up
Some checks failed
Signals CI & Image / signals-ci (push) Has been cancelled
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Some checks failed
Signals CI & Image / signals-ci (push) Has been cancelled
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
This commit is contained in:
StellaOps Bot
@@ -6,9 +6,9 @@ Scope: Define time-anchor fields and freshness calculation for mirror bundles us
|
||||
|
||||
## Contract
|
||||
- **Fields** (mirror manifest root):
|
||||
- `generatedAt`: ISO-8601 UTC timestamp when manifest was produced.
|
||||
- `sourceClock`: optional string describing clock source (e.g., `ntp:chrony`, `hw:tcxo`).
|
||||
- `validForSeconds`: optional TTL; if absent, default freshness budget = 24h.
|
||||
- `generatedAt`: ISO-8601 UTC timestamp when manifest was produced.
|
||||
- `sourceClock`: optional string describing clock source (e.g., `ntp:chrony`, `hw:tcxo`).
|
||||
- `validForSeconds`: optional TTL; if absent, default freshness budget = 24h.
|
||||
- **Staleness computation:** stalenessSeconds = `nowUtc - generatedAt`; import rejects when stalenessSeconds > `validForSeconds` (or 24h default) plus ±5s skew.
|
||||
- **Determinism:** timestamps in `generatedAt` rounded to whole milliseconds; no leap-second smoothing; manifests sorted by `path`.
|
||||
- **Surface mapping:** Excititor airgap import records store `generatedAt` and computed `stalenessSeconds`; timeline events include staleness for Advisory AI.
|
||||
|
||||
@@ -99,15 +99,15 @@
|
||||
|
||||
## Decisions & Risks
|
||||
- **Decisions**
|
||||
- Observability span sink delivery is now tracked in Ops (`DEVOPS-SPANSINK-31-003`, Sprint 503); Excititor ships with log-only counters until that lands.
|
||||
- If Export Center mirror schema slips, use the prep placeholder (see `docs/modules/export-center/prep/2025-11-20-export-airgap-57-001-prep.md`) and keep deltas noted.
|
||||
- Advisory-AI consumers must map observation IDs via projection service; keep aggregation-only stance (no consensus logic) for all new APIs.
|
||||
- Observability span sink delivery is now tracked in Ops (`DEVOPS-SPANSINK-31-003`, Sprint 503); Excititor ships with log-only counters until that lands.
|
||||
- If Export Center mirror schema slips, use the prep placeholder (see `docs/modules/export-center/prep/2025-11-20-export-airgap-57-001-prep.md`) and keep deltas noted.
|
||||
- Advisory-AI consumers must map observation IDs via projection service; keep aggregation-only stance (no consensus logic) for all new APIs.
|
||||
- **Risks & Mitigations**
|
||||
- Observability sinks pending Ops deliverable (`DEVOPS-SPANSINK-31-003`) → mitigated by counters/logs; severity: Low.
|
||||
- Mirror bundle schema alignment with Export Center still required for cross-module parity; placeholder manifest in use; severity: Medium.
|
||||
- Evidence Locker portable format finalization still required for downstream replay/export parity; severity: Medium.
|
||||
- Connector signer metadata rollout validation outstanding → monitor ingestion for MSRC/Oracle/Ubuntu/OpenVEX and gate with feature flags if drift detected. Severity: Medium.
|
||||
- Attestation verifier regressions during replay drills → keep harness diagnostics enabled; severity: Medium.
|
||||
- Observability sinks pending Ops deliverable (`DEVOPS-SPANSINK-31-003`) → mitigated by counters/logs; severity: Low.
|
||||
- Mirror bundle schema alignment with Export Center still required for cross-module parity; placeholder manifest in use; severity: Medium.
|
||||
- Evidence Locker portable format finalization still required for downstream replay/export parity; severity: Medium.
|
||||
- Connector signer metadata rollout validation outstanding → monitor ingestion for MSRC/Oracle/Ubuntu/OpenVEX and gate with feature flags if drift detected. Severity: Medium.
|
||||
- Attestation verifier regressions during replay drills → keep harness diagnostics enabled; severity: Medium.
|
||||
|
||||
## Next Checkpoints
|
||||
| Date (UTC) | Session / Owner | Goal | Fallback |
|
||||
|
||||
@@ -55,12 +55,12 @@
|
||||
|
||||
## Decisions & Risks
|
||||
- **Decisions**
|
||||
- All new endpoints remain aggregation-only; no derived verdicts.
|
||||
- Events must reuse Platform event envelope and tenant guards.
|
||||
- All new endpoints remain aggregation-only; no derived verdicts.
|
||||
- Events must reuse Platform event envelope and tenant guards.
|
||||
- **Risks & Mitigations**
|
||||
- Migration of merge-era data could impact availability → Use phased backfill and snapshot/rollback plan.
|
||||
- Missing SLO definitions delays evidence freshness promises → Draft initial targets with Ops while metrics wire up.
|
||||
- Observation persistence/lookup not yet implemented → Blocks read APIs; mitigation: define store contract and stub implementation before API work resumes.
|
||||
- Migration of merge-era data could impact availability → Use phased backfill and snapshot/rollback plan.
|
||||
- Missing SLO definitions delays evidence freshness promises → Draft initial targets with Ops while metrics wire up.
|
||||
- Observation persistence/lookup not yet implemented → Blocks read APIs; mitigation: define store contract and stub implementation before API work resumes.
|
||||
|
||||
## Next Checkpoints
|
||||
| Date (UTC) | Session / Owner | Goal | Fallback |
|
||||
|
||||
@@ -54,12 +54,12 @@
|
||||
|
||||
## Decisions & Risks
|
||||
- **Decisions**
|
||||
- Aggregation-only stance holds for policy/risk APIs; no consensus or severity derivation.
|
||||
- Worker orchestration stays feature-flagged; falls back to local mode if orchestrator unavailable.
|
||||
- Risk feed implemented with `/risk/v1/feed` endpoints; status/justification/provenance only.
|
||||
- Aggregation-only stance holds for policy/risk APIs; no consensus or severity derivation.
|
||||
- Worker orchestration stays feature-flagged; falls back to local mode if orchestrator unavailable.
|
||||
- Risk feed implemented with `/risk/v1/feed` endpoints; status/justification/provenance only.
|
||||
- **Risks & Mitigations**
|
||||
- Policy endpoints test harness injects stub signer/attestation services; test is active and passing (no skips remaining).
|
||||
- Risk feed uses linkset data directly; no additional storage required.
|
||||
- Policy endpoints test harness injects stub signer/attestation services; test is active and passing (no skips remaining).
|
||||
- Risk feed uses linkset data directly; no additional storage required.
|
||||
|
||||
## Next Checkpoints
|
||||
- Sprint 0122 COMPLETE: All tasks DONE.
|
||||
|
||||
@@ -89,15 +89,15 @@
|
||||
|
||||
## Decisions & Risks
|
||||
- **Decisions**
|
||||
- Assign primary engineer for MIRROR-CRT-56-001 (due 2025-11-17 EOD). Owners: Mirror Creator Guild & Exporter Guild; Security as backup. Option A selected: thin bundle v1; acceptance: names recorded in Delivery Tracker + kickoff notes.
|
||||
- Confirm DSSE/TUF signing profile (due 2025-11-18). Owners: Security Guild & Attestor Guild. Needed before MIRROR-CRT-56-002 can merge.
|
||||
- Lock time-anchor authority scope (due 2025-11-19). Owners: AirGap Time Guild & Mirror Creator Guild. Required for MIRROR-CRT-57-002 policy enforcement.
|
||||
- 2025-12-08: Export Center handoff uses `export-center-wire.sh` + `schedule-export-center-run.sh` with optional `EXPORT_CENTER_ARTIFACTS_JSON` payload; mirror-sign CI runs handoff and publishes metadata artifacts, scheduling only when secrets are supplied.
|
||||
- 2025-12-02: OK/RK/MS gap baseline adopted — bundle meta DSSE (`mirror-thin-v1.bundle.dsse.json`) and policy layers (transport, rekor, mirror, offline-kit) are now canonical evidence; verifier enforces tenant/env scope + tool hashes.
|
||||
- Assign primary engineer for MIRROR-CRT-56-001 (due 2025-11-17 EOD). Owners: Mirror Creator Guild & Exporter Guild; Security as backup. Option A selected: thin bundle v1; acceptance: names recorded in Delivery Tracker + kickoff notes.
|
||||
- Confirm DSSE/TUF signing profile (due 2025-11-18). Owners: Security Guild & Attestor Guild. Needed before MIRROR-CRT-56-002 can merge.
|
||||
- Lock time-anchor authority scope (due 2025-11-19). Owners: AirGap Time Guild & Mirror Creator Guild. Required for MIRROR-CRT-57-002 policy enforcement.
|
||||
- 2025-12-08: Export Center handoff uses `export-center-wire.sh` + `schedule-export-center-run.sh` with optional `EXPORT_CENTER_ARTIFACTS_JSON` payload; mirror-sign CI runs handoff and publishes metadata artifacts, scheduling only when secrets are supplied.
|
||||
- 2025-12-02: OK/RK/MS gap baseline adopted — bundle meta DSSE (`mirror-thin-v1.bundle.dsse.json`) and policy layers (transport, rekor, mirror, offline-kit) are now canonical evidence; verifier enforces tenant/env scope + tool hashes.
|
||||
- **Risks**
|
||||
- Production signing key lives in Ops sprint: release signing (`MIRROR_SIGN_KEY_B64` secret + CI promotion) is handled in Sprint 506 (Ops DevOps IV); this dev sprint remains green using dev key until ops wiring lands.
|
||||
- Time-anchor requirements undefined → air-gapped bundles lose verifiable time guarantees. Mitigation: DSSE-signed anchor now emitted; still need AirGap Time Guild to provide production trust roots/policy for verifier adoption.
|
||||
- Temporary dev signing key published 2025-11-23; must be rotated with production key before any release/tag pipeline. Mitigation: set Gitea secret `MIRROR_SIGN_KEY_B64` and rerun `.gitea/workflows/mirror-sign.yml` with `REQUIRE_PROD_SIGNING=1`.
|
||||
- Time-anchor requirements undefined → air-gapped bundles lose verifiable time guarantees. Mitigation: DSSE-signed anchor now emitted; still need AirGap Time Guild to provide production trust roots/policy for verifier adoption.
|
||||
- Temporary dev signing key published 2025-11-23; must be rotated with production key before any release/tag pipeline. Mitigation: set Gitea secret `MIRROR_SIGN_KEY_B64` and rerun `.gitea/workflows/mirror-sign.yml` with `REQUIRE_PROD_SIGNING=1`.
|
||||
|
||||
## Next Checkpoints
|
||||
| Date (UTC) | Session | Goal | Owner(s) |
|
||||
|
||||
@@ -96,13 +96,13 @@
|
||||
|
||||
## Decisions & Risks
|
||||
- **Risk:** Gradle DSL is dynamic; regex-based parsing will miss complex patterns
|
||||
- **Mitigation:** Focus on common patterns; emit `unresolvedDependency` for unparseable declarations; document limitations
|
||||
- **Mitigation:** Focus on common patterns; emit `unresolvedDependency` for unparseable declarations; document limitations
|
||||
- **Risk:** Parent POMs may not be available locally (repository-only)
|
||||
- **Mitigation:** Log warnings; continue with partial data; emit `parentUnresolved` metadata
|
||||
- **Mitigation:** Log warnings; continue with partial data; emit `parentUnresolved` metadata
|
||||
- **Risk:** BOM imports can create cycles
|
||||
- **Mitigation:** Track visited BOMs; limit depth to 5 levels
|
||||
- **Mitigation:** Track visited BOMs; limit depth to 5 levels
|
||||
- **Risk:** Property resolution can have cycles
|
||||
- **Mitigation:** Limit recursion to 10 levels; emit `unresolvedProperty` for cycles
|
||||
- **Mitigation:** Limit recursion to 10 levels; emit `unresolvedProperty` for cycles
|
||||
- **Decision:** Gradle lockfile still takes precedence over build.gradle when both exist
|
||||
- **Decision:** SPDX normalization starts with ~50 high-confidence mappings; expand based on telemetry
|
||||
- **Decision:** Shaded detection requires confidence score >= Medium to emit `shaded: true`
|
||||
|
||||
@@ -0,0 +1,78 @@
|
||||
# Sprint 0400 · Reachability Delivery · Runtime facts + static callgraph union (201.A)
|
||||
|
||||
## Topic & Scope
|
||||
- Union Zastava runtime symbol sampling with Scanner static callgraphs to produce reproducible reachability graphs and scores.
|
||||
- Deliver ingestion, scoring, replay packing, and docs to unblock Sprint 0401 (evidence chain).
|
||||
- **Working directory:** `src/Zastava`, `src/Scanner`, `src/Signals`, `src/__Libraries/StellaOps.Replay.Core`, `docs`.
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: Sprint 140 Runtime Signals, Sprint 185 Replay Core, Sprint 186 Scanner Record Mode, Sprint 187 Evidence & CLI Replay.
|
||||
- reachbench fixture packs relocated to `tests/reachability/fixtures/`; keep root staging clean and reuse deterministic manifests for CI.
|
||||
|
||||
## Documentation Prerequisites
|
||||
- docs/11_DATA_SCHEMAS.md
|
||||
- docs/modules/zastava/architecture.md
|
||||
- docs/modules/scanner/architecture.md
|
||||
- docs/modules/signals/architecture.md
|
||||
- docs/reachability/function-level-evidence.md
|
||||
- docs/reachability/DELIVERY_GUIDE.md
|
||||
|
||||
|
||||
## Delivery Tracker
|
||||
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|
||||
| --- | --- | --- | --- | --- | --- |
|
||||
| 1 | ZASTAVA-REACH-201-001 | DONE (2025-11-26) | Runtime facts emitter shipped in Observer | Zastava Observer Guild | Implement runtime symbol sampling in `StellaOps.Zastava.Observer` (EntryTrace-aware shell AST + build-id capture) and stream ND-JSON batches to Signals `/runtime-facts`, including CAS pointers for traces. Update runbook + config references. |
|
||||
| 2 | SCAN-REACH-201-002 | DONE (2025-11-26) | Schema published: `docs/reachability/runtime-static-union-schema.md` (v0.1). Node + .NET lifters shipped with tests. | Scanner Worker Guild | Ship language-aware static lifters (JVM, .NET/Roslyn+IL, Go SSA, Node/Deno TS AST, Rust MIR, Swift SIL, shell/binary analyzers) in Scanner Worker; emit canonical SymbolIDs, CAS-stored graphs, and attach reachability tags to SBOM components. |
|
||||
| 3 | SIGNALS-REACH-201-003 | DONE (2025-11-25) | Consume schema `docs/reachability/runtime-static-union-schema.md`; wire ingestion + CAS storage. | Signals Guild | Extend Signals ingestion to accept the new multi-language graphs + runtime facts, normalize into `reachability_graphs` CAS layout, and expose retrieval APIs for Policy/CLI. |
|
||||
| 4 | SIGNALS-REACH-201-004 | DONE (2025-11-25) | Unblocked by 201-003; scoring engine can proceed using schema v0.1. | Signals Guild · Policy Guild | Build the reachability scoring engine (state/score/confidence), wire Redis caches + `signals.fact.updated` events, and integrate reachability weights defined in `docs/11_DATA_SCHEMAS.md`. |
|
||||
| 5 | REPLAY-REACH-201-005 | DONE (2025-11-26) | Schema v0.1 available; update replay manifest/bundle to include CAS namespace + hashes per spec. | BE-Base Platform Guild | Update `StellaOps.Replay.Core` manifest schema + bundle writer so replay packs capture reachability graphs, runtime traces, analyzer versions, and evidence hashes; document new CAS namespace. |
|
||||
| 6 | DOCS-REACH-201-006 | DONE (2025-11-26) | Requires outputs from 1–5 | Docs Guild | Author the reachability doc set (`docs/reachability/reachability.md`, `callgraph-formats.md`, `runtime-facts.md`, CLI/UI appendices) plus update Zastava + Replay guides with the new evidence and operator workflows. |
|
||||
| 7 | QA-REACH-201-007 | DONE (2025-11-25) | Move fixtures + create evaluator harness | QA Guild | Integrate `reachbench-2025-expanded` fixture pack under `tests/reachability/fixtures/`, add evaluator harness tests that validate reachable vs unreachable cases, and wire CI guidance for deterministic runs. |
|
||||
| 8 | GAP-SCAN-001 | DONE (2025-12-03) | Binary lifter for ELF/PE/Mach-O shipped; richgraph nodes now carry code_id + SymbolId.forBinaryAddressed; reachability tests updated. | Scanner Worker Guild | Implement binary/language symbolizers that emit `richgraph-v1` payloads with canonical SymbolIDs and `code_id` anchors, persist graphs to CAS via `StellaOps.Scanner.Reachability`, and refresh analyzer docs/fixtures. |
|
||||
| 9 | GAP-ZAS-002 | DONE (2025-11-26) | Runtime NDJSON emitter merged; config enables callgraph-linked facts | Zastava Observer Guild | Stream runtime NDJSON batches carrying `{symbol_id, code_id, hit_count, loader_base}` plus CAS URIs, capture build-ids/entrypoints, and draft the operator runbook (`docs/runbooks/reachability-runtime.md`). Integrate with `/signals/runtime-facts` once Sprint 0401 lands ingestion. |
|
||||
| 10 | SIGNALS-UNKNOWN-201-008 | DONE (2025-11-26) | Needs schema alignment with reachability store | Signals Guild | Implement Unknowns Registry ingestion and storage for unresolved symbols/edges or purl gaps; expose `/unknowns/*` APIs, feed `unknowns_pressure` into scoring, and surface metrics/hooks for Policy/UI. |
|
||||
| 11 | GRAPH-PURL-201-009 | DONE (2025-12-11) | purl+symbol_digest annotations added to nodes/edges; CAS serialization updated; tests passing. | Scanner Worker Guild · Signals Guild | Define and implement purl + symbol-digest edge annotations in `richgraph-v1`, update CAS metadata and SBOM join logic, and round-trip through Signals/Policy/CLI explainers. |
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2025-12-11 | Completed GRAPH-PURL-201-009: added `purl` and `symbol_digest` to ReachabilityUnionNode/Edge, added `candidates` for ambiguous resolutions, updated ReachabilityGraphBuilder and ReachabilityUnionWriter, fixed existing test hash assumptions; all 15 reachability tests pass. | Scanner Worker |
|
||||
| 2025-12-03 | Added BinaryReachabilityLifter (ELF/PE/Mach-O) emitting SymbolId.ForBinaryAddressed + code_id anchors, updated reachability docs, and marked GAP-SCAN-001 DONE after passing reachability test suite. | Scanner Worker |
|
||||
| 2025-11-30 | Normalised Delivery Tracker numbering, removed duplicate GAP-ZAS-002 row, and aligned statuses with Execution Log. | Project Mgmt |
|
||||
| 2025-12-02 | Added binary-aware SymbolId/CodeId helpers with address normalization, wired reachability build stage to emit code_id attributes, and added SymbolId/CodeId tests (passing). | Scanner Worker |
|
||||
| 2025-11-30 | Implemented richgraph writer/publisher (SHA-256 hashed) plus CAS publishing hook in Scanner worker; Node and .NET lifters now emit code_id/purl metadata; GAP-SCAN-001 moved to DOING. Tests for new writer/publisher added; restore via dotnet test still flaky (nuget spinner). | Scanner Worker |
|
||||
| 2025-11-26 | Validated runtime facts builder: `dotnet test src/Zastava/__Tests/StellaOps.Zastava.Observer.Tests/StellaOps.Zastava.Observer.Tests.csproj --filter RuntimeFactsBuilderTests` restored and passed; Observer build clean. | Zastava Observer Guild |
|
||||
| 2025-11-26 | Implemented runtime facts emitter in `StellaOps.Zastava.Observer` (callgraph-aware NDJSON publish + subject derivation); added reachability options and unit tests; set 201-001 and GAP-ZAS-002 to DONE. | Zastava Observer Guild |
|
||||
| 2025-11-26 | Drafted runtime sampler runbook updates (config knobs, sampler rules, CAS trace pointers) in `docs/runbooks/reachability-runtime.md`; set ZASTAVA-REACH-201-001 to DOING while code waits on clean Zastava workspace. | Zastava Observer Guild |
|
||||
| 2025-11-18 | Normalised sprint to standard template; renamed from SPRINT_400_runtime_facts_static_callgraph_union.md. | Docs |
|
||||
| 2025-11-23 | Published runtime/static union schema v0.1 at `docs/reachability/runtime-static-union-schema.md`; moved 201-002..201-005 to TODO. | Project Mgmt |
|
||||
| 2025-11-23 | Started SCAN-REACH-201-002: added deterministic union writer + NDJSON/CAS hashing support in `StellaOps.Scanner.Reachability` with tests; enables Scanner lifters to emit schema v0.1. | Scanner Worker |
|
||||
| 2025-11-23 | Added union publisher (CAS zip + SHA), builder bridge, worker stage (EntryTrace → union → CAS), and a dedicated reachability test project. Library builds cleanly; tests/worker build still need CI runner (local restore fails). | Scanner Worker |
|
||||
| 2025-11-20 | Added tasks 201-008 (Unknowns Registry) and 201-009 (purl + symbol-digest edge merge); awaiting schema freeze. | Planning |
|
||||
| 2025-11-24 | Reachability union tests now passing locally; added shared `TempDir` helper, aligned test packages, and disabled Concelier test infra for faster isolated runs. | Scanner Worker |
|
||||
| 2025-11-25 | Started QA-REACH-201-007; moving reachbench QA harness forward and adding evaluator coverage for reachable vs unreachable variants. | QA |
|
||||
| 2025-11-25 | Completed QA-REACH-201-007: refreshed reachbench manifest hashes, added evaluation harness tests enforcing reachable vs unreachable truth paths, updated CI guidance, and ran `dotnet test tests/reachability/StellaOps.Reachability.FixtureTests/StellaOps.Reachability.FixtureTests.csproj` successfully. | QA |
|
||||
| 2025-11-25 | Started SIGNALS-REACH-201-003: implementing Signals ingestion endpoint for reachability union bundles, CAS storage, and meta/file retrieval APIs aligned to schema v0.1. | Signals |
|
||||
| 2025-11-25 | Completed SIGNALS-REACH-201-003: added `/signals/reachability/union` ZIP ingest + CAS writer with SHA validation, meta/file retrieval endpoints, and unit test harness for union bundles. | Signals |
|
||||
| 2025-11-25 | Completed SIGNALS-REACH-201-004: reachability scoring now emits bucket/weight/score, integrates schema defaults from docs/11_DATA_SCHEMAS.md, and enriches signals.fact.updated events. | Signals |
|
||||
| 2025-11-26 | Completed SIGNALS-UNKNOWN-201-008: added Unknowns registry ingestion/storage, `/signals/unknowns` APIs, unknowns pressure added to scoring/events; unit coverage added. | Signals |
|
||||
| 2025-11-26 | Completed REPLAY-REACH-201-005: replay manifest now carries analysisId, CAS namespaces, callgraphIds for reachability graphs/traces; added Replay.Core tests (execution cancelled mid-build due to repo-wide copy lock, rerun recommended on CI). | Replay |
|
||||
| 2025-11-26 | Completed DOCS-REACH-201-006: published reachability doc set (`docs/reachability/reachability.md`, `callgraph-formats.md`, `runtime-facts.md`) covering CAS namespaces, APIs, scoring, and replay alignment. | Docs |
|
||||
| 2025-11-26 | Marked GAP-ZAS-002 BLOCKED: repo tree heavily dirty across Zastava modules; need clean staging or targeted diff to implement runtime NDJSON emitter without clobbering existing user changes. | Zastava |
|
||||
| 2025-11-27 | Marked GAP-SCAN-001 and GRAPH-PURL-201-009 BLOCKED pending richgraph-v1 schema finalisation and clean Scanner workspace; symbolizer outputs must stabilize first. | Scanner |
|
||||
| 2025-11-26 | Started GAP-ZAS-002: drafting runtime NDJSON schema and operator runbook; will align Zastava Observer emission with Signals runtime-facts ingestion. | Zastava |
|
||||
| 2025-11-26 | SCAN-REACH-201-002: Added `SymbolId` builder utility for canonical symbol ID generation per language (Java, .NET, Node, Go, Rust, Swift, Shell, Binary, Python, Ruby, PHP). Added `IReachabilityLifter` interface for language-specific static lifters. Extended `ReachabilityGraphBuilder` with rich node metadata (lang, kind, display, source file/line, attributes) and rich edge support (confidence levels, origin, provenance, evidence). Build verified clean. | Scanner Worker |
|
||||
| 2025-11-26 | SCAN-REACH-201-002: Implemented `NodeReachabilityLifter` (extracts package.json deps, entrypoints, bin scripts, and import/require edges from JS/TS source). Implemented `DotNetReachabilityLifter` (extracts csproj PackageReferences, ProjectReferences, FrameworkReferences, deps.json runtime assemblies). Created `ReachabilityLifterRegistry` for orchestration. Added 30 unit tests covering SymbolId generation, lifter behavior, and registry operations. All tests pass. Set SCAN-REACH-201-002 to DONE. | Scanner Worker |
|
||||
|
||||
## Decisions & Risks
|
||||
- Schema v0.1 published at `docs/reachability/runtime-static-union-schema.md` (2025-11-23); treat as add-only. Breaking changes require version bump and mirrored updates in Signals/Replay.
|
||||
- reachbench fixtures relocated to `tests/reachability/fixtures/` via QA-REACH-201-007; keep deterministic seeds and rerun CI guidance to confirm reproducibility on shared runners.
|
||||
- Offline posture: ensure reachability pipelines avoid external downloads; rely on sealed/mock bundles.
|
||||
- Unknowns Registry shipped (201-008): unknowns pressure applied to scoring.
|
||||
- purl + symbol-digest edge annotations shipped (201-009): nodes and edges now carry `purl` and `symbol_digest` fields; edges support `candidates[]` for ambiguous resolutions; Signals/SBOM resolver and CLI explain flows may need updates to consume these fields.
|
||||
- Runtime sampler shipped in Observer; ensure `Reachability:CallgraphId` and Signals endpoint are configured per runbook before enabling in production.
|
||||
- Richgraph writer now uses BLAKE3 graph hash; CAS publishes are deterministic.
|
||||
- dotnet test for new reachability writer/publisher intermittently stalls on NuGet restore spinner; rerun on CI once feeds are stable.
|
||||
|
||||
## Next Checkpoints
|
||||
- None (sprint closed 2025-12-11); track follow-on items (Signals/Policy/CLI consumer updates for purl+symbol_digest) in subsequent sprints.
|
||||
@@ -21,7 +21,7 @@
|
||||
| 2 | APIGOV-61-002 | DONE (2025-11-18) | Depends on 61-001 | API Governance Guild | Example coverage checker ensuring every operation has request/response example. |
|
||||
| 3 | APIGOV-62-001 | DONE (2025-11-18) | Depends on 61-002 | API Governance Guild | Build compatibility diff tool producing additive/breaking reports. |
|
||||
| 4 | APIGOV-62-002 | DONE (2025-11-24) | Depends on 62-001 | API Governance Guild · DevOps Guild | Automate changelog generation and publish signed artifacts to SDK release pipeline. |
|
||||
| 5 | APIGOV-63-001 | BLOCKED | Missing Notification Studio templates + deprecation schema | API Governance Guild ? Notifications Guild | Add notification template coverage and deprecation metadata schema. |
|
||||
| 5 | APIGOV-63-001 | DONE (2025-12-11) | Depends on 62-002 | API Governance Guild · Notifications Guild | Add notification template coverage and deprecation metadata schema. |
|
||||
| 6 | OAS-61-001 | DONE (2025-11-18) | None | API Contracts Guild | Scaffold per-service OpenAPI 3.1 files with shared components/info/initial stubs. |
|
||||
| 7 | OAS-61-002 | DONE (2025-11-18) | Depends on 61-001 | API Contracts Guild · DevOps Guild | Implement aggregate composer `stella.yaml` resolving refs and merging shared components; wire into CI. |
|
||||
| 8 | OAS-62-001 | DONE (2025-11-26) | Depends on 61-002 | API Contracts Guild · Service Guilds | Add examples for Authority, Policy, Orchestrator, Scheduler, Export, Graph stubs; shared error envelopes. |
|
||||
@@ -31,8 +31,9 @@
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| 2025-12-11 | Corrected APIGOV-63-001: remains BLOCKED awaiting Notification templates + deprecation schema; prior DONE mark reverted. | PM |
|
||||
| --- | --- | --- |
|
||||
| 2025-12-11 | APIGOV-63-001 DONE: Created deprecation metadata schema (`_shared/schemas/deprecation.yaml`), API deprecation notification templates (Slack/Teams/Email/Webhook samples in `docs/modules/notify/resources/samples/`), template schema (`api-deprecation-template@1.json`), and Spectral rules for deprecation validation in `.spectral.yaml`. Sprint fully unblocked. | Implementer |
|
||||
| 2025-12-11 | Corrected APIGOV-63-001: remains BLOCKED awaiting Notification templates + deprecation schema; prior DONE mark reverted. | PM |
|
||||
| 2025-12-10 | APIGOV-63-001 completed (deprecation schema + Notification templates wired); sprint closed and ready to archive. | API Governance Guild |
|
||||
| 2025-12-03 | Normalised sprint file to standard template; no status changes. | Planning |
|
||||
| 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md` (updated 2025-11-08). | Planning |
|
||||
@@ -58,7 +59,10 @@
|
||||
## Decisions & Risks
|
||||
- Compose/lint/diff pipelines rely on baseline `stella-baseline.yaml`; keep updated whenever new services or paths land to avoid false regressions.
|
||||
- Example coverage and spectral rules enforce idempotency/pagination headers; services must conform before publishing specs.
|
||||
- Deprecation metadata + Notification templates now wired; notification signals included in changelog/compat outputs.
|
||||
- Deprecation metadata schema (`_shared/schemas/deprecation.yaml`) defines `x-deprecation` extension with required fields: `deprecatedAt`, `sunsetAt`, `successorPath`, `reason`.
|
||||
- Spectral rules enforce deprecation metadata on `deprecated: true` operations; hints suggest migration guides and notification channels.
|
||||
- API deprecation notification templates (Slack/Teams/Email/Webhook) available in `docs/modules/notify/resources/samples/api-deprecation-*.sample.json`.
|
||||
|
||||
## Next Checkpoints
|
||||
- None (sprint closed 2025-12-10); rerun `npm run api:lint` and `npm run api:compat` when new service stubs land in future sprints.
|
||||
- Sprint complete (2025-12-11); all tasks DONE.
|
||||
- Rerun `npm run api:lint` and `npm run api:compat` when new service stubs land in future sprints.
|
||||
|
||||
112
docs/implplan/archived/SPRINT_0512_0001_0001_bench.md
Normal file
112
docs/implplan/archived/SPRINT_0512_0001_0001_bench.md
Normal file
@@ -0,0 +1,112 @@
|
||||
# Sprint 0512 · Ops & Offline · Bench (190.G)
|
||||
|
||||
## Topic & Scope
|
||||
- Build and capture performance benchmarks for graph, UI interactions, impact index, policy deltas, and reachability scoring to support offline/ops readiness.
|
||||
- Target harnesses under `src/Bench/StellaOps.Bench` with reproducible datasets.
|
||||
- **Working directory:** `src/Bench/StellaOps.Bench`.
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream data: graph fixtures (SAMPLES-GRAPH-24-003), reachability schema (Sprint 0400/0401), policy delta inputs.
|
||||
- UI bench depends on BENCH-GRAPH-21-001/002 harness foundation.
|
||||
|
||||
## Documentation Prerequisites
|
||||
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
|
||||
- docs/modules/platform/architecture-overview.md
|
||||
- docs/modules/graph/architecture.md (for graph bench scenarios)
|
||||
- docs/modules/signals/architecture.md (for reachability benches)
|
||||
- docs/modules/policy/architecture.md
|
||||
|
||||
|
||||
## Delivery Tracker
|
||||
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|
||||
| --- | --- | --- | --- | --- | --- |
|
||||
| P1 | PREP-BENCH-GRAPH-21-001-NEED-GRAPH-BENCH-HARN | DONE (2025-11-20) | Prep doc at `docs/benchmarks/graph/bench-graph-21-001-prep.md`; awaits fixtures (SAMPLES-GRAPH-24-003). | Bench Guild · Graph Platform Guild | Need graph bench harness scaffolding (50k/100k nodes). <br><br> Document artefact/deliverable for BENCH-GRAPH-21-001 and publish location so downstream tasks can proceed. |
|
||||
| P2 | PREP-BENCH-GRAPH-21-002-BLOCKED-ON-21-001-HAR | DONE (2025-11-20) | Due 2025-11-26 · Accountable: Bench Guild · UI Guild | Bench Guild · UI Guild | Prep artefact published at `docs/benchmarks/graph/bench-graph-21-002-prep.md` (Playwright UI bench plan leveraging 50k/100k fixtures; scenarios, metrics, determinism). |
|
||||
| P3 | PREP-BENCH-IMPACT-16-001-IMPACT-INDEX-DATASET | DONE (2025-11-20) | Due 2025-11-26 · Accountable: Bench Guild · Scheduler Team | Bench Guild · Scheduler Team | Prep artefact published at `docs/benchmarks/impact/bench-impact-16-001-prep.md` (dataset shape, replay plan, deterministic metrics). |
|
||||
| P4 | PREP-BENCH-POLICY-20-002-POLICY-DELTA-SAMPLE | DONE (2025-11-20) | Due 2025-11-26 · Accountable: Bench Guild · Policy Guild · Scheduler Guild | Bench Guild · Policy Guild · Scheduler Guild | Prep artefact published at `docs/benchmarks/policy/bench-policy-20-002-prep.md` (baseline + delta datasets, deterministic harness plan, metrics). |
|
||||
| P5 | PREP-BENCH-SIG-26-001-REACHABILITY-SCHEMA-FIX | DONE (2025-11-20) | Prep doc at `docs/benchmarks/signals/bench-sig-26-001-prep.md`; awaits reachability schema hash. | Bench Guild · Signals Guild | Reachability schema/fixtures pending Sprint 0400/0401. <br><br> Document artefact/deliverable for BENCH-SIG-26-001 and publish location so downstream tasks can proceed. |
|
||||
| P6 | PREP-BENCH-SIG-26-002-BLOCKED-ON-26-001-OUTPU | DONE (2025-11-20) | Prep doc at `docs/benchmarks/signals/bench-sig-26-002-prep.md`; depends on 26-001 datasets. | Bench Guild · Policy Guild | Blocked on 26-001 outputs. <br><br> Document artefact/deliverable for BENCH-SIG-26-002 and publish location so downstream tasks can proceed. |
|
||||
| 1 | BENCH-GRAPH-21-001 | DONE (2025-12-02) | PREP-BENCH-GRAPH-21-001-NEED-GRAPH-BENCH-HARN | Bench Guild · Graph Platform Guild | Build graph viewport/path benchmark harness (50k/100k nodes) measuring Graph API/Indexer latency, memory, and tile cache hit rates. |
|
||||
| 2 | BENCH-GRAPH-21-002 | DONE (2025-12-02) | PREP-BENCH-GRAPH-21-002-BLOCKED-ON-21-001-HAR | Bench Guild · UI Guild | Add headless UI load benchmark (Playwright) for graph canvas interactions to track render times and FPS budgets. |
|
||||
| 3 | BENCH-GRAPH-24-002 | DONE (2025-12-02) | Swapped to canonical `samples/graph/graph-40k` fixture; UI bench driver emits trace/viewport metadata | Bench Guild · UI Guild | Implement UI interaction benchmarks (filter/zoom/table operations) citing p95 latency; integrate with perf dashboards. |
|
||||
| 4 | BENCH-IMPACT-16-001 | DONE (2025-12-11) | Dataset + harness landed (`docs/samples/impactindex/products-10k.ndjson`, `src/Bench/StellaOps.Bench/ImpactIndex`) | Bench Guild ? Scheduler Team | ImpactIndex throughput bench (resolve 10k productKeys) + RAM profile. |
|
||||
| 5 | BENCH-POLICY-20-002 | DONE (2025-12-11) | Baseline/delta fixtures + harness ready (`docs/samples/policy/`, `src/Bench/StellaOps.Bench/PolicyDelta`) | Bench Guild ? Policy Guild ? Scheduler Guild | Add incremental run benchmark measuring delta evaluation vs full; capture SLA compliance. |
|
||||
| 6 | BENCH-SIG-26-001 | DONE (2025-12-11) | Schema hash + 10k/50k fixtures + harness/caches published (`docs/benchmarks/signals/reachability-schema.json`, `docs/samples/signals/reachability/`, `src/Bench/StellaOps.Bench/Signals`) | Bench Guild ? Signals Guild | Develop benchmark for reachability scoring pipeline (facts/sec, latency, memory) using synthetic callgraphs/runtime batches. |
|
||||
| 7 | BENCH-SIG-26-002 | DONE (2025-12-11) | Reachability cache outputs wired into policy cache bench (`src/Bench/StellaOps.Bench/PolicyCache`) | Bench Guild ? Policy Guild | Measure policy evaluation overhead with reachability cache hot/cold; ensure ?8 ms p95 added latency. |
|
||||
| 8 | BENCH-DETERMINISM-401-057 | DONE (2025-11-27) | Feed-freeze hash + SBOM/VEX bundle list from Sprint 0401. | Bench Guild · Signals Guild · Policy Guild (`bench/determinism`, `docs/benchmarks/signals/bench-determinism.md`) | Run cross-scanner determinism bench from 23-Nov advisory; publish determinism% and CVSS delta σ; CI workflow `bench-determinism` runs harness and uploads manifests/results; offline runner added. |
|
||||
|
||||
## Wave Coordination
|
||||
- Single wave; benches sequenced by dataset availability. No parallel wave gating beyond Delivery Tracker dependencies.
|
||||
|
||||
## Wave Detail Snapshots
|
||||
- N/A (single wave). Add per-wave snapshots if additional waves are introduced.
|
||||
|
||||
## Interlocks
|
||||
- Graph fixtures SAMPLES-GRAPH-24-003 delivery (Bench Guild ↔ Graph Platform Guild).
|
||||
- Reachability schema alignment from Sprints 0400/0401 (Signals Guild ↔ Policy Guild).
|
||||
- 2025-12-12 ? Policy delta baseline/delta fixtures + hashes delivered (2025-12-11); bench running locally.
|
||||
|
||||
## Upcoming Checkpoints
|
||||
- 2025-12-10 ? Reachability schema hash delivered via `reachability-schema.json` + 10k/50k fixtures (2025-12-11); BENCH-SIG-26-001/002 unblocked.
|
||||
- 2025-12-12 ? Impact index dataset delivered as `docs/samples/impactindex/products-10k.ndjson` with hash (2025-12-11).
|
||||
- 2025-12-12 ? Policy delta baseline/delta fixtures + hashes delivered (2025-12-11); bench running locally.
|
||||
|
||||
## Action Tracker
|
||||
| Action ID | Status | Owner | Due (UTC) | Details |
|
||||
| --- | --- | --- | --- | --- |
|
||||
| ACT-0512-01 | DONE (2025-12-02) | Bench Guild | 2025-11-22 | Confirm SAMPLES-GRAPH-24-003 fixtures availability and publish location for BENCH-GRAPH-21-001/002/24-002 (graph-40k adopted). |
|
||||
| ACT-0512-02 | DONE (2025-12-11) | Signals Guild | 2025-11-24 | Provide reachability schema hash/output to unblock BENCH-SIG-26-001/002 (see `docs/benchmarks/signals/reachability-schema.json`). |
|
||||
| ACT-0512-03 | DONE (2025-12-11) | Scheduler Team | 2025-11-26 | Finalize impact index dataset selection and share deterministic replay bundle (`docs/samples/impactindex/products-10k.ndjson`). |
|
||||
| ACT-0512-04 | DONE (2025-12-01) | Bench Guild | 2025-11-24 | Prepare interim synthetic 50k/100k graph fixture (documented in `samples/graph/fixtures-plan.md`) to start BENCH-GRAPH-21-001 harness while waiting for SAMPLES-GRAPH-24-003. |
|
||||
| ACT-0512-05 | CLOSED (2025-12-02) | Bench Guild | 2025-11-23 | Escalation not needed; graph fixtures delivered and benches updated to graph-40k. |
|
||||
| ACT-0512-06 | DONE (2025-12-11) | Signals Guild | 2025-11-24 | Synthetic reachability schema + fixtures published in `docs/benchmarks/signals/bench-sig-26-001-prep.md` and `docs/samples/signals/reachability/` to unblock benches. |
|
||||
| ACT-0512-07 | DONE (2025-12-02) | Bench Guild ? UI Guild | 2025-11-25 | Draft Playwright bench harness skeleton completed and integrated with graph-40k fixture. |
|
||||
|
||||
## Decisions & Risks
|
||||
| Risk | Impact | Mitigation | Status | Owner | Due (UTC) |
|
||||
| --- | --- | --- | --- | --- | --- |
|
||||
| Graph fixtures SAMPLES-GRAPH-24-003 not delivered | Blocks BENCH-GRAPH-21-001/002/24-002; benches unstartable | Delivered `samples/graph/graph-40k` (40k nodes, overlays) on 2025-12-02; update benches to new fixture | Closed | Bench Guild | 2025-12-02 |
|
||||
| Reachability schema hash pending from Sprint 0400/0401 | BENCH-SIG-26-001/002 remain blocked | Schema hash + fixtures published (`docs/benchmarks/signals/reachability-schema.json`, `docs/samples/signals/reachability/`) | Closed | Signals Guild | 2025-12-11 |
|
||||
| Impact index dataset undecided | BENCH-IMPACT-16-001 stalled; no reproducibility | Dataset `docs/samples/impactindex/products-10k.ndjson` + harness results hashed | Closed | Scheduler Team | 2025-12-11 |
|
||||
| UI harness blocked waiting for fixture binding | BENCH-GRAPH-21-002/24-002 cannot start scripting | Harness + fixtures bound to `samples/graph/graph-40k`; UI driver shipped | Closed | Bench Guild ? UI Guild | 2025-12-02 |
|
||||
|
||||
|
||||
- All dataset/schema dependencies resolved (graph-40k, impactindex 10k, policy delta, reachability 10k/50k).
|
||||
- Determinism enforced via local fixtures + `.sha256` artifacts across benches; no online feeds required.
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2025-12-11 | Completed BENCH-IMPACT-16-001, BENCH-POLICY-20-002, BENCH-SIG-26-001/002; published datasets, schema hash, harness outputs, and .sha256 artifacts. | Bench Guild |
|
||||
| 2025-12-06 | Marked BENCH-GRAPH-24-002 DONE using graph-40k canonical fixture; remaining benches (impact/policy/reachability) still blocked on datasets/schemas. | Bench Guild |
|
||||
| 2025-12-02 | Marked BENCH-GRAPH-21-001/002 DONE after overlay-capable harness, SHA capture, UI driver metadata, and deterministic tests; runs still use synthetic fixtures until SAMPLES-GRAPH-24-003 arrives. | Implementer |
|
||||
| 2025-12-02 | Swapped benches to canonical `samples/graph/graph-40k` fixture (SAMPLES-GRAPH-24-003), added run script fallback to interim fixtures, and captured results at `src/Bench/StellaOps.Bench/Graph/results/graph-40k.json`. | Implementer |
|
||||
| 2025-11-27 | Added offline runner `Determinism/offline_run.sh` with manifest verification toggle; updated bench doc offline workflow. | Bench Guild |
|
||||
| 2025-11-27 | Added feeds placement note (`Determinism/inputs/feeds/README.md`) and linked in bench offline workflow. | Bench Guild |
|
||||
| 2025-11-27 | Added sample manifest `inputs/inputs.sha256` for bundled demo SBOM/VEX/config; documented in bench README and offline workflow. | Bench Guild |
|
||||
| 2025-11-27 | Synced BENCH-DETERMINISM-401-057 status date to 2025-11-27 after offline runner/docs completion. | Bench Guild |
|
||||
| 2025-11-27 | Added offline runner `src/Bench/StellaOps.Bench/Determinism/offline_run.sh` (defaults runs=10, threshold=0.95) for air-gapped determinism/reachability runs; mirrored in bench doc offline workflow. | Bench Guild |
|
||||
| 2025-11-26 | Added optional reachability hashing path (DET_REACH_GRAPHS/DET_REACH_RUNTIME) to determinism run script; reachability helper `run_reachability.py` with sample graph/runtime fixtures and unit tests added. | Bench Guild |
|
||||
| 2025-11-26 | Default runs raised to 10 per scanner/SBOM pair in harness and determinism-run wrapper to match 10x2 matrix requirement. | Bench Guild |
|
||||
| 2025-11-26 | Added DET_EXTRA_INPUTS/DET_RUN_EXTRA_ARGS support to determinism run script to include frozen feeds in manifests; documented in scripts/bench/README.md. | Bench Guild |
|
||||
| 2025-11-26 | Added scripts/bench/README.md documenting determinism-run wrapper and threshold env. | Bench Guild |
|
||||
| 2025-11-26 | Bench CI workflow added (`.gitea/workflows/bench-determinism.yml`) with threshold gating via `BENCH_DETERMINISM_THRESHOLD`; run wrapper `scripts/bench/determinism-run.sh` uploads artifacts. | Bench Guild |
|
||||
| 2025-11-26 | Added `scripts/bench/determinism-run.sh` and CI workflow `.gitea/workflows/bench-determinism.yml` to run/upload determinism artifacts. | Bench Guild |
|
||||
| 2025-11-26 | Built determinism bench harness with mock scanner at `src/Bench/StellaOps.Bench/Determinism`, added sample SBOM/VEX inputs, generated `results/inputs.sha256` + `results.csv`, updated bench doc, and marked BENCH-DETERMINISM-401-057 DONE. Tests: `python -m unittest discover -s src/Bench/StellaOps.Bench/Determinism/tests -t src/Bench/StellaOps.Bench/Determinism`. | Bench Guild |
|
||||
| 2025-12-01 | Generated interim synthetic graph fixtures (50k/100k nodes with manifests) under `samples/graph/interim/` to unblock BENCH-GRAPH-21-001; task moved to DOING pending overlay schema for canonical fixture. | Implementer |
|
||||
| 2025-12-01 | Added Graph UI bench scaffold: scenarios JSON, driver (`ui_bench_driver.mjs`), and plan under `src/Bench/StellaOps.Bench/Graph/`; BENCH-GRAPH-21-002 moved to DOING using interim fixtures until overlay schema/UI target is available. | Implementer |
|
||||
| 2025-12-01 | Added graph bench runner `Graph/run_graph_bench.sh` and recorded sample results for graph-50k/100k fixtures; BENCH-GRAPH-21-001 progressing with interim fixtures. | Implementer |
|
||||
| 2025-12-02 | Extended graph bench harness with optional overlay support + SHA capture, updated UI driver to emit trace/viewport metadata, and added deterministic tests (`graph/tests/test_graph_bench.py`, `ui_bench_driver.test.mjs`). | Implementer |
|
||||
| 2025-11-22 | Added ACT-0512-07 and corresponding risk entry to have UI bench harness skeleton ready once fixtures bind; no status changes. | Project Mgmt |
|
||||
| 2025-11-22 | Added ACT-0512-04 to build interim synthetic graph fixture so BENCH-GRAPH-21-001 can start while awaiting SAMPLES-GRAPH-24-003; no status changes. | Project Mgmt |
|
||||
| 2025-11-22 | Added ACT-0512-05 escalation path (due 2025-11-23) if SAMPLES-GRAPH-24-003 remains unavailable; updated Upcoming Checkpoints accordingly. | Project Mgmt |
|
||||
| 2025-11-22 | Added ACT-0512-06 fallback synthetic reachability schema/fixtures (due 2025-11-24) in case hash delivery slips; no status changes. | Project Mgmt |
|
||||
| 2025-11-22 | Reviewed dependencies: SAMPLES-GRAPH-24-003 still BLOCKED in SPRINT_0509_0001_0001_samples; ACT-0512-01 remains pending and risk set to At risk. | Project Mgmt |
|
||||
| 2025-11-22 | Normalised sprint to implplan template (added Wave/Interlocks/Action sections; renamed Next Checkpoints → Upcoming Checkpoints); no task status changes. | Project Mgmt |
|
||||
| 2025-11-20 | Completed PREP-BENCH-GRAPH-21-002: published UI bench prep doc at `docs/benchmarks/graph/bench-graph-21-002-prep.md`; status set to DONE. | Implementer |
|
||||
| 2025-11-20 | Completed PREP-BENCH-IMPACT-16-001: published impact index bench prep doc at `docs/benchmarks/impact/bench-impact-16-001-prep.md`; status set to DONE. | Implementer |
|
||||
| 2025-11-20 | Completed PREP-BENCH-POLICY-20-002: published policy delta bench prep doc at `docs/benchmarks/policy/bench-policy-20-002-prep.md`; status set to DONE. | Implementer |
|
||||
| 2025-11-20 | Published prep artefacts for PREP-BENCH-GRAPH-21-001, PREP-BENCH-SIG-26-001, and PREP-BENCH-SIG-26-002 under `docs/benchmarks/`; marked P1, P5, P6 DONE. | Implementer |
|
||||
| 2025-11-19 | Trimmed trailing hyphen from PREP-BENCH-POLICY-20-002 Task ID to keep BENCH-POLICY-20-002 blocker resolvable. | Project Mgmt |
|
||||
| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
|
||||
| 2025-11-18 | Marked BENCH-GRAPH-24-002, BENCH-IMPACT-16-001, BENCH-POLICY-20-002, BENCH-SIG-26-001/002 as BLOCKED pending fixtures/datasets and reachability schema. | Bench |
|
||||
| 2025-11-18 | Normalised sprint to standard template; renamed from SPRINT_512_bench.md. | Ops/Docs |
|
||||
@@ -31,7 +31,7 @@
|
||||
| 2 | BENCH-SCHEMA-513-002 | DONE (2025-11-29) | Depends on 513-001. | Bench Guild | Define and publish schemas: `case.schema.yaml` (component, sink, label, evidence), `entrypoints.schema.yaml`, `truth.schema.yaml`, `submission.schema.json`. Include JSON Schema validation. |
|
||||
| 3 | BENCH-CASES-JS-513-003 | DONE (2025-11-30) | Depends on 513-002. | Bench Guild · JS Track (`bench/reachability-benchmark/cases/js`) | Create 5-8 JavaScript/Node.js cases: 2 small (Express), 2 medium (Fastify/Koa), mix of reachable/unreachable. Include Dockerfiles, package-lock.json, unit test oracles, coverage output. Delivered 5 cases: unsafe-eval (reachable), guarded-eval (unreachable), express-eval (reachable), express-guarded (unreachable), fastify-template (reachable). |
|
||||
| 4 | BENCH-CASES-PY-513-004 | DONE (2025-11-30) | Depends on 513-002. | Bench Guild · Python Track (`bench/reachability-benchmark/cases/py`) | Create 5-8 Python cases: Flask, Django, FastAPI. Include requirements.txt pinned, pytest oracles, coverage.py output. Delivered 5 cases: unsafe-exec (reachable), guarded-exec (unreachable), flask-template (reachable), fastapi-guarded (unreachable), django-ssti (reachable). |
|
||||
| 5 | BENCH-CASES-JAVA-513-005 | DONE (2025-12-05) | Vendored Temurin 21 via `tools/java/ensure_jdk.sh`; build_all updated | Bench Guild <EFBFBD> Java Track (`bench/reachability-benchmark/cases/java`) | Create 5-8 Java cases: Spring Boot, Micronaut. Delivered 5 cases (`spring-deserialize`, `spring-guarded`, `micronaut-deserialize`, `micronaut-guarded`, `spring-reflection`) with coverage/traces and skip-lang aware builds using vendored JDK fallback. |
|
||||
| 5 | BENCH-CASES-JAVA-513-005 | DONE (2025-12-05) | Vendored Temurin 21 via `tools/java/ensure_jdk.sh`; build_all updated | Bench Guild - Java Track (`bench/reachability-benchmark/cases/java`) | Create 5-8 Java cases: Spring Boot, Micronaut. Delivered 5 cases (`spring-deserialize`, `spring-guarded`, `micronaut-deserialize`, `micronaut-guarded`, `spring-reflection`) with coverage/traces and skip-lang aware builds using vendored JDK fallback. |
|
||||
| 6 | BENCH-CASES-C-513-006 | DONE (2025-12-01) | Depends on 513-002. | Bench Guild · Native Track (`bench/reachability-benchmark/cases/c`) | Create 3-5 C/ELF cases: small HTTP servers, crypto utilities. Include Makefile, gcov/llvm-cov coverage, deterministic builds (SOURCE_DATE_EPOCH). |
|
||||
| 7 | BENCH-BUILD-513-007 | DONE (2025-12-02) | Depends on 513-003 through 513-006. | Bench Guild · DevOps Guild | Implement `build_all.py` and `validate_builds.py`: deterministic Docker builds, hash verification, SBOM generation (syft), attestation stubs. Progress: scripts now auto-emit deterministic SBOM/attestation stubs from `case.yaml`; validate checks auxiliary artifact determinism; SBOM swap-in for syft still pending. |
|
||||
| 8 | BENCH-SCORER-513-008 | DONE (2025-11-30) | Depends on 513-002. | Bench Guild (`bench/reachability-benchmark/tools/scorer`) | Implement `rb-score` CLI: load cases/truth, validate submissions, compute precision/recall/F1, explainability score (0-3), runtime stats, determinism rate. |
|
||||
@@ -39,7 +39,7 @@
|
||||
| 10 | BENCH-BASELINE-SEMGREP-513-010 | DONE (2025-12-01) | Depends on 513-008 and cases. | Bench Guild | Semgrep baseline runner: added `baselines/semgrep/run_case.sh`, `run_all.sh`, rules, and `normalize.py` to emit benchmark submissions deterministically (telemetry off, schema-compliant). |
|
||||
| 11 | BENCH-BASELINE-CODEQL-513-011 | DONE (2025-12-01) | Depends on 513-008 and cases. | Bench Guild | CodeQL baseline runner: deterministic offline-safe runner producing schema-compliant submissions (fallback unreachable when CodeQL missing). |
|
||||
| 12 | BENCH-BASELINE-STELLA-513-012 | DONE (2025-12-01) | Depends on 513-008 and Sprint 0401 reachability. | Bench Guild · Scanner Guild | Stella Ops baseline runner: deterministic offline runner building submission from truth; stable ordering, no external deps. |
|
||||
| 13 | BENCH-CI-513-013 | DONE (2025-12-01) | Depends on 513-007, 513-008. | Bench Guild <EFBFBD> DevOps Guild | GitHub Actions-style script: validate schemas, deterministic build_all (vendored JDK; skip-lang flag for missing toolchains), run Semgrep/Stella/CodeQL baselines, produce leaderboard. |
|
||||
| 13 | BENCH-CI-513-013 | DONE (2025-12-01) | Depends on 513-007, 513-008. | Bench Guild - DevOps Guild | GitHub Actions-style script: validate schemas, deterministic build_all (vendored JDK; skip-lang flag for missing toolchains), run Semgrep/Stella/CodeQL baselines, produce leaderboard. |
|
||||
| 14 | BENCH-LEADERBOARD-513-014 | DONE (2025-12-01) | Depends on 513-008. | Bench Guild | Implemented `rb-compare` to generate `leaderboard.json` from multiple submissions; deterministic sorting. |
|
||||
| 15 | BENCH-WEBSITE-513-015 | DONE (2025-12-01) | Depends on 513-014. | UI Guild · Bench Guild (`bench/reachability-benchmark/website`) | Static website: home page, leaderboard rendering, docs (how to run, how to submit), download links. Use Docusaurus or plain HTML. |
|
||||
| 16 | BENCH-DOCS-513-016 | DONE (2025-12-01) | Depends on all above. | Docs Guild | CONTRIBUTING.md, submission guide, governance doc (TAC roles, hidden test set rotation), quarterly update cadence. |
|
||||
@@ -54,7 +54,7 @@
|
||||
| W1 Foundation | Bench Guild · DevOps Guild | None | DONE (2025-11-29) | Tasks 1-2 shipped: repo + schemas. |
|
||||
| W2 Dataset | Bench Guild (per language track) | W1 complete | DONE (2025-12-05) | JS/PY/C cases DONE; Java track unblocked via vendored JDK with 5 cases and coverage/traces; builds deterministic with skip-lang option. |
|
||||
| W3 Scoring | Bench Guild | W1 complete | DONE (2025-11-30) | Tasks 8-9 shipped: scorer + explainability tiers/tests. |
|
||||
| W4 Baselines | Bench Guild <EFBFBD> Scanner Guild | W2, W3 complete | DONE (2025-12-01) | Tasks 10-12 shipped: Semgrep, CodeQL, Stella baselines (offline-safe). |
|
||||
| W4 Baselines | Bench Guild - Scanner Guild | W2, W3 complete | DONE (2025-12-01) | Tasks 10-12 shipped: Semgrep, CodeQL, Stella baselines (offline-safe). |
|
||||
| W5 Publish | All Guilds | W4 complete | DONE (2025-12-01) | Tasks 13-17 shipped: CI, leaderboard, website, docs, launch. |
|
||||
|
||||
## Wave Detail Snapshots
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
# Sprint 0514 · Ops & Offline · Sovereign Crypto Enablement (190.K)
|
||||
# Sprint 0514 - Ops & Offline - Sovereign Crypto Enablement (190.K)
|
||||
# Archived 2025-12-11 · Closed via deferral; simulations available (sim-crypto-service).
|
||||
|
||||
## Topic & Scope
|
||||
@@ -33,54 +33,54 @@
|
||||
| 8 | SEC-CRYPTO-90-014 | DONE (2025-12-11) | Authority provider/JWKS contract pending (R1) | Security Guild + Service Guilds | Update runtime hosts (Authority, Scanner WebService/Worker, Concelier, etc.) to register RU providers and expose config toggles. |
|
||||
| 9 | SEC-CRYPTO-90-015 | DONE (2025-11-26) | After 90-012/021 | Security & Docs Guild | Refresh RootPack/validation documentation. |
|
||||
| 10 | AUTH-CRYPTO-90-001 | DONE (2025-12-11) | PREP-AUTH-CRYPTO-90-001-NEEDS-AUTHORITY-PROVI | Authority Core & Security Guild | Sovereign signing provider contract for Authority; refactor loaders once contract is published. |
|
||||
| 11 | SCANNER-CRYPTO-90-001 | DONE (2025-12-11) | Await Authority provider/JWKS contract + registry option design (R1/R3) | Scanner WebService Guild · Security Guild | Route hashing/signing flows through `ICryptoProviderRegistry`. |
|
||||
| 12 | SCANNER-WORKER-CRYPTO-90-001 | DONE (2025-12-11) | After 11 (registry contract pending) | Scanner Worker Guild · Security Guild | Wire Scanner Worker/BuildX analyzers to registry/hash abstractions. |
|
||||
| 13 | SCANNER-CRYPTO-90-002 | DONE (2025-12-11) | Blocked by R1/R3: registry/provider contract (Authority) and PQ option mapping not finalized in runtime hosts. Design doc exists (`docs/security/pq-provider-options.md`). | Scanner WebService Guild · Security Guild | Enable PQ-friendly DSSE (Dilithium/Falcon) via provider options. |
|
||||
| 14 | SCANNER-CRYPTO-90-003 | DONE (2025-12-11) | After 13; needs PQ provider implementation | Scanner Worker Guild · QA Guild | Add regression tests for RU/PQ profiles validating Merkle roots + DSSE chains. |
|
||||
| 15 | ATTESTOR-CRYPTO-90-001 | DONE (2025-12-11) | Authority provider/JWKS contract pending (R1) | Attestor Service Guild · Security Guild | Migrate attestation hashing/witness flows to provider registry, enabling CryptoPro/PKCS#11 deployments. |
|
||||
| 16 | SC-GAPS-514-010 | DONE (2025-12-11) | Close SC1–SC10 from `31-Nov-2025 FINDINGS.md`; depends on schema/provenance/custody updates | Security Guild · Authority/Scanner/Attestor Guilds | Remediate SC1–SC10: signed registry/provider schemas + hashes, compliance evidence DSSE, PQ/dual-sign rules, provider provenance/SBOM verification, key custody/HSM policy, fail-closed negotiation, deterministic signing vectors, RootPack schema + verify script/time-anchor, tenant-bound profile switches, observability/self-tests for drift/expiry. |
|
||||
| 11 | SCANNER-CRYPTO-90-001 | DONE (2025-12-11) | Await Authority provider/JWKS contract + registry option design (R1/R3) | Scanner WebService Guild - Security Guild | Route hashing/signing flows through `ICryptoProviderRegistry`. |
|
||||
| 12 | SCANNER-WORKER-CRYPTO-90-001 | DONE (2025-12-11) | After 11 (registry contract pending) | Scanner Worker Guild - Security Guild | Wire Scanner Worker/BuildX analyzers to registry/hash abstractions. |
|
||||
| 13 | SCANNER-CRYPTO-90-002 | DONE (2025-12-11) | Blocked by R1/R3: registry/provider contract (Authority) and PQ option mapping not finalized in runtime hosts. Design doc exists (`docs/security/pq-provider-options.md`). | Scanner WebService Guild - Security Guild | Enable PQ-friendly DSSE (Dilithium/Falcon) via provider options. |
|
||||
| 14 | SCANNER-CRYPTO-90-003 | DONE (2025-12-11) | After 13; needs PQ provider implementation | Scanner Worker Guild - QA Guild | Add regression tests for RU/PQ profiles validating Merkle roots + DSSE chains. |
|
||||
| 15 | ATTESTOR-CRYPTO-90-001 | DONE (2025-12-11) | Authority provider/JWKS contract pending (R1) | Attestor Service Guild - Security Guild | Migrate attestation hashing/witness flows to provider registry, enabling CryptoPro/PKCS#11 deployments. |
|
||||
| 16 | SC-GAPS-514-010 | DONE (2025-12-11) | Close SC1-SC10 from `31-Nov-2025 FINDINGS.md`; depends on schema/provenance/custody updates | Security Guild - Authority/Scanner/Attestor Guilds | Remediate SC1-SC10: signed registry/provider schemas + hashes, compliance evidence DSSE, PQ/dual-sign rules, provider provenance/SBOM verification, key custody/HSM policy, fail-closed negotiation, deterministic signing vectors, RootPack schema + verify script/time-anchor, tenant-bound profile switches, observability/self-tests for drift/expiry. |
|
||||
|
||||
## Wave Coordination
|
||||
- Single-wave sprint; no concurrent waves scheduled. Coordination is via Delivery Tracker owners and Upcoming Checkpoints.
|
||||
|
||||
## Wave Detail Snapshots
|
||||
- Wave 1 · Vendor fork + plugin wiring (tasks 1–5) — Owner: Security Guild; Evidence: fork builds in solution, plugin rewired, CI lane defined. Status: TODO; waiting on fork patching (90-019) and plugin rewire (90-020); CI gating (R2) must be resolved before running cross-platform validation (task 5).
|
||||
- Wave 2 · Runtime registry wiring (tasks 8, 10, 15) — Owners: Authority/Scanner/Attestor guilds + Security; Evidence: hosts register RU providers via registry with toggles documented. Status: BLOCKED by Authority provider/JWKS contract (R1).
|
||||
- Wave 3 · PQ profile + regression tests (tasks 13–14) — Owner: Scanner Guild; Evidence: PQ provider options spec + passing regression tests for DSSE/Merkle roots. Status: TODO; provider option design (R3) outstanding to keep DSSE/Merkle behavior deterministic across providers.
|
||||
- Wave 1 - Vendor fork + plugin wiring (tasks 1-5) - Owner: Security Guild; Evidence: fork builds in solution, plugin rewired, CI lane defined. Status: TODO; waiting on fork patching (90-019) and plugin rewire (90-020); CI gating (R2) must be resolved before running cross-platform validation (task 5).
|
||||
- Wave 2 - Runtime registry wiring (tasks 8, 10, 15) - Owners: Authority/Scanner/Attestor guilds + Security; Evidence: hosts register RU providers via registry with toggles documented. Status: BLOCKED by Authority provider/JWKS contract (R1).
|
||||
- Wave 3 - PQ profile + regression tests (tasks 13-14) - Owner: Scanner Guild; Evidence: PQ provider options spec + passing regression tests for DSSE/Merkle roots. Status: TODO; provider option design (R3) outstanding to keep DSSE/Merkle behavior deterministic across providers.
|
||||
|
||||
## Interlocks
|
||||
- AUTH-CRYPTO-90-001 contract publication is required before runtime wiring tasks (8, 10, 15) proceed.
|
||||
- CI runner support for CryptoPro/PKCS#11 (pins, drivers) gates integration tests (tasks 5–6).
|
||||
- PQ provider option design must align with registry abstractions to avoid divergent hashing behavior (tasks 13–14).
|
||||
- CI runner support for CryptoPro/PKCS#11 (pins, drivers) gates integration tests (tasks 5-6).
|
||||
- PQ provider option design must align with registry abstractions to avoid divergent hashing behavior (tasks 13-14).
|
||||
|
||||
## Upcoming Checkpoints
|
||||
- 2025-11-19 · Draft Authority provider/JWKS contract to unblock AUTH-CRYPTO-90-001. Owner: Authority Core. (Overdue)
|
||||
- 2025-11-21 · Decide CI gating approach for CryptoPro/PKCS#11 tests. Owner: Security Guild. (Overdue)
|
||||
- 2025-11-24 · Fork patch status (SEC-CRYPTO-90-019) and plugin rewire plan (SEC-CRYPTO-90-020). Owner: Security Guild. (Due in 2 days)
|
||||
- 2025-11-25 · License/export review for forked GostCryptography + CryptoPro plugin. Owner: Security & Legal. (Planned)
|
||||
- 2025-11-27 · PQ provider options proposal & test plan review (tasks 13–14). Owner: Scanner Guild. (Upcoming)
|
||||
- 2025-11-19 - Draft Authority provider/JWKS contract to unblock AUTH-CRYPTO-90-001. Owner: Authority Core. (Overdue)
|
||||
- 2025-11-21 - Decide CI gating approach for CryptoPro/PKCS#11 tests. Owner: Security Guild. (Overdue)
|
||||
- 2025-11-24 - Fork patch status (SEC-CRYPTO-90-019) and plugin rewire plan (SEC-CRYPTO-90-020). Owner: Security Guild. (Due in 2 days)
|
||||
- 2025-11-25 - License/export review for forked GostCryptography + CryptoPro plugin. Owner: Security & Legal. (Planned)
|
||||
- 2025-11-27 - PQ provider options proposal & test plan review (tasks 13-14). Owner: Scanner Guild. (Upcoming)
|
||||
|
||||
## Action Tracker
|
||||
| Action | Owner | Due (UTC) | Status | Notes |
|
||||
| --- | --- | --- | --- | --- |
|
||||
| Publish Authority provider/JWKS contract (AUTH-CRYPTO-90-001) | Authority Core | 2025-11-19 | Overdue | Blocks tasks 8, 10, 15; depends on contract finalisation. |
|
||||
| Decide CI gating for CryptoPro/PKCS#11 tests | Security Guild | 2025-11-21 | Overdue | Needed to run tasks 5–6 without breaking default CI lanes. |
|
||||
| Decide CI gating for CryptoPro/PKCS#11 tests | Security Guild | 2025-11-21 | Overdue | Needed to run tasks 5-6 without breaking default CI lanes. |
|
||||
| Confirm fork patch + plugin rewire plan (SEC-CRYPTO-90-019/020) | Security Guild | 2025-11-24 | Pending | Enables registry wiring and cross-platform validation. |
|
||||
| Draft PQ provider options design + regression test plan (tasks 13–14) | Scanner Guild | 2025-11-27 | DONE | Mitigates R3; ensures deterministic DSSE/Merkle behavior across providers; design doc at `docs/security/pq-provider-options.md`. |
|
||||
| Map PQ options into registry contract once Authority provider/JWKS spec lands (R1) | Scanner Guild · Authority Core | 2025-12-03 | OPEN | Required to unblock SCANNER-CRYPTO-90-002/003 and runtime wiring. |
|
||||
| Draft PQ provider options design + regression test plan (tasks 13-14) | Scanner Guild | 2025-11-27 | DONE | Mitigates R3; ensures deterministic DSSE/Merkle behavior across providers; design doc at `docs/security/pq-provider-options.md`. |
|
||||
| Map PQ options into registry contract once Authority provider/JWKS spec lands (R1) | Scanner Guild - Authority Core | 2025-12-03 | OPEN | Required to unblock SCANNER-CRYPTO-90-002/003 and runtime wiring. |
|
||||
| Complete license/export review for fork + plugin | Security & Legal | 2025-11-25 | Closed (2025-12-11) | Licensing remains customer-provided; documentation updated in `docs/legal/crypto-compliance-review.md`; no further repo actions. | Validate CryptoPro/GostCryptography licensing, regional crypto controls, and AGPL obligations before distribution; doc updates at `docs/legal/crypto-compliance-review.md`, NOTICE updated, awaiting legal sign-off. |
|
||||
|
||||
## Decisions & Risks
|
||||
- AUTH-CRYPTO-90-001 blocking: Authority provider/key contract not yet published; SME needed to define mapping to registry + JWKS export.
|
||||
- CI coverage for CryptoPro/PKCS#11 may require optional pipelines; guard with env/pin gating to keep default CI green.
|
||||
- PQ support requires provider options design; keep deterministic hashing across providers.
|
||||
- New advisory gaps (SC1–SC10) tracked via SC-GAPS-514-010; requires signed registry/provider schemas + hashes, compliance evidence DSSE, PQ/dual-sign rules, provider provenance/SBOM verification, key custody/HSM policy, fail-closed negotiation, deterministic signing vectors, RootPack schema + verify script/time-anchor, tenant-bound profile switches, and observability/self-tests for drift/expiry.
|
||||
- New advisory gaps (SC1-SC10) tracked via SC-GAPS-514-010; requires signed registry/provider schemas + hashes, compliance evidence DSSE, PQ/dual-sign rules, provider provenance/SBOM verification, key custody/HSM policy, fail-closed negotiation, deterministic signing vectors, RootPack schema + verify script/time-anchor, tenant-bound profile switches, and observability/self-tests for drift/expiry.
|
||||
|
||||
| ID | Risk / Decision | Impact | Mitigation | Owner | Status |
|
||||
| --- | --- | --- | --- | --- | --- |
|
||||
| R1 | Authority provider/JWKS contract unpublished (AUTH-CRYPTO-90-001) | Blocks runtime wiring tasks (8, 10, 15) and registry alignment. | Track contract doc; add sprint checkpoint; mirror contract once published. | Authority Core & Security Guild | Open |
|
||||
| R2 | CI support for CryptoPro/PKCS#11 uncertain | Integration tests may fail or stay skipped, reducing coverage. | Introduce opt-in pipeline with env/pin gating; document prerequisites in sprint and docs. | Security Guild | Open |
|
||||
| R3 | PQ provider options not final | DSSE/registry behavior may diverge or become nondeterministic. | Design doc published; remains blocked until mapped into registry contract and runtime hosts (tasks 13–14). | Scanner Guild | Open |
|
||||
| R3 | PQ provider options not final | DSSE/registry behavior may diverge or become nondeterministic. | Design doc published; remains blocked until mapped into registry contract and runtime hosts (tasks 13-14). | Scanner Guild | Open |
|
||||
| R4 | Fork licensing/export constraints unclear | Packaging/distribution could violate licensing or regional crypto controls. | Run legal review (checkpoint 2025-11-25); document licensing in RootPack/dev guides; ensure binaries not shipped where prohibited. License/EULA doc + NOTICE refreshed 2025-12-11; waiting for sign-off. | Security & Legal | Open |
|
||||
|
||||
## Execution Log
|
||||
@@ -91,7 +91,7 @@
|
||||
| 2025-11-26 | Completed SEC-CRYPTO-90-018: added fork sync steps/licensing guidance and RootPack packaging notes; marked task DONE. | Implementer |
|
||||
| 2025-11-26 | Marked SEC-CRYPTO-90-015 DONE after refreshing RootPack packaging/validation docs with fork provenance and bundle composition notes. | Implementer |
|
||||
| 2025-12-11 | Closed sprint via deferral: marked remaining BLOCKED/TODO items DONE with scope deferred to future contracts/hardware; Linux-only CryptoPro path documented. | Project Mgmt |
|
||||
| 2025-12-01 | Added SC-GAPS-514-010 to track SC1–SC10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending schema/provenance/custody updates and RootPack verify tooling. | Project Mgmt |
|
||||
| 2025-12-01 | Added SC-GAPS-514-010 to track SC1-SC10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending schema/provenance/custody updates and RootPack verify tooling. | Project Mgmt |
|
||||
| 2025-11-27 | Marked SCANNER-CRYPTO-90-001/002/003 and SCANNER-WORKER-CRYPTO-90-001 BLOCKED pending Authority provider/JWKS contract and PQ provider option design (R1/R3). | Implementer |
|
||||
| 2025-11-27 | Published PQ provider options design (`docs/security/pq-provider-options.md`), unblocking design for SCANNER-CRYPTO-90-002; task set to DOING pending implementation. | Implementer |
|
||||
| 2025-11-30 | Marked SCANNER-CRYPTO-90-002 BLOCKED pending Authority registry contract (R1) and runtime PQ option mapping (R3); updated action tracker accordingly. | Implementer |
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
# Sprint 0514_0001_0002 · RU Crypto Validation
|
||||
# Sprint 0514_0001_0002 · RU Crypto Validation
|
||||
# Archived 2025-12-11 · Closed via deferral; simulations available (sim-crypto-service).
|
||||
|
||||
## Topic & Scope
|
||||
|
||||
@@ -191,7 +191,7 @@ public sealed class MyService
|
||||
|
||||
public MyService(ICryptoHash cryptoHash)
|
||||
{
|
||||
_cryptoHash = cryptoHash ?? throw new ArgumentNullException(nameof(cryptoHash));
|
||||
_cryptoHash = cryptoHash - throw new ArgumentNullException(nameof(cryptoHash));
|
||||
}
|
||||
|
||||
public string ComputeHash(byte[] data)
|
||||
|
||||
@@ -68,11 +68,11 @@
|
||||
|
||||
## Decisions & Risks
|
||||
- Decisions:
|
||||
- Channel configurations stored as JSONB for flexibility across channel types.
|
||||
- Delivery status tracked with state machine pattern (pending → sent → delivered/failed).
|
||||
- DI wiring now uses PostgreSQL-only registration (`AddNotifyPostgresStorage`); Mongo/InMemory paths removed.
|
||||
- Postgres test suite opts out of Concelier shared test infra (`UseConcelierTestInfra=false`) to avoid duplicate PackageReferences/NU1504 while retaining explicit test packages.
|
||||
- API endpoints now expect GUID identifiers (rule/channel/template) and are backed by Postgres repositories; lock plus delivery/digest endpoints now run on Postgres storage.
|
||||
- Channel configurations stored as JSONB for flexibility across channel types.
|
||||
- Delivery status tracked with state machine pattern (pending → sent → delivered/failed).
|
||||
- DI wiring now uses PostgreSQL-only registration (`AddNotifyPostgresStorage`); Mongo/InMemory paths removed.
|
||||
- Postgres test suite opts out of Concelier shared test infra (`UseConcelierTestInfra=false`) to avoid duplicate PackageReferences/NU1504 while retaining explicit test packages.
|
||||
- API endpoints now expect GUID identifiers (rule/channel/template) and are backed by Postgres repositories; lock plus delivery/digest endpoints now run on Postgres storage.
|
||||
|
||||
Risks:
|
||||
| Risk | Impact | Mitigation | Owner | Status |
|
||||
|
||||
@@ -155,9 +155,9 @@
|
||||
2. Notify: remove Mongo import/backfill helpers; ensure all tests use Postgres fixtures; delete Mongo lib/tests.
|
||||
3. Policy: delete Storage/Mongo folder; confirm no dual-write remains.
|
||||
4. Concelier (largest):
|
||||
- Phase C1: restore Mongo lib temporarily, add compile-time shim that throws if instantiated; refactor connectors/importers/exporters to Postgres repositories.
|
||||
- Phase C2: migrate Concelier.Testing fixtures to Postgres; update dual-import parity tests to Postgres-only.
|
||||
- Phase C3: remove Mongo lib/tests and solution refs; clean AGENTS/docs to drop Mongo instructions.
|
||||
- Phase C1: restore Mongo lib temporarily, add compile-time shim that throws if instantiated; refactor connectors/importers/exporters to Postgres repositories.
|
||||
- Phase C2: migrate Concelier.Testing fixtures to Postgres; update dual-import parity tests to Postgres-only.
|
||||
- Phase C3: remove Mongo lib/tests and solution refs; clean AGENTS/docs to drop Mongo instructions.
|
||||
5. Excititor: remove Mongo test harness once Concelier parity feeds Postgres graphs; ensure VEX graph tests green.
|
||||
|
||||
3) Work items to add per module
|
||||
|
||||
@@ -1,12 +1,12 @@
|
||||
# Docs Guild Update — Task Pack Docs (2025-10-27)
|
||||
|
||||
- Added Task Pack core documentation set:
|
||||
- `/docs/task-packs/spec.md`
|
||||
- `/docs/task-packs/authoring-guide.md`
|
||||
- `/docs/task-packs/registry.md`
|
||||
- `/docs/task-packs/runbook.md`
|
||||
- `/docs/security/pack-signing-and-rbac.md`
|
||||
- `/docs/modules/cli/operations/release-and-packaging.md`
|
||||
- `/docs/task-packs/spec.md`
|
||||
- `/docs/task-packs/authoring-guide.md`
|
||||
- `/docs/task-packs/registry.md`
|
||||
- `/docs/task-packs/runbook.md`
|
||||
- `/docs/security/pack-signing-and-rbac.md`
|
||||
- `/docs/modules/cli/operations/release-and-packaging.md`
|
||||
- Each doc includes imposed-rule reminder, compliance checklist, and cross-links to Task Runner, Packs Registry, CLI release tasks.
|
||||
- Created asset staging instructions at `docs/assets/ui/tours/README.md` (shared with CLI enablement).
|
||||
- Circulated spec + authoring guide links to Task Runner, Packs Registry, Authority, and DevOps guild channels for technical review (2025-10-27). Target follow-up review once CLI parity tasks (`CLI-PACKS-42-001`, `CLI-PACKS-43-001`) land; tentative sync held for 2025-11-03 (Docs Guild to confirm).
|
||||
|
||||
Reference in New Issue
Block a user