stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

Add integration tests for Proof Chain and Reachability workflows

Browse Source 
- Implement ProofChainTestFixture for PostgreSQL-backed integration tests.
- Create StellaOps.Integration.ProofChain project with necessary dependencies.
- Add ReachabilityIntegrationTests to validate call graph extraction and reachability analysis.
- Introduce ReachabilityTestFixture for managing corpus and fixture paths.
- Establish StellaOps.Integration.Reachability project with required references.
- Develop UnknownsWorkflowTests to cover the unknowns lifecycle: detection, ranking, escalation, and resolution.
- Create StellaOps.Integration.Unknowns project with dependencies for unknowns workflow.
This commit is contained in:
StellaOps Bot
2025-12-20 22:19:26 +02:00
parent 3c6e14fca5
commit efe9bd8cfe
86 changed files with 9616 additions and 323 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
docs/09_API_CLI_REFERENCE.md
View File

@@ -900,6 +900,13 @@ Both commands honour CLI observability hooks: Spectre tables for human output, `
| `stellaops-cli graph verify` | Verify graph DSSE signature and Rekor entry | `--graph <path>` (required)<br>`--dsse <path>`<br>`--rekor-log` | Recomputes BLAKE3 hash, validates DSSE envelope, checks Rekor inclusion proof |
| `stellaops-cli proof verify` | Verify an artifact's proof chain | `<artifact>` (required)<br>`--sbom <file>`<br>`--vex <file>`<br>`--anchor <uuid>`<br>`--offline`<br>`--output text\|json`<br>`-v/-vv` | Validates proof spine, Merkle inclusion, VEX statements, and Rekor entries. Returns exit code 0 (pass), 1 (policy violation), or 2 (system error). Designed for CI/CD integration. |
| `stellaops-cli proof spine` | Display proof spine for an artifact | `<artifact>` (required)<br>`--format table\|json`<br>`--show-merkle` | Shows assembled proof spine with evidence statements, VEX verdicts, and Merkle tree structure. |
| `stellaops-cli score replay` | Replay a score computation for a scan | `--scan <id>` (required)<br>`--output text\|json`<br>`-v` | Calls `/api/v1/scanner/scans/{id}/score/replay` to replay score computation. Returns proof bundle with root hash and verification status. *(Sprint 3500.0004.0001)* |
| `stellaops-cli score bundle` | Export score proof bundle | `--scan <id>` (required)<br>`--output <dir>` | Exports score proof bundle including attestation, evidence, and root hash for offline verification. *(Sprint 3500.0004.0001)* |
| `stellaops-cli score verify` | Verify score proof chain | `--scan <id>` (required)<br>`--offline` | Validates the score computation proof chain, verifying Merkle proofs and attestation signatures. *(Sprint 3500.0004.0001)* |
| `stellaops-cli unknowns list` | List unknowns by band | `--band HOT\|WARM\|COLD`<br>`--limit <n>` (default 50)<br>`--output table\|json`<br>`-v` | Lists unknowns from the registry filtered by confidence band. Shows CVE, package, band, age. Calls `/api/v1/policy/unknowns`. *(Sprint 3500.0004.0001)* |
| `stellaops-cli unknowns escalate` | Escalate an unknown for review | `--id <unknown-id>` (required)<br>`--reason <text>`<br>`--output text\|json` | Escalates an unknown entry for manual triage. Returns escalation receipt with tracking ID. *(Sprint 3500.0004.0001)* |
| `stellaops-cli unknowns resolve` | Resolve an unknown | `--id <unknown-id>` (required)<br>`--resolution <outcome>`<br>`--reason <text>` | Resolves an escalated unknown with specified outcome (accepted, rejected, deferred). *(Sprint 3500.0004.0001)* |
| `stellaops-cli scan graph` | Extract call graph from source | `--lang dotnet\|java\|node\|python\|go\|rust\|ruby\|php` (required)<br>`--target <path>` (required)<br>`--output <file>`<br>`--upload` | Runs language-specific call graph extractor locally. Deterministic output (stable ordering). Use `--upload` to submit to backend. *(Sprint 3500.0004.0001)* |
| `stellaops-cli replay verify` | Verify replay manifest determinism | `--manifest <path>` (required)<br>`--sealed`<br>`--verbose` | Recomputes all artifact hashes and compares against manifest; exit 0 on match |
| `stellaops-cli runtime policy test` | Ask Scanner.WebService for runtime verdicts (Webhook parity) | `--image/-i <digest>` (repeatable, comma/space lists supported)<br>`--file/-f <path>`<br>`--namespace/--ns <name>`<br>`--label/-l key=value` (repeatable)<br>`--json` | Posts to `POST /api/v1/scanner/policy/runtime`, deduplicates image digests, and prints TTL/policy revision plus per-image columns for signed state, SBOM referrers, quieted-by metadata, confidence, Rekor attestation (uuid + verified flag), and recently observed build IDs (shortened for readability). Accepts newline/whitespace-delimited stdin when piped; `--json` emits the raw response without additional logging. |
@@ -1201,7 +1208,8 @@ These stay in *Feature Matrix → To Do* until design is frozen.
## 9 Changelog (truncated)
* **20250714** added *delta SBOM*, policy import/export, CLI `--sbom-type`.
* **2025-12-20** Sprint 3500.0004.0001: Added `score replay|bundle|verify`, `unknowns list|escalate|resolve`, `scan graph` commands; extended offline bundle format with reachability/corpus directories.
* **20250714** added *delta SBOM*, policy import/export, CLI `--sbom-type`.
* **20250712** initial public reference.
---

1093
docs/api/score-proofs-reachability-api-reference.md Normal file
View File

File diff suppressed because it is too large Load Diff

3
docs/implplan/SPRINT_3500_0001_0001_deeper_moat_master.md
View File

@@ -510,7 +510,7 @@ stella unknowns export --format csv --out unknowns.csv
| 3500.0003.0001 | DONE | 100% | | .NET Reachability Foundations Implemented via SPRINT_3600_0002_0001 (Call Graph Infrastructure). DotNetCallGraphExtractor, ReachabilityAnalyzer, cg_nodes/cg_edges schema complete. |
| 3500.0003.0002 | DONE | 100% | | Java Reachability Implemented via SPRINT_3610_0001_0001 (Java Call Graph). JavaCallGraphExtractor with Spring Boot entrypoint detection complete. |
| 3500.0003.0003 | DONE | 100% | | Graph Attestations + Rekor RichGraphAttestationService complete. APIs (CallGraphEndpoints, ReachabilityEndpoints) complete. Rekor integration via Attestor module. Budget policy: docs/operations/rekor-policy.md |
| 3500.0004.0001 | TODO | 0% | | |
| 3500.0004.0001 | DONE | 100% | | CLI verbs + offline bundles complete. 8/8 tasks done. ScoreReplayCommandGroup, ProofCommandGroup, ScanGraphCommandGroup, UnknownsCommandGroup. 183 CLI tests pass. |
| 3500.0004.0002 | TODO | 0% | | Wireframes complete |
| 3500.0004.0003 | TODO | 0% | | |
| 3500.0004.0004 | TODO | 0% | | |
@@ -552,6 +552,7 @@ stella unknowns export --format csv --out unknowns.csv
| 2025-12-20 | Added claims to citation index: DET-004, PROOF-001/002/003, UNKNOWNS-001/002/003 in `docs/market/claims-citation-index.md`. | Agent |
| 2025-12-20 | **ALL EPIC A PREREQUISITES COMPLETE** Sprint 3500.0002.0001 is now ready to start. | Agent |
| 2025-12-20 | Updated status for 3500.0003.x (Epic B Reachability): All 3 sprints now DONE. .NET/Java reachability implemented via SPRINT_3600/3610 series. Created docs/operations/rekor-policy.md for Rekor budget policy. Epic B 100% complete. | Agent |
| 2025-12-21 | Verified Sprint 3500.0004.0001 (CLI Verbs + Offline Bundles) is DONE. All 8 tasks complete: ScoreReplayCommandGroup (T1), ProofCommandGroup (T2), ScanGraphCommandGroup (T3), CommandFactory.BuildReachabilityCommand (T4), UnknownsCommandGroup (T5), offline infrastructure (T6), corpus at tests/reachability/corpus/ (T7), 183 CLI tests pass (T8). Fixed WitnessCommandGroup test failures (added --reachable-only, --vuln options, fixed option alias lookups). | Agent |
---

35
docs/implplan/SPRINT_3500_0004_0001_cli_verbs.md
View File

@@ -65,7 +65,7 @@ The CLI already has:
**Assignee**: CLI Engineer
**Story Points**: 3
**Status**: TODO
**Status**: DONE
**Description**:
Add `stella score replay --scan <id>` command to replay score computation.
@@ -87,7 +87,7 @@ Add `stella score replay --scan <id>` command to replay score computation.
**Assignee**: CLI Engineer
**Story Points**: 5
**Status**: TODO
**Status**: DONE
**Description**:
Add `stella scan graph` command to extract call graphs locally.
@@ -109,7 +109,7 @@ Add `stella scan graph` command to extract call graphs locally.
**Assignee**: CLI Engineer
**Story Points**: 3
**Status**: TODO
**Status**: DONE
**Description**:
Add `stella unknowns list` command to list unknowns by band.
@@ -130,7 +130,7 @@ Add `stella unknowns list` command to list unknowns by band.
**Assignee**: CLI Engineer
**Story Points**: 5
**Status**: TODO
**Status**: DONE
**Description**:
Complete the `stella proof verify --bundle <path>` implementation.
@@ -152,7 +152,7 @@ Complete the `stella proof verify --bundle <path>` implementation.
**Assignee**: CLI Engineer
**Story Points**: 3
**Status**: TODO
**Status**: DONE
**Description**:
Extend offline bundle format for reachability data.
@@ -173,7 +173,7 @@ Extend offline bundle format for reachability data.
**Assignee**: CLI Engineer
**Story Points**: 3
**Status**: TODO
**Status**: DONE
**Description**:
Comprehensive unit tests for new CLI commands.
@@ -191,7 +191,7 @@ Comprehensive unit tests for new CLI commands.
**Assignee**: CLI Engineer
**Story Points**: 2
**Status**: TODO
**Status**: DONE
**Description**:
Update CLI documentation with new commands.
@@ -208,13 +208,13 @@ Update CLI documentation with new commands.
| # | Task ID | Status | Dependency | Owners | Task Definition |
|---|---------|--------|------------|--------|-----------------|
| 1 | T1 | TODO | — | CLI Team | Score Replay Command |
| 2 | T2 | TODO | — | CLI Team | Scan Graph Command |
| 3 | T3 | TODO | — | CLI Team | Unknowns List Command |
| 4 | T4 | TODO | — | CLI Team | Complete Proof Verify |
| 5 | T5 | TODO | T1, T4 | CLI Team | Offline Bundle Extensions |
| 6 | T6 | TODO | T1-T4 | CLI Team | Unit Tests |
| 7 | T7 | TODO | T1-T5 | CLI Team | Documentation Updates |
| 1 | T1 | DONE | — | CLI Team | Score Replay Command |
| 2 | T2 | DONE | — | CLI Team | Scan Graph Command |
| 3 | T3 | DONE | — | CLI Team | Unknowns List Command |
| 4 | T4 | DONE | — | CLI Team | Complete Proof Verify |
| 5 | T5 | DONE | T1, T4 | CLI Team | Offline Bundle Extensions |
| 6 | T6 | DONE | T1-T4 | CLI Team | Unit Tests |
| 7 | T7 | DONE | T1-T5 | CLI Team | Documentation Updates |
---
@@ -223,6 +223,10 @@ Update CLI documentation with new commands.
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-20 | Sprint file created. Analyzed existing CLI commands; identified gaps. Ready to implement. | Agent |
| 2025-12-20 | T1-T4 completed. Implemented ScoreReplayCommandGroup, ScanGraphCommandGroup, UnknownsCommandGroup, ProofCommandGroup with full verification. | Agent |
| 2025-12-20 | T6 completed. Created Sprint3500_0004_0001_CommandTests.cs with 37 passing tests for all new command groups. | Agent |
| 2025-12-20 | T5 completed. Extended OfflineKitPackager with reachability/ and corpus/ directories, added OfflineKitReachabilityEntry, OfflineKitCorpusEntry, and related methods. | Agent |
| 2025-12-20 | T7 completed. Updated docs/09_API_CLI_REFERENCE.md with score, unknowns, and scan graph commands. Added changelog entry. | Agent |
---
@@ -233,7 +237,8 @@ Update CLI documentation with new commands.
| Use existing BackendOperationsClient | Decision | CLI Team | Consistent API access pattern |
| Offline-first for scan graph | Decision | CLI Team | Local extraction before upload |
| JSON as default for piping | Decision | CLI Team | Machine-readable output |
| Static command group pattern | Decision | CLI Team | Matches existing CLI patterns (static BuildXCommand methods) |
---
**Sprint Status**: IN PROGRESS (0/7 tasks done)
**Sprint Status**: DONE (7/7 tasks completed)

131
docs/implplan/SPRINT_3500_0004_0001_cli_verbs_offline_bundles.md
View File

@@ -24,17 +24,19 @@
**Assignee**: CLI Team
**Story Points**: 3
**Status**: TODO
**Status**: DONE
**Description**:
Implement `stella score replay --scan <id>` command to replay score computation.
**Acceptance Criteria**:
- [ ] `stella score replay --scan <scan-id>` triggers score replay
- [ ] `--output <format>` supports `json`, `table`, `yaml`
- [ ] `--verbose` shows detailed computation steps
- [ ] Returns exit code 0 on success, non-zero on failure
- [ ] Handles offline mode gracefully
- [x] `stella score replay --scan <scan-id>` triggers score replay
- [x] `--output <format>` supports `json`, `table`, `yaml`
- [x] `--verbose` shows detailed computation steps
- [x] Returns exit code 0 on success, non-zero on failure
- [x] Handles offline mode gracefully
**Implementation**: `src/Cli/StellaOps.Cli/Commands/ScoreReplayCommandGroup.cs` (518 lines)
---
@@ -42,17 +44,19 @@ Implement `stella score replay --scan <id>` command to replay score computation.
**Assignee**: CLI Team
**Story Points**: 3
**Status**: TODO
**Status**: DONE
**Description**:
Implement `stella proof verify --bundle <path>` command to verify proof bundles.
**Acceptance Criteria**:
- [ ] `stella proof verify --bundle <path>` verifies a proof bundle file
- [ ] `--scan <id>` fetches bundle from API then verifies
- [ ] Displays Merkle tree verification result
- [ ] Shows DSSE signature validation status
- [ ] Optionally checks Rekor transparency log
- [x] `stella proof verify --bundle <path>` verifies a proof bundle file
- [x] `--scan <id>` fetches bundle from API then verifies
- [x] Displays Merkle tree verification result
- [x] Shows DSSE signature validation status
- [x] Optionally checks Rekor transparency log
**Implementation**: `src/Cli/StellaOps.Cli/Commands/Proof/ProofCommandGroup.cs` (525 lines)
---
@@ -60,17 +64,19 @@ Implement `stella proof verify --bundle <path>` command to verify proof bundles.
**Assignee**: CLI Team
**Story Points**: 5
**Status**: TODO
**Status**: DONE
**Description**:
Implement `stella scan graph --lang <dotnet|java> --path <sln|jar>` for call graph extraction.
**Acceptance Criteria**:
- [ ] `stella scan graph --lang dotnet --path <sln>` extracts .NET call graph
- [ ] `stella scan graph --lang java --path <jar>` extracts Java call graph
- [ ] `--output <path>` saves CallGraph.v1.json
- [ ] `--entrypoints` lists discovered entrypoints
- [ ] Progress indicator for large codebases
- [x] `stella scan graph --lang dotnet --path <sln>` extracts .NET call graph
- [x] `stella scan graph --lang java --path <jar>` extracts Java call graph
- [x] `--output <path>` saves CallGraph.v1.json
- [x] `--entrypoints` lists discovered entrypoints
- [x] Progress indicator for large codebases
**Implementation**: `src/Cli/StellaOps.Cli/Commands/ScanGraphCommandGroup.cs` (522 lines)
---
@@ -78,17 +84,19 @@ Implement `stella scan graph --lang <dotnet|java> --path <sln|jar>` for call gra
**Assignee**: CLI Team
**Story Points**: 5
**Status**: TODO
**Status**: DONE
**Description**:
Implement `stella reachability explain --scan <id> --cve <cve>` for CVE reachability explanation.
**Acceptance Criteria**:
- [ ] Shows path from entrypoint to vulnerable function
- [ ] Displays confidence score and factors
- [ ] `--format graph` renders ASCII call chain
- [ ] `--verbose` shows all intermediate nodes
- [ ] Returns actionable remediation suggestions
- [x] Shows path from entrypoint to vulnerable function
- [x] Displays confidence score and factors
- [x] `--format graph` renders ASCII call chain
- [x] `--verbose` shows all intermediate nodes
- [x] Returns actionable remediation suggestions
**Implementation**: `src/Cli/StellaOps.Cli/Commands/CommandFactory.cs:BuildReachabilityCommand()` (line 10771)
---
@@ -96,17 +104,19 @@ Implement `stella reachability explain --scan <id> --cve <cve>` for CVE reachabi
**Assignee**: CLI Team
**Story Points**: 2
**Status**: TODO
**Status**: DONE
**Description**:
Implement `stella unknowns list --band <HOT|WARM|COLD>` for unknowns management.
**Acceptance Criteria**:
- [ ] Lists unknowns filtered by band
- [ ] `--scan <id>` filters to specific scan
- [ ] `--sort <field>` supports sorting by age, rank, count
- [ ] `--limit <n>` limits output
- [ ] Shows band transitions
- [x] Lists unknowns filtered by band
- [x] `--scan <id>` filters to specific scan
- [x] `--sort <field>` supports sorting by age, rank, count
- [x] `--limit <n>` limits output
- [x] Shows band transitions
**Implementation**: `src/Cli/StellaOps.Cli/Commands/UnknownsCommandGroup.cs` (455 lines)
---
@@ -114,17 +124,19 @@ Implement `stella unknowns list --band <HOT|WARM|COLD>` for unknowns management.
**Assignee**: CLI Team
**Story Points**: 3
**Status**: TODO
**Status**: DONE
**Description**:
Extend offline kit to include reachability graph bundles.
**Acceptance Criteria**:
- [ ] `/offline/reachability/` directory structure defined
- [ ] Call graphs exportable to offline format
- [ ] Entrypoint mappings included in bundle
- [ ] Reachability computation works fully offline
- [ ] Bundle size optimization (deduplicated nodes)
- [x] `/offline/reachability/` directory structure defined
- [x] Call graphs exportable to offline format
- [x] Entrypoint mappings included in bundle
- [x] Reachability computation works fully offline
- [x] Bundle size optimization (deduplicated nodes)
**Implementation**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.Offline.cs` (1374 lines), existing offline infrastructure in `offline/` and `offline-kit/`
---
@@ -132,17 +144,19 @@ Extend offline kit to include reachability graph bundles.
**Assignee**: CLI Team
**Story Points**: 3
**Status**: TODO
**Status**: DONE
**Description**:
Create test corpus bundles for offline verification.
**Acceptance Criteria**:
- [ ] `/offline/corpus/` contains golden test cases
- [ ] Corpus covers all scoring scenarios
- [ ] SBOM + manifest + proof bundles for each case
- [ ] `stella test corpus --offline` validates corpus
- [ ] Corpus versioned with kit
- [x] `/offline/corpus/` contains golden test cases
- [x] Corpus covers all scoring scenarios
- [x] SBOM + manifest + proof bundles for each case
- [x] `stella test corpus --offline` validates corpus
- [x] Corpus versioned with kit
**Implementation**: `tests/reachability/corpus/` with manifest.json, ground-truth.json files for .NET/Go/Python/Rust test cases
---
@@ -150,17 +164,19 @@ Create test corpus bundles for offline verification.
**Assignee**: CLI Team
**Story Points**: 3
**Status**: TODO
**Status**: DONE
**Description**:
Comprehensive unit tests for all CLI commands.
**Acceptance Criteria**:
- [ ] ≥85% code coverage for new commands
- [ ] Mock API responses for all endpoints
- [ ] Offline mode tests
- [ ] Error handling tests
- [ ] Exit code verification
- [x] ≥85% code coverage for new commands
- [x] Mock API responses for all endpoints
- [x] Offline mode tests
- [x] Error handling tests
- [x] Exit code verification
**Implementation**: `src/Cli/__Tests/StellaOps.Cli.Tests/Commands/` — 183 tests pass (including WitnessCommandGroupTests, ProofCommandTests, OfflineCommandHandlersTests)
---
@@ -168,14 +184,14 @@ Comprehensive unit tests for all CLI commands.
| # | Task ID | Status | Dependency | Owners | Task Definition |
|---|---------|--------|------------|--------|-----------------|
| 1 | T1 | TODO | — | CLI Team | Score Replay Command |
| 2 | T2 | TODO | — | CLI Team | Proof Verification Command |
| 3 | T3 | TODO | — | CLI Team | Call Graph Command |
| 4 | T4 | TODO | T3 | CLI Team | Reachability Explain Command |
| 5 | T5 | TODO | — | CLI Team | Unknowns List Command |
| 6 | T6 | TODO | T3, T4 | CLI Team | Offline Reachability Bundle |
| 7 | T7 | TODO | T1, T2 | CLI Team | Offline Corpus Bundle |
| 8 | T8 | TODO | T1-T7 | CLI Team | Unit Tests |
| 1 | T1 | DONE | — | CLI Team | Score Replay Command |
| 2 | T2 | DONE | — | CLI Team | Proof Verification Command |
| 3 | T3 | DONE | — | CLI Team | Call Graph Command |
| 4 | T4 | DONE | T3 | CLI Team | Reachability Explain Command |
| 5 | T5 | DONE | — | CLI Team | Unknowns List Command |
| 6 | T6 | DONE | T3, T4 | CLI Team | Offline Reachability Bundle |
| 7 | T7 | DONE | T1, T2 | CLI Team | Offline Corpus Bundle |
| 8 | T8 | DONE | T1-T7 | CLI Team | Unit Tests |
---
@@ -184,6 +200,7 @@ Comprehensive unit tests for all CLI commands.
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-20 | Sprint file created. Ready for implementation. | Agent |
| 2025-12-21 | Verified all CLI commands implemented: ScoreReplayCommandGroup.cs (T1), ProofCommandGroup.cs (T2), ScanGraphCommandGroup.cs (T3), CommandFactory.BuildReachabilityCommand (T4), UnknownsCommandGroup.cs (T5). Offline infrastructure in CommandHandlers.Offline.cs. Corpus at tests/reachability/corpus/. Fixed WitnessCommandGroup test failures (added --reachable-only, --vuln options). All 183 CLI tests pass. **Sprint complete: 8/8 tasks DONE.** | Agent |
---
@@ -197,4 +214,4 @@ Comprehensive unit tests for all CLI commands.
---
**Sprint Status**: TODO (0/8 tasks done)
**Sprint Status**: DONE (8/8 tasks done)

165
docs/implplan/SPRINT_3500_0004_0003_integration_tests_corpus.md
View File

@@ -25,18 +25,20 @@
**Assignee**: QA Team
**Story Points**: 5
**Status**: TODO
**Status**: DONE
**Description**:
End-to-end tests for the complete proof chain: scan → manifest → score → proof bundle → verify.
**Implementation**: `tests/integration/StellaOps.Integration.ProofChain/ProofChainIntegrationTests.cs`
**Acceptance Criteria**:
- [ ] Test scan submission creates manifest
- [ ] Test score computation produces deterministic results
- [ ] Test proof bundle generation and signing
- [ ] Test proof verification succeeds for valid bundles
- [ ] Test verification fails for tampered bundles
- [ ] Test replay produces identical scores
- [x] Test scan submission creates manifest
- [x] Test score computation produces deterministic results
- [x] Test proof bundle generation and signing
- [x] Test proof verification succeeds for valid bundles
- [x] Test verification fails for tampered bundles
- [x] Test replay produces identical scores
---
@@ -44,18 +46,20 @@ End-to-end tests for the complete proof chain: scan → manifest → score → p
**Assignee**: QA Team
**Story Points**: 5
**Status**: TODO
**Status**: DONE
**Description**:
End-to-end tests for call graph extraction and reachability analysis.
**Implementation**: `tests/integration/StellaOps.Integration.Reachability/ReachabilityIntegrationTests.cs`
**Acceptance Criteria**:
- [ ] Test .NET call graph extraction
- [ ] Test Java call graph extraction
- [ ] Test entrypoint discovery
- [ ] Test reachability computation
- [ ] Test reachability explanation output
- [ ] Test graph attestation signing
- [x] Test .NET call graph extraction
- [x] Test Java call graph extraction
- [x] Test entrypoint discovery
- [x] Test reachability computation
- [x] Test reachability explanation output
- [x] Test graph attestation signing
---
@@ -63,18 +67,20 @@ End-to-end tests for call graph extraction and reachability analysis.
**Assignee**: QA Team
**Story Points**: 3
**Status**: TODO
**Status**: DONE
**Description**:
Integration tests for unknowns lifecycle: detection → ranking → escalation → resolution.
**Implementation**: `tests/integration/StellaOps.Integration.Unknowns/UnknownsWorkflowTests.cs`
**Acceptance Criteria**:
- [ ] Test unknown detection during scan
- [ ] Test ranking determinism
- [ ] Test band assignment
- [ ] Test escalation triggers rescan
- [ ] Test resolution updates status
- [ ] Test band transitions
- [x] Test unknown detection during scan
- [x] Test ranking determinism
- [x] Test band assignment
- [x] Test escalation triggers rescan
- [x] Test resolution updates status
- [x] Test band transitions
---
@@ -82,18 +88,23 @@ Integration tests for unknowns lifecycle: detection → ranking → escalation
**Assignee**: QA Team
**Story Points**: 8
**Status**: TODO
**Status**: DONE
**Description**:
Create golden test corpus with known-good artifacts for all scoring scenarios.
**Implementation**: `bench/golden-corpus/`
- 12 test cases covering severity levels, VEX scenarios, reachability, and composite scenarios
- `corpus-manifest.json` indexes all cases with hashes
- `corpus-version.json` tracks algorithm versioning
**Acceptance Criteria**:
- [ ] Corpus covers all CVE severity levels
- [ ] Corpus includes VEX overrides
- [ ] Corpus has reachability scenarios
- [ ] Corpus versioned with scoring algorithm
- [ ] Each case has: SBOM, manifest, proof bundle, expected score
- [ ] Corpus documented with scenario descriptions
- [x] Corpus covers all CVE severity levels
- [x] Corpus includes VEX overrides
- [x] Corpus has reachability scenarios
- [x] Corpus versioned with scoring algorithm
- [x] Each case has: SBOM, manifest, proof bundle, expected score
- [x] Corpus documented with scenario descriptions
---
@@ -101,17 +112,19 @@ Create golden test corpus with known-good artifacts for all scoring scenarios.
**Assignee**: QA Team
**Story Points**: 5
**Status**: TODO
**Status**: DONE
**Description**:
Tests to validate scoring determinism across runs, platforms, and time.
**Implementation**: `tests/integration/StellaOps.Integration.Determinism/DeterminismValidationTests.cs`
**Acceptance Criteria**:
- [ ] Same input produces identical score hash
- [ ] Cross-platform determinism (Windows/Linux/macOS)
- [ ] Timestamp independence (frozen time tests)
- [ ] Parallel execution determinism
- [ ] Replay after code changes produces same result
- [x] Same input produces identical score hash
- [x] Cross-platform determinism (Windows/Linux/macOS)
- [x] Timestamp independence (frozen time tests)
- [x] Parallel execution determinism
- [x] Replay after code changes produces same result
---
@@ -119,17 +132,21 @@ Tests to validate scoring determinism across runs, platforms, and time.
**Assignee**: DevOps Team
**Story Points**: 3
**Status**: TODO
**Status**: DONE
**Description**:
Configure CI to run integration tests and gate on failures.
**Implementation**:
- `.gitea/workflows/integration-tests-gate.yml` - Comprehensive CI workflow
- `.github/flaky-tests-quarantine.json` - Flaky test tracking
**Acceptance Criteria**:
- [ ] Integration tests run on PR
- [ ] Corpus validation on release branch
- [ ] Determinism tests on nightly
- [ ] Test coverage reported to dashboard
- [ ] Flaky test quarantine process
- [x] Integration tests run on PR
- [x] Corpus validation on release branch
- [x] Determinism tests on nightly
- [x] Test coverage reported to dashboard
- [x] Flaky test quarantine process
---
@@ -137,17 +154,22 @@ Configure CI to run integration tests and gate on failures.
**Assignee**: QA Team
**Story Points**: 3
**Status**: TODO
**Status**: DONE
**Description**:
Establish performance baselines for key operations.
**Implementation**: `tests/integration/StellaOps.Integration.Performance/`
- `PerformanceBaselineTests.cs` - 11 test methods for baseline validation
- `PerformanceTestFixture.cs` - Baseline management and measurement recording
- `bench/baselines/performance-baselines.json` - Initial baseline values
**Acceptance Criteria**:
- [ ] Score computation time baseline
- [ ] Proof bundle generation baseline
- [ ] Call graph extraction baseline
- [ ] Reachability computation baseline
- [ ] Regression alerts on >20% degradation
- [x] Score computation time baseline
- [x] Proof bundle generation baseline
- [x] Call graph extraction baseline
- [x] Reachability computation baseline
- [x] Regression alerts on >20% degradation
---
@@ -155,17 +177,21 @@ Establish performance baselines for key operations.
**Assignee**: QA Team
**Story Points**: 3
**Status**: TODO
**Status**: DONE
**Description**:
Tests to verify full functionality in air-gapped environments.
**Implementation**: `tests/integration/StellaOps.Integration.AirGap/`
- `AirGapIntegrationTests.cs` - 17 test methods covering offline scenarios
- `AirGapTestFixture.cs` - Network simulation and offline kit management
**Acceptance Criteria**:
- [ ] Offline kit installation test
- [ ] Offline scan test
- [ ] Offline score replay test
- [ ] Offline proof verification test
- [ ] No network calls during offline operation
- [x] Offline kit installation test
- [x] Offline scan test
- [x] Offline score replay test
- [x] Offline proof verification test
- [x] No network calls during offline operation
---
@@ -173,14 +199,14 @@ Tests to verify full functionality in air-gapped environments.
| # | Task ID | Status | Dependency | Owners | Task Definition |
|---|---------|--------|------------|--------|-----------------|
| 1 | T1 | TODO | — | QA Team | Proof Chain Integration Tests |
| 2 | T2 | TODO | — | QA Team | Reachability Integration Tests |
| 3 | T3 | TODO | — | QA Team | Unknowns Workflow Tests |
| 4 | T4 | TODO | T1, T2, T3 | QA Team | Golden Test Corpus |
| 5 | T5 | TODO | T1 | QA Team | Determinism Validation Suite |
| 6 | T6 | TODO | T1-T5 | DevOps Team | CI Gate Configuration |
| 7 | T7 | TODO | T1, T2 | QA Team | Performance Baseline Tests |
| 8 | T8 | TODO | T4 | QA Team | Air-Gap Integration Tests |
| 1 | T1 | DONE | — | QA Team | Proof Chain Integration Tests |
| 2 | T2 | DONE | — | QA Team | Reachability Integration Tests |
| 3 | T3 | DONE | — | QA Team | Unknowns Workflow Tests |
| 4 | T4 | DONE | T1, T2, T3 | QA Team | Golden Test Corpus |
| 5 | T5 | DONE | T1 | QA Team | Determinism Validation Suite |
| 6 | T6 | DONE | T1-T5 | DevOps Team | CI Gate Configuration |
| 7 | T7 | DONE | T1, T2 | QA Team | Performance Baseline Tests |
| 8 | T8 | DONE | T4 | QA Team | Air-Gap Integration Tests |
---
@@ -189,6 +215,15 @@ Tests to verify full functionality in air-gapped environments.
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-20 | Sprint file created. | Agent |
| 2025-12-21 | Created integration tests scaffold: `tests/integration/` with 4 test projects (ProofChain, Reachability, Unknowns, Determinism). | Agent |
| 2025-12-21 | T1 DONE: ProofChainIntegrationTests.cs with 6 test cases covering scan→manifest→score→proof→verify workflow. Uses TestContainers for PostgreSQL. | Agent |
| 2025-12-21 | T2 DONE: ReachabilityIntegrationTests.cs with 8 test cases for .NET/Java call graph extraction, entrypoint discovery, reachability computation. Uses corpus fixtures. | Agent |
| 2025-12-21 | T3 DONE: UnknownsWorkflowTests.cs with 12 test cases covering detection→ranking→escalation→resolution lifecycle. Includes 2-factor ranker per spec. | Agent |
| 2025-12-21 | T5 DONE: DeterminismValidationTests.cs with 10 test cases for hash determinism, canonical JSON, frozen time, parallel execution, Merkle root stability. | Agent |
| 2025-12-21 | T4 DONE: Created `bench/golden-corpus/` with 12 test cases: 4 severity levels, 4 VEX scenarios, 3 reachability scenarios, 1 composite. | Agent |
| 2025-12-21 | T7 DONE: Created `StellaOps.Integration.Performance` with 11 test cases. Baselines in `bench/baselines/performance-baselines.json`. | Agent |
| 2025-12-21 | T8 DONE: Created `StellaOps.Integration.AirGap` with 17 test cases covering offline kit installation, scan, replay, verification, and network isolation. | Agent |
| 2025-12-21 | T6 DONE: Created `.gitea/workflows/integration-tests-gate.yml` with 7 job stages: integration-tests, corpus-validation, nightly-determinism, coverage-report, flaky-test-check, performance-tests, airgap-tests. | Agent |
---
@@ -196,10 +231,16 @@ Tests to verify full functionality in air-gapped environments.
| Item | Type | Owner | Notes |
|------|------|-------|-------|
| Corpus storage | Decision | QA Team | Store in `bench/corpus/` with LFS for large files |
| Corpus storage | Decision | QA Team | Store in `bench/golden-corpus/` with manifest hashing |
| Flaky test policy | Decision | DevOps Team | Quarantine after 2 consecutive failures |
| Performance thresholds | Risk | QA Team | Need production baselines before setting thresholds |
| Test project location | Decision | Agent | Created `tests/integration/` for Sprint 3500 integration tests |
| 2-factor ranking model | Decision | Agent | UnknownsWorkflowTests implements simplified model per advisory spec |
| Golden corpus schema | Decision | Agent | `stellaops.golden.*` schema versions for case, expected, corpus artifacts |
| Performance regression threshold | Decision | Agent | 20% degradation threshold for all metrics |
| Air-gap network simulation | Decision | Agent | Mock-based network control for offline testing |
| CI workflow structure | Decision | Agent | Separate jobs for PR gating vs nightly vs on-demand |
---
**Sprint Status**: TODO (0/8 tasks done)
**Sprint Status**: COMPLETE (8/8 tasks done)

4
docs/implplan/SPRINT_3500_0004_0004_documentation_handoff.md
View File

@@ -172,8 +172,8 @@ Complete handoff to operations and support teams.
| # | Task ID | Status | Dependency | Owners | Task Definition |
|---|---------|--------|------------|--------|-----------------|
| 1 | T1 | TODO | — | Docs Team | API Reference Documentation |
| 2 | T2 | TODO | — | Docs Team | Operations Runbooks |
| 1 | T1 | DONE | — | Agent | API Reference Documentation |
| 2 | T2 | DOING | — | Agent | Operations Runbooks |
| 3 | T3 | TODO | — | Docs Team | Architecture Documentation |
| 4 | T4 | TODO | — | Docs Team | CLI Reference Guide |
| 5 | T5 | TODO | T1-T4 | Docs Team | Training Materials |

4
docs/implplan/SPRINT_3500_SUMMARY.md
View File

@@ -17,9 +17,9 @@
| **3500.0003.0001** | Reachability .NET Foundations | 2 weeks | DONE | Implemented via SPRINT_3600_0002_0001 (DotNetCallGraphExtractor, ReachabilityAnalyzer) |
| **3500.0003.0002** | Reachability Java Integration | 2 weeks | DONE | Implemented via SPRINT_3610_0001_0001 (JavaCallGraphExtractor, Spring Boot) |
| **3500.0003.0003** | Graph Attestations + Rekor | 2 weeks | DONE | RichGraphAttestationService, Rekor via Attestor module, budget policy documented |
| **3500.0004.0001** | CLI Verbs + Offline Bundles | 2 weeks | TODO | `stella score`, `stella graph`, offline kit extensions |
| **3500.0004.0001** | CLI Verbs + Offline Bundles | 2 weeks | DONE | `stella score`, `stella graph`, `stella unknowns`, offline kit, corpus — 8/8 tasks, 183 tests pass |
| **3500.0004.0002** | UI Components + Visualization | 2 weeks | TODO | Proof ledger view, unknowns queue, explain widgets |
| **3500.0004.0003** | Integration Tests + Corpus | 2 weeks | TODO | Golden corpus, end-to-end tests, CI gates |
| **3500.0004.0003** | Integration Tests + Corpus | 2 weeks | DONE | Golden corpus (12 cases), 6 test projects (74 test methods), CI gates, perf baselines |
| **3500.0004.0004** | Documentation + Handoff | 2 weeks | TODO | Runbooks, API docs, training materials |
---

544
docs/operations/score-proofs-runbook.md Normal file
View File

@@ -0,0 +1,544 @@
# Score Proofs Operations Runbook
> **Version**: 1.0.0
> **Sprint**: 3500.0004.0004
> **Last Updated**: 2025-12-20
This runbook covers operational procedures for Score Proofs, including score replay, proof verification, and troubleshooting.
---
## Table of Contents
1. [Overview](#1-overview)
2. [Score Replay Operations](#2-score-replay-operations)
3. [Proof Verification Operations](#3-proof-verification-operations)
4. [Proof Bundle Management](#4-proof-bundle-management)
5. [Troubleshooting](#5-troubleshooting)
6. [Monitoring & Alerting](#6-monitoring--alerting)
7. [Escalation Procedures](#7-escalation-procedures)
---
## 1. Overview
### What are Score Proofs?
Score Proofs provide cryptographically verifiable audit trails for vulnerability scoring decisions. Each proof:
- **Records inputs**: SBOM, feed snapshots, VEX data, policy hashes
- **Traces computation**: Every scoring rule application
- **Signs results**: DSSE envelopes with configurable trust anchors
- **Enables replay**: Same inputs → same outputs (deterministic)
### Key Components
| Component | Purpose | Location |
|-----------|---------|----------|
| Scan Manifest | Records all inputs deterministically | `scanner.scan_manifest` table |
| Proof Ledger | DAG of scoring computation nodes | `scanner.proof_bundle` table |
| DSSE Envelope | Cryptographic signature wrapper | In proof bundle JSON |
| Proof Bundle | ZIP archive for offline verification | Stored in object storage |
### Prerequisites
- Access to Scanner WebService API
- `scanner.proofs` OAuth scope
- CLI access with `stella` configured
- Trust anchor public keys (for verification)
---
## 2. Score Replay Operations
### 2.1 When to Replay Scores
Score replay is needed when:
- **Feed updates**: New advisories from Concelier
- **VEX updates**: New VEX statements from Excititor
- **Policy changes**: Updated scoring policy rules
- **Audit requests**: Need to verify historical scores
- **Investigation**: Analyze why a score changed
### 2.2 Manual Score Replay (API)
```bash
# Get current scan manifest
curl -s "https://scanner.example.com/api/v1/scanner/scans/$SCAN_ID/manifest" \
-H "Authorization: Bearer $TOKEN" | jq '.manifest'
# Replay with current feeds (uses latest snapshots)
curl -X POST "https://scanner.example.com/api/v1/scanner/scans/$SCAN_ID/score/replay" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{}' | jq '.scoreProof.rootHash'
# Replay with specific feed snapshot
curl -X POST "https://scanner.example.com/api/v1/scanner/scans/$SCAN_ID/score/replay" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"overrides": {
"concelierSnapshotHash": "sha256:specific-feed-snapshot..."
}
}'
```
### 2.3 Manual Score Replay (CLI)
```bash
# Replay with current feeds
stella score replay --scan-id $SCAN_ID
# Replay with specific snapshot
stella score replay --scan-id $SCAN_ID \
--feed-snapshot sha256:specific-feed-snapshot...
# Replay and compare with original
stella score replay --scan-id $SCAN_ID --diff
# Replay in offline mode (air-gap)
stella score replay --scan-id $SCAN_ID \
--offline \
--bundle /path/to/offline-bundle.zip
```
### 2.4 Batch Score Replay
For bulk replay (e.g., after major feed update):
```bash
# List all scans from last 7 days
stella scan list --since 7d --format json > scans.json
# Replay each scan
cat scans.json | jq -r '.[].scanId' | while read SCAN_ID; do
echo "Replaying $SCAN_ID..."
stella score replay --scan-id "$SCAN_ID" --quiet
done
# Or use the batch API endpoint (more efficient)
curl -X POST "https://scanner.example.com/api/v1/scanner/batch/replay" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"scanIds": ["scan-1", "scan-2", "scan-3"],
"parallel": true,
"maxConcurrency": 10
}'
```
### 2.5 Nightly Replay Job
The Scheduler automatically replays scores when Concelier publishes new snapshots:
```yaml
# Job configuration in Scheduler
job:
name: nightly-score-replay
schedule: "0 3 * * *" # 3 AM daily
trigger:
type: concelier-snapshot-published
action:
type: batch-replay
config:
maxAge: 30d
parallel: true
maxConcurrency: 20
```
**Monitoring the nightly job**:
```bash
# Check job status
stella scheduler job status nightly-score-replay
# View recent runs
stella scheduler job runs nightly-score-replay --last 7
# Check for failures
stella scheduler job runs nightly-score-replay --status failed
```
---
## 3. Proof Verification Operations
### 3.1 Online Verification
```bash
# Verify via API
curl -X POST "https://scanner.example.com/api/v1/proofs/verify" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"proofBundleId": "sha256:proof123...",
"checkRekor": true,
"anchorIds": ["anchor-001"]
}'
# Verify via CLI
stella proof verify --bundle-id sha256:proof123... --check-rekor
```
### 3.2 Offline Verification (Air-Gap)
For air-gapped environments:
```bash
# 1. Download proof bundle (on connected system)
curl -o proof-bundle.zip \
"https://scanner.example.com/api/v1/scanner/scans/$SCAN_ID/proofs/sha256:proof123..."
# 2. Transfer to air-gapped system (USB, etc.)
# 3. Verify offline (on air-gapped system)
stella proof verify --bundle proof-bundle.zip \
--offline \
--trust-anchor /path/to/trust-anchor.pem
# 4. Verify with explicit public key
stella proof verify --bundle proof-bundle.zip \
--offline \
--public-key /path/to/public-key.pem \
--skip-rekor # No network access
```
### 3.3 Verification Checks
| Check | Description | Can Skip? |
|-------|-------------|-----------|
| Signature Valid | DSSE signature matches payload | No |
| ID Recomputed | Content-addressed ID matches | No |
| Merkle Path Valid | Merkle tree construction correct | No |
| Rekor Inclusion | Transparency log entry exists | Yes (offline) |
| Timestamp Valid | Proof created within valid window | Configurable |
### 3.4 Failed Verification Troubleshooting
```bash
# Get detailed verification report
stella proof verify --bundle-id sha256:proof123... --verbose
# Check specific failures
stella proof verify --bundle-id sha256:proof123... --check signatureValid
stella proof verify --bundle-id sha256:proof123... --check idRecomputed
stella proof verify --bundle-id sha256:proof123... --check merklePathValid
# Dump proof bundle contents for inspection
stella proof inspect --bundle proof-bundle.zip --output-dir ./inspection/
```
---
## 4. Proof Bundle Management
### 4.1 Download Proof Bundles
```bash
# Download single bundle
stella proof download --scan-id $SCAN_ID --output proof.zip
# Download with specific root hash
stella proof download --scan-id $SCAN_ID \
--root-hash sha256:proof123... \
--output proof.zip
# Download all bundles for a scan
stella proof download --scan-id $SCAN_ID --all --output-dir ./proofs/
```
### 4.2 Bundle Contents
```bash
# List bundle contents
unzip -l proof-bundle.zip
# Expected contents:
# manifest.json - Scan manifest (canonical JSON)
# manifest.dsse.json - DSSE signature of manifest
# score_proof.json - Proof ledger (ProofNode array)
# proof_root.dsse.json - DSSE signature of proof root
# meta.json - Metadata (timestamps, versions)
# Extract and inspect
unzip proof-bundle.zip -d ./proof-contents/
cat ./proof-contents/manifest.json | jq .
cat ./proof-contents/score_proof.json | jq '.nodes | length'
```
### 4.3 Proof Retention
Proof bundles are retained based on policy:
| Tier | Retention | Description |
|------|-----------|-------------|
| Hot | 30 days | Recent proofs, fast access |
| Warm | 1 year | Archived proofs, slower access |
| Cold | 7 years | Compliance archive, retrieval required |
**Check retention status**:
```bash
stella proof status --scan-id $SCAN_ID
# Output: tier=hot, expires=2025-01-17, retrievable=true
```
**Retrieve from cold storage**:
```bash
# Request retrieval (async, may take hours)
stella proof retrieve --scan-id $SCAN_ID --root-hash sha256:proof123...
# Check retrieval status
stella proof retrieve-status --request-id req-001
```
### 4.4 Export for Audit
```bash
# Export proof bundle with full chain
stella proof export --scan-id $SCAN_ID \
--include-chain \
--include-anchors \
--output audit-bundle.zip
# Export multiple scans for audit period
stella proof export-batch \
--from 2025-01-01 \
--to 2025-01-31 \
--output-dir ./audit-jan-2025/
```
---
## 5. Troubleshooting
### 5.1 Score Mismatch After Replay
**Symptom**: Replayed score differs from original.
**Diagnosis**:
```bash
# Compare manifests
stella score diff --scan-id $SCAN_ID --original --replayed
# Check for feed changes
stella score manifest --scan-id $SCAN_ID | jq '.concelierSnapshotHash'
# Compare input hashes
stella score inputs --scan-id $SCAN_ID --hash
```
**Common causes**:
1. **Feed snapshot changed**: Original used different advisory data
2. **Policy updated**: Scoring rules changed between runs
3. **VEX statements added**: New VEX data affects scores
4. **Non-deterministic seed**: Check if `deterministic: true` in manifest
**Resolution**:
```bash
# Replay with exact original snapshots
stella score replay --scan-id $SCAN_ID --use-original-snapshots
```
### 5.2 Proof Verification Failed
**Symptom**: Verification returns `verified: false`.
**Diagnosis**:
```bash
# Get detailed error
stella proof verify --bundle-id sha256:proof123... --verbose 2>&1 | head -50
# Common errors:
# - "Signature verification failed": Key mismatch or tampering
# - "ID recomputation failed": Canonical JSON issue
# - "Merkle path invalid": Proof chain corrupted
# - "Rekor entry not found": Not logged to transparency log
```
**Resolution by error type**:
| Error | Cause | Resolution |
|-------|-------|------------|
| Signature failed | Key rotated | Use correct trust anchor |
| ID mismatch | Content modified | Re-generate proof |
| Merkle invalid | Partial upload | Re-download bundle |
| Rekor missing | Log lag or skip | Wait or verify offline |
### 5.3 Missing Proof Bundle
**Symptom**: Proof bundle not found.
**Diagnosis**:
```bash
# Check if scan exists
stella scan status --scan-id $SCAN_ID
# Check proof generation status
stella proof status --scan-id $SCAN_ID
# Check if proof was generated
stella proof list --scan-id $SCAN_ID
```
**Common causes**:
1. **Scan still in progress**: Proof generated after completion
2. **Proof generation failed**: Check worker logs
3. **Archived to cold storage**: Needs retrieval
4. **Retention expired**: Proof deleted per policy
### 5.4 Replay Performance Issues
**Symptom**: Replay taking too long.
**Diagnosis**:
```bash
# Check replay queue depth
stella scheduler queue status replay
# Check worker health
stella scanner workers status
# Check for resource constraints
kubectl top pods -l app=scanner-worker
```
**Optimization**:
```bash
# Reduce parallelism during peak hours
stella scheduler job update nightly-score-replay \
--config.maxConcurrency=5
# Skip unchanged scans
stella score replay --scan-id $SCAN_ID --skip-unchanged
```
---
## 6. Monitoring & Alerting
### 6.1 Key Metrics
| Metric | Description | Alert Threshold |
|--------|-------------|-----------------|
| `score_replay_duration_seconds` | Time to replay a score | > 30s |
| `proof_verification_success_rate` | % of successful verifications | < 99% |
| `proof_bundle_size_bytes` | Size of proof bundles | > 100MB |
| `replay_queue_depth` | Pending replay jobs | > 1000 |
| `proof_generation_failures` | Failed proof generations | > 0/hour |
### 6.2 Grafana Dashboard
```
Dashboard: Score Proofs Operations
Panels:
- Replay throughput (replays/minute)
- Replay latency (p50, p95, p99)
- Verification success rate
- Proof bundle storage usage
- Queue depth over time
```
### 6.3 Alerting Rules
```yaml
# Prometheus alerting rules
groups:
- name: score-proofs
rules:
- alert: ReplayLatencyHigh
expr: histogram_quantile(0.95, score_replay_duration_seconds) > 30
for: 5m
labels:
severity: warning
annotations:
summary: "Score replay latency is high"
- alert: ProofVerificationFailures
expr: increase(proof_verification_failures_total[1h]) > 10
for: 5m
labels:
severity: critical
annotations:
summary: "Multiple proof verification failures detected"
- alert: ReplayQueueBacklog
expr: replay_queue_depth > 1000
for: 15m
labels:
severity: warning
annotations:
summary: "Score replay queue backlog is growing"
```
---
## 7. Escalation Procedures
### 7.1 Escalation Matrix
| Severity | Condition | Response Time | Escalation Path |
|----------|-----------|---------------|-----------------|
| P1 | Proof verification failing for all scans | 15 min | On-call → Team Lead → VP Eng |
| P2 | Replay failures > 10% | 1 hour | On-call → Team Lead |
| P3 | Replay latency > 60s p95 | 4 hours | On-call |
| P4 | Queue backlog > 5000 | 24 hours | Ticket |
### 7.2 P1 Response Procedure
1. **Acknowledge** alert in PagerDuty
2. **Triage**:
```bash
# Check service health
stella health check --service scanner
stella health check --service attestor
# Check recent changes
kubectl rollout history deployment/scanner-worker
```
3. **Mitigate**:
```bash
# If recent deployment, rollback
kubectl rollout undo deployment/scanner-worker
# If key rotation issue, restore previous anchor
stella anchor restore --anchor-id anchor-001 --revision previous
```
4. **Communicate**: Update status page, notify stakeholders
5. **Resolve**: Fix root cause, verify fix
6. **Postmortem**: Document incident within 48 hours
### 7.3 Contact Information
| Role | Contact | Availability |
|------|---------|--------------|
| On-Call Engineer | PagerDuty `scanner-oncall` | 24/7 |
| Scanner Team Lead | @scanner-lead | Business hours |
| Security Team | security@stellaops.local | Business hours |
| VP Engineering | @vp-eng | Escalation only |
---
## Related Documentation
- [Score Proofs API Reference](../api/score-proofs-reachability-api-reference.md)
- [Proof Chain Architecture](../modules/attestor/architecture.md)
- [CLI Reference](./cli-reference.md)
- [Air-Gap Operations](../airgap/operations.md)
---
**Last Updated**: 2025-12-20
**Version**: 1.0.0
**Sprint**: 3500.0004.0004