test
@@ -1,17 +1,17 @@
Here’s a tight, first‑time‑friendly blueprint for two Stella Ops UX pillars—**Triage & Exceptions** and **Knowledge Snapshots & Merge Semantics**—with just enough background plus concrete specs your PMs/devs can ship.
Here's a tight, first‑time‑friendly blueprint for two Stella Ops UX pillars—**Triage & Exceptions** and **Knowledge Snapshots & Merge Semantics**—with just enough background plus concrete specs your PMs/devs can ship.
---
# Triage & Exceptions (quiet‑by‑design)
**Why it matters (plain English):** Most scanners drown users in alerts. “Quiet‑by‑design” shows only *provable, reachable* risks and lets you create **auditable exceptions** (temporary waivers) that auto‑feed compliance packs.
**Why it matters (plain English):** Most scanners drown users in alerts. "Quiet‑by‑design" shows only *provable, reachable* risks and lets you create **auditable exceptions** (temporary waivers) that auto‑feed compliance packs.
**User flow**
1. **Inbox grouped by exploit path**
* Group key = `(artifact → package → vulnerable symbol → runtime path)`.
* Each group shows: risk score, blast radius (count of dependents), EPSS/CVSS, and a “Proof” button.
* Each group shows: risk score, blast radius (count of dependents), EPSS/CVSS, and a "Proof" button.
2. **Open a path → Proof bundle**
* **Reach subgraph** (who calls what).
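Review bot: this hunk only swaps typographic quotes for ASCII ones (the apostrophe in `Here's` on the first line and the double quotes around Quiet-by-design and Proof), so it changes no meaning; if the intent is full ASCII normalization of the prose, the non-breaking hyphens in `first‑time‑friendly` and `Quiet‑by‑design` and the em-dashes on the same lines are still non-ASCII and would need the same treatment.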
@@ -19,7 +19,7 @@ Here’s a tight, first‑time‑friendly blueprint for two Stella Ops UX pill
* **VEX claims** (vendor/distro/internal) with trust score + signatures.
3. **Raise Exception** (time‑boxed)
* **Required fields:** attested reason (dropdown + free text), expiry date, recheck policy (e.g., “fail build if new reachable path appears”, “fail if EPSS > X”).
* **Required fields:** attested reason (dropdown + free text), expiry date, recheck policy (e.g., "fail build if new reachable path appears", "fail if EPSS > X").
* **Attestation:** DSSE‑signed exception object, OCI‑attached to artifact digest.
* Auto‑lands in **Audit Pack** (PDF/JSON bundle) and **Timeline**.
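Review bot: the quote replacement around the recheck policy examples is consistent with the first hunk; the hunk header still shows `Here’s` with the curly apostrophe because git takes that context from the pre-image, so it is not a missed occurrence. Since `"fail build if new reachable path appears"` and `"fail if EPSS > X"` are the only illustration of what a recheck policy looks like, consider stating the actual policy form the `ExceptionObj` record expects rather than prose in quotes, otherwise implementers will guess.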
@@ -64,7 +64,7 @@ record ExceptionObj(
# Knowledge Snapshots & Merge Semantics
**Plain English:** Take a sealed “photo” of everything you *know* at a point in time—SBOM, VEX, attestations, policies—so audits and incident reviews can be replayed exactly.
**Plain English:** Take a sealed "photo" of everything you *know* at a point in time—SBOM, VEX, attestations, policies—so audits and incident reviews can be replayed exactly.
**Lifecycle: Snapshot → Seal → Export**
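Review bot: same quote normalization in the Plain English paragraph, no content change; because this and the following hunk headers name `record ExceptionObj(` as context, the document carries a code block between these hunks, so please confirm the find-and-replace was limited to prose and did not touch quote characters inside that block, where it would alter string literals.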
@@ -82,19 +82,19 @@ record ExceptionObj(
**Policy pane with merge semantics**
* Default preview: **vendor ⊕ distro ⊕ internal** (not “vendor > distro > internal”).
* Default preview: **vendor ⊕ distro ⊕ internal** (not "vendor > distro > internal").
* **Lattice rules** define resolution (e.g., `NOT_AFFECTED ⊕ AFFECTED → AFFECTED unless Evidence(feature_flag_off)`).
* **Evidence hooks (required):**
* “Not affected because feature X off” → must include **feature‑flag attestation** (env‑scoped, signed).
* “Backported patch” → must include **patch‑index** mapping (`fixed‑symbols`, commit OIDs).
* “Compensating control” → must include **control attestation** (control ID, monitoring link, SLO).
* "Not affected because feature X off" → must include **feature‑flag attestation** (env‑scoped, signed).
* "Backported patch" → must include **patch‑index** mapping (`fixed‑symbols`, commit OIDs).
* "Compensating control" → must include **control attestation** (control ID, monitoring link, SLO).
**UI essentials**
* **Snapshot panel:** shows inputs (feed versions, rules hash), diff vs last snapshot, “Seal & Export” button.
* **Policy pane:** interactive merge preview; failed hooks highlighted with “Add evidence” CTA.
* **Replay check:** “Verify determinism” runs local re‑eval; shows PASS/FAIL badge.
* **Snapshot panel:** shows inputs (feed versions, rules hash), diff vs last snapshot, "Seal & Export" button.
* **Policy pane:** interactive merge preview; failed hooks highlighted with "Add evidence" CTA.
* **Replay check:** "Verify determinism" runs local re‑eval; shows PASS/FAIL badge.
**APIs**
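Review bot: the evidence-hook labels and UI strings get straight quotes, which is fine, but `fixed‑symbols` inside the backticks on the Backported patch line appears to use the same non-breaking hyphen as the surrounding prose rather than an ASCII `-`; since it is presented as a key in the patch-index mapping, a value copied from the doc would not match, so that one is worth normalizing in the same pass. The `⊕` and `→` in the merge preview and lattice rule lines also remain non-ASCII, which is acceptable for prose but not if `NOT_AFFECTED ⊕ AFFECTED → AFFECTED unless Evidence(feature_flag_off)` is meant to be copied into a policy file.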
@@ -138,3 +138,22 @@ record ExceptionObj(
---
If you want, I can turn this into: (a) Swagger stubs, (b) EF Core schema + migrations, or (c) a Figma‑ready UI spec with screen flows and copy.
---
## Archive Note
**Archived:** 2025-12-22
**Disposition:** Converted to implementation sprints:
- `SPRINT_3900_0003_0001_exploit_path_inbox_proof_bundles.md`
- `SPRINT_3900_0003_0002_recheck_policy_evidence_hooks.md`
- `SPRINT_4100_0003_0001_snapshot_merge_preview_replay_ui.md`
**Documentation created:**
- `docs/modules/triage/exploit-path-inbox.md`
- `docs/modules/triage/proof-bundle-spec.md`
- `docs/modules/policy/recheck-policy.md`
- `docs/modules/policy/evidence-hooks.md`
- `docs/modules/snapshot/replay-yaml.md`
- `docs/modules/snapshot/merge-preview.md`
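Review bot: the three sprint entries are bare filenames while the six documentation entries are repo-relative paths; give the sprint files their directory as well (or turn all nine entries into links) so a reader of the archived blueprint can actually find them. A one-line pointer to the replacement docs at the top of the file would also help, since the Archive Note sits after the full original text and readers will not see it until the end.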