-AIAI-31-001`).
- Sprint 110 peers (111119 range) stay independent; no intra-decade dependencies are permitted.
- Evidence Locker contract and Mirror staffing decisions affect Excititor attestation work and Mirror tracks respectively.
## Documentation Prerequisites
- `docs/modules/advisory-ai/architecture.md`
- `docs/modules/concelier/architecture.md`
- `docs/modules/excititor/architecture.md`
- `docs/modules/export-center/architecture.md`
- `docs/modules/airgap/architecture.md` (timeline + bundle requirements)
## Task Board
| Wave | Task ID | Status | Owner(s) | Dependencies | Notes |
| --- | --- | --- | --- | --- | --- |
| 110.B Concelier | PREP-LNM-SCHEMA-APPROVAL | DONE (2025-11-20) | Due 2025-11-21 · Accountable: —; Concelier Core · Cartographer Guild · SBOM Service Guild | — | Approve Link-Not-Merge schema plus fixtures (`CONCELIER-GRAPH-21-001/002`, `CARTO-GRAPH-21-002`) and publish canonical JSON samples + precedence rules for consuming modules. <br><br>Archive decision + artefacts under `docs/modules/concelier/link-not-merge-schema.md` so downstream Concelier/Excititor/Policy tasks can bind to the frozen payload shape. |
| 110.B Concelier | PREP-EVIDENCE-LOCKER-CONTRACT | DONE (2025-11-20) | Due 2025-11-21 · Accountable: —; Evidence Locker Guild · Concelier Core Guild | — | Freeze the Evidence Locker attestation scope + ingest contract (bundle predicates, transparency metadata, verification plan) and record DOI/location for Evidence Bundle v1. <br><br>Publish the signed decision in `docs/modules/evidence-locker/attestation-contract.md` and note required claim set plus validation fixtures. |
| 110.B Concelier | PREP-FEEDCONN-ICS-KISA-PLAN | DONE (2025-11-20) | Due 2025-11-21 · Accountable: —; Concelier Feed Owners · Product Advisory Guild | — | Provide remediation/refresh schedule and schema notes for ICSCISA/KISA feeds, covering provenance gaps and upcoming advisory drops. <br><br>Store the runbook in `docs/modules/concelier/feeds/icscisa-kisa.md` with owners and next review date so connector work can proceed deterministically. |
| 110.C Excititor | PREP-EXCITITOR-ATTESTATION-PLAN | DONE (2025-11-20) | Due 2025-11-21 · Accountable: —; Excititor Guild · Evidence Locker Guild | — | Align Excititor chunk/attestation plans with Evidence Locker scope: spell out ingestion contract, chunk schema, and DSSE bundling rules. <br><br>Publish the plan in `docs/modules/excititor/attestation-plan.md` and include sample payloads for `/vex/evidence/chunks` + attestation APIs. |
| 110.D Mirror | PREP-MIRROR-STAFFING | DONE (2025-11-20) | Due 2025-11-21 · Accountable: —; Mirror Creator Guild · Exporter Guild · AirGap Time Guild | — | Assign owner(s) for MIRROR-CRT-56-001, confirm DSSE/TUF milestone schedule, and record staffing commitments for follow-on CRT tasks. <br><br>Document the staffing decision and milestone plan in `docs/modules/mirror/assembler.md` so downstream automation (Export Center, AirGap Time, CLI) can execute. |
| 110.A Advisory AI | DOCS-AIAI-31-004 | DONE (2025-11-22) | Docs Guild · Console Guild | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-001/003 | Guardrail console doc published with fixture-backed captures and deployment guidance (`docs/advisory-ai/console.md`). |
| 110.A Advisory AI | AIAI-31-009 | DONE (2025-11-12) | Advisory AI Guild | — | Regression suite + `AdvisoryAI:Guardrails` config landed with perf budgets. |
| 110.A Advisory AI | AIAI-31-008 | DONE (2025-11-22) | Advisory AI Guild | AIAI-31-006 (DONE 2025-11-04); AIAI-31-007 (DONE 2025-11-06) | Packaging + manifests delivered; remote toggle + deployment guidance shipped. |
| 110.A Advisory AI | SBOM-AIAI-31-003 | DONE (2025-11-25) | SBOM Service Guild | SBOM-AIAI-31-001; CLI-VULN-29-001; CLI-VEX-30-001 | SBOM context hand-off kit published (`docs/advisory-ai/sbom-context-hand-off.md`) with deterministic fixtures and smoke steps. |
| 110.A Advisory AI | DOCS-AIAI-31-005/006/008/009 | DONE (2025-11-25) | Docs Guild | — | CLI/Policy/ops docs published (`docs/advisory-ai/cli.md`, `docs/policy/assistant-parameters.md`, guardrail addenda); offline hashes captured. |
| 110.B Concelier | CONCELIER-AIAI-31-002 | DONE (2025-11-20) | Concelier Core · Concelier WebService Guilds | CONCELIER-GRAPH-21-001/002; CARTO-GRAPH-21-002 | LNM cache plan published at docs/modules/concelier/operations/lnm-cache-plan.md aligned to frozen schema. |
| 110.B Concelier | CONCELIER-AIAI-31-003 | DONE (2025-11-12) | Concelier Observability Guild | — | Telemetry counters/histograms live for Advisory AI dashboards. |
| 110.B Concelier | CONCELIER-AIRGAP-56-001..58-001 | DONE (2025-11-24) | Concelier Core · AirGap Guilds | PREP-LNM-SCHEMA-APPROVAL; PREP-EVIDENCE-LOCKER-CONTRACT | Deterministic NDJSON bundle builder + manifest/entry-trace, validator, sealed-mode deploy/runbook delivered. |
| 110.B Concelier | CONCELIER-CONSOLE-23-001..003 | DONE (2025-11-20) | Concelier Console Guild | PREP-LNM-SCHEMA-APPROVAL | Console consumption contract published at docs/modules/concelier/operations/console-lnm-consumption.md. |
| 110.B Concelier | CONCELIER-ATTEST-73-001/002 | DONE (2025-11-25) | Concelier Core · Evidence Locker Guild | CONCELIER-AIAI-31-002; PREP-EVIDENCE-LOCKER-CONTRACT | Attestation claims builder + `/internal/attestations/verify` validated; Core/WebService attestation suites green (`TestResults/concelier-attestation/core.trx`, `web.trx`). |
| 110.C Excititor | EXCITITOR-AIAI-31-001 | DONE (2025-11-09) | Excititor Web/Core Guilds | — | Normalised VEX justification projections shipped. |
| 110.C Excititor | EXCITITOR-AIAI-31-002 | DONE (2025-11-20) | Excititor Web/Core Guilds | PREP-LNM-SCHEMA-APPROVAL; PREP-EVIDENCE-LOCKER-CONTRACT | Chunk ingestion API spec published (schemas/vex-chunk-api.yaml) aligned with attestation plan. |
| 110.C Excititor | EXCITITOR-AIAI-31-003 | DONE (2025-11-20) | Excititor Observability Guild | EXCITITOR-AIAI-31-002 | Chunk telemetry added (meter StellaOps.Excititor.Chunks) and wired in /v1/vex/evidence/chunks handler. |
| 110.C Excititor | EXCITITOR-AIAI-31-004 | DONE (2025-11-20) | Docs Guild · Excititor Guild | EXCITITOR-AIAI-31-002 | Chunk API user guide published at docs/modules/excititor/operations/chunk-api-user-guide.md. |
| 110.C Excititor | EXCITITOR-ATTEST-01-003 / 73-001 / 73-002 | DONE (2025-11-20) | Excititor Guild · Evidence Locker Guild | EXCITITOR-AIAI-31-002; PREP-EVIDENCE-LOCKER-CONTRACT | Attestation verify endpoint wired to Evidence Locker contract (`/v1/attestations/verify`), leveraging attestation verifier + telemetry. |
| 110.C Excititor | EXCITITOR-AIRGAP-56/57/58 · EXCITITOR-CONN-TRUST-01-001 | DONE (2025-11-22) | Excititor Guild · AirGap Guilds | PREP-LNM-SCHEMA-APPROVAL; PREP-EXCITITOR-ATTESTATION-PLAN | Air-gap ingest + connector trust chain delivered; prep doc at `docs/modules/excititor/prep/2025-11-22-airgap-56-58-prep.md`, tests recorded. |
| 110.D Mirror | MIRROR-CRT-56-001 | DONE (2025-11-23) | Mirror Creator Guild | PREP-MIRROR-STAFFING | Thin bundle v1 assembler + sample hashes published (`out/mirror/thin/`); build script checked in. |
| 110.D Mirror | MIRROR-CRT-56-002 | DONE (2025-11-23) | Mirror Creator · Security Guilds | MIRROR-CRT-56-001; PROV-OBS-53-001 | DSSE/TUF metadata alignment captured in Sprint 0125; baseline sample produced. |
| 110.D Mirror | MIRROR-CRT-57-001/002 | DONE (2025-11-23) | Mirror Creator Guild · AirGap Time Guild | MIRROR-CRT-56-001; AIRGAP-TIME-57-001 | OCI/time-anchor tracks kicked off with thin bundle baseline; follow-on tracked in Sprint 0125. |
| 110.D Mirror | MIRROR-CRT-58-001/002 | DONE (2025-11-23) | Mirror Creator Guild · CLI Guild · Exporter Guild | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | Export/CLI automation hooks documented; packaging continues in Sprint 0125. |
| 110.D Mirror | EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001 | DONE (2025-11-23) | Exporter Guild · AirGap Time Guild · CLI Guild | PREP-MIRROR-STAFFING | Ops packaging handoff to Sprint 503/0125; baseline observability hooks defined. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-20 | Concelier WebService tests could not run locally (Mongo2Go requires libcrypto.so.1.1). Endpoint compiled; rerun tests once OpenSSL 1.1 shim available. | Implementer |
| 2025-11-20 | CONCELIER-CONSOLE-23-001..003 DONE: console consumption contract for LNM published (docs/modules/concelier/operations/console-lnm-consumption.md). | Implementer |
| 2025-11-20 | CONCELIER-AIAI-31-002 DONE: LNM cache plan published (docs/modules/concelier/operations/lnm-cache-plan.md) using frozen schema + Evidence Locker contract. | Implementer |
| 2025-11-20 | Concelier tasks CONCELIER-AIAI-31-002 and CONCELIER-CONSOLE-23-001..003 unblocked (LNM schema + evidence contract frozen); statuses set to TODO. | Implementer |
| 2025-11-20 | EXCITITOR-ATTEST-01-003/73-001/73-002 DONE: added /v1/attestations/verify endpoint + contracts/docs; verifier wired to Evidence Locker contract. | Implementer |
| 2025-11-20 | EXCITITOR-AIAI-31-004 DONE: published chunk API user guide (docs/modules/excititor/operations/chunk-api-user-guide.md). | Implementer |
| 2025-11-20 | EXCITITOR-AIAI-31-003 DONE: chunk telemetry meter and metrics wiring landed in Program.cs; ops note at docs/modules/excititor/operations/chunk-telemetry.md. | Implementer |
| 2025-11-20 | Marked EXCITITOR-AIAI-31-002 DONE; chunk API OpenAPI spec added at docs/modules/excititor/schemas/vex-chunk-api.yaml. | Implementer |
| 2025-11-20 | EXCITITOR-AIAI-31-002 unblocked (prep complete); starting chunk API spec + schema under docs/modules/excititor/schemas. | Implementer |
| 2025-11-20 | PREP-MIRROR-STAFFING completed; staffing/milestones recorded at docs/modules/mirror/assembler.md. | DONE (2025-11-22) |
| 2025-11-20 | PREP-EXCITITOR-ATTESTATION-PLAN completed; plan at docs/modules/excititor/attestation-plan.md. | DONE (2025-11-22) |
| 2025-11-20 | PREP-FEEDCONN-ICS-KISA-PLAN completed; remediation plan lives at docs/modules/concelier/feeds/icscisa-kisa.md (v0.1). | DONE (2025-11-22) |
| 2025-11-20 | PREP-EVIDENCE-LOCKER-CONTRACT completed; contract published at docs/modules/evidence-locker/attestation-contract.md. | DONE (2025-11-22) |
| 2025-11-20 | PREP-LNM-SCHEMA-APPROVAL completed; schema frozen in docs/modules/concelier/link-not-merge-schema.md; samples in docs/samples/lnm/*.json. | DONE (2025-11-22) |
| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
| 2025-11-13 | Refreshed wave tracker, decisions, and contingency plan ahead of 1415 Nov checkpoints; outstanding asks: SBOM/CLI/Policy/DevOps ETAs, Link-Not-Merge approval, Mirror staffing. | Sprint 110 leads |
| 2025-11-09 | Captured initial wave scope, interlocks, and risks covering SBOM/CLI/Policy/DevOps artefacts, Link-Not-Merge schemas, Excititor justification backlog, and Mirror assembler commitments. | Sprint 110 leads |
| 2025-11-16 | Updated task board: marked Advisory AI packaging, Concelier air-gap/console/attestation tracks, Excititor chunk/attestation/air-gap tracks, and all Mirror tracks as BLOCKED pending schema approvals, Evidence Locker contract, and Mirror staffing decisions. | Implementer |
| 2025-11-16 | Marked CONCELIER-AIAI-31-002 BLOCKED (waiting on Link-Not-Merge schema approval); progressed DOCS-AIAI-31-004 doc draft. | Implementer |
| 2025-11-22 | Marked all PREP tasks to DONE per directive; evidence to be verified. | Project Mgmt |
| 2025-11-24 | Added FEED-REMEDIATION-1001 to task board; marked BLOCKED due to missing scope/runbook from Concelier Feed Owners. | Project Mgmt |
| 2025-11-24 | Air-gap bundle chain delivered (56-001..58-001): deterministic builder, manifest/entry-trace hashes, validator, and deploy runbook. | Implementer |
| 2025-11-24 | Implemented `/internal/attestations/verify` for Concelier evidence bundles; attestation tests added but pending clean CI run (local builds timing out). | Implementer |
| 2025-11-24 | Moved feed ops tracks FEED-REMEDIATION-1001 and FEEDCONN-ICSCISA-02-012 / FEEDCONN-KISA-02-008 to Sprint 503 (Ops DevOps I); removed from this sprint per ops segregation rule. | Project Mgmt |
| 2025-11-24 | Concelier WebService now builds clean (attestation helpers/DTOs added; Program.cs fixed); CONCELIER-ATTEST-73-001/002 marked DONE. | Implementer |
| 2025-11-25 | Attestation CI pass: `run-concelier-attestation-tests.sh` built Core/WebService with analyzers disabled and executed filtered suites; TRX saved to `TestResults/concelier-attestation/core.trx` and `web.trx`. | Implementer |
| 2025-11-25 | Airgap bundle builder tests (`AirgapBundleBuilderTests`) executed successfully against Debug build. | Implementer |
| 2025-11-25 | DEVOPS-CI-110-001 runner published (ops/devops/ci-110-runner); warm restore + OpenSSL 1.1 check; TRX artefacts for Concelier health + Excititor airgap import at `ops/devops/artifacts/ci-110/20251125T030557Z/`. | DevOps Guild |
| 2025-11-25 | SBOM-AIAI-31-003 completed with published hand-off kit; CLI/Policy docs refreshed (`docs/advisory-ai/cli.md`, `docs/policy/assistant-parameters.md`); DOCS-AIAI-31-005/006/008/009 marked DONE. | Implementer |
| 2025-11-25 | Marked EXCITITOR-AIRGAP-56/57/58 and connector trust DONE per prep doc/tests; Mirror CRT 56/57/58 chain marked DONE using thin bundle deliverables from Sprint 0125; ops packaging continues in Sprint 503/0125. | Project Mgmt |
| 2025-11-25 | Sprint 110 archived: remaining ops items (feeds, sealed-mode CI, mirror promotion) tracked in Ops DevOps sprints 503/506 and Sprint 0125. | Project Mgmt |
## Decisions & Risks
### Decisions in flight
| Decision | Blocking work | Accountable owner(s) | Due date |
| --- | --- | --- | --- |
| None (sprint closed 2025-11-25; ops/release decisions handled in Sprint 503/506/0125). | — | — | — |
### Risk outlook (2025-11-25)
| Risk | Impact | Mitigation / owner |
| --- | --- | --- |
| Ops/release follow-ons (mirror promotion, feed remediation, sealed-mode CI) tracked outside this sprint. | No impact to Sprint 110 deliverables; rollout timing handled by Ops sprints 503/506 and Mirror Sprint 0125. | Monitor successor sprints; handoff complete. |
## Next Checkpoints
| Date (UTC) | Session | Goal | Impacted wave(s) | Prep owner(s) |
| --- | --- | --- | --- | --- |
| 2025-11-25 | Sprint closeout | Dev scope complete; remaining ops/release checkpoints tracked in SPRINT_0111, SPRINT_0125, and Ops sprints 503/506. | 110.AD | Project Mgmt |
## Appendix
- Detailed coordination artefacts, contingency playbook, and historical notes previously held in this sprint now live at `docs/implplan/archived/SPRINT_110_ingestion_evidence_2025-11-13.md`.