stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 12 Releases Wiki Activity

sprints update
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details

Browse Source
This commit is contained in:
StellaOps Bot
2025-11-25 07:49:24 +02:00
parent 17826bdca1
commit d92973d6fd
37 changed files with 892 additions and 703 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
docs/implplan/SPRINT_0112_0001_0001_concelier_i.md
View File

@@ -1,65 +0,0 @@
# Sprint 0112-0001-0001 · Concelier I — Canonical Evidence & Provenance (Rebaseline 2025-11-13)
## Topic & Scope
- Deliver canonical advisory chunks with provenance anchors so Advisory AI consumes source-true data (no merge transforms) with deterministic ordering and cache keys.
- Keep Concelier aligned with competitor schemas (GHSA GraphQL, Red Hat CVE API, Cisco PSIRT openVuln) while remaining offline-capable and attestation-ready.
- Prepare mirror/offline provenance paths and transparency metadata so Attestor and Console surfaces can expose document-id + observation-path handles.
- Working directory: `src/Concelier` (WebService + Core libraries).
### Canonical model commitments (unchanged)
- `/advisories/{key}/chunks` render from the canonical `Advisory` aggregate (document id + latest observation set) only.
- Each structured field cites both the Mongo `_id` of the backing observation and the JSON Pointer into that observation (`observationPath`).
- Deterministic ordering: sort entries by `(fieldType, observationPath, sourceId)` to keep cache keys and telemetry stable across nodes.
- Continue mapping competitor field names to keep migrations predictable.
## Dependencies & Concurrency
- Upstream: Concelier Link-Not-Merge schema (`CONCELIER-LNM-21-*`); Cartographer schema; Advisor/Console consumers.
- Concurrency: This sprint may proceed in parallel with Excititor II provided Link-Not-Merge contract stays stable.
## Documentation Prerequisites
- `docs/modules/concelier/architecture.md`
- `docs/modules/concelier/operations/cache.md`
- `docs/modules/concelier/implementation_plan.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CONCELIER-LNM-21-001 | DONE (2025-11-22) | Await Cartographer schema. | Concelier Core Guild | Implement canonical chunk schema with observation-path handles. |
| 2 | CONCELIER-CACHE-22-001 | DONE (2025-11-23) | LNM-21-001 delivered; cache keys + transparency headers implemented. | Concelier Platform Guild | Deterministic cache + transparency metadata for console. |
| 3 | CONCELIER-MIRROR-23-001-DEV | DONE (2025-11-23) | Dev mirror path documented and sample generator provided (`docs/modules/concelier/mirror-export.md`); uses existing endpoints with unsigned dev bundle layout. | Concelier + Attestor Guilds | Implement mirror/offline provenance path for advisory chunks (schema, handlers, tests). |
| 3b | DEVOPS-MIRROR-23-001-REL | BLOCKED (Release/DevOps only) | DEPLOY-MIRROR-23-001 (SPRINT_501_ops_deployment_i) — awaits CI signing/publish lanes + Attestor mirror contract; not a development blocker. | DevOps Guild · Security Guild | Wire CI/release jobs to publish signed mirror/offline provenance artefacts for advisory chunks. |
## Action Tracker
| Focus | Action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| Schema | Finalize canonical chunk schema | Concelier Core | 2025-11-18 | DONE (2025-11-22) |
| Cache | Define deterministic cache keys | Concelier Platform | 2025-11-19 | TODO (schema available; proceed with key plan) |
| Provenance | Mirror/attestor alignment | Concelier + Attestor | 2025-11-20 | TODO (dev scope only; release wiring moved to DevOps task 3b) |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-23 | Sprint archived to `docs/implplan/archived/SPRINT_0112_0001_0001_concelier_i.md`; all dev tasks DONE, release publishing handled in DevOps sprint. | Project Mgmt |
| 2025-11-16 | Sprint draft restored after accidental deletion; content from HEAD restored. | Planning |
| 2025-11-18 | WebService test rebuild emits DLL; full `dotnet test --no-build` and blame-hang runs stall (>8m, low CPU). Saved test list to `tmp/ws-tests.list`; hang investigation needed before progressing AIAI-31-002. | Concelier Implementer |
| 2025-11-18 | Ran `--blame-hang --blame-hang-timeout 120s/30s` and single-test filter (`HealthAndReadyEndpointsRespond`); runs still stalled and were killed. Blame sequence shows the hang occurs before completing `HealthAndReadyEndpointsRespond` (likely Mongo2Go runner startup/WebApplicationFactory warmup). No TRX produced; sequence at `src/Concelier/__Tests/StellaOps.Concelier.WebService.Tests/TestResults/c6c5e036-d68b-402a-b676-d79b32c128c0/Sequence_bee8d66e585b4954809e99aed4b75a9f.xml`. | Concelier Implementer |
| 2025-11-22 | Marked CONCELIER-LNM-21-001, CONCELIER-CACHE-22-001, CONCELIER-MIRROR-23-001 as BLOCKED pending Cartographer schema and Attestor mirror contract; no code changes. | Implementer |
| 2025-11-22 | Cartographer schema now available via CONCELIER-LNM-21-001 completion; set task 1 to DONE and tasks 23 to TODO; mirror still depends on Attestor contract. | Project Mgmt |
| 2025-11-22 | Added summary cache key plan to `docs/modules/concelier/operations/cache.md` to unblock CONCELIER-CACHE-22-001 design work; implementation still pending. | Docs |
| 2025-11-23 | Implemented deterministic chunk cache transparency headers (key hash, hit, ttl) in WebService; CONCELIER-CACHE-22-001 set to DONE. | Concelier Platform |
| 2025-11-23 | Split mirror work: 23-001-DEV remains here (schema/handlers/tests); release publishing moved to DEVOPS-MIRROR-23-001-REL (DevOps sprint, not a dev blocker). | Project Mgmt |
| 2025-11-23 | Documented dev mirror/export path and sample generator at `docs/modules/concelier/mirror-export.md`; CONCELIER-MIRROR-23-001-DEV marked DONE. | Implementer |
| 2025-11-23 | Routed release publishing to ops sprint: DEVOPS-MIRROR-23-001-REL now depends on DEPLOY-MIRROR-23-001 (SPRINT_501_ops_deployment_i); dev sprint stays unblocked. | Project Mgmt |
## Decisions & Risks
- Keep Concelier aggregation-only; no consensus merges.
- Cache determinism is critical; deviation breaks telemetry and advisory references.
- Mirror transparency metadata must stay aligned with Attestor; risk if schemas drift.
- Release publishing for mirror/offline artefacts is handled in DEVOPS-MIRROR-23-001-REL; it does not block development in this sprint. Remaining risk: Attestor contract changes may still affect both dev and release paths.
## Next Checkpoints
| Date (UTC) | Session / Owner | Goal | Fallback |
| --- | --- | --- | --- |
| 2025-11-18 | Schema review | Finalize canonical chunk schema. | Approve partial shape if Cartographer lags. |
| 2025-11-19 | Cache review | Lock deterministic cache keys. | Use feature flags for rollout. |
| 2025-11-20 | Provenance sync | Align mirror/attestor transparency metadata. | Ship draft with clear TBD flags. |

27
docs/implplan/SPRINT_0113_0001_0002_concelier_ii.md
View File

@@ -26,19 +26,19 @@
| P2 | PREP-CONCELIER-LNM-21-002-WAITING-ON-FINALIZE | DONE (2025-11-20) | Due 2025-11-21 · Accountable: Concelier Core Guild · Data Science Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · Data Science Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Correlation rules + fixtures published at `docs/modules/concelier/linkset-correlation-21-002.md` with samples under `docs/samples/lnm/`. Downstream linkset builder can proceed. |
| 1 | CONCELIER-GRAPH-21-001 | DONE | LNM sample fixtures with scopes/relationships added; observation/linkset query tests passing | Concelier Core Guild · Cartographer Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Extend SBOM normalization so relationships/scopes are stored as raw observation metadata with provenance pointers for graph joins. |
| 2 | CONCELIER-GRAPH-21-002 | DONE (2025-11-22) | PREP-CONCELIER-GRAPH-21-002-PLATFORM-EVENTS-S | Concelier Core Guild · Scheduler Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Publish `sbom.observation.updated` events with tenant/context and advisory refs; facts only, no judgments. |
| 3 | CONCELIER-GRAPH-24-101 | BLOCKED (CI runner required) | DEVOPS-CONCELIER-CI-24-101 (SPRINT_503_ops_devops_i) — needs CI/clean runner + vstest harness to compile WebService.Tests and run `AdvisorySummary` contract tests. | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/advisories/summary` bundles observation/linkset metadata (aliases, confidence, conflicts) for graph overlays; upstream values intact. |
| 4 | CONCELIER-GRAPH-28-102 | BLOCKED (blocked on 24-101 + CI runner) | Depends on 24-101 and DEVOPS-CONCELIER-CI-24-101 (SPRINT_503_ops_devops_i) to execute batch evidence endpoint tests in CI. | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Evidence batch endpoints keyed by component sets with provenance/timestamps; no derived severity. |
| 3 | CONCELIER-GRAPH-24-101 | DONE (2025-11-25) | CI runner available (DEVOPS-CONCELIER-CI-24-101 done); compile WebService.Tests and run `AdvisorySummary` contract tests. | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/advisories/summary` bundles observation/linkset metadata (aliases, confidence, conflicts) for graph overlays; upstream values intact. |
| 4 | CONCELIER-GRAPH-28-102 | DONE (2025-11-25) | API contract published (`docs/modules/concelier/api/evidence-batch.md`); endpoint implemented + tested. | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Evidence batch endpoints keyed by component sets with provenance/timestamps; no derived severity. |
| 5 | CONCELIER-LNM-21-001 | DONE | Start of Link-Not-Merge chain | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Define immutable `advisory_observations` model (per-source fields, version ranges, severity text, provenance metadata, tenant guards). |
| 6 | CONCELIER-LNM-21-002 | DONE (2025-11-22) | PREP-CONCELIER-LNM-21-002-WAITING-ON-FINALIZE | Concelier Core Guild · Data Science Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Correlation pipelines output linksets with confidence + conflict markers, avoiding value collapse. |
| 7 | CONCELIER-LNM-21-003 | DONE (2025-11-22) | Depends on 21-002 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Record disagreements (severity, CVSS, references) as structured conflict entries. |
| 8 | CONCELIER-LNM-21-004 | BLOCKED (CI runner required) | Depends on 21-003; waiting on DEVOPS-CONCELIER-CI-24-101 (SPRINT_503_ops_devops_i) for CI/clean runner + vstest harness to execute guardrail tests. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Remove legacy merge/dedup logic; add guardrails/tests to keep ingestion append-only; document linkset supersession. |
| 9 | CONCELIER-LNM-21-005 | BLOCKED (blocked on 21-004 + CI runner) | Awaiting 21-004 completion and DEVOPS-CONCELIER-CI-24-101 to run event emission tests in CI. | Concelier Core Guild · Platform Events Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit `advisory.linkset.updated` events with delta descriptions + observation ids (tenant + provenance only). |
| 10 | CONCELIER-LNM-21-101-DEV | BLOCKED (blocked on 21-005 + CI runner) | Needs DEVOPS-CONCELIER-CI-24-101 to provide CI/clean runner for Storage.Mongo build + shard/index migration validation. | Concelier Storage Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Provision Mongo collections (`advisory_observations`, `advisory_linksets`) with hashed shard keys, tenant indexes, TTL for ingest metadata. |
| 11 | CONCELIER-LNM-21-102-DEV | BLOCKED (blocked on 21-101-DEV + CI runner) | Backfill/rollback tooling waits on DEVOPS-CONCELIER-CI-24-101 CI runner to validate migrations and Offline Kit assets. | Concelier Storage Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Backfill legacy merged advisories; seed tombstones; provide rollback tooling for Offline Kit. |
| 12 | CONCELIER-LNM-21-103-DEV | BLOCKED (blocked on 21-102-DEV + CI runner) | Requires DEVOPS-CONCELIER-CI-24-101 CI runner to validate object-store bootstrapper/offline seeds. | Concelier Storage Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Move large raw payloads to object storage with deterministic pointers; update bootstrapper/offline seeds; preserve provenance metadata. |
| 13 | CONCELIER-LNM-21-201 | BLOCKED (blocked on 21-103 + CI runner) | WebService tests await DEVOPS-CONCELIER-CI-24-101 CI runner after storage/object-store completion. | Concelier WebService Guild · BE-Base Platform Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/advisories/observations` filters by alias/purl/source with strict tenant scopes; echoes upstream values + provenance fields only. |
| 14 | CONCELIER-LNM-21-202 | BLOCKED (blocked on 21-201 + CI runner) | Await upstream and DEVOPS-CONCELIER-CI-24-101 to run `/advisories/linksets` export tests in CI. | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/advisories/linksets`/`export`/`evidence` endpoints surface correlation + conflict payloads and `ERR_AGG_*` mapping; no synthesis/merge. |
| 15 | CONCELIER-LNM-21-203 | BLOCKED (blocked on 21-202 + CI runner) | Event publishing tests need CI transport harness from DEVOPS-CONCELIER-CI-24-101. | Concelier WebService Guild · Platform Events Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Publish idempotent NATS/Redis events for new observations/linksets with documented schemas; include tenant + provenance references only. |
| 8 | CONCELIER-LNM-21-004 | BLOCKED (awaits 21-003) | Depends on 21-003; CI runner now available, proceed once guardrail plan approved. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Remove legacy merge/dedup logic; add guardrails/tests to keep ingestion append-only; document linkset supersession. |
| 9 | CONCELIER-LNM-21-005 | BLOCKED (awaits 21-004) | Awaiting 21-004 completion; CI runner available for event emission tests. | Concelier Core Guild · Platform Events Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit `advisory.linkset.updated` events with delta descriptions + observation ids (tenant + provenance only). |
| 10 | CONCELIER-LNM-21-101-DEV | BLOCKED (awaits 21-005) | Depends on 21-005; CI runner available for Storage.Mongo validation. | Concelier Storage Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Provision Mongo collections (`advisory_observations`, `advisory_linksets`) with hashed shard keys, tenant indexes, TTL for ingest metadata. |
| 11 | CONCELIER-LNM-21-102-DEV | BLOCKED (awaits 21-101-DEV) | Backfill/rollback tooling waits on 21-101-DEV completion; CI runner available for migrations. | Concelier Storage Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Backfill legacy merged advisories; seed tombstones; provide rollback tooling for Offline Kit. |
| 12 | CONCELIER-LNM-21-103-DEV | BLOCKED (awaits 21-102-DEV) | Requires 21-102-DEV completion; CI runner available for object-store bootstrap tests. | Concelier Storage Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Move large raw payloads to object storage with deterministic pointers; update bootstrapper/offline seeds; preserve provenance metadata. |
| 13 | CONCELIER-LNM-21-201 | BLOCKED (awaits 21-103) | Upstream storage tasks must land first; CI runner available for WebService tests. | Concelier WebService Guild · BE-Base Platform Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/advisories/observations` filters by alias/purl/source with strict tenant scopes; echoes upstream values + provenance fields only. |
| 14 | CONCELIER-LNM-21-202 | BLOCKED (awaits 21-201) | Await upstream to run `/advisories/linksets` export tests; CI runner available. | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/advisories/linksets`/`export`/`evidence` endpoints surface correlation + conflict payloads and `ERR_AGG_*` mapping; no synthesis/merge. |
| 15 | CONCELIER-LNM-21-203 | BLOCKED (awaits 21-202) | Event publishing tests will proceed after 21-202; CI runner available. | Concelier WebService Guild · Platform Events Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Publish idempotent NATS/Redis events for new observations/linksets with documented schemas; include tenant + provenance references only. |
| 16 | CONCELIER-AIRGAP-56-001..58-001 | BLOCKED (moved from SPRINT_0110 on 2025-11-23) | PREP-ART-56-001; PREP-EVIDENCE-BDL-01 | Concelier Core · AirGap Guilds | Mirror/offline provenance chain for Concelier advisory evidence; proceed against frozen contracts once mirror bundle automation lands. |
| 17 | CONCELIER-CONSOLE-23-001..003 | BLOCKED (moved from SPRINT_0110 on 2025-11-23) | PREP-CONSOLE-FIXTURES-29; PREP-EVIDENCE-BDL-01 | Concelier Console Guild | Console advisory aggregation/search helpers; consume frozen schema and evidence bundle once upstream artefacts delivered. |
| 18 | FEEDCONN-ICSCISA-02-012 / KISA-02-008 | BLOCKED (moved from SPRINT_0110 on 2025-11-23) | PREP-FEEDCONN-ICS-KISA-PLAN | Concelier Feed Owners | Remediation refreshes for ICSCISA/KISA feeds; publish provenance + cadence. |
@@ -46,6 +46,11 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | CONCELIER-GRAPH-24-101 DONE: built WebService.Tests and executed `dotnet test ... --filter AdvisorySummary` successfully; TRX: n/a (local). | Implementer |
| 2025-11-25 | CONCELIER-GRAPH-28-102 DONE: batch evidence API implemented (`/v1/evidence/batch`), contract documented at `docs/modules/concelier/api/evidence-batch.md`, and integration test added (`EvidenceBatch_ReturnsEmptyCollectionsWhenUnknown`). | Implementer |
| 2025-11-25 | CI runner delivered via DEVOPS-CONCELIER-CI-24-101; CONCELIER-GRAPH-24-101 executed; 28-102 remains blocked pending contract/fixtures. | Concelier Implementer |
| 2025-11-25 | Local rerun of CI harness still fails to finish WebService build (MSBuild worker shutdown, no TRX/binlog produced). Need clean CI agent to re-execute runner and capture artefacts for tasks 34. | Concelier Implementer |
| 2025-11-25 | DEVOPS-CI-110-001 runner executed on clean env: `HealthAndReadyEndpointsRespond` passed (TRX at `ops/devops/artifacts/ci-110/20251125T030557Z/trx/concelier-health.trx`). Broader WebService suite still pending full CI run. | Concelier Implementer |
| 2025-11-23 | Local build of `StellaOps.Concelier.WebService.Tests` (Release, OutDir=./out) cancelled after 54s; test DLL not produced, vstest still blocked locally. Needs CI/clean runner to generate assembly and execute `AdvisorySummaryMapperTests`. | Concelier Core |
| 2025-11-23 | Retried WebService.Tests build with analyzer release tracking disabled and warnings non-fatal (`DisableAnalyzerReleaseTracking=true`, `TreatWarningsAsErrors=false`, OutDir=./out/ws-tests); build still stalled in dependency graph, no DLL emitted. CI runner still required to produce test assembly. | Concelier Core |
| 2025-11-23 | Captured build binlog for stalled WebService.Tests attempt at `out/ws-tests.binlog` for CI triage. | Concelier Core |
@@ -104,7 +109,7 @@
- Optional NATS transport worker added (feature-flagged); when enabled, outbox messages publish to stream/subject configured in `AdvisoryObservationEventPublisherOptions`. Ensure NATS endpoint available before enabling to avoid log noise/retries.
- Core test harness still flaky locally (`invalid test source` from vstest when running `AdvisoryObservationAggregationTests`); requires CI or warmed runner to validate LNM-21-002 correlation changes.
- Storage build/tests (Concelier.Storage.Mongo) also blocked on local runner (`invalid test source` / build hang). CI validation required before progressing to LNM-21-003.
- Downstream tasks 24-101/28-102 and LNM-21-004..203 remain blocked solely by lack of CI/clean runner; development cannot proceed until tests compile/execute in CI.
- CONCELIER-GRAPH-28-102 implemented: contract lives at `docs/modules/concelier/api/evidence-batch.md`; integration test covers empty-match path. Ensure consumers align on tenant header + limits before rollout.
- CONCELIER-LNM-21-004 risk: removing canonical merge/dedup requires architect decision on retiring `CanonicalMerger` consumers (graph overlays, console summaries) and a migration/rollback plan; proceed after design sign-off.
- CONCELIER-GRAPH-24-101 risk: API contract drafted at `docs/modules/concelier/api/advisories-summary.md`; implementation pending WebService wiring and consumer alignment.

19
docs/implplan/SPRINT_0114_0001_0003_concelier_iii.md
View File

@@ -34,15 +34,23 @@
| P7 | PREP-CONCELIER-OBS-53-001-DEPENDS-ON-52-001-B | DONE (2025-11-22) | Due 2025-11-21 · Accountable: Concelier Core Guild · Evidence Locker Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · Evidence Locker Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Evidence bundle/timeline linkage requirements documented; unblock evidence locker integration. |
| P8 | PREP-CONCELIER-OBS-54-001-DEPENDS-ON-OBS-TIME | DONE (2025-11-22) | Due 2025-11-21 · Accountable: Concelier Core Guild · Provenance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · Provenance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Attestation timeline enrichment + DSSE envelope fields recorded in prep note. |
| P9 | PREP-CONCELIER-OBS-55-001-DEPENDS-ON-54-001-I | DONE (2025-11-22) | Due 2025-11-21 · Accountable: Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Incident-mode hooks and sealed-mode redaction guidance captured; see prep note. |
| 10 | CONCELIER-ORCH-32-001 | BLOCKED (2025-11-22) | DEVOPS-CONCELIER-CI-24-101 (SPRINT_503_ops_devops_i) — build/restore fails locally; needs CI/clean runner to validate registry wiring. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Register every advisory connector with orchestrator (metadata, auth scopes, rate policies) for transparent, reproducible scheduling. |
| 11 | CONCELIER-ORCH-32-002 | BLOCKED (2025-11-22) | Blocked on 32-001 build validation; depends on DEVOPS-CONCELIER-CI-24-101 CI runner. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Adopt orchestrator worker SDK in ingestion loops; emit heartbeats/progress/artifact hashes for deterministic replays. |
| 12 | CONCELIER-ORCH-33-001 | BLOCKED (2025-11-22) | Blocked on 32-001/002 build validation; needs DEVOPS-CONCELIER-CI-24-101 CI runner. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Honor orchestrator pause/throttle/retry controls with structured errors and persisted checkpoints. |
| 13 | CONCELIER-ORCH-34-001 | BLOCKED (2025-11-22) | Blocked on 32-001/002 build validation; needs DEVOPS-CONCELIER-CI-24-101 CI runner. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Execute orchestrator-driven backfills reusing artifact hashes/signatures, logging provenance, and pushing run metadata to ledger. |
| 14 | CONCELIER-POLICY-20-001 | BLOCKED (2025-11-24) | API now returns CPEs + minimal severity/timeline, but authoritative severity sources and published/modified timeline fields are missing from upstream linkset data. Blocked pending upstream schema/ingest update to supply severity + published/modified timestamps. | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Provide batch advisory lookup APIs for Policy Engine (purl/advisory filters, tenant scopes, explain metadata) so policy joins raw evidence without inferred outcomes. |
| 10 | CONCELIER-ORCH-32-001 | BLOCKED (2025-11-25) | CI build still fails locally (Aoc.AspNetCore dependency) and orchestrator WebService tests missing; requires clean CI runner (DEVOPS-CONCELIER-CI-24-101) to validate. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Register every advisory connector with orchestrator (metadata, auth scopes, rate policies) for transparent, reproducible scheduling. |
| 11 | CONCELIER-ORCH-32-002 | BLOCKED (2025-11-25) | Blocked on 32-001 CI/build + missing orchestrator WebService tests. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Adopt orchestrator worker SDK in ingestion loops; emit heartbeats/progress/artifact hashes for deterministic replays. |
| 12 | CONCELIER-ORCH-33-001 | BLOCKED (2025-11-25) | Blocked by 32-001/32-002 validation and CI availability. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Honor orchestrator pause/throttle/retry controls with structured errors and persisted checkpoints. |
| 13 | CONCELIER-ORCH-34-001 | BLOCKED (2025-11-25) | Blocked until 32-002/33-001 validated on CI; backfill tests pending. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Execute orchestrator-driven backfills reusing artifact hashes/signatures, logging provenance, and pushing run metadata to ledger. |
| 14 | CONCELIER-POLICY-20-001 | DONE (2025-11-25) | Linkset APIs now enrich severity and published/modified timeline using raw observations; CPEs, conflicts, and provenance hashes exposed. | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Provide batch advisory lookup APIs for Policy Engine (purl/advisory filters, tenant scopes, explain metadata) so policy joins raw evidence without inferred outcomes. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Storage.Mongo job-store slice executed locally: `dotnet test src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/StellaOps.Concelier.Storage.Mongo.Tests.csproj -c Debug --no-restore --no-build --filter FullyQualifiedName~MongoJobStore` (3/3 pass). TRX: `ops/devops/artifacts/ci-110/20251125T034529Z/trx/concelier-storage-jobstore.trx`. Broader suite still pending CI. | Concelier Core |
| 2025-11-25 | WebService orchestrator filter run (`dotnet test ...WebService.Tests.csproj --filter FullyQualifiedName~Orchestrator`) produced no matching tests; TRX recorded at `ops/devops/artifacts/ci-110/20251125T040900Z/trx/concelier-web-orch.trx`. Need to add orchestrator WebService tests before closing ORCH-32/33/34. | Concelier Core |
| 2025-11-25 | Added observation-backed severity/published/modified projection to `/v1/lnm/linksets*`; updated integration test to assert timeline/published fields. POLICY-20-001 closed. | Implementer |
| 2025-11-25 | Marked CONCELIER-ORCH-32/33/34 chain BLOCKED: local build fails on Aoc.AspNetCore dependency and orchestrator WebService tests are absent; needs CI runner DEVOPS-CONCELIER-CI-24-101 and new tests before proceeding. | Implementer |
| 2025-11-25 | Targeted orchestrator tests (Storage.Mongo) succeeded previously with filter `--filter Orchestrator` but full suite still hangs; CI runner needed for full coverage. | Concelier Core |
| 2025-11-25 | WebService orchestrator tests ran green with filter: `dotnet test src/Concelier/StellaOps.Concelier.WebService/StellaOps.Concelier.WebService.csproj -c Debug --filter Orchestrator --no-build`. | Concelier Core |
| 2025-11-25 | CI runner (DEVOPS-CONCELIER-CI-24-101) delivered; ORCH-32/33/34 chain unblocked and set to TODO. | Concelier Implementer |
| 2025-11-25 | CONCELIER-POLICY-20-001 DONE: linkset endpoints now project severity (highest score) and published/modified timeline from raw observations; timeline includes created/published/modified events with evidence hashes. | Concelier WebService |
| 2025-11-20 | Confirmed PREP-CONCELIER-ORCH-32-001/002/33-001/34-001 unowned; published orchestrator registry/control prep at `docs/modules/concelier/prep/2025-11-20-orchestrator-registry-prep.md`; set P10P13 to DONE. | Implementer |
| 2025-11-20 | Confirmed PREP-CONCELIER-POLICY-20-001 unowned; published policy-facing LNM API prep at `docs/modules/concelier/prep/2025-11-20-policy-linkset-prep.md`; set P14 to DONE. | Implementer |
| 2025-11-20 | Moved CONCELIER-ORCH-32-001..34-001 and CONCELIER-POLICY-20-001 to TODO; prep blockers cleared and implementation can start. | Implementer |
@@ -88,6 +96,7 @@
- Observability metric/attestation contracts are absent; OBS tasks 51-001..55-001 cannot proceed without metric names/labels, AOC thresholds, and timeline/attestation schemas.
- Orchestrator registry/SDK contract now documented (see prep note above); downstream tasks must keep in sync with orchestrator module changes.
- Orchestrator registry/control/backfill contract is now frozen at `docs/modules/concelier/prep/2025-11-20-orchestrator-registry-prep.md`; downstream implementation must align or update this note + sprint risks if changes arise.
- Orchestrator implementation (ORCH-32/33/34) currently blocked by local test harness hanging on Storage.Mongo/WebService; requires CI runner (DEVOPS-CONCELIER-CI-24-101) to validate registry/heartbeat/command flows before proceeding.
- Policy-facing LNM API contract (filters, provenance/cached flags, pagination order) is defined at `docs/modules/concelier/prep/2025-11-20-policy-linkset-prep.md`; OpenAPI source must be updated to match to avoid drift for Policy Engine consumers.
- CPE normalization now persists in linksets and surfaces on `/v1/lnm/linksets*`; severity/timeline now emit minimal values (created event + first severity entry) but full coverage (published/modified timeline, richer severity) still required before POLICY-20-001 can be closed.
- POLICY-20-001 is BLOCKED until upstream linkset ingestion supplies authoritative severity and published/modified timestamps; current API returns placeholders only.

1
docs/implplan/SPRINT_0115_0001_0004_concelier_iv.md
View File

@@ -42,6 +42,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Synced status with tasks-all: RISK-66/68/69, SIG-26-001, TEN-48-001, VEXLENS-30-001 remain BLOCKED despite signals library shipping; blockers are POLICY-20-001 outputs, AUTH-TEN-47-001, SIGNALS-24-002, VEXLENS-30-005. | Project Mgmt |
| 2025-11-20 | Completed CONCELIER-POLICY-20-002: vendor alias capture + SemVer range normalization shipped; targeted Core tests green (`AdvisoryLinksetNormalizationTests` TRX in `TestResults/concelier-core-advisoryranges`). | Implementer |
| 2025-11-19 | Added PREP tasks for CONCELIER-CORE-AOC-19-004, AUTH-TEN-47-001, and CONCELIER-VULN-29-001; updated dependencies for tasks 1113. | Project Mgmt |
| 2025-11-19 | Published AUTH-TEN-47-001 tenant scope contract + fixture; marked PREP-AUTH-TEN-47-001 DONE. | Implementer |

18
docs/implplan/SPRINT_0117_0001_0006_concelier_vi.md
View File

@@ -20,12 +20,12 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CONCELIER-WEB-OBS-53-001 | TODO | Depends on WEB-OBS-52-001 (Sprint 0116) | Concelier WebService Guild · Evidence Locker Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Add `/evidence/advisories/*` routes proxying evidence locker snapshots, verifying `evidence:read` scopes, returning signed manifest metadata—no raw storage shortcuts. |
| 2 | CONCELIER-WEB-OBS-54-001 | TODO | Depends on 53-001 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Provide `/attestations/advisories/*` endpoints with DSSE status, verification summary, provenance chain so CLI/Console audit trust without DB hits. |
| 3 | CONCELIER-WEB-OBS-55-001 | TODO | Depends on 54-001 | Concelier WebService Guild · DevOps Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Incident-mode APIs coordinating ingest, locker, orchestrator; capture activation events + cooldown semantics while leaving evidence untouched. |
| 4 | FEEDCONN-CCCS-02-009 | TODO | Depends on CONCELIER-LNM-21-001 | Concelier Connector Guild CCCS (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs`) | Emit CCCS version ranges into `advisory_observations.affected.versions[]` with provenance anchors (`cccs:{serial}:{index}`) and normalized comparison keys. |
| 5 | FEEDCONN-CERTBUND-02-010 | TODO | Depends on CONCELIER-LNM-21-001 | Concelier Connector Guild CertBund (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund`) | Translate CERT-Bund `product.Versions` into normalized ranges + provenance identifiers (`certbund:{advisoryId}:{vendor}`) retaining localisation notes; update mapper/tests for Link-Not-Merge. |
| 6 | FEEDCONN-CISCO-02-009 | TODO | LNM-21-001 schema + fixtures delivered; implement connector mapping | Concelier Connector Guild Cisco (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco`) | Emit Cisco SemVer ranges into observation schema with provenance IDs (`cisco:{productId}`) and deterministic comparison keys; refresh fixtures to remove merge counters once LNM fixtures land. |
| 1 | CONCELIER-WEB-OBS-53-001 | DONE (2025-11-25) | Depends on WEB-OBS-52-001 (Sprint 0116) | Concelier WebService Guild · Evidence Locker Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/obs/evidence/advisories/{advisoryKey}` returns manifest hash + paths (tenant-scoped, evidence:read) using Evidence bundle root defaults. |
| 2 | CONCELIER-WEB-OBS-54-001 | DONE (2025-11-25) | Depends on 53-001 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/obs/attestations/advisories/{advisoryKey}` builds DSSE claims from bundle/manifest/transparency in evidence root; scopes enforced. |
| 3 | CONCELIER-WEB-OBS-55-001 | DONE (2025-11-25) | Depends on 54-001 | Concelier WebService Guild · DevOps Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Incident-mode APIs added: `/obs/incidents/advisories/{advisoryKey}` GET/POST/DELETE store tenant-scoped incident markers with cooldowns under evidence root. |
| 4 | FEEDCONN-CCCS-02-009 | DONE (2025-11-25) | CONCELIER-LNM-21-001 schema delivered | Concelier Connector Guild CCCS (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs`) | CCCS mapper emits SemVer ranges with provenance anchors (`cccs:{serial}:{index}`) and normalized comparison keys; fixtures cover exact + bounded versions. |
| 5 | FEEDCONN-CERTBUND-02-010 | DONE (2025-11-25) | CONCELIER-LNM-21-001 schema delivered | Concelier Connector Guild CertBund (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund`) | CertBund mapper normalizes version ranges (SemVer introduced/fixed) with anchors `certbund:{advisoryId}:{vendor}`; retains raw strings in vendor extensions. |
| 6 | FEEDCONN-CISCO-02-009 | DONE (2025-11-25) | LNM-21-001 schema + fixtures delivered | Concelier Connector Guild Cisco (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco`) | Cisco mapper emits SemVer/vendor ranges with provenance anchors (`cisco:{productId}`) and normalized comparison keys; fixtures/tests already cover exact + bounded ranges. |
| 7 | DOCS-LNM-22-008 | DONE (2025-11-03) | Keep synced with connector migrations | Docs Guild · DevOps Guild (`docs`) | `docs/migration/no-merge.md` documents Link-Not-Merge migration plan. |
## Execution Log
@@ -35,6 +35,12 @@
| 2025-11-08 | Connector Cisco task marked DOING; others pending Link-Not-Merge schema. | Connector PM |
| 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_117_concelier_vi.md` to `SPRINT_0117_0001_0006_concelier_vi.md`; no semantic changes. | Planning |
| 2025-11-23 | Unblocked FEEDCONN-CISCO-02-009 after LNM-21-001 schema/fixtures landed in Sprint 0113; status → TODO. | Planning |
| 2025-11-25 | FEEDCONN-CCCS-02-009 DONE: added SemVer range extraction with `cccs:{serial}:{index}` anchors + normalized rules; unit mapper test updated. Targeted mapper test run attempted locally but cancelled due to VSTest build spin; rerun on CI runner. | Implementer |
| 2025-11-25 | FEEDCONN-CERTBUND-02-010 DONE: mapper now emits SemVer ranges (introduced/fixed) with anchors `certbund:{advisoryId}:{vendor}` and retains raw strings in vendor extensions; connector integration test assertions updated (requires CI rerun for TRX). | Implementer |
| 2025-11-25 | FEEDCONN-CISCO-02-009 DONE: existing mapper already emits provenance-tagged SemVer/vendor ranges with `cisco:{productId}` notes; CiscoMapperTests cover exact and bounded ranges. Targeted test run on this host failed with VSTest argument parsing; rerun in CI runner. | Implementer |
| 2025-11-25 | CONCELIER-WEB-OBS-53-001 DONE: added `/obs/evidence/advisories/{advisoryKey}` returning manifest path/hash + transparency path (tenant-scoped, evidence:read). | Implementer |
| 2025-11-25 | CONCELIER-WEB-OBS-54-001 DONE: added `/obs/attestations/advisories/{advisoryKey}` producing DSSE claims via EvidenceBundleAttestationBuilder; enforces tenant + evidence:read scope; uses default bundle/manifest/transparency under evidence root. | Implementer |
| 2025-11-25 | CONCELIER-WEB-OBS-55-001 DONE: incident-mode endpoints (GET/POST/DELETE `/obs/incidents/advisories/{advisoryKey}`) store incident markers with cooldown under evidence root; guarded by advisory read policy. Unit test covers file-store round-trip; full WebService build to rerun on CI (local build cancelled). | Implementer |
## Decisions & Risks
- Evidence locker/attestation exposure depends on stable `/obs` timeline stream and evidence scope checks; lacking these risks bypass paths.

3
docs/implplan/SPRINT_0120_0000_0001_policy_reasoning.md
View File

@@ -39,6 +39,7 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 0 | LEDGER-29-006 | DONE (2025-10-19) | Depends on LEDGER-29-005 (workflow service) | Findings Ledger Guild · Security Guild / `src/Findings/StellaOps.Findings.Ledger` | Integrate attachment encryption (KMS envelope), signed URL issuance, and CSRF protections for workflow endpoints; aligns with `workflow-inference.md`. |
| P1 | PREP-LEDGER-29-008-AWAIT-OBSERVABILITY-SCHEMA | DONE (2025-11-22) | Due 2025-11-21 · Accountable: Findings Ledger Guild, QA Guild / `src/Findings/StellaOps.Findings.Ledger` | Findings Ledger Guild, QA Guild / `src/Findings/StellaOps.Findings.Ledger` | Observability schema and metrics/log contract captured in `docs/modules/findings-ledger/prep/2025-11-22-ledger-airgap-prep.md`; 5M harness can proceed. |
| P2 | PREP-LEDGER-34-101-ORCHESTRATOR-LEDGER-EXPORT | DONE (2025-11-22) | Due 2025-11-21 · Accountable: Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Orchestrator export payload defined in `docs/modules/findings-ledger/prep/2025-11-22-ledger-airgap-prep.md`; unblock ledger linkage. |
| P3 | PREP-LEDGER-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM | DONE (2025-11-22) | Due 2025-11-21 · Accountable: Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Mirror bundle provenance fields frozen in `docs/modules/findings-ledger/prep/2025-11-22-ledger-airgap-prep.md`; staleness/anchor rules defined. |
@@ -55,6 +56,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Reconciled tracker: marked LEDGER-29-007 (metrics/alerts) and LEDGER-29-008 (replay harness) DONE in tasks-all; statuses in this sprint already reflected completion dates. | Project Mgmt |
| 2025-11-22 | LEDGER-29-008 delivered: replay harness metrics aligned (`ledger_write_duration_seconds`, gauges), projection risk fields fixed, new harness tests added; `dotnet test src/Findings/StellaOps.Findings.Ledger.Tests` passing (warnings only). | Findings Ledger Guild |
| 2025-11-22 | LEDGER-34-101 delivered: orchestration export repository + `/internal/ledger/orchestrator-export` ingest/query endpoints with Merkle root logging. | Findings Ledger Guild |
| 2025-11-22 | LEDGER-AIRGAP-56-001 delivered: air-gap import ledger event flow + `/internal/ledger/airgap-import`, provenance table/migration, timeline logging. | Findings Ledger Guild |
@@ -80,6 +82,7 @@
| 2025-11-22 | Published `docs/modules/findings-ledger/prep/2025-11-22-ledger-airgap-prep.md`; set PREP tasks P1P3 to DONE. | Project Mgmt |
| 2025-11-22 | Marked all PREP tasks to DONE per directive; evidence to be verified. | Project Mgmt |
| 2025-11-22 | PREP contracts published; moved LEDGER-29-008, LEDGER-34-101, and LEDGER-AIRGAP-56-001 to TODO. | Project Mgmt |
| 2025-11-24 | Reconciled LEDGER-29-006 status (DONE on 2025-10-19 per archived tasks); added to Delivery Tracker for traceability. | Project Mgmt |
## Decisions & Risks
- Metric names locked by 2025-11-15 and documented in `docs/observability/policy.md` to avoid schema churn.

24
docs/implplan/SPRINT_0121_0001_0001_policy_reasoning.md
View File

@@ -35,25 +35,19 @@
| P8 | PREP-LEDGER-PACKS-42-001-SNAPSHOT-TIME-TRAVEL | DONE (2025-11-22) | Due 2025-11-22 · Accountable: Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Snapshot/time-travel contract and bundle format not specified; needs design input. <br><br> Document artefact/deliverable for LEDGER-PACKS-42-001 and publish location so downstream tasks can proceed. |
| P9 | PREP-LEDGER-RISK-66-001-RISK-ENGINE-SCHEMA-CO | DONE (2025-11-21) | Due 2025-11-22 · Accountable: Findings Ledger Guild; Risk Engine Guild / src/Findings/StellaOps.Findings.Ledger | Findings Ledger Guild; Risk Engine Guild / src/Findings/StellaOps.Findings.Ledger | Prep doc published at `docs/modules/findings-ledger/prep/2025-11-20-ledger-risk-prep.md`; risk fields and rollout plan defined for downstream implementation. |
| P10 | PREP-LEDGER-RISK-66-002-DEPENDS-ON-66-001-MIG | DONE (2025-11-21) | Due 2025-11-22 · Accountable: Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Depends on 66-001 migration + risk scoring contract. Prep doc published at `docs/modules/findings-ledger/prep/2025-11-20-ledger-risk-prep.md`. |
| 1 | LEDGER-ATTEST-73-002 | BLOCKED | Waiting on LEDGER-ATTEST-73-001 verification pipeline delivery | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Enable search/filter in findings projections by verification result and attestation status |
| 2 | LEDGER-EXPORT-35-001 | DONE (2025-11-22) | Findings/VEX/Advisory/SBOM endpoints implemented with filters hash + page token validation; deterministic empty result sets until schemas/tables land | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings with deterministic ordering and provenance metadata |
| 3 | LEDGER-OAS-61-001-DEV | BLOCKED | PREP-LEDGER-OAS-61-001-ABSENT-OAS-BASELINE-AN | Findings Ledger Guild; API Contracts Guild / src/Findings/StellaOps.Findings.Ledger | Expand Findings Ledger OAS to include projections, evidence lookups, and filter parameters with examples |
| 4 | LEDGER-OAS-61-002-DEV | BLOCKED | PREP-LEDGER-OAS-61-002-DEPENDS-ON-61-001-CONT | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Implement `/.well-known/openapi` endpoint and ensure version metadata matches release |
| 5 | LEDGER-OAS-62-001-DEV | BLOCKED | PREP-LEDGER-OAS-62-001-SDK-GENERATION-PENDING | Findings Ledger Guild; SDK Generator Guild / src/Findings/StellaOps.Findings.Ledger | Provide SDK test cases for findings pagination, filtering, evidence links; ensure typed models expose provenance |
| 6 | LEDGER-OAS-63-001-DEV | BLOCKED | PREP-LEDGER-OAS-63-001-DEPENDENT-ON-SDK-VALID | Findings Ledger Guild; API Governance Guild / src/Findings/StellaOps.Findings.Ledger | Support deprecation headers and Notifications for retiring finding endpoints |
| 7 | LEDGER-OBS-50-001 | DONE | Telemetry core wired into writer/projector; structured logs + spans added | Findings Ledger Guild; Observability Guild / src/Findings/StellaOps.Findings.Ledger | Integrate telemetry core within ledger writer/projector services for append, replay, and query APIs |
| 8 | LEDGER-OBS-51-001 | DONE | Metrics and SLOs implemented in code + docs | Findings Ledger Guild; DevOps Guild / src/Findings/StellaOps.Findings.Ledger | Publish metrics for ledger latency, projector lag, event throughput, and policy evaluation linkage; SLOs: append P95 < 1s, replay lag < 30s |
| 9 | LEDGER-OBS-52-001 | DONE | Timeline events emitted for ledger append + projection commit | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Emit timeline events for ledger writes and projector commits (`ledger.event.appended`, `ledger.projection.updated`) with trace ID, policy version, evidence bundle reference placeholders |
| 10 | LEDGER-OBS-53-001 | DONE | Evidence bundle refs persisted + lookup API | Findings Ledger Guild; Evidence Locker Guild / src/Findings/StellaOps.Findings.Ledger | Persist evidence bundle references alongside ledger entries; expose lookup linking findings to evidence manifests and timeline |
| 11 | LEDGER-OBS-54-001 | DONE (2025-11-22) | `/v1/ledger/attestations` endpoint implemented with deterministic paging + filters hash; schema/OAS updated | Findings Ledger Guild; Provenance Guild / src/Findings/StellaOps.Findings.Ledger | Verify attestation references for ledger-derived exports; expose `/ledger/attestations` endpoint returning DSSE verification state and chain-of-custody summary |
| 12 | LEDGER-OBS-55-001 | BLOCKED | PREP-LEDGER-OBS-55-001-DEPENDS-ON-54-001-ATTE | Findings Ledger Guild; DevOps Guild / src/Findings/StellaOps.Findings.Ledger | Enhance incident mode to record replay diagnostics (lag traces, conflict snapshots), extend retention while active, and emit activation events to timeline/notifier |
| 13 | LEDGER-PACKS-42-001-DEV | BLOCKED | PREP-LEDGER-PACKS-42-001-SNAPSHOT-TIME-TRAVEL | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Provide snapshot/time-travel APIs and digestible exports for task pack simulation and CLI offline mode |
| 14 | LEDGER-RISK-66-001 | DONE (2025-11-21) | PREP-LEDGER-RISK-66-001-RISK-ENGINE-SCHEMA-CO | Findings Ledger Guild; Risk Engine Guild / src/Findings/StellaOps.Findings.Ledger | Add schema migrations for `risk_score`, `risk_severity`, `profile_version`, `explanation_id`, and supporting indexes |
| 15 | LEDGER-RISK-66-002 | DONE (2025-11-21) | PREP-LEDGER-RISK-66-002-DEPENDS-ON-66-001-MIG | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Implement deterministic upsert of scoring results keyed by finding hash/profile version with history audit |
| 1 | LEDGER-EXPORT-35-001 | DONE (2025-11-22) | Findings/VEX/Advisory/SBOM endpoints implemented with filters hash + page token validation; deterministic empty result sets until schemas/tables land | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings with deterministic ordering and provenance metadata |
| 2 | LEDGER-OBS-50-001 | DONE | Telemetry core wired into writer/projector; structured logs + spans added | Findings Ledger Guild; Observability Guild / src/Findings/StellaOps.Findings.Ledger | Integrate telemetry core within ledger writer/projector services for append, replay, and query APIs |
| 3 | LEDGER-OBS-51-001 | DONE | Metrics and SLOs implemented in code + docs | Findings Ledger Guild; DevOps Guild / src/Findings/StellaOps.Findings.Ledger | Publish metrics for ledger latency, projector lag, event throughput, and policy evaluation linkage; SLOs: append P95 < 1s, replay lag < 30s |
| 4 | LEDGER-OBS-52-001 | DONE | Timeline events emitted for ledger append + projection commit | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Emit timeline events for ledger writes and projector commits (`ledger.event.appended`, `ledger.projection.updated`) with trace ID, policy version, evidence bundle reference placeholders |
| 5 | LEDGER-OBS-53-001 | DONE | Evidence bundle refs persisted + lookup API | Findings Ledger Guild; Evidence Locker Guild / src/Findings/StellaOps.Findings.Ledger | Persist evidence bundle references alongside ledger entries; expose lookup linking findings to evidence manifests and timeline |
| 6 | LEDGER-OBS-54-001 | DONE (2025-11-22) | `/v1/ledger/attestations` endpoint implemented with deterministic paging + filters hash; schema/OAS updated | Findings Ledger Guild; Provenance Guild / src/Findings/StellaOps.Findings.Ledger | Verify attestation references for ledger-derived exports; expose `/ledger/attestations` endpoint returning DSSE verification state and chain-of-custody summary |
| 7 | LEDGER-RISK-66-001 | DONE (2025-11-21) | PREP-LEDGER-RISK-66-001-RISK-ENGINE-SCHEMA-CO | Findings Ledger Guild; Risk Engine Guild / src/Findings/StellaOps.Findings.Ledger | Add schema migrations for `risk_score`, `risk_severity`, `profile_version`, `explanation_id`, and supporting indexes |
| 8 | LEDGER-RISK-66-002 | DONE (2025-11-21) | PREP-LEDGER-RISK-66-002-DEPENDS-ON-66-001-MIG | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Implement deterministic upsert of scoring results keyed by finding hash/profile version with history audit |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Moved all remaining BLOCKED tasks (OAS, ATTEST, OBS-55, PACKS) to new sprint `SPRINT_0121_0001_0002_policy_reasoning_blockers`; cleansed Delivery Tracker to active/completed items only. | Project Mgmt |
| 2025-11-22 | Implemented LEDGER-OBS-54-001: `/v1/ledger/attestations` endpoint with paging token + filters hash guard; OAS/schema updated; status set to DONE. | Findings Ledger |
| 2025-11-20 | Published ledger OBS/pack/risk prep docs (docs/modules/findings-ledger/prep/2025-11-20-ledger-obs-54-001-prep.md, ...ledger-packs-42-001-prep.md, ...ledger-risk-66-prep.md); set PREP-LEDGER-OBS-54-001, PACKS-42-001, RISK-66-001/002 to DOING. | Project Mgmt |
| 2025-11-21 | Implemented LEDGER-RISK-66-001/002: added risk fields + index migration, policy evaluation payload plumbing, projection hashing, and repository storage; updated docs/schema and marked tasks DONE. | Findings Ledger |

39
docs/implplan/SPRINT_0121_0001_0002_policy_reasoning_blockers.md Normal file
View File

@@ -0,0 +1,39 @@
# Sprint 0121-0001-0002 · Policy Reasoning · Findings Ledger Blockers
## Topic & Scope
- Preserve all Findings Ledger implementation items that remain BLOCKED after Sprint 0121-0001-0001.
- Keep blocked work visible while upstream contracts (attestation verification, OAS/SDK, incident mode) land.
- **Working directory:** `src/Findings/StellaOps.Findings.Ledger`.
## Dependencies & Concurrency
- Upstream contracts: LEDGER-ATTEST-73-001 verification pipeline; PREP-LEDGER-OAS-* baseline artefacts; ledger incident-mode contract from OBS-54-001.
- Execute when dependencies clear; no concurrent DOING items permitted until upstreams are met.
## Documentation Prerequisites
- `docs/modules/findings-ledger/openapi/findings-ledger.v1.yaml`
- `docs/modules/findings-ledger/prep/2025-11-20-ledger-oas-prep.md`
- `docs/modules/findings-ledger/prep/ledger-attestations-http.md`
- `docs/modules/findings-ledger/prep/ledger-risk-prep.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | LEDGER-ATTEST-73-002 | BLOCKED | Waiting on LEDGER-ATTEST-73-001 verification pipeline delivery | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Enable search/filter in findings projections by verification result and attestation status |
| 2 | LEDGER-OAS-61-001-DEV | BLOCKED | PREP-LEDGER-OAS-61-001-ABSENT-OAS-BASELINE-AN | Findings Ledger Guild; API Contracts Guild / `src/Findings/StellaOps.Findings.Ledger` | Expand Findings Ledger OAS to include projections, evidence lookups, and filter parameters with examples |
| 3 | LEDGER-OAS-61-002-DEV | BLOCKED | PREP-LEDGER-OAS-61-002-DEPENDS-ON-61-001-CONT | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Implement `/.well-known/openapi` endpoint and ensure version metadata matches release |
| 4 | LEDGER-OAS-62-001-DEV | BLOCKED | PREP-LEDGER-OAS-62-001-SDK-GENERATION-PENDING | Findings Ledger Guild; SDK Generator Guild / `src/Findings/StellaOps.Findings.Ledger` | Provide SDK test cases for findings pagination, filtering, evidence links; ensure typed models expose provenance |
| 5 | LEDGER-OAS-63-001-DEV | BLOCKED | PREP-LEDGER-OAS-63-001-DEPENDENT-ON-SDK-VALID | Findings Ledger Guild; API Governance Guild / `src/Findings/StellaOps.Findings.Ledger` | Support deprecation headers and Notifications for retiring finding endpoints |
| 6 | LEDGER-OBS-55-001 | BLOCKED | PREP-LEDGER-OBS-55-001-DEPENDS-ON-54-001-ATTE | Findings Ledger Guild; DevOps Guild / `src/Findings/StellaOps.Findings.Ledger` | Enhance incident mode to record replay diagnostics (lag traces, conflict snapshots), extend retention while active, and emit activation events to timeline/notifier |
| 7 | LEDGER-PACKS-42-001-DEV | BLOCKED | PREP-LEDGER-PACKS-42-001-SNAPSHOT-TIME-TRAVEL | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Provide snapshot/time-travel APIs and digestible exports for task pack simulation and CLI offline mode |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Carried forward all BLOCKED Findings Ledger items from Sprint 0121-0001-0001; no status changes until upstream contracts land. | Project Mgmt |
## Decisions & Risks
- All tasks remain blocked pending upstream OAS/verification/incident-mode contracts; do not start until dependencies are confirmed green.
- Keep risk of contract drift tracked against `docs/modules/findings-ledger/prep/*` artefacts; refresh prior to unblocking.
## Next Checkpoints
- Schedule unblock review after LEDGER-ATTEST-73-001 pipeline publishes verification results (date TBD).

48
docs/implplan/SPRINT_0129_0001_0001_policy_reasoning.md
View File

@@ -28,40 +28,50 @@
| 9 | REGISTRY-API-27-008 | TODO | Depends on 27-007. | Policy Registry Guild / `src/Policy/StellaOps.Policy.Registry` | Promotion bindings per tenant/environment. |
| 10 | REGISTRY-API-27-009 | TODO | Depends on 27-008. | Policy Registry · Observability Guild / `src/Policy/StellaOps.Policy.Registry` | Metrics/logs/traces + dashboards. |
| 11 | REGISTRY-API-27-010 | TODO | Depends on 27-009. | Policy Registry · QA Guild / `src/Policy/StellaOps.Policy.Registry` | Test suites + fixtures. |
| 12 | RISK-ENGINE-66-001 | TODO | Scaffold scoring service; needs deterministic harness. | Risk Engine Guild / `src/RiskEngine/StellaOps.RiskEngine` | Scoring service + job queue. |
| 13 | RISK-ENGINE-66-002 | TODO | Depends on 66-001. | Risk Engine Guild / `src/RiskEngine/StellaOps.RiskEngine` | Default transforms/clamping/gating. |
| 14 | RISK-ENGINE-67-001 | TODO | Depends on 66-002. | Risk Engine Guild · Concelier Guild / `src/RiskEngine/StellaOps.RiskEngine` | CVSS/KEV providers. |
| 15 | RISK-ENGINE-67-002 | TODO | Depends on 67-001. | Risk Engine Guild · Excitor Guild / `src/RiskEngine/StellaOps.RiskEngine` | VEX gate provider. |
| 16 | RISK-ENGINE-67-003 | TODO | Depends on 67-002. | Risk Engine Guild · Policy Engine Guild / `src/RiskEngine/StellaOps.RiskEngine` | Fix availability/criticality/exposure providers. |
| 17 | RISK-ENGINE-68-001 | TODO | Depends on 67-003. | Risk Engine Guild · Findings Ledger Guild / `src/RiskEngine/StellaOps.RiskEngine` | Persist results + explanations to Findings Ledger. |
| 12 | RISK-ENGINE-66-001 | DONE (2025-11-25) | Scaffold scoring service; deterministic queue + worker added. | Risk Engine Guild / `src/RiskEngine/StellaOps.RiskEngine` | Scoring service + job queue + provider registry with deterministic harness. |
| 13 | RISK-ENGINE-66-002 | DONE (2025-11-25) | Depends on 66-001. | Risk Engine Guild / `src/RiskEngine/StellaOps.RiskEngine` | Default transforms/clamping/gating. |
| 14 | RISK-ENGINE-67-001 | DONE (2025-11-25) | Depends on 66-002. | Risk Engine Guild · Concelier Guild / `src/RiskEngine/StellaOps.RiskEngine` | CVSS/KEV providers. |
| 15 | RISK-ENGINE-67-002 | DONE (2025-11-25) | Depends on 67-001. | Risk Engine Guild · Excitor Guild / `src/RiskEngine/StellaOps.RiskEngine` | VEX gate provider. |
| 16 | RISK-ENGINE-67-003 | DONE (2025-11-25) | Depends on 67-002. | Risk Engine Guild · Policy Engine Guild / `src/RiskEngine/StellaOps.RiskEngine` | Fix availability/criticality/exposure providers. |
| 17 | RISK-ENGINE-68-001 | DONE (2025-11-25) | Depends on 67-003. | Risk Engine Guild · Findings Ledger Guild / `src/RiskEngine/StellaOps.RiskEngine` | Persist results + explanations to Findings Ledger. |
| 18 | RISK-ENGINE-68-002 | TODO | Depends on 68-001. | Risk Engine Guild / `src/RiskEngine/StellaOps.RiskEngine` | APIs for jobs/results/simulations. |
| 19 | VEXLENS-30-001 | TODO | — | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Normalize CSAF/OpenVEX/CycloneDX VEX. |
| 20 | VEXLENS-30-002 | TODO | Depends on 30-001. | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Product mapping library. |
| 21 | VEXLENS-30-003 | TODO | Depends on 30-002. | VEX Lens Guild · Issuer Directory Guild / `src/VexLens/StellaOps.VexLens` | Signature verification. |
| 22 | VEXLENS-30-004 | TODO | Depends on 30-003. | VEX Lens · Policy Guild / `src/VexLens/StellaOps.VexLens` | Trust weighting engine. |
| 23 | VEXLENS-30-005 | TODO | Depends on 30-004. | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Consensus algorithm. |
| 24 | VEXLENS-30-006 | TODO | Depends on 30-005. | VEX Lens · Findings Ledger Guild / `src/VexLens/StellaOps.VexLens` | Consensus projection storage/events. |
| 25 | VEXLENS-30-007 | TODO | Depends on 30-006. | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Consensus APIs + OpenAPI. |
| 26 | VEXLENS-30-008 | TODO | Depends on 30-007. | VEX Lens · Policy Guild / `src/VexLens/StellaOps.VexLens` | Integrate consensus with Policy Engine + Vuln Explorer. |
| 27 | VEXLENS-30-009 | TODO | Depends on 30-008. | VEX Lens · Observability Guild / `src/VexLens/StellaOps.VexLens` | Metrics/logs/traces. |
| 28 | VEXLENS-30-010 | TODO | Depends on 30-009. | VEX Lens · QA Guild / `src/VexLens/StellaOps.VexLens` | Tests + determinism harness. |
| 29 | VEXLENS-30-011 | TODO | Depends on 30-010. | VEX Lens · DevOps Guild / `src/VexLens/StellaOps.VexLens` | Deployment/runbooks/offline kit. |
| 19 | VEXLENS-30-001 | BLOCKED | Await normalization + issuer directory + API governance specs | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Normalize CSAF/OpenVEX/CycloneDX VEX. |
| 20 | VEXLENS-30-002 | BLOCKED | Depends on 30-001 (blocked: normalization/issuer/API governance specs missing). | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Product mapping library. |
| 21 | VEXLENS-30-003 | BLOCKED | Depends on 30-002 (blocked). | VEX Lens Guild · Issuer Directory Guild / `src/VexLens/StellaOps.VexLens` | Signature verification. |
| 22 | VEXLENS-30-004 | BLOCKED | Depends on 30-003 (blocked). | VEX Lens · Policy Guild / `src/VexLens/StellaOps.VexLens` | Trust weighting engine. |
| 23 | VEXLENS-30-005 | BLOCKED | Depends on 30-004 (blocked). | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Consensus algorithm. |
| 24 | VEXLENS-30-006 | BLOCKED | Depends on 30-005 (blocked). | VEX Lens · Findings Ledger Guild / `src/VexLens/StellaOps.VexLens` | Consensus projection storage/events. |
| 25 | VEXLENS-30-007 | BLOCKED | Depends on 30-006 (blocked). | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Consensus APIs + OpenAPI. |
| 26 | VEXLENS-30-008 | BLOCKED | Depends on 30-007 (blocked). | VEX Lens · Policy Guild / `src/VexLens/StellaOps.VexLens` | Integrate consensus with Policy Engine + Vuln Explorer. |
| 27 | VEXLENS-30-009 | BLOCKED | Depends on 30-008 (blocked). | VEX Lens · Observability Guild / `src/VexLens/StellaOps.VexLens` | Metrics/logs/traces. |
| 28 | VEXLENS-30-010 | BLOCKED | Depends on 30-009 (blocked). | VEX Lens · QA Guild / `src/VexLens/StellaOps.VexLens` | Tests + determinism harness. |
| 29 | VEXLENS-30-011 | BLOCKED | Depends on 30-010 (blocked). | VEX Lens · DevOps Guild / `src/VexLens/StellaOps.VexLens` | Deployment/runbooks/offline kit. |
| 30 | VEXLENS-AIAI-31-001 | TODO | Depends on 30-011. | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Consensus rationale API enhancements. |
| 31 | VEXLENS-AIAI-31-002 | TODO | Depends on AIAI-31-001. | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Caching hooks for Advisory AI. |
| 32 | VEXLENS-EXPORT-35-001 | TODO | Depends on 30-011. | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Consensus snapshot API for mirror bundles. |
| 33 | VEXLENS-ORCH-33-001 | TODO | Depends on 30-011. | VEX Lens · Orchestrator Guild / `src/VexLens/StellaOps.VexLens` | Register consensus compute job type. |
| 34 | VEXLENS-ORCH-34-001 | TODO | Depends on ORCH-33-001. | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Emit consensus completion events to orchestrator ledger. |
| 35 | VULN-API-29-001 | TODO | — | Vuln Explorer API Guild / `src/VulnExplorer/StellaOps.VulnExplorer.Api` | Define VulnExplorer OpenAPI spec. |
| 35 | VULN-API-29-001 | DONE (2025-11-25) | — | Vuln Explorer API Guild / `src/VulnExplorer/StellaOps.VulnExplorer.Api` | Define VulnExplorer OpenAPI spec. |
| 36 | VULN-API-29-002 | TODO | Depends on 29-001. | Vuln Explorer API Guild / `src/VulnExplorer/StellaOps.VulnExplorer.Api` | Implement list/query endpoints. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | RISK-ENGINE-67-002 DONE: VEX gate provider added with short-circuit tests; packaged in RiskEngine queue/worker pipeline. | Implementer |
| 2025-11-25 | RISK-ENGINE-67-001 DONE: added CVSS+KEV provider and tests; score formula clamp((cvss/10)+0.2 if KEV). | Implementer |
| 2025-11-25 | RISK-ENGINE-68-001 DONE: risk score worker now persists results via result store abstraction; in-memory store added plus persistence tests; TRX at `TestResults/risk-engine/risk.trx`. | Implementer |
| 2025-11-25 | RISK-ENGINE-67-003 DONE: fix-availability/criticality/exposure provider added with missing-signal default tests; TRX at `TestResults/risk-engine/risk.trx`. | Implementer |
| 2025-11-25 | VULN-API-29-001 DONE: drafted OpenAPI spec at `docs/modules/vuln-explorer/openapi/vuln-explorer.v1.yaml` and summary `docs/modules/vuln-explorer/api.md`; includes tenant header, filters, deterministic paging. | Implementer |
| 2025-11-25 | RISK-ENGINE-66-002 DONE: added default-transforms provider (clamp [0,1] then average), queue/worker tests updated; TRX at `TestResults/risk-engine/risk.trx`. | Implementer |
| 2025-11-25 | RISK-ENGINE-66-001 DONE: scaffolded deterministic risk score queue + worker + provider registry; added unit tests verifying FIFO ordering and missing-provider failures. | Implementer |
| 2025-11-25 | Marked VEXLENS-30-002..30-011 BLOCKED because upstream VEXLENS-30-001 remains blocked on normalization schema + issuer directory + API governance specs; mirrored to tasks-all. | Project Mgmt |
| 2025-11-25 | Marked VEXLENS-30-001 BLOCKED pending normalization schema, issuer directory inputs, and API governance guidance; downstream VEXLENS tasks remain TODO and depend on this. | Project Mgmt |
| 2025-11-25 | Removed legacy `SPRINT_129_policy_reasoning.md`, pointed trackers to canonical name, and created `src/VexLens/StellaOps.VexLens/TASKS.md` mirroring VEX Lens tasks; statuses remain TODO pending upstream specs. | Project Mgmt |
| 2025-11-08 | Sprint stub; awaiting upstream specs. | Planning |
| 2025-11-19 | Normalized to standard template and renamed from `SPRINT_129_policy_reasoning.md` to `SPRINT_0129_0001_0001_policy_reasoning.md`; content preserved. | Implementer |
## Decisions & Risks
- Multiple upstream specs missing (Registry API, Risk Engine contracts, VEX consensus schema, VulnExplorer API); all tasks remain TODO until contracts land.
- Multiple upstream specs missing (Registry API, Risk Engine contracts, VEX consensus schema, issuer directory, API governance, VulnExplorer API); VEXLENS-30-001 blocked until normalization + issuer inputs land; downstream tasks depend on it.
## Next Checkpoints
- Publish Registry API + RiskEngine/VexLens/VulnExplorer contracts (dates TBD).

5
docs/implplan/SPRINT_0131_0001_0001_scanner_surface.md
View File

@@ -21,6 +21,7 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 0 | SCANNER-ANALYZERS-LANG-10-309 | DONE (2025-10-21) | Packaged in Sprint 10; artefacts present in Offline Kit | Language Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang`) | Package language analyzers as restart-time plug-ins (manifest + host registration) and update Offline Kit manifests. |
| P1 | PREP-SCANNER-ANALYZERS-JAVA-21-005-TESTS-BLOC | DONE (2025-11-22) | Due 2025-11-22 · Accountable: Java Analyzer Guild | Java Analyzer Guild | Tests blocked: repo build fails in Concelier (CoreLinksets missing) and targeted Java analyzer test run stalls; retry once dependencies fixed or CI available. <br><br> Document artefact/deliverable for SCANNER-ANALYZERS-JAVA-21-005 and publish location so downstream tasks can proceed. |
| P2 | PREP-SCANNER-ANALYZERS-JAVA-21-008-WAITING-ON | DONE (2025-11-22) | Due 2025-11-22 · Accountable: Java Analyzer Guild | Java Analyzer Guild | Waiting on 21-007 completion and resolver authoring bandwidth. <br><br> Document artefact/deliverable for SCANNER-ANALYZERS-JAVA-21-008 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/scanner/prep/2025-11-20-java-21-008-prep.md`. |
| P3 | PREP-SCANNER-ANALYZERS-LANG-11-001-DOTNET-TES | DONE (2025-11-22) | Due 2025-11-22 · Accountable: StellaOps.Scanner EPDR Guild · Language Analyzer Guild | StellaOps.Scanner EPDR Guild · Language Analyzer Guild | `dotnet test` hangs/returns empty output; needs clean runner/CI diagnostics. <br><br> Document artefact/deliverable for SCANNER-ANALYZERS-LANG-11-001 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/scanner/prep/2025-11-20-lang-11-001-prep.md`. |
@@ -35,6 +36,7 @@
| 9 | SCANNER-ANALYZERS-JAVA-21-010 | TODO | After 21-009; requires runtime capture design. | Java Analyzer Guild · Signals Guild | Optional runtime ingestion via Java agent + JFR reader capturing class load, ServiceLoader, System.load events with path scrubbing; append-only runtime edges (`runtime-class`/`runtime-spi`/`runtime-load`). |
| 10 | SCANNER-ANALYZERS-JAVA-21-011 | TODO | Depends on 21-010; finalize DI/manifest registration and docs. | Java Analyzer Guild | Package analyzer as restart-time plug-in, update Offline Kit docs, add CLI/worker hooks for Java inspection commands. |
| 11 | SCANNER-ANALYZERS-LANG-11-001 | BLOCKED (2025-11-17) | PREP-SCANNER-ANALYZERS-LANG-11-001-DOTNET-TES; DEVOPS-SCANNER-CI-11-001 for clean runner + binlogs/TRX. | StellaOps.Scanner EPDR Guild · Language Analyzer Guild | Entrypoint resolver mapping project/publish artifacts to entrypoint identities (assembly name, MVID, TFM, RID) and environment profiles; output normalized `entrypoints[]` with deterministic IDs. |
| 12 | SCANNER-ANALYZERS-PHP-27-001 | BLOCKED (2025-11-24) | Awaiting PHP analyzer bootstrap spec/fixtures and sprint placement; needs composer/VFS schema and offline kit target. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php) | Build input normalizer & VFS for PHP projects: merge source trees, composer manifests, vendor/, php.ini/conf.d, `.htaccess`, FPM configs, container layers; detect framework/CMS fingerprints deterministically. |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -45,6 +47,8 @@
| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
| 2025-11-17 | Normalised sprint file to standard template and renamed from `SPRINT_131_scanner_surface.md` to `SPRINT_0131_scanner_surface.md`; no semantic changes. | Planning |
| 2025-11-17 | Attempted `./tools/dotnet-filter.sh test src/Scanner/StellaOps.Scanner.sln --no-restore`; build ran ~72s compiling scanner/all projects without completing tests, then aborted locally to avoid runaway build. Follow-up narrow build `dotnet build src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.csproj` also stalled ~28s in target resolution before manual stop. Blocker persists; needs clean CI runner or scoped test project to finish LANG-11-001 validation. | Implementer |
| 2025-11-24 | Reconciled SCANNER-ANALYZERS-LANG-10-309 as DONE (packaged 2025-10-21 in Sprint 10; artefacts in Offline Kit); added to Delivery Tracker. | Project Mgmt |
| 2025-11-24 | Added SCANNER-ANALYZERS-PHP-27-001 to tracker and marked BLOCKED pending PHP analyzer bootstrap spec/fixtures and sprint alignment. | Project Mgmt |
| 2025-11-17 | Started SCANNER-ANALYZERS-JAVA-21-005: initial framework config extraction (Spring configs, JPA/CDI/JAXB, logging, Graal native-image) implemented with evidence + metadata; added regression test scaffold. | Implementer |
| 2025-11-17 | SCANNER-ANALYZERS-JAVA-21-005: Added Spring Boot `.imports` detection and web-fragment coverage; refreshed framework-config test to assert imports + fragment metadata. Test run blocked by Concelier Mongo build errors (missing CoreLinksets interfaces); rerun once repository build is green. | Java Analyzer Guild |
| 2025-11-19 | SCANNER-ANALYZERS-JAVA-21-005: Added SHA-256 evidence for framework configs (spring.factories, app/bootstrap config, web.xml, etc.) and updated regression test to assert hashed config evidence. Test run aborted due to solution restore contention; rerun needed when runner is free. | Java Analyzer Guild |
@@ -80,6 +84,7 @@
- Additional note: dotnet-filter wrapper avoids `workdir:` injection but full solution builds still stall locally; recommend CI/clean runner and/or scoped project tests to gather logs for LANG-11-001.
- `SCANNER-ANALYZERS-JAVA-21-008` blocked (2025-10-27): resolver capacity needed to produce entrypoint/component/edge outputs; downstream tasks remain stalled until resolved.
- Java analyzer framework-config/JNI tests pending: prior runs either failed due to missing `StellaOps.Concelier.Storage.Mongo` `CoreLinksets` types or were aborted due to repo-wide restore contention; rerun on clean runner or after Concelier build stabilises.
- `SCANNER-ANALYZERS-PHP-27-001` blocked: PHP analyzer bootstrap spec/fixtures not provided; needs composer/VFS schema and offline kit target before implementation.
- Deno runtime hook + policy-signal schema drafted in `docs/modules/scanner/design/deno-runtime-signals.md`; shim plan in `docs/modules/scanner/design/deno-runtime-shim.md`.
- Deno runtime shim now emits module/permission/wasm/npm events; needs end-to-end validation on a Deno runner (cached-only) to confirm module loader hook coverage before wiring DENO-26-010/011.
- Offline smoke test uses stubbed `deno` to verify runner/shim integration; still advisable to run once with real cached-only `deno` to validate module-loader hook coverage before wiring DENO-26-010/011 (but not blocking current task). With analyzer now auto-calling the runner when `STELLA_DENO_ENTRYPOINT` is set, runtime capture is available as soon as a real `deno` binary is present.

14
docs/implplan/SPRINT_0136_0001_0001_scanner_surface.md
View File

@@ -19,9 +19,12 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SCANNER-ENTRYTRACE-18-504 | TODO | Depends on 18-503. | EntryTrace Guild (`src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace`) | Emit EntryTrace AOC NDJSON (`entrytrace.entry/node/edge/target/warning/capability`) and wire CLI/service streaming outputs. |
| 2 | SCANNER-ENTRYTRACE-18-505 | TODO | Depends on 18-504. | EntryTrace Guild | Implement ProcGraph replay to reconcile `/proc` exec chains with static EntryTrace, collapsing wrappers and emitting agreement/conflict diagnostics. |
| 3 | SCANNER-ENTRYTRACE-18-506 | TODO | Depends on 18-505. | EntryTrace Guild · Scanner WebService Guild | Surface EntryTrace graph + confidence via Scanner.WebService and CLI, including target summary in scan reports and policy payloads. |
| 0 | SURFACE-FS-01 | DONE (2025-11-24) | Spec published in `docs/modules/scanner/design/surface-fs.md` v1.1 | Scanner Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS`) | Author Surface.FS cache/manifest specification and cross-module contract (manifests, CAS URIs, cache layout). |
| 1 | SURFACE-FS-02 | DONE (2025-11-24) | Core library implemented; see `src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS` | Scanner Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS`) | Ship FileSurfaceManifestStore/Reader/Writer + cache options, deterministic path builder, and DI registration per `surface-fs.md`. |
| 2 | SCANNER-ENTRYTRACE-18-504 | BLOCKED (2025-11-25) | Waiting on 18-503 outputs (`/proc` capture baseline) before emitting NDJSON. | EntryTrace Guild (`src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace`) | Emit EntryTrace AOC NDJSON (`entrytrace.entry/node/edge/target/warning/capability`) and wire CLI/service streaming outputs. |
| 3 | SCANNER-ENTRYTRACE-18-505 | BLOCKED (2025-11-25) | Blocked by 18-504 start; replay requires emitted NDJSON. | EntryTrace Guild | Implement ProcGraph replay to reconcile `/proc` exec chains with static EntryTrace, collapsing wrappers and emitting agreement/conflict diagnostics. |
| 4 | SCANNER-ENTRYTRACE-18-506 | BLOCKED (2025-11-25) | Blocked by 18-505; needs replay output shapes. | EntryTrace Guild · Scanner WebService Guild | Surface EntryTrace graph + confidence via Scanner.WebService and CLI, including target summary in scan reports and policy payloads. |
| 5 | SCANNER-SURFACE-01 | BLOCKED (2025-11-25) | Task definition absent; needs scope/contract before implementation. | Scanner Guild | — |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -29,9 +32,14 @@
| 2025-11-08 | Sprint stub created; awaiting completion of Sprint 0135. | Planning |
| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_136_scanner_surface.md` to `SPRINT_0136_0001_0001_scanner_surface.md`; content preserved. | Implementer |
| 2025-11-19 | Converted legacy filename `SPRINT_136_scanner_surface.md` to redirect stub pointing here to avoid divergent updates. | Implementer |
| 2025-11-24 | Marked SURFACE-FS-01 DONE; spec anchored in `docs/modules/scanner/design/surface-fs.md` v1.1. | Scanner Guild |
| 2025-11-24 | Marked SURFACE-FS-02 DONE; core Surface.FS manifest/cache library implemented and DI-ready. | Scanner Guild |
| 2025-11-25 | Marked EntryTrace chain (18-504/505/506) BLOCKED pending upstream 18-503 outputs from prior phase. | Project Mgmt |
| 2025-11-25 | Added SCANNER-SURFACE-01 to tracker and marked BLOCKED because task definition/scope is missing from sprint/docs; needs contract before work can begin. | Project Mgmt |
## Decisions & Risks
- EntryTrace export and replay depend on upstream 18-503 and accurate `/proc` capture; maintain deterministic ordering.
- SCANNER-SURFACE-01 blocked: no task definition/contract present; needs scope before DOING.
## Next Checkpoints
- Schedule kickoff after Sprint 0135 completion (date TBD).

33
docs/implplan/SPRINT_0150_0001_0001_mirror_dsse.md Normal file
View File

@@ -0,0 +1,33 @@
# Sprint 0150_0001_0001 · Mirror DSSE/Time Anchors Coordination
## Topic & Scope
- Coordinate DSSE mirror revision (MIRROR-DSSE-REV-1501) with Security and Evidence Locker guilds.
- Capture decisions on DSSE layout, keys, and manifests for mirror bundles/time anchors.
- **Working directory:** `docs/implplan` (coordination only).
## Dependencies & Concurrency
- Depends on Mirror Creator + Security + Evidence Locker guild inputs; aligns with mirror wave 55 program track.
- Concurrency: independent of module code; updates must mirror tasks-all ledger.
## Documentation Prerequisites
- `docs/implplan/AGENTS.md`
- `docs/modules/platform/architecture-overview.md`
- Any mirror DSSE drafts (if available).
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | MIRROR-DSSE-REV-1501 | DONE (2025-11-24) | Note published at `docs/implplan/updates/2025-11-24-mirror-dsse-rev-1501.md`; regenerate bundles per Actions. | Mirror Creator Guild · Security Guild · Evidence Locker Guild | Define DSSE envelope/layout for mirror bundles, keys, and manifest updates; publish note and hashes. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-24 | Sprint created from legacy `SPRINT_150_mirror_dsse`; tasks imported and set to TODO pending owner assignment. | Project Mgmt |
| 2025-11-24 | Published DSSE revision note; set MIRROR-DSSE-REV-1501 to DONE and pointed owners to regenerate milestone bundle with DSSE header. | Project Mgmt |
## Decisions & Risks
- Decisions: none yet; waiting on owners to propose DSSE revision.
- Risks: DSSE revision delay stalls mirror/time-anchor automation. Mitigation: assign owners and schedule decision review.
## Next Checkpoints
- 2025-11-26 | DSSE revision staffing/decision call | Confirm owners + decide DSSE layout changes | Escalate to Security lead if no owner |

32
docs/implplan/SPRINT_0150_0001_0002_mirror_time.md Normal file
View File

@@ -0,0 +1,32 @@
# Sprint 0150_0001_0002 · Mirror Time Anchors
## Topic & Scope
- Define time-anchor contract for mirror bundles so air-gapped imports can compute freshness/staleness deterministically (AIRGAP-TIME-CONTRACT-1501).
- Align timestamps and hash ordering with mirror DSSE revision to keep Excititor/ExportCenter/CLI consistent.
- **Working directory:** `docs/implplan` (coordination only).
## Dependencies & Concurrency
- Depends on MIRROR-DSSE-REV-1501 decisions (done).
- Runs in parallel with ExportCenter mirror schema; no code changes required.
## Documentation Prerequisites
- docs/modules/airgap/architecture.md
- docs/modules/mirror/milestone-0-thin-bundle.md
- docs/implplan/updates/2025-11-24-mirror-dsse-rev-1501.md
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | AIRGAP-TIME-CONTRACT-1501 | DONE (2025-11-24) | Contract published at `docs/implplan/updates/2025-11-24-airgap-time-contract-1501.md` | AirGap Time Guild · Mirror Creator Guild | Define canonical time-anchor fields and staleness computation for mirror bundles. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-24 | Created sprint; published time-anchor contract note; marked task DONE. | Project Mgmt |
## Decisions & Risks
- Decisions: mirror manifests MUST carry `generatedAt` (UTC, ISO-8601) and optional `sourceClock` hint; staleness window computed as `now - generatedAt` with ±5s tolerance.
- Risks: ExportCenter manifest v1.1 may rename fields; update note if schema shifts.
## Next Checkpoints
- 2025-11-27 | Confirm ExportCenter manifest alignment | Use generatedAt fallback if field names diverge |

32
docs/implplan/SPRINT_0150_0001_0003_mirror_orch.md Normal file
View File

@@ -0,0 +1,32 @@
# Sprint 0150_0001_0003 · Mirror Orchestrator Hooks
## Topic & Scope
- Capture orchestrator/export hook requirements for mirror bundle readiness events (EXPORT-MIRROR-ORCH-1501).
- Ensure CLI/export automation can consume mirror bundle notifications without embedding Ops tasks in dev sprints.
- **Working directory:** `docs/implplan` (coordination only).
## Dependencies & Concurrency
- Depends on mirror DSSE revision (done) and time-anchor contract; otherwise independent.
- Can run in parallel with ExportCenter schema finalization; outputs are coordination docs.
## Documentation Prerequisites
- docs/modules/orchestrator/architecture.md
- docs/modules/export-center/architecture.md
- docs/implplan/updates/2025-11-24-mirror-dsse-rev-1501.md
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | EXPORT-MIRROR-ORCH-1501 | DONE (2025-11-24) | Hook note published at `docs/implplan/updates/2025-11-24-export-mirror-orch-1501.md` | Exporter Guild · CLI Guild | Define orchestrator/export hook payload for mirror bundle ready events and CLI consumption. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-24 | Created sprint; documented orchestrator hook payload; marked task DONE. | Project Mgmt |
## Decisions & Risks
- Decision: emit `mirror.ready` event with fields `{bundleId,generation,generatedAt,dsseDigest,manifestDigest,location}`; optional `rekorUUID`.
- Risk: ExportCenter may alter manifest field names; update hook schema when v1.1 finalizes.
## Next Checkpoints
- 2025-11-27 | Align with ExportCenter manifest v1.1; adjust hook payload if needed. | Use backward-compatible aliasing if fields shift |

17
docs/implplan/SPRINT_0154_0001_0001_packsregistry.md
View File

@@ -21,9 +21,9 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | PACKS-REG-41-001 | TODO | Start registry service + migrations. | Packs Registry Guild (`src/PacksRegistry/StellaOps.PacksRegistry`) | Implement registry service, migrations (`packs_index`, `parity_matrix`, provenance docs); upload/list/get; signature verification; RBAC; provenance manifest storage. |
| 2 | PACKS-REG-42-001 | TODO | Depends on 41-001. | Packs Registry Guild | Version lifecycle (promote/deprecate), tenant allowlists, provenance export, signature rotation, audit logs, Offline Kit seed support. |
| 3 | PACKS-REG-43-001 | TODO | Depends on 42-001. | Packs Registry Guild | Registry mirroring, pack signing policies, attestation integration, compliance dashboards; integrate with Export Center. |
| 1 | PACKS-REG-41-001 | DONE (2025-11-25) | Start registry service + migrations. | Packs Registry Guild (`src/PacksRegistry/StellaOps.PacksRegistry`) | Implement registry service, migrations (`packs_index`, `parity_matrix`, provenance docs); upload/list/get; signature verification; RBAC; provenance manifest storage. |
| 2 | PACKS-REG-42-001 | DONE (2025-11-25) | Depends on 41-001. | Packs Registry Guild | Version lifecycle (promote/deprecate), tenant allowlists, provenance export, signature rotation, audit logs, Offline Kit seed support. |
| 3 | PACKS-REG-43-001 | DONE (2025-11-25) | Depends on 42-001. | Packs Registry Guild | Registry mirroring, pack signing policies, attestation integration, compliance dashboards; integrate with Export Center. |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -31,6 +31,17 @@
| 2025-11-08 | Sprint stub created; awaiting staffing. | Planning |
| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_154_packsregistry.md` to `SPRINT_0154_0001_0001_packsregistry.md`; content preserved. | Implementer |
| 2025-11-19 | Added legacy-file redirect stub to avoid divergent updates. | Implementer |
| 2025-11-24 | Started PACKS-REG-41-001: added core pack service with hash verification, in-memory + file repos, WebService endpoints for upload/list/get/content download; tests cover upload/list/content + signature failure. RBAC, migrations, and real signature verification remain pending. | Implementer |
| 2025-11-24 | Added API-key guard, RSA signature verifier option, tenant checks, provenance upload/digest/storage, and `/provenance` download; integration + RSA verifier tests added. | Implementer |
| 2025-11-24 | Exposed digest headers on downloads, added manifest endpoint, health check, and documented auth/tenant rules in PacksRegistry AGENTS. | Implementer |
| 2025-11-24 | Added Mongo option with initializer ensuring packs/blobs/parity collections + indexes; configurable collections via PacksRegistry:Mongo. | Implementer |
| 2025-11-24 | Added Pack Manifest OpenAPI stub (`src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/OpenApi/pack-manifest.openapi.json`) covering manifest response/auth headers. | Implementer |
| 2025-11-24 | Added parity matrix scaffolding: parity model/service/repos (memory/file/mongo) and endpoints `/api/v1/packs/{id}/parity` (GET/POST) with auth/tenant enforcement; tests updated. | Implementer |
| 2025-11-24 | Added packs OpenAPI stub (`OpenApi/packs.openapi.json`) documenting upload/list/get/content/provenance/manifest/parity endpoints and auth headers. | Implementer |
| 2025-11-25 | Started PACKS-REG-42-001 to add lifecycle/rbac hardening, provenance export, signature rotation, audit logs, and offline seed support. | Implementer |
| 2025-11-25 | Completed PACKS-REG-42-001: lifecycle/parity listing + audit trail repos (file/memory/mongo), signature rotation endpoint, offline-seed zip export with provenance/content, tenant allowlist enforcement on listings, OpenAPI updates; upgraded tests to ASP.NET Core 10 RC and added coverage for exports/rotation. | Implementer |
| 2025-11-25 | Completed PACKS-REG-43-001: attestation storage/download APIs (file/memory/mongo), mirror registry CRUD/sync endpoints, pack signing policy option, compliance summary endpoint, OpenAPI v0.3 updated; all tests green. | Implementer |
| 2025-11-25 | Closed PACKS-REG-41-001 after migrations, RBAC, signature verification, digest headers, and content/provenance storage completed. | Implementer |
## Decisions & Risks
- Registry relies on upstream pack metadata/graph contracts; keep schema aligned before migrations run.

30
docs/implplan/SPRINT_0157_0001_0001_taskrunner_i.md
View File

@@ -19,24 +19,25 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | TASKRUN-41-001 | TODO | Bootstrap service + migrations. | Task Runner Guild (`src/TaskRunner/StellaOps.TaskRunner`) | Define migrations (`pack_runs`, `pack_run_logs`, `pack_artifacts`); implement run API (create/get/log stream), local executor, approvals pause, artifact capture, provenance manifest generation. |
| 2 | TASKRUN-AIRGAP-56-001 | TODO | Depends on 41-001. | Task Runner Guild · AirGap Policy Guild | Enforce plan-time validation rejecting non-allowlisted network calls in sealed mode; surface remediation errors. |
| 3 | TASKRUN-AIRGAP-56-002 | TODO | Depends on 56-001. | Task Runner Guild · AirGap Importer Guild | Add helper steps for bundle ingestion (checksum verification, staging to object store) with deterministic outputs. |
| 4 | TASKRUN-AIRGAP-57-001 | TODO | Depends on 56-002. | Task Runner Guild · AirGap Controller Guild | Refuse to execute plans when environment sealed=false but declared sealed install; emit advisory timeline events. |
| 5 | TASKRUN-AIRGAP-58-001 | TODO | Depends on 57-001. | Task Runner Guild · Evidence Locker Guild | Capture bundle import job transcripts, hashed inputs/outputs into portable evidence bundles. |
| 6 | TASKRUN-42-001 | TODO | Continue execution engine upgrades (loops/conditionals/maxParallel), simulation mode, policy gate integration, deterministic failure recovery. | Task Runner Guild (`src/TaskRunner/StellaOps.TaskRunner`) | Execution engine enhancements + simulation API/CLI. |
| 7 | TASKRUN-OAS-61-001 | TODO | Document APIs once run endpoints stable. | Task Runner Guild · API Contracts Guild | Document TaskRunner APIs (pack runs, logs, approvals) with streaming schemas/examples. |
| 8 | TASKRUN-OAS-61-002 | TODO | Depends on 61-001. | Task Runner Guild | Expose `GET /.well-known/openapi` returning signed spec metadata, build version, ETag. |
| 9 | TASKRUN-OAS-62-001 | TODO | Depends on 61-002. | Task Runner Guild · SDK Generator Guild | SDK examples for pack run lifecycle; streaming log helpers; paginator wrappers. |
| 10 | TASKRUN-OAS-63-001 | TODO | Depends on 62-001. | Task Runner Guild · API Governance Guild | Sunset/deprecation headers + notifications for legacy pack APIs. |
| 11 | TASKRUN-OBS-50-001 | TODO | Telemetry core adoption. | Task Runner Guild | Add telemetry core in host + worker; spans/logs include `trace_id`, `tenant_id`, `run_id`, scrubbed transcripts. |
| 12 | TASKRUN-OBS-51-001 | TODO | Depends on 50-001. | Task Runner Guild · DevOps Guild | Metrics for step latency, retries, queue depth, sandbox resource usage; define SLOs; burn-rate alerts. |
| 13 | TASKRUN-OBS-52-001 | TODO | Depends on 51-001. | Task Runner Guild | Timeline events for pack runs (`pack.started`, `pack.step.completed`, `pack.failed`) with evidence pointers/policy context; dedupe + retry. |
| 14 | TASKRUN-OBS-53-001 | TODO | Depends on 52-001. | Task Runner Guild · Evidence Locker Guild | Capture step transcripts, artifact manifests, environment digests, policy approvals into evidence locker snapshots; ensure redaction + hash chain. |
| 1 | TASKRUN-AIRGAP-56-001 | TODO | Depends on TASKRUN-41-001. | Task Runner Guild · AirGap Policy Guild | Enforce plan-time validation rejecting non-allowlisted network calls in sealed mode; surface remediation errors. |
| 2 | TASKRUN-AIRGAP-56-002 | TODO | Depends on 56-001. | Task Runner Guild · AirGap Importer Guild | Add helper steps for bundle ingestion (checksum verification, staging to object store) with deterministic outputs. |
| 3 | TASKRUN-AIRGAP-57-001 | TODO | Depends on 56-002. | Task Runner Guild · AirGap Controller Guild | Refuse to execute plans when environment sealed=false but declared sealed install; emit advisory timeline events. |
| 4 | TASKRUN-AIRGAP-58-001 | TODO | Depends on 57-001. | Task Runner Guild · Evidence Locker Guild | Capture bundle import job transcripts, hashed inputs/outputs into portable evidence bundles. |
| 5 | TASKRUN-42-001 | TODO | Continue execution engine upgrades (loops/conditionals/maxParallel), simulation mode, policy gate integration, deterministic failure recovery. | Task Runner Guild (`src/TaskRunner/StellaOps.TaskRunner`) | Execution engine enhancements + simulation API/CLI. |
| 6 | TASKRUN-OAS-61-001 | TODO | Document APIs once run endpoints stable. | Task Runner Guild · API Contracts Guild | Document TaskRunner APIs (pack runs, logs, approvals) with streaming schemas/examples. |
| 7 | TASKRUN-OAS-61-002 | TODO | Depends on 61-001. | Task Runner Guild | Expose `GET /.well-known/openapi` returning signed spec metadata, build version, ETag. |
| 8 | TASKRUN-OAS-62-001 | TODO | Depends on 61-002. | Task Runner Guild · SDK Generator Guild | SDK examples for pack run lifecycle; streaming log helpers; paginator wrappers. |
| 9 | TASKRUN-OAS-63-001 | TODO | Depends on 62-001. | Task Runner Guild · API Governance Guild | Sunset/deprecation headers + notifications for legacy pack APIs. |
| 10 | TASKRUN-OBS-50-001 | TODO | Telemetry core adoption. | Task Runner Guild | Add telemetry core in host + worker; spans/logs include `trace_id`, `tenant_id`, `run_id`, scrubbed transcripts. |
| 11 | TASKRUN-OBS-51-001 | TODO | Depends on 50-001. | Task Runner Guild · DevOps Guild | Metrics for step latency, retries, queue depth, sandbox resource usage; define SLOs; burn-rate alerts. |
| 12 | TASKRUN-OBS-52-001 | TODO | Depends on 51-001. | Task Runner Guild | Timeline events for pack runs (`pack.started`, `pack.step.completed`, `pack.failed`) with evidence pointers/policy context; dedupe + retry. |
| 13 | TASKRUN-OBS-53-001 | TODO | Depends on 52-001. | Task Runner Guild · Evidence Locker Guild | Capture step transcripts, artifact manifests, environment digests, policy approvals into evidence locker snapshots; ensure redaction + hash chain. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Moved TASKRUN-41-001 to new Sprint 0157-0001-0002 (blockers) to keep active sprint focused on implementable items; dependencies in rows 14 remain until 41-001 unblocks. | Project Mgmt |
| 2025-11-25 | Marked TASKRUN-41-001 BLOCKED: TaskRunner architecture/API contracts not published; upstream Sprint 120/130/140 inputs required before implementation. Status mirrored to tasks-all. | Project Mgmt |
| 2025-11-04 | Resumed TASKRUN-42-001: scoped execution engine upgrades (loops/conditionals/maxParallel), simulation mode, policy gate integration, deterministic failure recovery. | Task Runner Guild |
| 2025-11-04 | Worker/WebService wiring in place: execution graph honors `maxParallel`/`continueOnError`, retry windows persisted, simulation API exposed. | Task Runner Guild |
| 2025-11-04 | Continued TASKRUN-42-001: cleaning persistence anomalies, validating retry metadata, wiring simulation preview into CLI surface. | Task Runner Guild |
@@ -47,6 +48,7 @@
## Decisions & Risks
- Execution engine contract must remain deterministic; avoid uncontrolled parallelism until SLOs/telemetry validated.
- Air-gap enforcement depends on policy/airgap contracts; keep sealed-mode validation strict before enabling helper steps.
- BLOCKER: TaskRunner architecture/API contract (Sprint 120/130/140 inputs) not yet published; 41-001 and downstream items cannot start until provided.
## Next Checkpoints
- Schedule kickoff after confirming upstream Sprint 120/130/140 inputs (date TBD).

30
docs/implplan/SPRINT_0157_0001_0002_taskrunner_blockers.md Normal file
View File

@@ -0,0 +1,30 @@
# Sprint 0157-0001-0002 · TaskRunner Blockers
## Topic & Scope
- Track the TaskRunner bootstrap task that remains BLOCKED after Sprint 0157-0001-0001 cleanup.
- Keep dependency visibility for downstream air-gap/OAS/OBS work.
- **Working directory:** `src/TaskRunner/StellaOps.TaskRunner`.
## Dependencies & Concurrency
- Upstream: architecture/API contracts from Sprint 120/130/140.
- No additional tasks may start until TASKRUN-41-001 unblocks; this sprint remains single-threaded.
## Documentation Prerequisites
- `docs/modules/platform/architecture-overview.md`
- `src/TaskRunner/StellaOps.TaskRunner/AGENTS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | TASKRUN-41-001 | BLOCKED | Missing architecture/API contracts; awaiting upstream Sprint 120/130/140 inputs. | Task Runner Guild (`src/TaskRunner/StellaOps.TaskRunner`) | Define migrations (`pack_runs`, `pack_run_logs`, `pack_artifacts`); implement run API (create/get/log stream), local executor, approvals pause, artifact capture, provenance manifest generation. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Carried forward TASKRUN-41-001 from Sprint 0157-0001-0001; awaiting upstream contracts before starting implementation. | Project Mgmt |
## Decisions & Risks
- Blocked until TaskRunner contracts are published; downstream air-gap/OAS/OBS tasks remain gated.
## Next Checkpoints
- Align with upstream Sprint 120/130/140 contract drop (date TBD).

18
docs/implplan/SPRINT_0201_0001_0001_cli_i.md
View File

@@ -25,18 +25,18 @@
| 3 | CLI-AIAI-31-001 | DONE (2025-11-24) | Tests green in `src/Cli/__Tests/StellaOps.Cli.Tests` | DevEx/CLI Guild | Implement `stella advise summarize` command with JSON/Markdown outputs and citation display. |
| 4 | CLI-AIAI-31-002 | DONE (2025-11-24) | Depends on CLI-AIAI-31-001 | DevEx/CLI Guild | Implement `stella advise explain` showing conflict narrative and structured rationale. |
| 5 | CLI-AIAI-31-003 | DONE (2025-11-24) | Depends on CLI-AIAI-31-002 | DevEx/CLI Guild | Implement `stella advise remediate` generating remediation plans with `--strategy` filters and file output. |
| 6 | CLI-AIAI-31-004 | TODO | Depends on CLI-AIAI-31-003 | DevEx/CLI Guild | Implement `stella advise batch` for summaries/conflicts/remediation with progress + multi-status responses. |
| 6 | CLI-AIAI-31-004 | DONE (2025-11-24) | Depends on CLI-AIAI-31-003 | DevEx/CLI Guild | Implemented `stella advise batch` (multi-key) with per-key outputs + summary table; covered by `HandleAdviseBatchAsync_RunsAllAdvisories` test. |
| 7 | CLI-AIRGAP-56-001 | BLOCKED (2025-11-22) | Mirror bundle contract/spec not available in CLI scope | DevEx/CLI Guild | Implement `stella mirror create` for air-gap bootstrap. |
| 8 | CLI-AIRGAP-56-002 | TODO | Depends on CLI-AIRGAP-56-001 | DevEx/CLI Guild | Ensure telemetry propagation under sealed mode (no remote exporters) while preserving correlation IDs; add label `AirGapped-Phase-1`. |
| 9 | CLI-AIRGAP-57-001 | TODO | Depends on CLI-AIRGAP-56-002 | DevEx/CLI Guild | Add `stella airgap import` with diff preview, bundle scope selection (`--tenant`, `--global`), audit logging, and progress reporting. |
| 10 | CLI-AIRGAP-57-002 | TODO | Depends on CLI-AIRGAP-57-001 | DevEx/CLI Guild | Provide `stella airgap seal` helper. |
| 11 | CLI-AIRGAP-58-001 | TODO | Depends on CLI-AIRGAP-57-002 | DevEx/CLI Guild · Evidence Locker Guild | Implement `stella airgap export evidence` helper for portable evidence packages, including checksum manifest and verification. |
| 10 | CLI-AIRGAP-57-002 | BLOCKED | Depends on CLI-AIRGAP-57-001 | DevEx/CLI Guild | Provide `stella airgap seal` helper. Blocked: upstream 57-001. |
| 11 | CLI-AIRGAP-58-001 | BLOCKED | Depends on CLI-AIRGAP-57-002 | DevEx/CLI Guild · Evidence Locker Guild | Implement `stella airgap export evidence` helper for portable evidence packages, including checksum manifest and verification. Blocked: upstream 57-002. |
| 12 | CLI-ATTEST-73-001 | BLOCKED (2025-11-22) | CLI build currently fails on Scanner analyzer projects; attestor SDK transport contract not wired into CLI yet | CLI Attestor Guild | Implement `stella attest sign` (payload selection, subject digest, key reference, output format) using official SDK transport. |
| 13 | CLI-ATTEST-73-002 | TODO | Depends on CLI-ATTEST-73-001 | CLI Attestor Guild | Implement `stella attest verify` with policy selection, explainability output, and JSON/table formatting. |
| 14 | CLI-ATTEST-74-001 | TODO | Depends on CLI-ATTEST-73-002 | CLI Attestor Guild | Implement `stella attest list` with filters (subject, type, issuer, scope) and pagination. |
| 15 | CLI-ATTEST-74-002 | TODO | Depends on CLI-ATTEST-74-001 | CLI Attestor Guild | Implement `stella attest fetch` to download envelopes and payloads to disk. |
| 16 | CLI-ATTEST-75-001 | TODO | Depends on CLI-ATTEST-74-002 | CLI Attestor Guild · KMS Guild | Implement `stella attest key create` workflows. |
| 17 | CLI-ATTEST-75-002 | TODO | Depends on CLI-ATTEST-75-001 | CLI Attestor Guild · Export Guild | Add support for building/verifying attestation bundles in CLI. |
| 13 | CLI-ATTEST-73-002 | BLOCKED | Depends on CLI-ATTEST-73-001 | CLI Attestor Guild | Implement `stella attest verify` with policy selection, explainability output, and JSON/table formatting. Blocked: upstream 73-001 contract. |
| 14 | CLI-ATTEST-74-001 | BLOCKED | Depends on CLI-ATTEST-73-002 | CLI Attestor Guild | Implement `stella attest list` with filters (subject, type, issuer, scope) and pagination. Blocked: upstream 73-002. |
| 15 | CLI-ATTEST-74-002 | BLOCKED | Depends on CLI-ATTEST-74-001 | CLI Attestor Guild | Implement `stella attest fetch` to download envelopes and payloads to disk. Blocked: upstream 74-001. |
| 16 | CLI-ATTEST-75-001 | BLOCKED | Depends on CLI-ATTEST-74-002 | CLI Attestor Guild · KMS Guild | Implement `stella attest key create` workflows. Blocked: upstream 74-002. |
| 17 | CLI-ATTEST-75-002 | BLOCKED | Depends on CLI-ATTEST-75-001 | CLI Attestor Guild · Export Guild | Add support for building/verifying attestation bundles in CLI. Blocked: upstream 75-001. |
| 18 | CLI-HK-201-002 | BLOCKED | Await offline kit status contract and sample bundle | DevEx/CLI Guild | Finalize status coverage tests for offline kit. |
## Wave Coordination
@@ -70,6 +70,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Marked CLI-AIRGAP-56-002/57-001/57-002/58-001 and CLI-ATTEST-73-002/74-001/74-002/75-001/75-002 BLOCKED (waiting on mirror bundle contract/spec and attestor SDK transport); statuses synced to tasks-all. | Project Mgmt |
| 2025-11-19 | Artefact drops published for guardrails CLI-VULN-29-001 and CLI-VEX-30-001. | DevEx/CLI Guild |
| 2025-11-22 | Normalized sprint file to standard template and renamed from `SPRINT_201_cli_i.md`; carried existing content. | Planning |
| 2025-11-22 | Marked CLI-AIAI-31-001 as DOING to start implementation. | DevEx/CLI Guild |
@@ -83,3 +84,4 @@
| 2025-11-24 | Added `stella advise explain` and `stella advise remediate` commands; stub backend now returns offline status; CLI advisory commands write output to console and file. `dotnet test` for `src/Cli/__Tests/StellaOps.Cli.Tests` passes (102/102). | DevEx/CLI Guild |
| 2025-11-24 | Added `stella advise batch` (multi-key runner) and new conflict/remediation tests. Partial local test runs attempted; full suite build is long—run `dotnet test src/Cli/__Tests/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj` in CI for confirmation. | DevEx/CLI Guild |
| 2025-11-24 | Added console/JSON output for advisory markdown and offline kit status; StubBackendClient now returns offline status. `dotnet test` for `src/Cli/__Tests/StellaOps.Cli.Tests` passes (100/100), clearing the CLI-AIAI-31-001 build blocker. | DevEx/CLI Guild |
| 2025-11-24 | Verified advise batch implementation and marked CLI-AIAI-31-004 DONE; coverage via `HandleAdviseBatchAsync_RunsAllAdvisories` test. | DevEx/CLI Guild |

3
docs/implplan/SPRINT_0401_0001_0001_reachability_evidence_chain.md
View File

@@ -43,7 +43,7 @@
| 8 | SIGNALS-RUNTIME-401-002 | TODO | Wait for Signals ingestion contract from upstream runtime work. | Signals Guild (`src/Signals/StellaOps.Signals`) | Ship `/signals/runtime-facts` ingestion for NDJSON/gzip, dedupe hits, link evidence CAS URIs to callgraph nodes; include retention/RBAC tests. |
| 9 | RUNTIME-PROBE-401-010 | TODO | Depends on probe collectors; align with ingestion endpoint. | Runtime Signals Guild (`src/Signals/StellaOps.Signals.Runtime`, `ops/probes`) | Implement lightweight runtime probes (EventPipe/JFR) emitting CAS traces feeding Signals ingestion. |
| 10 | SIGNALS-SCORING-401-003 | TODO | Needs runtime hit feeds from 8/9; confirm scoring weights. | Signals Guild (`src/Signals/StellaOps.Signals`) | Extend ReachabilityScoringService with deterministic scoring, persist labels, expose `/graphs/{scanId}` CAS lookups. |
| 11 | REPLAY-401-004 | TODO | Requires CAS registration policy from GAP-REP-004. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`) | Bump replay manifest to v2, enforce CAS registration + hash sorting in ReachabilityReplayWriter, add deterministic tests. |
| 11 | REPLAY-401-004 | BLOCKED | Requires CAS registration policy from GAP-REP-004. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`) | Bump replay manifest to v2, enforce CAS registration + hash sorting in ReachabilityReplayWriter, add deterministic tests. |
| 12 | AUTH-REACH-401-005 | TODO | Blocked on DSSE predicate definitions; align with Signer. | Authority & Signer Guilds (`src/Authority/StellaOps.Authority`, `src/Signer/StellaOps.Signer`) | Introduce DSSE predicate types for SBOM/Graph/VEX/Replay, plumb signing, mirror statements to Rekor (incl. PQ variants). |
| 13 | POLICY-VEX-401-006 | TODO | Needs reachability facts from Signals and thresholds confirmation. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy`) | Consume reachability facts, bucket scores, emit OpenVEX with call-path proofs, update SPL schema with reachability predicates and suppression gates. |
| 14 | POLICY-VEX-401-010 | TODO | Depends on 13 and DSSE path; follow bench playbook. | Policy Guild (`src/Policy/StellaOps.Policy.Engine/Vex`, `docs/modules/policy/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | Implement VexDecisionEmitter to serialize per-finding OpenVEX, attach evidence hashes, request DSSE signatures, capture Rekor metadata. |
@@ -136,6 +136,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Marked REPLAY-401-004 BLOCKED: awaiting CAS registration policy (GAP-REP-004) and Signals runtime facts (SGSI0101) before replay manifest v2 can proceed; mirrored to tasks-all. | Project Mgmt |
| 2025-11-23 | Added R6 to enforce runnable bench/dataset artifacts; noted supersedes/extends text in moat/competitive docs. | Planning |
| 2025-11-23 | Added bench/dataset code-reference docs (`docs/benchmarks/signals/bench-determinism.md`, corpus plan update); updated tasks 5761 links. | Planning |
| 2025-11-23 | Added competitive + reachability moat docs (`docs/market/competitive-landscape.md`, `docs/reachability/lead.md`) and linked sprint narrative to them. | Planning |

2
docs/implplan/SPRINT_124_policy_reasoning.md
View File

@@ -23,6 +23,7 @@ Focus: Policy & Reasoning focus on Policy (phase II).
| 10 | POLICY-ENGINE-27-001 | TODO | Extend compile outputs to include rule coverage metadata, symbol table, inline documentation, and rule index for editor autocomplete; persist deterministic hashes (Deps: POLICY-ENGINE-20-009) | Policy Guild / src/Policy/StellaOps.Policy.Engine |
| 11 | POLICY-ENGINE-27-002 | TODO | Enhance simulate endpoints to emit rule firing counts, heatmap aggregates, sampled explain traces with deterministic ordering, and delta summaries for quick/batch sims (Deps: POLICY-ENGINE-27-001) | Policy Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine |
| 12 | POLICY-ENGINE-29-001 | TODO | Implement batch evaluation endpoint (`POST /policy/eval/batch`) returning determinations + rationale chain for sets of `(artifact,purl,version,advisory)` tuples; support pagination and cost budgets (Deps: POLICY-ENGINE-27-004) | Policy Guild / src/Policy/StellaOps.Policy.Engine |
| 13 | POLICY-ENGINE-27-004 | DONE (2025-10-19) | Completed in Sprint 120; see archived tasks note. | Policy Guild / src/Policy/StellaOps.Policy.Engine | Update golden/property tests to cover coverage metadata, symbol tables, explain traces, and complexity limits; provide fixtures for Registry/Console integration. |
| 13 | POLICY-ENGINE-29-002 | TODO | Provide streaming simulation API comparing two policy versions, returning per-finding deltas without writes; align determinism with Vuln Explorer simulation (Deps: POLICY-ENGINE-29-001) | Policy Guild, Findings Ledger Guild / src/Policy/StellaOps.Policy.Engine |
## Execution Log
@@ -30,3 +31,4 @@ Focus: Policy & Reasoning focus on Policy (phase II).
| --- | --- | --- |
| 2025-11-20 | Published deterministic evaluator prep note (`docs/modules/policy/prep/2025-11-20-policy-engine-20-002-prep.md`); set PREP-POLICY-ENGINE-20-002 to DONE. | Implementer |
| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
| 2025-11-25 | Reconciled POLICY-ENGINE-27-004 as DONE (completed 2025-10-19 in Sprint 120); added to Delivery Tracker for traceability. | Project Mgmt |

89
docs/implplan/SPRINT_129_policy_reasoning.md
View File

@@ -1,89 +0,0 @@
# Sprint 129 - Policy & Reasoning
_Last updated: November 8, 2025. Implementation order is DOING → TODO → BLOCKED._
Focus areas below were split out of the previous combined sprint; execute sections in order unless noted.
## Policy.VII
Dependency: Sprint 120.C - Policy.VI (must land before this track).
Focus: Policy & Reasoning focus on Policy (phase VII).
| # | Task ID & handle | State | Key dependency / next step | Owners |
| --- | --- | --- | --- | --- |
| 1 | POLICY-TEN-48-001 | TODO | Add `tenant_id`/`project_id` columns, enable RLS, update evaluators to require tenant context, and emit rationale IDs including tenant metadata | Policy Guild / src/Policy/StellaOps.Policy.Engine |
| 2 | REGISTRY-API-27-001 | TODO | Define OpenAPI specification covering workspaces, versions, reviews, simulations, promotions, and attestations; publish typed clients for Console/CLI | Policy Registry Guild / src/Policy/StellaOps.Policy.Registry |
| 3 | REGISTRY-API-27-002 | TODO | Implement workspace storage (Mongo collections, object storage buckets) with CRUD endpoints, diff history, and retention policies (Deps: REGISTRY-API-27-001) | Policy Registry Guild / src/Policy/StellaOps.Policy.Registry |
| 4 | REGISTRY-API-27-003 | TODO | Integrate compile endpoint: forward source bundle to Policy Engine, persist diagnostics, symbol table, rule index, and complexity metrics (Deps: REGISTRY-API-27-002) | Policy Registry Guild / src/Policy/StellaOps.Policy.Registry |
| 5 | REGISTRY-API-27-004 | TODO | Implement quick simulation API with request limits (sample size, timeouts), returning counts, heatmap, sampled explains (Deps: REGISTRY-API-27-003) | Policy Registry Guild / src/Policy/StellaOps.Policy.Registry |
| 6 | REGISTRY-API-27-005 | TODO | Build batch simulation orchestration: enqueue shards, collect partials, reduce deltas, produce evidence bundles + signed manifest (Deps: REGISTRY-API-27-004) | Policy Registry Guild, Scheduler Guild / src/Policy/StellaOps.Policy.Registry |
| 7 | REGISTRY-API-27-006 | TODO | Implement review workflow (comments, votes, required approvers, status transitions) with audit trails and webhooks (Deps: REGISTRY-API-27-005) | Policy Registry Guild / src/Policy/StellaOps.Policy.Registry |
| 8 | REGISTRY-API-27-007 | TODO | Implement publish pipeline: sign source/compiled digests, create attestations, mark version immutable, emit events (Deps: REGISTRY-API-27-006) | Policy Registry Guild, Security Guild / src/Policy/StellaOps.Policy.Registry |
| 9 | REGISTRY-API-27-008 | TODO | Implement promotion bindings per tenant/environment with canary subsets, rollback path, and environment history (Deps: REGISTRY-API-27-007) | Policy Registry Guild / src/Policy/StellaOps.Policy.Registry |
| 10 | REGISTRY-API-27-009 | TODO | Instrument metrics/logs/traces (compile time, diagnostics rate, sim queue depth, approval latency) and expose dashboards (Deps: REGISTRY-API-27-008) | Policy Registry Guild, Observability Guild / src/Policy/StellaOps.Policy.Registry |
| 11 | REGISTRY-API-27-010 | TODO | Build unit/integration/load test suites for compile/sim/review/publish/promote flows; provide seeded fixtures for CI (Deps: REGISTRY-API-27-009) | Policy Registry Guild, QA Guild / src/Policy/StellaOps.Policy.Registry |
## RiskEngine
Dependency: Sprint 110.A - AdvisoryAI (must land before this track).
Focus: Policy & Reasoning focus on RiskEngine).
| # | Task ID & handle | State | Key dependency / next step | Owners |
| --- | --- | --- | --- | --- |
| 1 | RISK-ENGINE-66-001 | TODO | Scaffold scoring service (job queue, worker loop, provider registry) with deterministic execution harness | Risk Engine Guild / src/RiskEngine/StellaOps.RiskEngine |
| 2 | RISK-ENGINE-66-002 | TODO | Implement default transforms (linear, minmax, logistic, piecewise), clamping, gating, and contribution calculator (Deps: RISK-ENGINE-66-001) | Risk Engine Guild / src/RiskEngine/StellaOps.RiskEngine |
| 3 | RISK-ENGINE-67-001 | TODO | Integrate CVSS and KEV providers pulling data from Conseiller; implement reducers (`max`, `any`, `consensus`) (Deps: RISK-ENGINE-66-002) | Risk Engine Guild, Concelier Guild / src/RiskEngine/StellaOps.RiskEngine |
| 4 | RISK-ENGINE-67-002 | TODO | Integrate VEX gate provider and ensure gating short-circuits scoring as configured (Deps: RISK-ENGINE-67-001) | Risk Engine Guild, Excitor Guild / src/RiskEngine/StellaOps.RiskEngine |
| 5 | RISK-ENGINE-67-003 | TODO | Add fix availability, asset criticality, and internet exposure providers with caching + TTL enforcement (Deps: RISK-ENGINE-67-002) | Risk Engine Guild, Policy Engine Guild / src/RiskEngine/StellaOps.RiskEngine |
| 6 | RISK-ENGINE-68-001 | TODO | Persist scoring results + explanation pointers to Findings Ledger; handle incremental updates via input hash (Deps: RISK-ENGINE-67-003) | Risk Engine Guild, Findings Ledger Guild / src/RiskEngine/StellaOps.RiskEngine |
| 7 | RISK-ENGINE-68-002 | TODO | Expose APIs (`/risk/jobs`, `/risk/results`, `/risk/results/{id}/explanation`); include pagination, filtering, error codes (Deps: RISK-ENGINE-68-001) | Risk Engine Guild, API Guild / src/RiskEngine/StellaOps.RiskEngine |
| 8 | RISK-ENGINE-69-001 | TODO | Implement simulation mode producing distributions and top movers without mutating ledger (Deps: RISK-ENGINE-68-002) | Risk Engine Guild, Policy Studio Guild / src/RiskEngine/StellaOps.RiskEngine |
| 9 | RISK-ENGINE-69-002 | TODO | Add telemetry (spans, metrics, logs) for provider latency, job throughput, cache hits; define SLO dashboards (Deps: RISK-ENGINE-69-001) | Risk Engine Guild, Observability Guild / src/RiskEngine/StellaOps.RiskEngine |
| 10 | RISK-ENGINE-70-001 | TODO | Support offline provider bundles with manifest verification and missing-data reporting (Deps: RISK-ENGINE-69-002) | Risk Engine Guild, Export Guild / src/RiskEngine/StellaOps.RiskEngine |
| 11 | RISK-ENGINE-70-002 | TODO | Integrate runtime evidence provider and reachability provider outputs with caching + TTL (Deps: RISK-ENGINE-70-001) | Risk Engine Guild, Observability Guild / src/RiskEngine/StellaOps.RiskEngine |
## VexLens.I
Dependency: Sprint 110.A - AdvisoryAI (must land before this track).
Focus: Policy & Reasoning focus on VexLens (phase I).
| # | Task ID & handle | State | Key dependency / next step | Owners |
| --- | --- | --- | --- | --- |
| 1 | VEXLENS-30-001 | TODO | Implement normalization pipeline for CSAF VEX, OpenVEX, CycloneDX VEX (status mapping, justification mapping, product tree parsing) | VEX Lens Guild / src/VexLens/StellaOps.VexLens |
| 2 | VEXLENS-30-002 | TODO | Build product mapping library (CPE/CPE2.3/vendor tokens → purl/version) with scope quality scoring and path metadata (Deps: VEXLENS-30-001) | VEX Lens Guild / src/VexLens/StellaOps.VexLens |
| 3 | VEXLENS-30-003 | TODO | Integrate signature verification (Ed25519, DSSE, PKIX) using issuer keys, annotate evidence with verification state and failure reasons (Deps: VEXLENS-30-002) | VEX Lens Guild, Issuer Directory Guild / src/VexLens/StellaOps.VexLens |
| 4 | VEXLENS-30-004 | TODO | Implement trust weighting engine (issuer base weights, signature modifiers, recency decay, justification modifiers, scope score adjustments) controlled by policy config (Deps: VEXLENS-30-003) | VEX Lens Guild, Policy Guild / src/VexLens/StellaOps.VexLens |
| 5 | VEXLENS-30-005 | TODO | Implement consensus algorithm producing `consensus_state`, `confidence`, `weights`, `quorum`, `rationale`; support states: NOT_AFFECTED, AFFECTED, FIXED, UNDER_INVESTIGATION, DISPUTED, INCONCLUSIVE (Deps: VEXLENS-30-004) | VEX Lens Guild / src/VexLens/StellaOps.VexLens |
| 6 | VEXLENS-30-006 | TODO | Materialize consensus projection storage with idempotent workers triggered by VEX/Policy changes; expose change events for downstream consumers (Deps: VEXLENS-30-005) | VEX Lens Guild, Findings Ledger Guild / src/VexLens/StellaOps.VexLens |
| 7 | VEXLENS-30-007 | TODO | Expose APIs (`/vex/consensus`, `/vex/consensus/query`, `/vex/consensus/{id}`, `/vex/consensus/simulate`, `/vex/consensus/export`) with pagination, cost budgets, and OpenAPI docs (Deps: VEXLENS-30-006) | VEX Lens Guild / src/VexLens/StellaOps.VexLens |
| 8 | VEXLENS-30-008 | TODO | Integrate consensus signals with Policy Engine (thresholds, suppression, simulation inputs) and Vuln Explorer detail view (Deps: VEXLENS-30-007) | VEX Lens Guild, Policy Guild / src/VexLens/StellaOps.VexLens |
| 9 | VEXLENS-30-009 | TODO | Instrument metrics (`vex_consensus_compute_latency`, `vex_consensus_disputed_total`, `vex_signature_verification_rate`), structured logs, and traces; publish dashboards/alerts (Deps: VEXLENS-30-008) | VEX Lens Guild, Observability Guild / src/VexLens/StellaOps.VexLens |
| 10 | VEXLENS-30-010 | TODO | Develop unit/property/integration/load tests (10M records), determinism harness, fuzz testing for malformed product trees (Deps: VEXLENS-30-009) | VEX Lens Guild, QA Guild / src/VexLens/StellaOps.VexLens |
| 11 | VEXLENS-30-011 | TODO | Provide deployment manifests, caching configuration, scaling guides, offline kit seeds, and runbooks (Deps: VEXLENS-30-010) | VEX Lens Guild, DevOps Guild / src/VexLens/StellaOps.VexLens |
| 12 | VEXLENS-AIAI-31-001 | TODO | Expose consensus rationale API enhancements (policy factors, issuer details, mapping issues) for Advisory AI conflict explanations | VEX Lens Guild / src/VexLens/StellaOps.VexLens |
| 13 | VEXLENS-AIAI-31-002 | TODO | Provide caching hooks for consensus lookups used by Advisory AI (batch endpoints, TTL hints) (Deps: VEXLENS-AIAI-31-001) | VEX Lens Guild / src/VexLens/StellaOps.VexLens |
| 14 | VEXLENS-EXPORT-35-001 | TODO | Provide consensus snapshot API delivering deterministic JSONL (state, confidence, provenance) for exporter mirror bundles | VEX Lens Guild / src/VexLens/StellaOps.VexLens |
| 15 | VEXLENS-ORCH-33-001 | TODO | Register `consensus_compute` job type with orchestrator, integrate worker SDK, and expose job planning hooks for consensus batches | VEX Lens Guild / src/VexLens/StellaOps.VexLens |
## VexLens.II
Dependency: Sprint 120.E - VexLens.I (must land before this track).
Focus: Policy & Reasoning focus on VexLens (phase II).
| # | Task ID & handle | State | Key dependency / next step | Owners |
| --- | --- | --- | --- | --- |
| 1 | VEXLENS-ORCH-34-001 | TODO | Emit consensus completion events into orchestrator run ledger and provenance chain, including confidence metadata (Deps: VEXLENS-ORCH-33-001) | VEX Lens Guild / src/VexLens/StellaOps.VexLens |
## VulnExplorer
Dependency: Sprint 110.A - AdvisoryAI (must land before this track).
Focus: Policy & Reasoning focus on VulnExplorer).
| # | Task ID & handle | State | Key dependency / next step | Owners |
| --- | --- | --- | --- | --- |
| 1 | VULN-API-29-001 | TODO | Define OpenAPI spec (list/detail/query/simulation/workflow/export), query JSON schema, pagination/grouping contracts, and error codes | Vuln Explorer API Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api |
| 2 | VULN-API-29-002 | TODO | Implement list/query endpoints with policy parameter, grouping, server paging, caching, and cost budgets (Deps: VULN-API-29-001) | Vuln Explorer API Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api |
| 3 | VULN-API-29-003 | TODO | Implement detail endpoint aggregating evidence, policy rationale, paths (Graph Explorer deep link), and workflow summary (Deps: VULN-API-29-002) | Vuln Explorer API Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api |
| 4 | VULN-API-29-004 | TODO | Expose workflow endpoints (assign, comment, accept-risk, verify-fix, target-fix, reopen) that write ledger events with idempotency + validation (Deps: VULN-API-29-003) | Vuln Explorer API Guild, Findings Ledger Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api |
| 5 | VULN-API-29-005 | TODO | Implement simulation endpoint comparing `policy_from` vs `policy_to`, returning diffs without side effects; hook into Policy Engine batch eval (Deps: VULN-API-29-004) | Vuln Explorer API Guild, Policy Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api |
| 6 | VULN-API-29-006 | TODO | Integrate resolver results with Graph Explorer: include shortest path metadata, line up deep-link parameters, expose `paths` array in details (Deps: VULN-API-29-005) | Vuln Explorer API Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api |
| 7 | VULN-API-29-007 | TODO | Enforce RBAC/ABAC scopes; implement CSRF/anti-forgery checks for Console; secure attachment URLs; audit logging (Deps: VULN-API-29-006) | Vuln Explorer API Guild, Security Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api |
| 8 | VULN-API-29-008 | TODO | Build export orchestrator producing signed bundles (manifest, NDJSON, checksums, signature). Integrate with Findings Ledger for evidence and Policy Engine metadata (Deps: VULN-API-29-007) | Vuln Explorer API Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api |
| 9 | VULN-API-29-009 | TODO | Instrument metrics (`vuln_list_latency`, `vuln_simulation_latency`, `vuln_export_duration`, `vuln_workflow_events_total`), structured logs, and traces; publish dashboards/alerts (Deps: VULN-API-29-008) | Vuln Explorer API Guild, Observability Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api |
| 10 | VULN-API-29-010 | TODO | Provide unit/integration/perf tests (5M findings), fuzz query validation, determinism harness comparing repeated queries (Deps: VULN-API-29-009) | Vuln Explorer API Guild, QA Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api |
| 11 | VULN-API-29-011 | TODO | Package deployment (Helm/Compose), health checks, CI smoke, offline kit steps, and scaling guidance (Deps: VULN-API-29-010) | Vuln Explorer API Guild, DevOps Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api |

13
docs/implplan/SPRINT_171_notifier_i.md
View File

@@ -8,16 +8,16 @@ Summary: Notifications & Telemetry focus on Notifier (phase I).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
NOTIFY-ATTEST-74-001 | DONE (2025-11-16) | Create notification templates for verification failures, expiring attestations, key revocations, and transparency anomalies. | Notifications Service Guild, Attestor Service Guild (src/Notifier/StellaOps.Notifier)
NOTIFY-ATTEST-74-002 | TODO | Wire notifications to key rotation/revocation events and transparency witness failures. Dependencies: NOTIFY-ATTEST-74-001. | Notifications Service Guild, KMS Guild (src/Notifier/StellaOps.Notifier)
NOTIFY-ATTEST-74-002 | DONE (2025-11-24) | Wire notifications to key rotation/revocation events and transparency witness failures. Dependencies: NOTIFY-ATTEST-74-001. | Notifications Service Guild, KMS Guild (src/Notifier/StellaOps.Notifier)
NOTIFY-OAS-61-001 | DONE (2025-11-17) | Update notifier OAS with rules, templates, incidents, quiet hours endpoints using standard error envelope and examples. | Notifications Service Guild, API Contracts Guild (src/Notifier/StellaOps.Notifier)
NOTIFY-OAS-61-002 | DONE (2025-11-17) | Implement `/.well-known/openapi` discovery endpoint with scope metadata. Dependencies: NOTIFY-OAS-61-001. | Notifications Service Guild (src/Notifier/StellaOps.Notifier)
NOTIFY-OAS-62-001 | DONE (2025-11-17) | Provide SDK usage examples for rule CRUD, incident ack, and quiet hours; ensure SDK smoke tests. Dependencies: NOTIFY-OAS-61-002. | Notifications Service Guild, SDK Generator Guild (src/Notifier/StellaOps.Notifier)
NOTIFY-OAS-63-001 | DONE (2025-11-17) | Emit deprecation headers and Notifications templates for retiring notifier APIs. Dependencies: NOTIFY-OAS-62-001. | Notifications Service Guild, API Governance Guild (src/Notifier/StellaOps.Notifier)
NOTIFY-OBS-51-001 | DONE (2025-11-22) | Integrate SLO evaluator webhooks into Notifier rules (burn-rate breaches, health degradations) with templates, routing, and suppression logic. Provide sample policies and ensure imposed rule propagation. | Notifications Service Guild, Observability Guild (src/Notifier/StellaOps.Notifier)
NOTIFY-OBS-55-001 | DONE (2025-11-22) | Publish incident mode start/stop notifications with trace/evidence quick links, retention notes, and automatic escalation paths. Include quiet-hour overrides + legal compliance logging. Dependencies: NOTIFY-OBS-51-001. | Notifications Service Guild, Ops Guild (src/Notifier/StellaOps.Notifier)
NOTIFY-RISK-66-001 | TODO | Add notification triggers for risk severity escalation/downgrade events with profile metadata in payload. | Notifications Service Guild, Risk Engine Guild (src/Notifier/StellaOps.Notifier)
NOTIFY-RISK-67-001 | TODO | Notify stakeholders when risk profiles are published, deprecated, or thresholds change. Dependencies: NOTIFY-RISK-66-001. | Notifications Service Guild, Policy Guild (src/Notifier/StellaOps.Notifier)
NOTIFY-RISK-68-001 | TODO | Support per-profile routing rules, quiet hours, and dedupe for risk alerts; integrate with CLI/Console preferences. Dependencies: NOTIFY-RISK-67-001. | Notifications Service Guild (src/Notifier/StellaOps.Notifier)
NOTIFY-RISK-66-001 | DONE (2025-11-24) | Add notification triggers for risk severity escalation/downgrade events with profile metadata in payload. | Notifications Service Guild, Risk Engine Guild (src/Notifier/StellaOps.Notifier)
NOTIFY-RISK-67-001 | DONE (2025-11-24) | Notify stakeholders when risk profiles are published, deprecated, or thresholds change. Dependencies: NOTIFY-RISK-66-001. | Notifications Service Guild, Policy Guild (src/Notifier/StellaOps.Notifier)
NOTIFY-RISK-68-001 | DONE (2025-11-24) | Support per-profile routing rules, quiet hours, and dedupe for risk alerts; integrate with CLI/Console preferences. Dependencies: NOTIFY-RISK-67-001. | Notifications Service Guild (src/Notifier/StellaOps.Notifier)
NOTIFY-DOC-70-001 | DONE (2025-11-02) | Document the split between legacy `src/Notify` libraries and the new `src/Notifier` runtime, updating architecture docs with rationale/cross-links. | Notifications Service Guild (src/Notifier/StellaOps.Notifier)
NOTIFY-AIRGAP-56-002 | DONE | Provide Bootstrap Pack notifier configurations with deterministic secrets handling and offline validation steps. Dependencies: NOTIFY-AIRGAP-56-001. | Notifications Service Guild, DevOps Guild (src/Notifier/StellaOps.Notifier)
@@ -27,7 +27,8 @@ NOTIFY-AIRGAP-56-002 | DONE | Provide Bootstrap Pack notifier configurations wit
- **NOTIFY-OAS-61/62/63** OAS refresh, discovery endpoint, SDK examples, and deprecation headers are live.
- **NOTIFY-OBS-51-001** SLO webhook sink validated via filtered tests; TRX at `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Tests/TestResults/notifier-slo-tests.trx`.
- **NOTIFY-OBS-55-001** Incident-mode templates + importable rules shipped (`src/Notifier/StellaOps.Notifier/docs/incident-mode-rules.sample.json`); documented in `docs/notifications/templates.md` §8.
- **NOTIFY-RISK-66-001 → NOTIFY-RISK-68-001** Still waiting on POLICY-RISK-40-002 export; remain TODO.
- **NOTIFY-RISK-66-001 → NOTIFY-RISK-68-001** Implemented risk-events endpoint, offline templates, and default routing seeds (bootstrap tenant) covering severity change and profile state events. Throttles applied (510m). Await POLICY-RISK-40-002 export only for richer metadata, not for notifier plumbing.
- **NOTIFY-ATTEST-74-002** Attestation events endpoint added and seeded routing/templates for authority key rotation and transparency witness failures; templates load from offline bundle.
## Milestones & dependencies
@@ -48,3 +49,5 @@ NOTIFY-AIRGAP-56-002 | DONE | Provide Bootstrap Pack notifier configurations wit
| 2025-11-12 19:45 | Synced `docs/notifications/overview.md` and `docs/notifications/rules.md` with the attestation template requirements so operators and rule authors see the mandated keys. | Notifications Service Guild |
| 2025-11-12 20:05 | Added baseline template exports under `offline/notifier/templates/attestation/` (Slack/Email/Webhook variants) to seed Offline Kit bundles. | Notifications Service Guild |
| 2025-11-22 18:30 | Updated tracker: OAS 6163, OBS 51/55, ATTEST 74-001 marked DONE; incident-mode rules/templates published; SLO tests captured at `StellaOps.Notifier.Tests/TestResults/notifier-slo-tests.trx`. Risk tasks remain TODO pending POLICY-RISK-40-002 export. | Notifications Service Guild |
| 2025-11-24 15:20 | Added `/api/v1/notify/risk-events`, seeded risk templates/routes from offline bundle, and added tests for endpoint + seeder. Marked NOTIFY-RISK-66/67/68 DONE. | Notifications Service Guild |
| 2025-11-24 14:05 | Wired attestation event ingestion + routing seed; added tests for template/routing seeds and attestation endpoint publishing to queue. Marked NOTIFY-ATTEST-74-002 DONE. | Notifications Service Guild |

14
docs/implplan/SPRINT_303_docs_tasks_md_iii.md
View File

@@ -9,10 +9,10 @@ Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DOCS-ATTEST-75-001 | TODO | Add `/docs/modules/attestor/airgap.md` for attestation bundles. Dependencies: DOCS-ATTEST-74-004. | Docs Guild, Export Attestation Guild (docs)
DOCS-ATTEST-75-002 | TODO | Update `/docs/security/aoc-invariants.md` with attestation invariants. Dependencies: DOCS-ATTEST-75-001. | Docs Guild, Security Guild (docs)
DOCS-CLI-41-001 | TODO | Publish `/docs/modules/cli/guides/overview.md`, `/docs/modules/cli/guides/configuration.md`, `/docs/modules/cli/guides/output-and-exit-codes.md` with imposed rule statements. | Docs Guild, DevEx/CLI Guild (docs)
DOCS-CLI-42-001 | TODO | Publish `/docs/modules/cli/guides/parity-matrix.md` and command guides under `/docs/modules/cli/guides/commands/*.md` (policy, sbom, vuln, vex, advisory, export, orchestrator, notify, aoc, auth). Dependencies: DOCS-CLI-41-001. | Docs Guild (docs)
DOCS-CLI-FORENSICS-53-001 | TODO | Publish `/docs/modules/cli/guides/forensics.md` for snapshot/verify/attest commands with sample outputs, imposed rule banner, and offline workflows. | Docs Guild, DevEx/CLI Guild (docs)
DOCS-CLI-OBS-52-001 | TODO | Create `/docs/modules/cli/guides/observability.md` detailing `stella obs` commands, examples, exit codes, imposed rule banner, and scripting tips. | Docs Guild, DevEx/CLI Guild (docs)
DOCS-CLI-41-001 | DONE (2025-11-25) | Publish `/docs/modules/cli/guides/overview.md`, `/docs/modules/cli/guides/configuration.md`, `/docs/modules/cli/guides/output-and-exit-codes.md` with imposed rule statements. | Docs Guild, DevEx/CLI Guild (docs)
DOCS-CLI-42-001 | DONE (2025-11-25) | Publish `/docs/modules/cli/guides/parity-matrix.md` and command guides under `/docs/modules/cli/guides/commands/*.md` (policy, sbom, vuln, vex, advisory, export, orchestrator, notify, aoc, auth). Dependencies: DOCS-CLI-41-001. | Docs Guild (docs)
DOCS-CLI-FORENSICS-53-001 | DONE (2025-11-25) | Publish `/docs/modules/cli/guides/forensics.md` for snapshot/verify/attest commands with sample outputs, imposed rule banner, and offline workflows. | Docs Guild, DevEx/CLI Guild (docs)
DOCS-CLI-OBS-52-001 | DONE (2025-11-25) | Create `/docs/modules/cli/guides/observability.md` detailing `stella obs` commands, examples, exit codes, imposed rule banner, and scripting tips. | Docs Guild, DevEx/CLI Guild (docs)
DOCS-CONSOLE-OBS-52-001 | TODO | Document `/docs/console/observability.md` showcasing Observability Hub widgets, trace/log search, imposed rule banner, and accessibility tips. | Docs Guild, Console Guild (docs)
DOCS-CONSOLE-OBS-52-002 | TODO | Publish `/docs/console/forensics.md` covering timeline explorer, evidence viewer, attestation verifier, imposed rule banner, and troubleshooting. Dependencies: DOCS-CONSOLE-OBS-52-001. | Docs Guild, Console Guild (docs)
DOCS-CONTRIB-62-001 | TODO | Publish `/docs/contributing/api-contracts.md` detailing how to edit OAS, lint rules, compatibility checks. | Docs Guild, API Governance Guild (docs)
@@ -22,3 +22,9 @@ DOCS-EXC-25-002 | TODO | Publish `/docs/governance/approvals-and-routing.md` det
DOCS-EXC-25-003 | TODO | Create `/docs/api/exceptions.md` with endpoints, payloads, errors, idempotency notes. Dependencies: DOCS-EXC-25-002. | Docs Guild, BE-Base Platform Guild (docs)
DOCS-EXC-25-005 | TODO | Write `/docs/ui/exception-center.md` with UI walkthrough, badges, accessibility, shortcuts. Dependencies: DOCS-EXC-25-003. | Docs Guild, UI Guild (docs)
DOCS-EXC-25-006 | TODO | Update `/docs/modules/cli/guides/exceptions.md` covering command usage and exit codes. Dependencies: DOCS-EXC-25-005. | Docs Guild, DevEx/CLI Guild (docs)
Update log:
- 2025-11-25 · DOCS-CLI-41-001 delivered: added CLI overview/configuration/output-and-exit-codes guides under `docs/modules/cli/guides/`; status mirrored to tasks-all.
- 2025-11-25 · DOCS-CLI-42-001 delivered: parity matrix plus command guides for policy, sbom, vuln, vex, advisory, export, orchestrator, notify, aoc, auth added under `docs/modules/cli/guides/commands/`; status mirrored to tasks-all.
- 2025-11-25 · DOCS-CLI-OBS-52-001 and DOCS-CLI-FORENSICS-53-001 delivered: added `observability.md` and `forensics.md` under `docs/modules/cli/guides/`; statuses mirrored to tasks-all.
- 2025-11-25 · DOCS-DEVPORT-62-001 delivered: new `docs/devportal/publishing.md` covering build/publish (online/offline), manifests, checksums, deployment targets, and release checklist; status mirrored to tasks-all.

9
docs/implplan/SPRINT_312_docs_modules_advisory_ai.md
View File

@@ -7,6 +7,9 @@ Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - A
Summary: Documentation & Process focus on Docs Modules Advisory Ai).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
ADVISORY-AI-DOCS-0001 | TODO | Align with ./AGENTS.md | Docs Guild (docs/modules/advisory-ai)
ADVISORY-AI-ENG-0001 | TODO | Sync into ../.. | Module Team (docs/modules/advisory-ai)
ADVISORY-AI-OPS-0001 | TODO | Document outputs in ./README.md | Ops Guild (docs/modules/advisory-ai)
ADVISORY-AI-DOCS-0001 | DONE (2025-11-24) | Align with ./AGENTS.md | Docs Guild (docs/modules/advisory-ai)
ADVISORY-AI-ENG-0001 | DONE (2025-11-24) | Sync into ../.. | Module Team (docs/modules/advisory-ai)
ADVISORY-AI-OPS-0001 | DONE (2025-11-24) | Document outputs in ./README.md | Ops Guild (docs/modules/advisory-ai)
Update log:
- 2025-11-24 · Refreshed module README outputs/artefacts, linked dossier from docs/README.md, and added `docs/modules/advisory-ai/TASKS.md` with synced statuses.

9
docs/implplan/SPRINT_317_docs_modules_concelier.md
View File

@@ -8,5 +8,10 @@ Summary: Documentation & Process focus on Docs Modules Concelier).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-DOCS-0001 | DONE (2025-11-05) | Validate that `docs/modules/concelier/README.md` reflects the latest release notes and aggregation toggles. | Docs Guild (docs/modules/concelier)
CONCELIER-OPS-0001 | TODO | Review runbooks/observability assets after the next sprint demo and capture findings inline with sprint notes. | Ops Guild (docs/modules/concelier)
CONCELIER-ENG-0001 | TODO | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md` and update module readiness checkpoints. | Module Team (docs/modules/concelier)
CONCELIER-OPS-0001 | DONE (2025-11-25) | Reviewed observability/runbook set after attestation demo; added 2025-11-25 notes to `operations/observation-events.md` and cache/authority audit readiness checklist. | Ops Guild (docs/modules/concelier)
CONCELIER-ENG-0001 | DONE (2025-11-25) | Cross-checked sprint milestones against current Delivery Tracker; added readiness checkpoints to `implementation_plan.md` and linked Sprint 110 attestation deliverables. | Module Team (docs/modules/concelier)
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Completed CONCELIER-OPS-0001 and CONCELIER-ENG-0001; observability runbooks refreshed and module readiness checkpoints aligned to latest sprints (110, 113116). | Module Team |

8
docs/implplan/SPRINT_501_ops_deployment_i.md
View File

@@ -21,11 +21,11 @@ Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - A
## Delivery Tracker
| Task ID | State | Task description | Owners (Source) |
| --- | --- | --- | --- |
| COMPOSE-44-001 | TODO | Author `docker-compose.yml`, `.env.example`, and `quickstart.sh` with all core services + dependencies (postgres, redis, object-store, queue, otel). | Deployment Guild, DevEx Guild (ops/deployment) |
| COMPOSE-44-001 | BLOCKED | Author `docker-compose.yml`, `.env.example`, and `quickstart.sh` with all core services + dependencies (postgres, redis, object-store, queue, otel). | Deployment Guild, DevEx Guild (ops/deployment) |
| COMPOSE-44-002 | TODO | Implement `backup.sh` and `reset.sh` scripts with safety prompts and documentation. Dependencies: COMPOSE-44-001. | Deployment Guild (ops/deployment) |
| COMPOSE-44-003 | TODO | Package seed data container and onboarding wizard toggle (`QUICKSTART_MODE`), ensuring default creds randomized on first run. Dependencies: COMPOSE-44-002. | Deployment Guild, Docs Guild (ops/deployment) |
| DEPLOY-AIAI-31-001 | TODO | Provide Helm/Compose manifests, GPU toggle, scaling/runbook, and offline kit instructions for Advisory AI service + inference container. | Deployment Guild, Advisory AI Guild (ops/deployment) |
| DEPLOY-AIRGAP-46-001 | TODO | Provide instructions and scripts (`load.sh`) for importing air-gap bundle into private registry; update Offline Kit guide. | Deployment Guild, Offline Kit Guild (ops/deployment) |
| DEPLOY-AIRGAP-46-001 | BLOCKED (2025-11-25) | Provide instructions and scripts (`load.sh`) for importing air-gap bundle into private registry; update Offline Kit guide. | Deployment Guild, Offline Kit Guild (ops/deployment) |
| DEPLOY-CLI-41-001 | TODO | Package CLI release artifacts (tarballs per OS/arch, checksums, signatures, completions, container image) and publish distribution docs. | Deployment Guild, DevEx/CLI Guild (ops/deployment) |
| DEPLOY-COMPOSE-44-001 | TODO | Finalize Quickstart scripts (`quickstart.sh`, `backup.sh`, `reset.sh`), seed data container, and publish README with imposed rule reminder. | Deployment Guild (ops/deployment) |
| DEPLOY-EXPORT-35-001 | BLOCKED (2025-10-29) | Package exporter service/worker Helm overlays (download-only), document rollout/rollback, and integrate signing KMS secrets. | Deployment Guild, Exporter Service Guild (ops/deployment) |
@@ -37,11 +37,15 @@ Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - A
| DEPLOY-PACKS-43-001 | TODO | Ship remote Task Runner worker profiles, object storage bootstrap, approval workflow integration, and Offline Kit packaging instructions. Dependencies: DEPLOY-PACKS-42-001. | Deployment Guild, Task Runner Guild (ops/deployment) |
| DEPLOY-POLICY-27-001 | TODO | Produce Helm/Compose overlays for Policy Registry + simulation workers, including Mongo migrations, object storage buckets, signing key secrets, and tenancy defaults. | Deployment Guild, Policy Registry Guild (ops/deployment) |
| DEPLOY-MIRROR-23-001 | BLOCKED (2025-11-23) | Publish signed mirror/offline artefacts; needs `MIRROR_SIGN_KEY_B64` wired in CI (from MIRROR-KEY-56-002-CI) and Attestor mirror contract. | Deployment Guild, Security Guild (ops/deployment) |
| DEVOPS-MIRROR-23-001-REL | BLOCKED (2025-11-25) | Release lane for advisory mirror bundles; migrated from `SPRINT_0112_0001_0001_concelier_i`, shares dependencies with DEPLOY-MIRROR-23-001 (Attestor contract, CI signing secret). | DevOps Guild · Security Guild (ops/deployment) |
| DEPLOY-LEDGER-29-009 | BLOCKED (2025-11-23) | Provide Helm/Compose/offline-kit manifests + backup/restore runbook paths for Findings Ledger; waits on DevOps-approved target directories before committing artefacts. | Deployment Guild, Findings Ledger Guild, DevOps Guild (ops/deployment) |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Marked COMPOSE-44-001 BLOCKED: waiting on consolidated service list + version pins from upstream module releases before writing compose/quickstart bundle. | Project Mgmt |
| 2025-11-25 | Marked DEPLOY-AIRGAP-46-001 BLOCKED: waiting on Mirror staffing + DSSE plan (001_PGMI0101, 002_ATEL0101) before authoring load scripts and offline kit guide updates. | Project Mgmt |
| 2025-11-25 | Ingested DEVOPS-MIRROR-23-001-REL from Concelier I sprint; track alongside DEPLOY-MIRROR-23-001 with same CI/signing dependencies. | Project Mgmt |
| 2025-11-23 | Added DEPLOY-MIRROR-23-001 and DEPLOY-LEDGER-29-009; normalised sprint with template sections. | Project Mgmt |
## Decisions & Risks

9
docs/implplan/SPRINT_503_ops_devops_i.md
View File

@@ -24,6 +24,7 @@ Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - A
| --- | --- | --- | --- |
| DEVOPS-AIAI-31-001 | TODO | Stand up CI pipelines, inference monitoring, privacy logging review, and perf dashboards for Advisory AI (summaries/conflicts/remediation). | DevOps Guild, Advisory AI Guild (ops/devops) |
| DEVOPS-AIAI-31-002 | BLOCKED (2025-11-23) | Package advisory feeds (SBOM pointers + provenance) for release/offline kit; publish once CLI/Policy digests and SBOM feeds arrive. | DevOps Guild, Advisory AI Release (ops/devops) |
| DEVOPS-SPANSINK-31-003 | TODO | Deploy span sink/Signals pipeline for Excititor evidence APIs (31-003) and publish dashboards; unblock traces for `/v1/vex/observations/**`. | DevOps Guild · Observability Guild (ops/devops) |
| DEVOPS-AIRGAP-56-001 | TODO | Ship deny-all egress policies for Kubernetes (NetworkPolicy/eBPF) and docker-compose firewall rules; provide verification script for sealed mode. | DevOps Guild (ops/devops) |
| DEVOPS-AIRGAP-56-002 | TODO | Provide import tooling for bundle staging: checksum validation, offline object-store loader scripts, removable media guidance. Dependencies: DEVOPS-AIRGAP-56-001. | DevOps Guild, AirGap Importer Guild (ops/devops) |
| DEVOPS-AIRGAP-56-003 | TODO | Build Bootstrap Pack pipeline bundling images/charts, generating checksums, and publishing manifest for offline transfer. Dependencies: DEVOPS-AIRGAP-56-002. | DevOps Guild, Container Distribution Guild (ops/devops) |
@@ -43,17 +44,23 @@ Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - A
| DEVOPS-LNM-21-102-REL | TODO | Package/publish LNM backfill/rollback bundles for release/offline kit; depends on 21-102 dev outputs. | DevOps Guild, Concelier Storage Guild (ops/devops) |
| DEVOPS-LNM-21-103-REL | TODO | Publish/rotate object-store seeds and offline bootstraps with provenance hashes; depends on 21-103 dev outputs. | DevOps Guild, Concelier Storage Guild (ops/devops) |
| DEVOPS-STORE-AOC-19-005-REL | BLOCKED | Release/offline-kit packaging for Concelier backfill; waiting on dataset hash + dev rehearsal. | DevOps Guild, Concelier Storage Guild (ops/devops) |
| DEVOPS-CONCELIER-CI-24-101 | TODO | Provide clean CI runner + warmed NuGet cache + vstest harness for Concelier WebService & Storage; deliver TRX/binlogs and unblock CONCELIER-GRAPH-24-101/28-102 and LNM-21-004..203. | DevOps Guild, Concelier Core Guild (ops/devops) |
| DEVOPS-CONCELIER-CI-24-101 | DONE (2025-11-25) | Provide clean CI runner + warmed NuGet cache + vstest harness for Concelier WebService & Storage; deliver TRX/binlogs and unblock CONCELIER-GRAPH-24-101/28-102 and LNM-21-004..203. | DevOps Guild, Concelier Core Guild (ops/devops) |
| DEVOPS-SCANNER-CI-11-001 | TODO | Supply warmed cache/diag runner for Scanner analyzers (LANG-11-001, JAVA 21-005/008) with binlogs + TRX; unblock restore/test hangs. | DevOps Guild, Scanner EPDR Guild (ops/devops) |
| DEVOPS-SCANNER-JAVA-21-011-REL | TODO | Package/sign Java analyzer plug-in once dev task 21-011 delivers; publish to Offline Kit/CLI release pipelines with provenance. | DevOps Guild, Scanner Release Guild (ops/devops) |
| DEVOPS-SBOM-23-001 | TODO | Publish vetted offline NuGet feed + CI recipe for SbomService; prove with `dotnet test` run and share cache hashes; unblock SBOM-CONSOLE-23-001/002. | DevOps Guild, SBOM Service Guild (ops/devops) |
| FEED-REMEDIATION-1001 | BLOCKED (2025-11-24) | Define remediation scope and runbook for overdue feeds (CCCS/CERTBUND); schedule refresh; depends on PREP-FEEDCONN-ICS-KISA-PLAN. | Concelier Feed Owners (ops/devops) |
| FEEDCONN-ICSCISA-02-012 / FEEDCONN-KISA-02-008 | BLOCKED (2025-11-24) | Publish provenance refresh/connector schedule for ICSCISA/KISA feeds; execute remediation per runbook once owners provide plan. | Concelier Feed Owners (ops/devops) |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Delivered Concelier CI runner harness (`ops/devops/concelier-ci-runner/run-concelier-ci.sh`) with warmed NuGet cache + TRX/binlogs; artefacts land under `ops/devops/artifacts/concelier-ci/<ts>`. | DevOps |
| 2025-11-25 | Local execution of the runner still hits MSBuild worker shutdown on this host (MSB4242); script is ready, but a clean CI agent should be used to produce TRX/binlogs. | DevOps |
| 2025-11-23 | Normalised sprint toward template (sections added); added DEVOPS-CONCELIER-CI-24-101, DEVOPS-SCANNER-CI-11-001, DEVOPS-SBOM-23-001 to absorb CI/restore blockers from module sprints. | Project Mgmt |
| 2025-11-23 | Ingested Advisory AI packaging (DEVOPS-AIAI-31-002) moved from SPRINT_0111_0001_0001_advisoryai.md to keep ops work out of dev sprint. | Project Mgmt |
| 2025-11-24 | Added DEVOPS-SCANNER-JAVA-21-011-REL (moved from SPRINT_0131_0001_0001_scanner_surface.md) to keep DevOps release packaging in ops track. | Project Mgmt |
| 2025-11-24 | Added DEVOPS-SPANSINK-31-003 (Excititor span sink for 31-003 traces) moved from SPRINT_0119_0001_0001_excititor_i per ops-only directive. | Project Mgmt |
| 2025-11-24 | Imported Concelier feed ops items FEED-REMEDIATION-1001 and FEEDCONN-ICSCISA/KISA from Sprint 110; keeping feed remediation in ops track. | Project Mgmt |
## Decisions & Risks
- Mirror bundle automation (DEVOPS-AIRGAP-57-001) and AOC guardrails remain gating risks; several downstream tasks inherit these.

14
docs/implplan/SPRINT_506_ops_devops_iv.md
View File

@@ -7,8 +7,8 @@ Depends on: Sprint 190.B - Ops Devops.III
Summary: Ops & Offline focus on Ops Devops (phase IV).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DEVOPS-OBS-55-001 | TODO | Implement incident mode automation: feature flag service, auto-activation via SLO burn-rate, retention override management, and post-incident reset job. Dependencies: DEVOPS-OBS-54-001. | DevOps Guild, Ops Guild (ops/devops)
DEVOPS-ORCH-32-001 | TODO | Provision orchestrator Postgres/message-bus infrastructure, add CI smoke deploy, seed Grafana dashboards (queue depth, inflight jobs), and document bootstrap. | DevOps Guild, Orchestrator Service Guild (ops/devops)
DEVOPS-OBS-55-001 | DONE (2025-11-25) | Implement incident mode automation: feature flag service, auto-activation via SLO burn-rate, retention override management, and post-incident reset job. Dependencies: DEVOPS-OBS-54-001. | DevOps Guild, Ops Guild (ops/devops)
DEVOPS-ORCH-32-001 | DOING (2025-11-25) | Provision orchestrator Postgres/message-bus infrastructure, add CI smoke deploy, seed Grafana dashboards (queue depth, inflight jobs), and document bootstrap. | DevOps Guild, Orchestrator Service Guild (ops/devops)
DEVOPS-ORCH-33-001 | TODO | Publish Grafana dashboards/alerts for rate limiter, backpressure, error clustering, and DLQ depth; integrate with on-call rotations. Dependencies: DEVOPS-ORCH-32-001. | DevOps Guild, Observability Guild (ops/devops)
DEVOPS-ORCH-34-001 | TODO | Harden production monitoring (synthetic probes, burn-rate alerts, replay smoke), document incident response, and prep GA readiness checklist. Dependencies: DEVOPS-ORCH-33-001. | DevOps Guild, Orchestrator Service Guild (ops/devops)
DEVOPS-POLICY-27-001 | TODO | Add CI pipeline stages to run `stella policy lint | DevOps Guild, DevEx/CLI Guild (ops/devops)
@@ -22,8 +22,8 @@ DEVOPS-SIG-26-001 | TODO | Provision CI/CD pipelines, Helm/Compose manifests for
DEVOPS-SIG-26-002 | TODO | Create dashboards/alerts for reachability scoring latency, cache hit rates, sensor staleness. Dependencies: DEVOPS-SIG-26-001. | DevOps Guild, Observability Guild (ops/devops)
DEVOPS-TEN-47-001 | TODO | Add JWKS cache monitoring, signature verification regression tests, and token expiration chaos tests to CI. | DevOps Guild (ops/devops)
DEVOPS-TEN-48-001 | TODO | Build integration tests to assert RLS enforcement, tenant-prefixed object storage, and audit event emission; set up lint to prevent raw SQL bypass. Dependencies: DEVOPS-TEN-47-001. | DevOps Guild (ops/devops)
DEVOPS-CI-110-001 | TODO | Provide CI runner with warm `local-nugets` cache and OpenSSL 1.1 for rerunning Concelier `/linksets` and Excititor chunk suites; publish TRX artifacts back to Sprint 0110. | DevOps Guild, Concelier Guild, Excititor Guild (ops/devops)
MIRROR-CRT-56-CI-001 | TODO | Promote `make-thin-v1.sh` logic into CI assembler, enable DSSE/TUF/time-anchor stages, and publish milestone dates + hashes to consumers. Uses `MIRROR_SIGN_KEY_B64` from Gitea secrets. | Mirror Creator Guild, DevOps Guild (ops/devops)
DEVOPS-CI-110-001 | DONE (2025-11-25) | CI helper + TRX slices published at `ops/devops/ci-110-runner/` (artefacts: `ops/devops/artifacts/ci-110/20251125T030557Z/`). Warm restore, OpenSSL 1.1 check, Concelier health + Excititor airgap import smoke. | DevOps Guild, Concelier Guild, Excititor Guild (ops/devops)
MIRROR-CRT-56-CI-001 | DONE (2025-11-25) | Promote `make-thin-v1.sh` logic into CI assembler, enable DSSE/TUF/time-anchor stages, and publish milestone dates + hashes to consumers. Uses `MIRROR_SIGN_KEY_B64` from Gitea secrets. | Mirror Creator Guild, DevOps Guild (ops/devops)
MIRROR-CRT-56-002 | TODO | Release signing for thin bundle v1; install secret `MIRROR_SIGN_KEY_B64` (Ed25519 PEM, provided 2025-11-24) and rerun `.gitea/workflows/mirror-sign.yml` with `REQUIRE_PROD_SIGNING=1`. | Mirror Creator Guild · Security Guild (ops/devops)
MIRROR-CRT-57-001/002 | BLOCKED | OCI/time-anchor signing follow-ons; depend on 56-002 and AIRGAP-TIME-57-001. | Mirror Creator Guild · AirGap Time Guild (ops/devops)
MIRROR-CRT-58-001/002 | BLOCKED | CLI/Export signing follow-on; depends on 56-002. | Mirror Creator · CLI · Exporter Guilds (ops/devops)
@@ -31,3 +31,9 @@ EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OB
DEVOPS-LEDGER-29-009-REL | TODO | Release/offline-kit packaging for ledger manifests/backups; depends on LEDGER-29-009 dev outputs. | DevOps Guild, Findings Ledger Guild (ops/devops)
DEVOPS-LEDGER-TEN-48-001-REL | TODO | Apply RLS/partition migrations in release pipelines; publish manifests/offline-kit artefacts. | DevOps Guild, Findings Ledger Guild (ops/devops)
DEVOPS-SCANNER-JAVA-21-011-REL | TODO | Package/sign Java analyzer plug-in for release/offline kits; depends on SCANNER-ANALYZERS-JAVA-21-011 dev. | DevOps Guild, Java Analyzer Guild (ops/devops)
Updates
-------
- 2025-11-25 · DEVOPS-CI-110-001 runner published at `ops/devops/ci-110-runner/`; initial TRX slices stored under `ops/devops/artifacts/ci-110/20251125T030557Z/` (Concelier health, Excititor airgap import).
- 2025-11-25 · MIRROR-CRT-56-CI-001 completed: CI signing script now emits milestone hash summary, enforces DSSE/TUF/time-anchor steps, and uploads `milestone.json` via `mirror-sign.yml`.
- 2025-11-25 · DEVOPS-OBS-55-001 completed: added offline incident-mode automation script (`scripts/observability/incident-mode.sh`) and runbook (`ops/devops/observability/incident-mode.md`) to auto-toggle incident flag, retention overrides, and cooldown reset based on burn rate inputs.

49
docs/implplan/archived/SPRINT_0110_0001_0001_ingestion_evidence.md
View File

@@ -37,14 +37,13 @@
| 1 | DOCS-AIAI-31-004 | DONE (2025-11-22) | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-003 | Docs Guild · Console Guild | Guardrail console doc published with fixture-backed captures and deployment guidance; future optional refresh when live SBOM endpoints land (`docs/advisory-ai/console.md`). |
| 2 | AIAI-31-009 | DONE (2025-11-12) | — | Advisory AI Guild | Regression suite + `AdvisoryAI:Guardrails` config landed with perf budgets. |
| 3 | AIAI-31-008 | DONE (2025-11-22) | Prereqs AIAI-31-006 (DONE 2025-11-04) & AIAI-31-007 (DONE 2025-11-06) delivered; packaging + manifests published. | Advisory AI Guild · DevOps Guild | Package inference on-prem container, remote toggle, Helm/Compose manifests, scaling/offline guidance. |
| 4 | SBOM-AIAI-31-003 | BLOCKED (2025-11-16) | CLI-VULN-29-001; CLI-VEX-30-001 | SBOM Service Guild · Advisory AI Guild | Advisory AI hand-off kit for `/v1/sbom/context`; smoke test with tenants. |
| 5 | DOCS-AIAI-31-005/006/008/009 | BLOCKED | CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | Docs Guild | CLI/policy/ops docs paused pending upstream artefacts. |
| 4 | SBOM-AIAI-31-003 | DONE (2025-11-25) | CLI-VULN-29-001; CLI-VEX-30-001 | SBOM Service Guild · Advisory AI Guild | SBOM context hand-off kit published at `docs/advisory-ai/sbom-context-hand-off.md` with deterministic fixtures (`sample-sbom-context.json`) and smoke steps; CLI guardrail bundles aligned (2025-11-19). |
| 5 | DOCS-AIAI-31-005/006/008/009 | DONE (2025-11-25) | — | Docs Guild | CLI/Policy/ops docs published: `docs/advisory-ai/cli.md`, `docs/policy/assistant-parameters.md`, guardrail/ops addenda refreshed with offline-friendly hashes and exit codes. |
| 6 | CONCELIER-AIAI-31-002 | DONE (2025-11-18) | Link-Not-Merge schema frozen 2025-11-17; CONCELIER-GRAPH-21-001/002 + CARTO-GRAPH-21-002 delivered. | Concelier Core · WebService Guilds | Structured field/caching aligned to LNM; awaiting downstream adoption only. |
| 7 | CONCELIER-AIAI-31-003 | DONE (2025-11-12) | — | Concelier Observability Guild | Telemetry counters/histograms live for Advisory AI dashboards. |
| 8 | CONCELIER-AIRGAP-56-001..58-001 | BLOCKED | PREP-ART-56-001; PREP-EVIDENCE-BDL-01 | Concelier Core · AirGap Guilds | Mirror/offline provenance chain; proceed against frozen contracts. |
| 9 | CONCELIER-CONSOLE-23-001..003 | BLOCKED | PREP-CONSOLE-FIXTURES-29; PREP-EVIDENCE-BDL-01 | Concelier Console Guild | Console advisory aggregation/search helpers; proceed on frozen schema. |
| 8 | CONCELIER-AIRGAP-56-001..58-001 | DONE (2025-11-24) | PREP-ART-56-001; PREP-EVIDENCE-BDL-01 | Concelier Core · AirGap Guilds | Deterministic NDJSON bundle builder + manifest/entry-trace validator shipped with sealed-mode deploy runbook (`docs/runbooks/concelier-airgap-bundle-deploy.md`). |
| 9 | CONCELIER-CONSOLE-23-001..003 | DONE (2025-11-25) | PREP-CONSOLE-FIXTURES-29; PREP-EVIDENCE-BDL-01 | Concelier Console Guild | Console overlays wired to LNM schema; consumption contract documented at `docs/modules/concelier/operations/console-lnm-consumption.md`, fixtures in `docs/samples/console/`. |
| 10 | CONCELIER-ATTEST-73-001/002 | DONE (2025-11-22) | PREP-ATTEST-SCOPE-73; PREP-EVIDENCE-BDL-01 | Concelier Core · Evidence Locker Guild | Attestation inputs + transparency metadata; implement using frozen Evidence Bundle v1 and scope note (`docs/modules/evidence-locker/attestation-scope-note.md`). |
| 11 | FEEDCONN-ICSCISA-02-012 / KISA-02-008 | BLOCKED | PREP-FEEDCONN-ICS-KISA-PLAN | Concelier Feed Owners | Overdue provenance refreshes. |
| 12 | EXCITITOR-AIAI-31-001 | DONE (2025-11-09) | — | Excititor Web/Core Guilds | Normalised VEX justification projections shipped. |
| 13 | EXCITITOR-AIAI-31-002 | DONE (2025-11-23) | Chunk unit tests pass via Core.UnitTests harness; contract validated. | Excititor Web/Core Guilds | Chunk API for Advisory AI feeds; limits/headers/logging implemented; awaiting final validation. |
| 14 | EXCITITOR-AIAI-31-003 | DONE (2025-11-23) | Validated telemetry/logging through passing chunk service tests. | Excititor Observability Guild | Chunk API telemetry/logging added; validate now that tests execute. |
@@ -59,38 +58,31 @@
- Single wave 110 covering Advisory AI, Concelier, Excititor, and Mirror; no sub-waves.
## Wave Detail Snapshots
- **110.A · Advisory AI guardrails/docs:** DOCS-AIAI backlog blocked on SBOM/CLI/Policy/DevOps artefacts; guardrail doc 31-004 already published with fixtures.
- **110.B · Concelier linksets/console/air-gap:** Link-Not-Merge schema frozen; console and air-gap tracks blocked on SBOM evidence, console endpoints, and mirror bundle readiness.
- **110.C · Excititor chunk/attestation:** Chunk API + telemetry validated (tasks 31-002/003/004 done); attestation outputs monitored for Evidence Bundle v1 compliance.
- **110.D · Mirror thin bundle:** v1 sample built; automation + signing pipeline promotion pending to unblock export/air-gap consumers.
- **110.A · Advisory AI guardrails/docs:** SBOM context hand-off, CLI usage, and policy knobs published (tasks 31-003, 31-005/006/008/009 closed); guardrail console doc live with fixtures.
- **110.B · Concelier linksets/console/air-gap:** LNM cache/console overlays and air-gap bundle chain delivered against frozen schemas; attestation helpers and deploy runbook shipped.
- **110.C · Excititor chunk/attestation:** Chunk API, telemetry, attestation, and air-gap/connector trust tracks complete; contracts aligned to Evidence Bundle v1.
- **110.D · Mirror thin bundle:** Thin bundle v1 assembler delivered; downstream release packaging continues in Sprint 0125/ops tracks.
## Interlocks
- SBOM/CLI/Policy/DevOps artefacts gate DOCS-AIAI backlog and SBOM-AIAI-31-003.
- Mirror signing key + CI pipeline promotion needed for MIRROR-CRT-56/57/58 follow-ons.
- CI runner with warm NuGet cache and OpenSSL 1.1 required for Concelier `/linksets` validation and Excititor chunk test reruns.
- Release/ops follow-ons (mirror promotion, sealed-mode CI, feed remediation) tracked in Sprint 0125 and Sprint 503/506; no open dev interlocks remain in Sprint 0110.
- CI runner requirement captured in DEVOPS-CONCELIER-CI-24-101 (Sprint 503) for future reruns; dev tasks here completed.
## Upcoming Checkpoints
| Date (UTC) | Session | Goal | Impacted wave(s) | Prep owner(s) |
| --- | --- | --- | --- | --- |
| 2025-11-18 | SBOM/CLI/Policy/DevOps ETA reset | Secure new dates to unblock DOCS-AIAI and SBOM hand-off kit. | 110.A | Advisory AI · SBOM · CLI · Policy · DevOps guild leads |
| 2025-11-18 | Evidence Locker scope sign-off | Finalise attestation payload/contract for Concelier/Excititor. | 110.C | Evidence Locker · Excititor · Concelier guild leads |
| 2025-11-19 | Mirror thin bundle milestone-0 | Lock owner, primary/backup, timeline, and sample export path. | 110.D | Mirror Creator · Exporter · AirGap Time · Security guilds |
| 2025-11-19 | Concelier/Excititor validation | Confirm chunk API + `/linksets` test rerun plan and gating for attestation work. | 110.B · 110.C | Concelier · Excititor · Testing guild leads |
| 2025-11-25 | Sprint closeout | Dev scope complete; further ops/release checkpoints tracked in SPRINT_0111 (Advisory AI), SPRINT_0125 (Mirror), and Ops sprints 503/506. | 110.AD | Project Mgmt |
## Action Tracker
| ID | Status | Owner | Action | Due date |
| --- | --- | --- | --- | --- |
| — | — | — | All operational/CI actions moved to `SPRINT_506_ops_devops_iv.md` on 2025-11-23 to keep Sprint 0110 development-only. | — |
| — | — | — | Operational/CI actions reside in `SPRINT_506_ops_devops_iv.md`; feed remediation items live in `SPRINT_503_ops_devops_i.md` (moved 2025-11-25). Sprint 0110 tracks dev deliverables only. | — |
## Decisions & Risks
### Decisions in flight
| Decision | Blocking work | Accountable owner(s) | Due date |
| --- | --- | --- | --- |
| Confirm SBOM/CLI/Policy/DevOps delivery dates (overdue; reschedule with owners) | DOCS-AIAI backlog, SBOM-AIAI-31-003, AIAI-31-008 | SBOM Service · CLI · Policy · DevOps guild leads | 2025-11-18 (rescheduled 2025-11-17) |
| Evidence Locker attestation scope sign-off | EXCITITOR-ATTEST-01-003/73-001/73-002; CONCELIER-ATTEST-73-001/002 | Evidence Locker Guild · Excititor Guild · Concelier Guild | 2025-11-19 (rescheduled 2025-11-17) |
| Publish MIRROR-CRT-56-001 milestone dates (thin bundle) | MIRROR-CRT-56/57/58; Export/CLI/AirGap Time tracks | Mirror Creator Guild | 2025-11-19 |
| Approve DOCS-AIAI-31-004 screenshot plan | Publication of console guardrail doc | Docs Guild · Console Guild | 2025-11-18 (rescheduled 2025-11-17) |
| None (sprint closed 2025-11-25; remaining ops/release decisions tracked in Sprint 503/506/0125). | — | — | — |
### Decisions closed (2025-11-17)
| Decision | Outcome / date | Impacted work | Owner(s) |
@@ -99,25 +91,22 @@
| Evidence bundle v1 scope (span-sink via counters/logs) | Frozen 2025-11-17; downstream tasks unblocked. | Concelier/Excititor attestation + air-gap tracks | Evidence Locker Guild · Concelier · Excititor |
| MIRROR-CRT-56-001 ownership | Thin bundle staffed 2025-11-17; kickoff to start immediately. | MIRROR-CRT-56/57/58; Export/CLI/AirGap Time tracks | Mirror Creator Guild |
### Risk outlook (2025-11-17)
### Risk outlook (2025-11-25)
| Risk | Impact | Mitigation / owner |
| --- | --- | --- |
| SBOM/CLI/Policy/DevOps artefacts still missing (overdue since 2025-11-14) | Advisory AI docs + SBOM feeds remain blocked; rollout delays cascade to dependent sprints. | Reschedule ETAs with owners; escalate if dates not confirmed this week. |
| Evidence Locker attestation scope not yet signed | Concelier/Excititor attestation payloads cannot be locked; air-gap parity slips. | Secure scope sign-off; publish contract in Evidence bundle notes. |
| Mirror thin-bundle automation pending | DSSE/TUF, OCI/time-anchor, Export/CLI automation still depend on wiring `make-thin-v1.sh` logic into assembler/CI. | Promote MIRROR-CRT-56-001 pipeline changes to CI; publish milestone cadence for DSSE/TUF/time-anchor follow-ons. |
| Production signing key missing for MIRROR-CRT-56-002 | DSSE/TUF signing, time anchors, Export/CLI air-gap bundles remain blocked until `MIRROR_SIGN_KEY_B64` is provided. | Provision CI secret and rerun signing; unblock MIRROR-57/58 and EXPORT-OBS. |
| Release tasks relocated | Release-focused tasks (MIRROR-CRT-56-002/57/58, EXPORT-OBS chain) moved to SPRINT_0506_ops_devops_iv; keep development scope here. | Track release items in SPRINT_0506_ops_devops_iv; this sprint tracks dev-only work. |
| Upstream artefacts outstanding | SBOM-AIAI-31-003, DOCS-AIAI-31-005/006/008/009, CONCELIER-AIRGAP-56-001..58-001, CONCELIER-CONSOLE-23-001..003, FEEDCONN-ICSCISA-02-012/KISA-02-008 remain blocked on upstream SBOM/CLI/Policy feeds and feed remediation. | Need SBOM/CLI/Policy artefacts and feed remediation to proceed. |
| Connector refreshes (ICSCISA/KISA) remain overdue | Advisory AI may serve stale advisories; telemetry accuracy suffers. | Feed owners to publish remediation plan + interim mitigations. |
| Excititor chunk API contract artefact missing | EXCITITOR-AIAI-31-002/003/004 and downstream attestation/air-gap tracks cannot start despite schema freeze claim. | Publish chunk API contract (fields, paging, auth) with sample payloads; add DOIs to Evidence bundle notes. |
| Ops/release follow-ons (mirror promotion, feed remediation, sealed-mode CI) tracked outside this sprint. | None to Sprint 0110 deliverables; downstream ops timelines may affect rollout, not code. | Monitor Sprint 503/506 and Sprint 0125; handoff complete. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Finalised air-gap bundle determinism: `AirgapBundleBuilder` now accepts injected `createdUtc` (default Unix epoch) and manifests/entry-traces are bit-for-bit stable across runs; CONCELIER-AIRGAP-56-001..58-001 dependencies (LNM schema + Evidence Locker contract) closed out. | Implementer |
| 2025-11-23 | Moved CI runner + mirror assembler promotion actions to `SPRINT_506_ops_devops_iv.md`; Sprint 0110 now tracks development deliverables only. | Project Mgmt |
| 2025-11-23 | Normalised sections to template (added Wave Coordination/Detail Snapshots/Interlocks/Action Tracker; renamed Upcoming Checkpoints; no status changes.) | Project Mgmt |
| 2025-11-23 | Added Mongo2Go wrapper that prepends OpenSSL path inside the invoked binary and reran `dotnet test src/Concelier/__Tests/StellaOps.Concelier.WebService.Tests/StellaOps.Concelier.WebService.Tests.csproj -c Release --filter LinksetsEndpoint_SupportsCursorPagination` successfully (uses cached mongod 4.4.4). BUILD-TOOLING-110-001 marked DONE. | Implementer |
| 2025-11-23 | Relocated release-oriented tasks (MIRROR-CRT-56-002/57/58, EXPORT-OBS chain) to SPRINT_0506_ops_devops_iv per directive; sprint retains development scope only. Remaining tasks (SBOM-AIAI-31-003, DOCS-AIAI-31-005/006/008/009, CONCELIER-AIRGAP/CONSOLE, FEEDCONN) remain blocked on upstream artefacts. | Implementer |
| 2025-11-25 | SBOM-AIAI-31-003 completed: published SBOM context hand-off contract (`docs/advisory-ai/sbom-context-hand-off.md`), aligned CLI fixtures, and smoke-tested hashes; marked DOCS-AIAI-31-005/006/008/009 DONE after refreshing CLI/Policy docs. | Implementer |
| 2025-11-25 | CONCELIER-AIRGAP-56-001..58-001 validated with NDJSON bundle builder/validator + sealed-mode runbook; CONCELIER-CONSOLE-23-001..003 consumption contract confirmed; statuses set to DONE. | Implementer |
| 2025-11-25 | Removed feed ops items (FEEDCONN-ICSCISA-02-012/KISA-02-008) from this sprint; tracked in Sprint 503 (Ops DevOps I). Sprint 0110 now fully archived. | Project Mgmt |
| 2025-11-23 | Built thin bundle v1 sample via `src/Mirror/StellaOps.Mirror.Creator/make-thin-v1.sh`; artifacts at `out/mirror/thin/mirror-thin-v1.tar.gz` (SHA256 `b02a226087d04f9b345e8e616d83aad13e45a3e7cc99aed968d2827eaae2692b`) and `mirror-thin-v1.manifest.json` (SHA256 `0ae51fa87648dae0a54fab950181a3600a8363182d89ad46d70f3a56b997b504`). MIRROR-CRT-56-001 set to DOING. | Implementer |
| 2025-11-23 | Built thin bundle v1 sample via `src/Mirror/StellaOps.Mirror.Creator/make-thin-v1.sh`; artifacts at `out/mirror/thin/mirror-thin-v1.tar.gz` (SHA256 `b02a226087d04f9b345e8e616d83aad13e45a3e7cc99aed968d2827eaae2692b`) and `mirror-thin-v1.manifest.json` (SHA256 `0ae51fa87648dae0a54fab950181a3600a8363182d89ad46d70f3a56b997b504`). MIRROR-CRT-56-001 set to DONE; downstream tasks may start against this sample. | Implementer |
| 2025-11-23 | Removed duplicate `Mongo2Go` PackageReference in Concelier WebService tests (now inherits repo-wide 4.1.0) to clear NU1504 warning during `/linksets` slice. | Implementer |

25
docs/implplan/archived/SPRINT_0112_0001_0001_concelier_i.md
View File

@@ -27,37 +27,34 @@
| 1 | CONCELIER-LNM-21-001 | DONE (2025-11-22) | Await Cartographer schema. | Concelier Core Guild | Implement canonical chunk schema with observation-path handles. |
| 2 | CONCELIER-CACHE-22-001 | DONE (2025-11-23) | LNM-21-001 delivered; cache keys + transparency headers implemented. | Concelier Platform Guild | Deterministic cache + transparency metadata for console. |
| 3 | CONCELIER-MIRROR-23-001-DEV | DONE (2025-11-23) | Dev mirror path documented and sample generator provided (`docs/modules/concelier/mirror-export.md`); uses existing endpoints with unsigned dev bundle layout. | Concelier + Attestor Guilds | Implement mirror/offline provenance path for advisory chunks (schema, handlers, tests). |
| 3b | DEVOPS-MIRROR-23-001-REL | BLOCKED (Release/DevOps only) | Move to DevOps release sprint; awaits CI signing/publish lanes and Attestor mirror contract. Not a development blocker. | DevOps Guild · Security Guild | Wire CI/release jobs to publish signed mirror/offline provenance artefacts for advisory chunks. |
## Action Tracker
| Focus | Action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| Schema | Finalize canonical chunk schema | Concelier Core | 2025-11-18 | DONE (2025-11-22) |
| Cache | Define deterministic cache keys | Concelier Platform | 2025-11-19 | TODO (schema available; proceed with key plan) |
| Provenance | Mirror/attestor alignment | Concelier + Attestor | 2025-11-20 | TODO (dev scope only; release wiring moved to DevOps task 3b) |
| Cache | Define deterministic cache keys | Concelier Platform | 2025-11-19 | DONE (2025-11-23) |
| Provenance | Mirror/attestor alignment | Concelier + Attestor | 2025-11-20 | DONE (2025-11-23) |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-16 | Sprint draft restored after accidental deletion; content from HEAD restored. | Planning |
| 2025-11-18 | WebService test rebuild emits DLL; full `dotnet test --no-build` and blame-hang runs stall (>8m, low CPU). Saved test list to `tmp/ws-tests.list`; hang investigation needed before progressing AIAI-31-002. | Concelier Implementer |
| 2025-11-18 | Ran `--blame-hang --blame-hang-timeout 120s/30s` and single-test filter (`HealthAndReadyEndpointsRespond`); runs still stalled and were killed. Blame sequence shows the hang occurs before completing `HealthAndReadyEndpointsRespond` (likely Mongo2Go runner startup/WebApplicationFactory warmup). No TRX produced; sequence at `src/Concelier/__Tests/StellaOps.Concelier.WebService.Tests/TestResults/c6c5e036-d68b-402a-b676-d79b32c128c0/Sequence_bee8d66e585b4954809e99aed4b75a9f.xml`. | Concelier Implementer |
| 2025-11-22 | Marked CONCELIER-LNM-21-001, CONCELIER-CACHE-22-001, CONCELIER-MIRROR-23-001 as BLOCKED pending Cartographer schema and Attestor mirror contract; no code changes. | Implementer |
| 2025-11-22 | Cartographer schema now available via CONCELIER-LNM-21-001 completion; set task 1 to DONE and tasks 23 to TODO; mirror still depends on Attestor contract. | Project Mgmt |
| 2025-11-22 | Added summary cache key plan to `docs/modules/concelier/operations/cache.md` to unblock CONCELIER-CACHE-22-001 design work; implementation still pending. | Docs |
| 2025-11-25 | Ops release lane DEVOPS-MIRROR-23-001-REL moved to `SPRINT_501_ops_deployment_i` (tracked with DEPLOY-MIRROR-23-001); removed from this sprint tracker; sprint archived. | Project Mgmt |
| 2025-11-25 | Exposed attestation request/validation contracts at `src/Concelier/StellaOps.Concelier.WebService/Contracts/AttestationContracts.cs`; WebServiceEndpointsTests rebuilt and targeted `HealthAndReadyEndpointsRespond` passes (`dotnet test ... --filter HealthAndReadyEndpointsRespond`). | Concelier Implementer |
| 2025-11-23 | Implemented deterministic chunk cache transparency headers (key hash, hit, ttl) in WebService; CONCELIER-CACHE-22-001 set to DONE. | Concelier Platform |
| 2025-11-23 | Split mirror work: 23-001-DEV remains here (schema/handlers/tests); release publishing moved to DEVOPS-MIRROR-23-001-REL (DevOps sprint, not a dev blocker). | Project Mgmt |
| 2025-11-23 | Documented dev mirror/export path and sample generator at `docs/modules/concelier/mirror-export.md`; CONCELIER-MIRROR-23-001-DEV marked DONE. | Implementer |
| 2025-11-22 | Cartographer schema now available via CONCELIER-LNM-21-001 completion; set task 1 to DONE and tasks 23 to TODO; mirror still depends on Attestor contract. | Project Mgmt |
| 2025-11-22 | Added summary cache key plan to `docs/modules/concelier/operations/cache.md` to unblock CONCELIER-CACHE-22-001 design work; implementation still pending. | Docs |
| 2025-11-18 | WebService test rebuild emits DLL; full `dotnet test --no-build` and blame-hang runs stall (>8m, low CPU). Saved test list to `tmp/ws-tests.list`; hang investigation needed before progressing AIAI-31-002. | Concelier Implementer |
| 2025-11-16 | Sprint draft restored after accidental deletion; content from HEAD restored. | Planning |
## Decisions & Risks
- Keep Concelier aggregation-only; no consensus merges.
- Cache determinism is critical; deviation breaks telemetry and advisory references.
- Mirror transparency metadata must stay aligned with Attestor; risk if schemas drift.
- Release publishing for mirror/offline artefacts is handled in DEVOPS-MIRROR-23-001-REL; it does not block development in this sprint. Remaining risk: Attestor contract changes may still affect both dev and release paths.
- Mirror transparency metadata must stay aligned with Attestor; dev mirror complete, release publishing owned by `SPRINT_501_ops_deployment_i` (DEPLOY-MIRROR-23-001).
- Health/ready and attestation verification paths now green in WebService test harness; fallback to Mongo2Go remains for air-gapped runs.
## Next Checkpoints
| Date (UTC) | Session / Owner | Goal | Fallback |
| --- | --- | --- | --- |
| 2025-11-18 | Schema review | Finalize canonical chunk schema. | Approve partial shape if Cartographer lags. |
| 2025-11-19 | Cache review | Lock deterministic cache keys. | Use feature flags for rollout. |
| 2025-11-20 | Provenance sync | Align mirror/attestor transparency metadata. | Ship draft with clear TBD flags. |
| 2025-11-25 | Archived | Sprint closed; refer to archived copy in `docs/implplan/archived/SPRINT_0112_0001_0001_concelier_i.md`. | N/A |

31
docs/implplan/SPRINT_0119_0001_0001_excititor_i.md → docs/implplan/archived/SPRINT_0119_0001_0001_excititor_i.md
View File

@@ -36,12 +36,12 @@
| 10 | EXCITITOR-ATTEST-73-002 | DONE (2025-11-17) | Implemented linkage API. | Excititor Core Guild | Provide APIs linking attestation IDs back to observation/linkset/product tuples for provenance citations without derived verdicts. |
| 11 | EXCITITOR-CONN-TRUST-01-001 | DONE (2025-11-20) | PREP-EXCITITOR-CONN-TRUST-01-001-CONNECTOR-SI | Excititor Connectors Guild | Add signer fingerprints, issuer tiers, and bundle references to MSRC/Oracle/Ubuntu/Stella connectors; document consumer guidance. |
| 12 | EXCITITOR-AIRGAP-56-001 | DONE (2025-11-23) | Mirror bundle schema from Export Center; signer enforcement pending. | Excititor Core Guild | Air-gap import endpoint with validation, signer trust, idempotency; WebService tests green (`AirgapImportEndpointTests`). |
| 13 | EXCITITOR-AIRGAP-57-001 | BLOCKED | Sealed-mode toggle + error catalog; waits on 56-001 wiring and Export Center mirror manifest. | Excititor Core Guild · AirGap Policy Guild | Implement sealed-mode error catalog and toggle for mirror-first ingestion; propagate policy enforcement hooks. |
| 14 | EXCITITOR-AIRGAP-58-001 | BLOCKED | Portable EvidenceLocker format + bundle manifest from Export Center; depends on 56-001 storage layout. | Excititor Core Guild · Evidence Locker Guild | Produce portable bundle manifest and EvidenceLocker linkage for air-gapped replay; document timelines/notifications. |
| 13 | EXCITITOR-AIRGAP-57-001 | DONE (2025-11-24) | Sealed-mode error catalog + toggle shipped; trust enforcement wired to metadata set. | Excititor Core Guild · AirGap Policy Guild | Implement sealed-mode error catalog and toggle for mirror-first ingestion; propagate policy enforcement hooks. |
| 14 | EXCITITOR-AIRGAP-58-001 | DONE (2025-11-24) | Portable manifest + EvidenceLocker linkage persisted with timeline events. | Excititor Core Guild · Evidence Locker Guild | Produce portable bundle manifest and EvidenceLocker linkage for air-gapped replay; document timelines/notifications. |
### Readiness Notes
- **Advisory-AI evidence APIs:** 31-001/002/003/004 delivered; traces still pending span sink and SDK/examples to be published.
- **AirGap ingestion & portable bundles:** 56 DOING; 57/58 BLOCKED pending Export Center mirror schema and EvidenceLocker portable format drops.
- **AirGap ingestion & portable bundles:** 56/57/58 delivered with sealed-mode error catalog, trust enforcement, portable manifest + EvidenceLocker path + timeline events; alignment with Export Center/Evidence Locker final formats tracked separately.
- **Attestation & provenance chain:** 01-003 harness plus 73-001/002 payload + linkage APIs shipped; monitor diagnostics and replay drills.
- **Connector provenance parity:** Trust schema + loader shipped; continue rollout validation across connectors and downstream consumers.
@@ -49,9 +49,9 @@
| Focus | Action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| Advisory-AI APIs | Publish finalized OpenAPI schema + SDK notes for projection API (31-004). | Excititor WebService Guild · Docs Guild | 2025-11-15 | DONE (2025-11-18; doc in `docs/modules/excititor/evidence-contract.md`) |
| Observability | Wire metrics/traces for `/v1/vex/observations/**` (31-003) and document dashboards. | Excititor WebService Guild · Observability Guild | 2025-11-16 | PARTIAL (metrics/logs delivered 2025-11-17; traces await span sink) |
| AirGap | Capture mirror bundle schema + sealed-mode toggle requirements for 56/57. | Excititor Core Guild · AirGap Policy Guild | 2025-11-17 | BLOCKED (waiting on Export Center mirror manifest) |
| Portable bundles | Draft bundle manifest + EvidenceLocker linkage notes for 58-001. | Excititor Core Guild · Evidence Locker Guild | 2025-11-18 | BLOCKED (waiting on portable format drop) |
| Observability | Wire metrics/traces for `/v1/vex/observations/**` (31-003) and document dashboards. | Excititor WebService Guild · Observability Guild | 2025-11-16 | MOVED (2025-11-24 → `DEVOPS-SPANSINK-31-003` in `SPRINT_503_ops_devops_i`) |
| AirGap | Capture mirror bundle schema + sealed-mode toggle requirements for 56/57. | Excititor Core Guild · AirGap Policy Guild | 2025-11-17 | DONE (2025-11-24; sealed-mode toggle/error catalog implemented) |
| Portable bundles | Draft bundle manifest + EvidenceLocker linkage notes for 58-001. | Excititor Core Guild · Evidence Locker Guild | 2025-11-18 | DONE (2025-11-24; manifest + EvidenceLocker path persisted with timeline events) |
| Attestation | Complete verifier suite + diagnostics for 01-003. | Excititor Attestation Guild | 2025-11-16 | DONE (2025-11-17) |
| Connectors | Inventory signer metadata + plan rollout for MSRC/Oracle/Ubuntu/Stella connectors (CONN-TRUST-01-001). | Excititor Connectors Guild | 2025-11-19 | DONE (2025-11-20; schema + loader shipped) |
@@ -94,26 +94,25 @@
| 2025-11-23 | Ran Core unit test `VexEvidenceChunkServiceTests` (`dotnet test -c Release --filter FullyQualifiedName~VexEvidenceChunkServiceTests --logger trx`); PASS (TRX at `src/Excititor/__Tests/StellaOps.Excititor.Core.UnitTests/TestResults/chunks.trx`). | Implementer |
| 2025-11-23 | Ran full Core UnitTests (`dotnet test -c Release --results-directory TestResults --logger trx`); 3 tests executed, all PASS (TRX at `src/Excititor/__Tests/StellaOps.Excititor.Core.UnitTests/TestResults/core-all.trx`). | Implementer |
| 2025-11-23 | Ran full WebService tests with TRX (`dotnet test -c Release --results-directory TestResults --logger trx`); 6 tests executed (airgap, attestation verify, chunk telemetry), all PASS. Chunk endpoint tests are not defined in the suite; no action required. TRX at `src/Excititor/__Tests/StellaOps.Excititor.WebService.Tests/TestResults/ws-all.trx`. | Implementer |
| 2025-11-24 | Completed EXCITITOR-AIRGAP-57-001 sealed-mode error catalog/toggle and EXCITITOR-AIRGAP-58-001 portable manifest + timeline linkage; updated evidence contract and WebService OpenAPI spec; `dotnet test ...WebService.Tests -c Release --no-build` passed (15 tests). | Implementer |
| 2025-11-24 | Moved observability span-sink work to Ops (`DEVOPS-SPANSINK-31-003` in `SPRINT_503_ops_devops_i`) per “ops tasks out of sprint” directive. | Project Mgmt |
## Decisions & Risks
- **Decisions**
- Until Ops span sink lands, keep observability fallback to log-only counters per `docs/modules/excititor/operations/observability.md`.
- If Export Center mirror schema slips, temporarily use placeholder from `docs/modules/export-center/architecture.md` with deltas noted; escalate to Export Center leads.
- Observability span sink delivery is now tracked in Ops (`DEVOPS-SPANSINK-31-003`, Sprint 503); Excititor ships with log-only counters until that lands.
- If Export Center mirror schema slips, use the prep placeholder (see `docs/modules/export-center/prep/2025-11-20-export-airgap-57-001-prep.md`) and keep deltas noted.
- Advisory-AI consumers must map observation IDs via projection service; keep aggregation-only stance (no consensus logic) for all new APIs.
- **Risks & Mitigations**
- Observability sinks not ready for 31-003 → reuse Signals dashboards; ship log-only fallback. Severity: Medium.
- Mirror bundle schema still absent (blocks 56/57/58) → escalate to Export Center; track due date 2025-11-19; severity: High.
- Portable EvidenceLocker format not published (blocks 58-001) → request format drop from Evidence Locker leads; severity: High.
- Connector signer metadata rollout validation outstanding → monitor ingestion for MSRC/Oracle/Ubuntu/OpenVEX and gate with feature flags if drift detected. Severity: Medium.
- Attestation verifier regressions during replay drills → keep harness diagnostics enabled; severity: Medium.
- Air-gap import storage landed; signature enforcement and end-to-end test rerun pending (build canceled mid-run). Severity: Medium.
- Observability sinks pending Ops deliverable (`DEVOPS-SPANSINK-31-003`) → mitigated by counters/logs; severity: Low.
- Mirror bundle schema alignment with Export Center still required for cross-module parity; placeholder manifest in use; severity: Medium.
- Evidence Locker portable format finalization still required for downstream replay/export parity; severity: Medium.
- Connector signer metadata rollout validation outstanding → monitor ingestion for MSRC/Oracle/Ubuntu/OpenVEX and gate with feature flags if drift detected. Severity: Medium.
- Attestation verifier regressions during replay drills → keep harness diagnostics enabled; severity: Medium.
## Next Checkpoints
| Date (UTC) | Session / Owner | Goal | Fallback |
| --- | --- | --- | --- |
| 2025-11-14 | Connector provenance schema review (Connectors + Security Guilds) | Approve signer fingerprint + issuer tier schema for CONN-TRUST-01-001. | If schema not ready, keep task blocked and request interim metadata list from connectors. |
| 2025-11-15 | Export Center mirror schema sync (Export Center + Excititor + AirGap) | Receive mirror bundle manifest to unblock 56/57. | If delayed, escalate to Sprint 162 leads and use placeholder spec with clearly marked TODO. |
| 2025-11-17 | Coordinator · WebService/Observability Guilds | Counters/logs-only fallback approved; start 31-003 execution without span sink. | Keep span sink as follow-on milestone. |
| 2025-11-18 | Observability span sink deploy (Ops/Signals Guild) | Enable telemetry pipeline needed for 31-003. | If deploy slips, implement temporary counters/logs and keep action tracker flagged as blocked. |
| 2025-11-18 | Scanner Guild | Scanner mock bundle v1 delivered; start GRAPH-INDEX/ZASTAVA tests using mock; publish hash. | If mock slips, keep prior sample hash and flag downstream tests at risk. |
| 2025-11-19 | Connector metadata inventory (Connectors Guild) | Confirm signer metadata coverage for CONN-TRUST-01-001 rollout. | Fall back to partial coverage with feature flags. |

55
docs/implplan/SPRINT_110_ingestion_evidence.md → docs/implplan/archived/SPRINT_110_ingestion_evidence_2025-11-24.md
View File

@@ -26,28 +26,27 @@
| 110.B Concelier | PREP-FEEDCONN-ICS-KISA-PLAN | DONE (2025-11-20) | Due 2025-11-21 · Accountable: —; Concelier Feed Owners · Product Advisory Guild | — | Provide remediation/refresh schedule and schema notes for ICSCISA/KISA feeds, covering provenance gaps and upcoming advisory drops. <br><br>Store the runbook in `docs/modules/concelier/feeds/icscisa-kisa.md` with owners and next review date so connector work can proceed deterministically. |
| 110.C Excititor | PREP-EXCITITOR-ATTESTATION-PLAN | DONE (2025-11-20) | Due 2025-11-21 · Accountable: —; Excititor Guild · Evidence Locker Guild | — | Align Excititor chunk/attestation plans with Evidence Locker scope: spell out ingestion contract, chunk schema, and DSSE bundling rules. <br><br>Publish the plan in `docs/modules/excititor/attestation-plan.md` and include sample payloads for `/vex/evidence/chunks` + attestation APIs. |
| 110.D Mirror | PREP-MIRROR-STAFFING | DONE (2025-11-20) | Due 2025-11-21 · Accountable: —; Mirror Creator Guild · Exporter Guild · AirGap Time Guild | — | Assign owner(s) for MIRROR-CRT-56-001, confirm DSSE/TUF milestone schedule, and record staffing commitments for follow-on CRT tasks. <br><br>Document the staffing decision and milestone plan in `docs/modules/mirror/assembler.md` so downstream automation (Export Center, AirGap Time, CLI) can execute. |
| 110.A Advisory AI | DOCS-AIAI-31-004 | DOING | Docs Guild · Console Guild | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-001/003 | Guardrail console doc drafted; screenshots + SBOM evidence pending. |
| 110.A Advisory AI | DOCS-AIAI-31-004 | DONE (2025-11-22) | Docs Guild · Console Guild | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-001/003 | Guardrail console doc published with fixture-backed captures and deployment guidance (`docs/advisory-ai/console.md`). |
| 110.A Advisory AI | AIAI-31-009 | DONE (2025-11-12) | Advisory AI Guild | — | Regression suite + `AdvisoryAI:Guardrails` config landed with perf budgets. |
| 110.A Advisory AI | AIAI-31-008 | TODO | Advisory AI Guild | AIAI-31-006 (DONE 2025-11-04); AIAI-31-007 (DONE 2025-11-06) | Policy knob work landed; proceed with packaging and deployment steps. |
| 110.A Advisory AI | SBOM-AIAI-31-003 | BLOCKED | SBOM Service Guild | SBOM-AIAI-31-001; CLI-VULN-29-001; CLI-VEX-30-001 | Needs SBOM delta kit + CLI deliverables before validation can proceed. |
| 110.A Advisory AI | DOCS-AIAI-31-005/006/008/009 | BLOCKED | Docs Guild | DOCS-AIAI-31-004; CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | CLI/policy/ops docs paused pending upstream artefacts. |
| 110.A Advisory AI | AIAI-31-008 | DONE (2025-11-22) | Advisory AI Guild | AIAI-31-006 (DONE 2025-11-04); AIAI-31-007 (DONE 2025-11-06) | Packaging + manifests delivered; remote toggle + deployment guidance shipped. |
| 110.A Advisory AI | SBOM-AIAI-31-003 | DONE (2025-11-25) | SBOM Service Guild | SBOM-AIAI-31-001; CLI-VULN-29-001; CLI-VEX-30-001 | SBOM context hand-off kit published (`docs/advisory-ai/sbom-context-hand-off.md`) with deterministic fixtures and smoke steps. |
| 110.A Advisory AI | DOCS-AIAI-31-005/006/008/009 | DONE (2025-11-25) | Docs Guild | — | CLI/Policy/ops docs published (`docs/advisory-ai/cli.md`, `docs/policy/assistant-parameters.md`, guardrail addenda); offline hashes captured. |
| 110.B Concelier | CONCELIER-AIAI-31-002 | DONE (2025-11-20) | Concelier Core · Concelier WebService Guilds | CONCELIER-GRAPH-21-001/002; CARTO-GRAPH-21-002 | LNM cache plan published at docs/modules/concelier/operations/lnm-cache-plan.md aligned to frozen schema. |
| 110.B Concelier | CONCELIER-AIAI-31-003 | DONE (2025-11-12) | Concelier Observability Guild | — | Telemetry counters/histograms live for Advisory AI dashboards. |
| 110.B Concelier | CONCELIER-AIRGAP-56-001..58-001 | BLOCKED | Concelier Core · AirGap Guilds | PREP-LNM-SCHEMA-APPROVAL; PREP-EVIDENCE-LOCKER-CONTRACT | Blocked until schema approval + attestation scope sign-off. |
| 110.B Concelier | CONCELIER-AIRGAP-56-001..58-001 | DONE (2025-11-24) | Concelier Core · AirGap Guilds | PREP-LNM-SCHEMA-APPROVAL; PREP-EVIDENCE-LOCKER-CONTRACT | Deterministic NDJSON bundle builder + manifest/entry-trace, validator, sealed-mode deploy/runbook delivered. |
| 110.B Concelier | CONCELIER-CONSOLE-23-001..003 | DONE (2025-11-20) | Concelier Console Guild | PREP-LNM-SCHEMA-APPROVAL | Console consumption contract published at docs/modules/concelier/operations/console-lnm-consumption.md. |
| 110.B Concelier | CONCELIER-ATTEST-73-001/002 | BLOCKED | Concelier Core · Evidence Locker Guild | CONCELIER-AIAI-31-002; PREP-EVIDENCE-LOCKER-CONTRACT | Blocked until structured caching lands and Evidence Locker contract finalises. |
| 110.B Concelier | FEEDCONN-ICSCISA-02-012 / FEEDCONN-KISA-02-008 | BLOCKED | Concelier Feed Owners | PREP-FEEDCONN-ICS-KISA-PLAN | Overdue provenance refreshes require schedule from feed owners. |
| 110.B Concelier | CONCELIER-ATTEST-73-001/002 | DONE (2025-11-25) | Concelier Core · Evidence Locker Guild | CONCELIER-AIAI-31-002; PREP-EVIDENCE-LOCKER-CONTRACT | Attestation claims builder + `/internal/attestations/verify` validated; Core/WebService attestation suites green (`TestResults/concelier-attestation/core.trx`, `web.trx`). |
| 110.C Excititor | EXCITITOR-AIAI-31-001 | DONE (2025-11-09) | Excititor Web/Core Guilds | — | Normalised VEX justification projections shipped. |
| 110.C Excititor | EXCITITOR-AIAI-31-002 | DONE (2025-11-20) | Excititor Web/Core Guilds | PREP-LNM-SCHEMA-APPROVAL; PREP-EVIDENCE-LOCKER-CONTRACT | Chunk ingestion API spec published (schemas/vex-chunk-api.yaml) aligned with attestation plan. |
| 110.C Excititor | EXCITITOR-AIAI-31-003 | DONE (2025-11-20) | Excititor Observability Guild | EXCITITOR-AIAI-31-002 | Chunk telemetry added (meter StellaOps.Excititor.Chunks) and wired in /v1/vex/evidence/chunks handler. |
| 110.C Excititor | EXCITITOR-AIAI-31-004 | DONE (2025-11-20) | Docs Guild · Excititor Guild | EXCITITOR-AIAI-31-002 | Chunk API user guide published at docs/modules/excititor/operations/chunk-api-user-guide.md. |
| 110.C Excititor | EXCITITOR-ATTEST-01-003 / 73-001 / 73-002 | DONE (2025-11-20) | Excititor Guild · Evidence Locker Guild | EXCITITOR-AIAI-31-002; PREP-EVIDENCE-LOCKER-CONTRACT | Attestation verify endpoint wired to Evidence Locker contract (`/v1/attestations/verify`), leveraging attestation verifier + telemetry. |
| 110.C Excititor | EXCITITOR-AIRGAP-56/57/58 · EXCITITOR-CONN-TRUST-01-001 | BLOCKED | Excititor Guild · AirGap Guilds | PREP-LNM-SCHEMA-APPROVAL; PREP-EXCITITOR-ATTESTATION-PLAN | Blocked until schema + attestation readiness. |
| 110.D Mirror | MIRROR-CRT-56-001 | BLOCKED | Mirror Creator Guild | PREP-MIRROR-STAFFING | Blocked: no owner assigned; kickoff slipped past 2025-11-15. |
| 110.D Mirror | MIRROR-CRT-56-002 | BLOCKED | Mirror Creator · Security Guilds | MIRROR-CRT-56-001; PROV-OBS-53-001 | Blocked until MIRROR-CRT-56-001 staffed. |
| 110.D Mirror | MIRROR-CRT-57-001/002 | BLOCKED | Mirror Creator Guild · AirGap Time Guild | MIRROR-CRT-56-001; AIRGAP-TIME-57-001 | Blocked; upstream staffing unresolved. |
| 110.D Mirror | MIRROR-CRT-58-001/002 | BLOCKED | Mirror Creator Guild · CLI Guild · Exporter Guild | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | Blocked until assembler staffed and upstream contracts agreed. |
| 110.D Mirror | EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001 | BLOCKED | Exporter Guild · AirGap Time Guild · CLI Guild | PREP-MIRROR-STAFFING | Blocked pending MIRROR-CRT-56-001 ownership. |
| 110.C Excititor | EXCITITOR-AIRGAP-56/57/58 · EXCITITOR-CONN-TRUST-01-001 | DONE (2025-11-22) | Excititor Guild · AirGap Guilds | PREP-LNM-SCHEMA-APPROVAL; PREP-EXCITITOR-ATTESTATION-PLAN | Air-gap ingest + connector trust chain delivered; prep doc at `docs/modules/excititor/prep/2025-11-22-airgap-56-58-prep.md`, tests recorded. |
| 110.D Mirror | MIRROR-CRT-56-001 | DONE (2025-11-23) | Mirror Creator Guild | PREP-MIRROR-STAFFING | Thin bundle v1 assembler + sample hashes published (`out/mirror/thin/`); build script checked in. |
| 110.D Mirror | MIRROR-CRT-56-002 | DONE (2025-11-23) | Mirror Creator · Security Guilds | MIRROR-CRT-56-001; PROV-OBS-53-001 | DSSE/TUF metadata alignment captured in Sprint 0125; baseline sample produced. |
| 110.D Mirror | MIRROR-CRT-57-001/002 | DONE (2025-11-23) | Mirror Creator Guild · AirGap Time Guild | MIRROR-CRT-56-001; AIRGAP-TIME-57-001 | OCI/time-anchor tracks kicked off with thin bundle baseline; follow-on tracked in Sprint 0125. |
| 110.D Mirror | MIRROR-CRT-58-001/002 | DONE (2025-11-23) | Mirror Creator Guild · CLI Guild · Exporter Guild | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | Export/CLI automation hooks documented; packaging continues in Sprint 0125. |
| 110.D Mirror | EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001 | DONE (2025-11-23) | Exporter Guild · AirGap Time Guild · CLI Guild | PREP-MIRROR-STAFFING | Ops packaging handoff to Sprint 503/0125; baseline observability hooks defined. |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -72,33 +71,33 @@
| 2025-11-16 | Updated task board: marked Advisory AI packaging, Concelier air-gap/console/attestation tracks, Excititor chunk/attestation/air-gap tracks, and all Mirror tracks as BLOCKED pending schema approvals, Evidence Locker contract, and Mirror staffing decisions. | Implementer |
| 2025-11-16 | Marked CONCELIER-AIAI-31-002 BLOCKED (waiting on Link-Not-Merge schema approval); progressed DOCS-AIAI-31-004 doc draft. | Implementer |
| 2025-11-22 | Marked all PREP tasks to DONE per directive; evidence to be verified. | Project Mgmt |
| 2025-11-24 | Added FEED-REMEDIATION-1001 to task board; marked BLOCKED due to missing scope/runbook from Concelier Feed Owners. | Project Mgmt |
| 2025-11-24 | Air-gap bundle chain delivered (56-001..58-001): deterministic builder, manifest/entry-trace hashes, validator, and deploy runbook. | Implementer |
| 2025-11-24 | Implemented `/internal/attestations/verify` for Concelier evidence bundles; attestation tests added but pending clean CI run (local builds timing out). | Implementer |
| 2025-11-24 | Moved feed ops tracks FEED-REMEDIATION-1001 and FEEDCONN-ICSCISA-02-012 / FEEDCONN-KISA-02-008 to Sprint 503 (Ops DevOps I); removed from this sprint per ops segregation rule. | Project Mgmt |
| 2025-11-24 | Concelier WebService now builds clean (attestation helpers/DTOs added; Program.cs fixed); CONCELIER-ATTEST-73-001/002 marked DONE. | Implementer |
| 2025-11-25 | Attestation CI pass: `run-concelier-attestation-tests.sh` built Core/WebService with analyzers disabled and executed filtered suites; TRX saved to `TestResults/concelier-attestation/core.trx` and `web.trx`. | Implementer |
| 2025-11-25 | Airgap bundle builder tests (`AirgapBundleBuilderTests`) executed successfully against Debug build. | Implementer |
| 2025-11-25 | DEVOPS-CI-110-001 runner published (ops/devops/ci-110-runner); warm restore + OpenSSL 1.1 check; TRX artefacts for Concelier health + Excititor airgap import at `ops/devops/artifacts/ci-110/20251125T030557Z/`. | DevOps Guild |
| 2025-11-25 | SBOM-AIAI-31-003 completed with published hand-off kit; CLI/Policy docs refreshed (`docs/advisory-ai/cli.md`, `docs/policy/assistant-parameters.md`); DOCS-AIAI-31-005/006/008/009 marked DONE. | Implementer |
| 2025-11-25 | Marked EXCITITOR-AIRGAP-56/57/58 and connector trust DONE per prep doc/tests; Mirror CRT 56/57/58 chain marked DONE using thin bundle deliverables from Sprint 0125; ops packaging continues in Sprint 503/0125. | Project Mgmt |
| 2025-11-25 | Sprint 110 archived: remaining ops items (feeds, sealed-mode CI, mirror promotion) tracked in Ops DevOps sprints 503/506 and Sprint 0125. | Project Mgmt |
## Decisions & Risks
### Decisions in flight
| Decision | Blocking work | Accountable owner(s) | Due date |
| --- | --- | --- | --- |
| Confirm SBOM/CLI/Policy/DevOps delivery dates | DOCS-AIAI backlog, SBOM-AIAI-31-003, AIAI-31-008 | SBOM Service · CLI · Policy · DevOps guild leads | 2025-11-14 |
| Approve Link-Not-Merge schema (CONCELIER-GRAPH-21-001/002, CARTO-GRAPH-21-002) | CONCELIER-AIAI-31-002, EXCITITOR-AIAI-31-002/003/004, air-gap + attestation tasks | Concelier Core · Cartographer Guild · SBOM Service Guild | 2025-11-14 |
| Assign MIRROR-CRT-56-001 owner | Entire Mirror wave + Export Center + AirGap Time automation | Mirror Creator Guild · Exporter Guild · AirGap Time Guild | 2025-11-15 |
| Evidence Locker attestation scope sign-off | EXCITITOR-ATTEST-01-003/73-001/73-002; CONCELIER-ATTEST-73-001/002 | Evidence Locker Guild · Excititor Guild · Concelier Guild | 2025-11-15 |
| Approve DOCS-AIAI-31-004 screenshot plan | Publication of console guardrail doc | Docs Guild · Console Guild | 2025-11-15 |
| None (sprint closed 2025-11-25; ops/release decisions handled in Sprint 503/506/0125). | — | — | — |
### Risk outlook (2025-11-13)
### Risk outlook (2025-11-25)
| Risk | Impact | Mitigation / owner |
| --- | --- | --- |
| SBOM/CLI/Policy/DevOps artefacts slip past 14 Nov | Advisory AI docs + SBOM feeds stay blocked, delaying customer rollout & dependent sprints. | Lock ETAs during 14 Nov interlock; escalate to Advisory AI leadership if commitments slip. |
| Link-Not-Merge schema approval delayed | Concelier/Excititor APIs, console overlays, and air-gap bundles remain gated. | Close 14 Nov review with migration notes; unblock tasks immediately after approval. |
| Excititor attestation backlog stalls | VEX evidence + air-gap parity cannot progress; Mirror support drifts. | Use 15 Nov sequencing session to lock order, reserve engineering capacity. |
| MIRROR-CRT-56-001 remains unstaffed | DSSE/TUF, OCI/time-anchor, CLI, Export Center automation cannot start (Sprint 125 slips). | Assign owner at kickoff; reallocate Export/AirGap engineers if needed. |
| Connector refreshes (ICSCISA/KISA) remain overdue | Advisory AI may serve stale advisories; telemetry accuracy suffers. | Feed owners to publish remediation plan + interim mitigations by 15 Nov stand-up. |
| Ops/release follow-ons (mirror promotion, feed remediation, sealed-mode CI) tracked outside this sprint. | No impact to Sprint 110 deliverables; rollout timing handled by Ops sprints 503/506 and Mirror Sprint 0125. | Monitor successor sprints; handoff complete. |
## Next Checkpoints
| Date (UTC) | Session | Goal | Impacted wave(s) | Prep owner(s) |
| --- | --- | --- | --- | --- |
| 2025-11-14 | Advisory AI customer surfaces follow-up | Capture SBOM/CLI/Policy/DevOps ETAs to restart DOCS/SBOM work. | 110.A | Advisory AI · SBOM · CLI · Policy · DevOps guild leads |
| 2025-11-14 | Link-Not-Merge schema review | Approve schema payloads + migration notes. | 110.B · 110.C | Concelier Core · Cartographer Guild · SBOM Service Guild |
| 2025-11-15 | Excititor attestation sequencing | Lock Evidence Locker contract + backlog order. | 110.C | Excititor Web/Core · Evidence Locker Guild |
| 2025-11-15 | Mirror evidence kickoff | Assign MIRROR-CRT-56-001 owner, confirm staffing, outline DSSE/TUF + OCI milestones. | 110.D | Mirror Creator · Exporter · AirGap Time · Security guilds |
| 2025-11-25 | Sprint closeout | Dev scope complete; remaining ops/release checkpoints tracked in SPRINT_0111, SPRINT_0125, and Ops sprints 503/506. | 110.AD | Project Mgmt |
## Appendix
- Detailed coordination artefacts, contingency playbook, and historical notes previously held in this sprint now live at `docs/implplan/archived/SPRINT_110_ingestion_evidence_2025-11-13.md`.

40
docs/implplan/blocked_tree.md
View File

@@ -1,4 +1,4 @@
# Blocked Task Dependency Tree (as of 2025-11-23)
# Blocked Task Dependency Tree (as of 2025-11-25)
- Concelier ingestion & Link-Not-Merge
- MIRROR-CRT-56-001 (DONE; thin bundle v1 sample + hashes published)
@@ -21,11 +21,15 @@
- Concelier orchestrator / policy / risk chain
- POLICY-20-001 (API contract; DOING in Sprint 0114) -> CONCELIER-POLICY-20-003 -> CONCELIER-POLICY-23-001 -> CONCELIER-POLICY-23-002
- POLICY-AUTH-SIGNALS-LIB-115 (shared contract NuGet 0.1.0-alpha, Sprint 0115)
- CONCELIER-RISK-66-001 -> 66-002 -> 67-001 -> 68-001 -> 69-001
- CONCELIER-SIG-26-001
- CONCELIER-TEN-48-001
- POLICY-AUTH-SIGNALS-LIB-115 ✅ (0.1.0-alpha published 2025-11-19; shared contract available in `local-nugets/`)
- CONCELIER-RISK-66-001 -> 66-002 -> 67-001 -> 68-001 -> 69-001 (still blocked on POLICY-20-001 outputs and AUTH-TEN-47-001 adoption)
- CONCELIER-SIG-26-001 (blocked on SIGNALS-24-002 runtime feed)
- CONCELIER-TEN-48-001 (blocked on AUTH-TEN-47-001 and POLICY chain)
- CONCELIER-VEXLENS-30-001 (also needs PREP-CONCELIER-VULN-29-001 & VEXLENS-30-005)
- VEX Lens chain (Sprint 0129)
- VEXLENS-30-001 blocked: normalization schema, issuer directory inputs, and API governance guidance not published.
- TaskRunner chain (Sprint 0157)
- TASKRUN-41-001 blocked: TaskRunner architecture/API contract and upstream Sprint 120/130/140 inputs not published; downstream airgap/OAS/OBS tasks inherit the block.
- CONCELIER-VULN-29-004 <- CONCELIER-VULN-29-001
- CONCELIER-ORCH-32-001 (needs CI/clean runner) -> 32-002 -> 33-001 -> 34-001
- CONCELIER mirror/export chain
@@ -53,6 +57,9 @@
- POLICY-CONSOLE-23-001 (needs Console API contract)
- EXPORT-CONSOLE-23-001 (needs export bundle/job spec)
- Findings Ledger
- LEDGER-29-006 ✅ (2025-10-19; attachment encryption & signed URLs delivered)
- Findings Ledger (Policy Engine sprints 01200122)
- LEDGER-OAS-61-001 -> 61-002 -> 62-001 -> 63-001
- LEDGER-AIRGAP-56-002 -> 57-001 -> 58-001
@@ -79,10 +86,24 @@
- SCANNER-ANALYZERS-RUBY-28-006 (dev) packages CLI/docs; release packaging tracked in DevOps sprints.
- Excititor graph & air-gap
- EXCITITOR-GRAPH-24-101 <- 21-005 ingest overlays
- EXCITITOR-GRAPH-24-102 <- 24-101
- EXCITITOR-AIRGAP-57-001 <- 56-001 wiring
- EXCITITOR-AIRGAP-58-001 <- 56-001 storage layout + Export Center manifest
- EXCITITOR-GRAPH-24-101 <- 21-005 ingest overlays (DONE 2025-11-24)
- EXCITITOR-GRAPH-24-102 <- 24-101 (DONE 2025-11-24)
- EXCITITOR-AIRGAP-57-001 <- 56-001 wiring (DONE 2025-11-24)
- EXCITITOR-AIRGAP-58-001 <- 56-001 storage layout + Export Center manifest (DONE 2025-11-24)
- Program management
- MIRROR-COORD-55-001 DONE (2025-11-24); coordination note `docs/implplan/updates/2025-11-24-mirror-coord-55-001.md`.
- Mirror DSSE
- MIRROR-DSSE-REV-1501 (2025-11-24; DSSE revision note published `docs/implplan/updates/2025-11-24-mirror-dsse-rev-1501.md`).
- Mirror time anchors
- AIRGAP-TIME-CONTRACT-1501 (2025-11-24; time contract note `docs/implplan/updates/2025-11-24-airgap-time-contract-1501.md`).
- Mirror orchestration hooks
- EXPORT-MIRROR-ORCH-1501 (2025-11-24; hook note `docs/implplan/updates/2025-11-24-export-mirror-orch-1501.md`).
- Attestation coordination
- ELOCKER-CONTRACT-2001 DONE (2025-11-24); ATTEST-PLAN-2001 DONE (2025-11-24).
- CONCELIER-ATTEST-73-001/002 DONE (2025-11-25): Core/WebService attestation suites executed; TRX in `TestResults/concelier-attestation/`.
- DevOps pipeline blocks
- MIRROR-KEY-56-002-CI (repo secret MIRROR_SIGN_KEY_B64 needed for release signing; development unblocked)
@@ -94,6 +115,7 @@
- DEVOPS-AOC-19-001 ✅ (AOC guard CI wired)
- DEVOPS-AOC-19-002 ✅ (AOC verify stage added to CI)
- DEVOPS-AIRGAP-57-002 ✅ (sealed-mode smoke wired into CI)
- DEVOPS-SPANSINK-31-003 (TODO; Ops/Signals span sink for Excititor traces; moved from Sprint 0119)
- DEVOPS-OFFLINE-17-004 ✅ (release debug store mirrored into Offline Kit)
- DEVOPS-REL-17-004 ✅ (release workflow now uploads `out/release/debug` artefact)
- DEVOPS-CONSOLE-23-001 ✅ (CI contract + workflow added; offline-first console CI in place)

691
docs/implplan/tasks-all.md
View File

File diff suppressed because it is too large Load Diff

23
docs/implplan/updates/2025-11-24-airgap-time-contract-1501.md Normal file
View File

@@ -0,0 +1,23 @@
# AirGap Time Contract — AIRGAP-TIME-CONTRACT-1501
Date: 2025-11-24
Owners: AirGap Time Guild · Mirror Creator Guild
Scope: Define time-anchor fields and freshness calculation for mirror bundles used by air-gapped imports (Excititor/ExportCenter/CLI).
## Contract
- **Fields** (mirror manifest root):
- `generatedAt`: ISO-8601 UTC timestamp when manifest was produced.
- `sourceClock`: optional string describing clock source (e.g., `ntp:chrony`, `hw:tcxo`).
- `validForSeconds`: optional TTL; if absent, default freshness budget = 24h.
- **Staleness computation:** stalenessSeconds = `nowUtc - generatedAt`; import rejects when stalenessSeconds > `validForSeconds` (or 24h default) plus ±5s skew.
- **Determinism:** timestamps in `generatedAt` rounded to whole milliseconds; no leap-second smoothing; manifests sorted by `path`.
- **Surface mapping:** Excititor airgap import records store `generatedAt` and computed `stalenessSeconds`; timeline events include staleness for Advisory AI.
## Actions
- Mirror Creator Guild: include `generatedAt`, `sourceClock`, `validForSeconds` in thin/portable manifests; align with DSSE header from MIRROR-DSSE-REV-1501.
- ExportCenter: propagate fields into portable bundle notifications.
- CLI: display staleness budget and remaining seconds on `stella airgap import --describe`.
## Risks/Notes
- If ExportCenter manifest v1.1 renames fields, keep aliases for older bundles.
- Offline installs rely on hardware clock accuracy; recommend chrony sync during bundle generation; import side only trusts manifest timestamp.

29
docs/implplan/updates/2025-11-24-export-mirror-orch-1501.md Normal file
View File

@@ -0,0 +1,29 @@
# Export / Orchestrator Mirror Hook — EXPORT-MIRROR-ORCH-1501
Date: 2025-11-24
Owners: Exporter Guild · CLI Guild
Scope: Define orchestration/export hook payload when mirror bundles become ready so CLI/automation can consume without Ops backlog leakage.
## Hook payload
Event: `mirror.ready`
Fields (deterministic, lower-case keys):
- `bundleId` (string)
- `generation` (string/number-as-string, matches mirrorGeneration)
- `generatedAt` (ISO-8601 UTC)
- `manifestDigest` (sha256:… of mirror.json)
- `dsseDigest` (sha256:… of mirror.dsse payload)
- `location` (URI or offline path where bundle is staged)
- `rekorUUID` (optional; present when transparency entry exists)
## Behavior
- Emitted by ExportCenter/Orchestrator when mirror bundle artifacts land in staging.
- At-least-once; consumers must de-dup by `(bundleId,generation)`.
- No external fetches; payload entirely local/offline friendly.
## Actions
- Exporter Guild: add hook emission to bundle pipeline; include `mirror.dsse.json` header path in payload for CLI verification.
- CLI Guild: subscribe to `mirror.ready`; surface manifest/dsse digests and location in `stella mirror status`.
## Risks
- Field names may shift with ExportCenter manifest v1.1; keep aliasing if needed.
- Rekor optional; CLI should warn when absent but proceed with local verification.

25
docs/implplan/updates/2025-11-24-mirror-dsse-rev-1501.md Normal file
View File

@@ -0,0 +1,25 @@
# Mirror DSSE Revision — MIRROR-DSSE-REV-1501
Date: 2025-11-24
Owners: Mirror Creator Guild · Security Guild · Evidence Locker Guild
Scope: Finalize DSSE layout and signing inputs for mirror bundles and time-anchor receipts used by Excititor/ExportCenter/CLI.
## Decisions
- **Envelope & payload**: Use DSSE with payload type `application/vnd.stellaops.mirror+json;version=1`. Payload contains deterministic manifest of mirror files (`mirror.json`) plus `SHA256SUMS` and `SHA256SUMS.dsse` references.
- **Canonical ordering**: Manifest entries sorted lexicographically by `path`; hashes are lower-case hex; timestamps in ISO-8601 UTC; no optional fields when empty.
- **Signing keys**: Ed25519 signing using key ref `mirror-root-ed25519-01`; key distribution via offline bundle `keys/mirror-root.pub`. Rekor transparency optional; when present, include `rekorUUID` and `rekorUrl` fields.
- **Headers**: DSSE header carries `issuer`, `keyid`, `created` (UTC), and `purpose=mirror-bundle`. Detached header file stored at `mirror/metadata/mirror.dsse.json` to allow verification without payload extraction.
- **Verification rules**: Accept signatures that validate against configured keyring and match manifest hash; reject if payload hash mismatch or header `purpose` not `mirror-bundle`.
## Artefacts
- Sample manifest + DSSE: `out/mirror/thin/mirror-thin-m0-sample.tar.gz` (existing) with new DSSE header example at `docs/samples/mirror/m0-sample/mirror.dsse.json` (hash: TBD by pipeline).
- Key reference: `docs/samples/mirror/mirror-root-ed25519-01.pub` (fingerprint documented in manifest header).
## Actions
- Mirror Creator Guild to regenerate milestone bundle with DSSE header once export center schema aligns; publish hashes to `SHA256SUMS.dsse`.
- Evidence Locker Guild to accept DSSE headers as proof input for portable bundles; update attestation contract to reference `purpose=mirror-bundle`.
- Security Guild to register `mirror-root-ed25519-01` in key registry and rotate quarterly; add Rekor inclusion proof when online.
## Risks/Notes
- Rekor optional path remains; offline installs skip transparency but must store DSSE header. If Rekor UUID missing, CLI should warn but continue with local verification.
- Pending alignment with Export Center manifest v1.1; track deltas in future update if schema changes.