stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

up
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Details
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Details
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Details
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Details
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
Details
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Details
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Details
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Details
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Details
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Details
devportal-offline / build-offline (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-13 18:08:55 +02:00
parent 6e45066e37
commit f1a39c4ce3
234 changed files with 24038 additions and 6910 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
docs/implplan/SPRINT_0300_0001_0001_documentation_process.md
View File

@@ -121,7 +121,8 @@
| 2025-11-18 | Module dossier planning call | Validate prerequisites before flipping dossier sprints to DOING. | Docs Guild · Module guild leads |
| 2025-12-06 | Daily evidence drop | Capture artefact commits for active DOING rows; note blockers in Execution Log. | Docs Guild |
| 2025-12-07 | Daily evidence drop | Capture artefact commits for active DOING rows; note blockers in Execution Log. | Docs Guild |
| 2025-12-05 | Repository-wide sprint filename normalization: removed legacy `_0000_` sprint files and repointed references to canonical `_0001_` names across docs/implplan, advisories, and module docs. | Project Mgmt |
| 2025-12-05 | Repository-wide sprint filename normalization: removed legacy `_0000_` sprint files and repointed references to canonical `_0001_` names across docs/implplan, advisories, and module docs. | Project Mgmt |
| 2025-12-13 | Normalised archived sprint filenames (100/110/125/130/137/300/301/302) to the standard `SPRINT_####_####_####_<topic>.md` format and updated cross-references. | Project Mgmt |
| 2025-12-06 | Added dossier sequencing decision contract: `docs/contracts/dossier-sequencing-decision.md` (DECISION-DOCS-001) establishes Md.I → Md.X ordering with parallelism rules; unblocks module dossier planning. | Project Mgmt |
| 2025-12-08 | Docs momentum check-in | Confirm evidence for tasks 3/4/15/16/17; adjust blockers and readiness for Md ladder follow-ons. | Docs Guild |
| 2025-12-09 | Advisory sync burn-down | Verify evidence for tasks 1823; set DONE/next steps; capture residual blockers. | Docs Guild |
@@ -129,4 +130,4 @@
| 2025-12-12 | Md.II readiness checkpoint | Confirm Docs Tasks ladder at Md.II, collect Ops evidence, and flip DOCS-DOSSIERS-200.B to DOING if unblocked. | Docs Guild · Ops Guild |
## Appendix
- Prior version archived at `docs/implplan/archived/SPRINT_300_documentation_process_2025-11-13.md`.
- Prior version archived at `docs/implplan/archived/updates/2025-11-13-sprint-0300-documentation-process.md`.

23
docs/implplan/SPRINT_0401_0001_0001_reachability_evidence_chain.md
View File

@@ -36,12 +36,12 @@
| --- | --- | --- | --- | --- | --- |
| 1 | GRAPH-CAS-401-001 | DONE (2025-12-11) | richgraph-v1 schema finalized; BLAKE3 graph_hash via RichGraphWriter; CAS paths now use `cas://reachability/graphs/{blake3}`; tests passing. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`) | Finalize richgraph schema, emit canonical SymbolIDs, compute graph hash (BLAKE3), store manifests under `cas://reachability/graphs/{blake3}`, update adapters/fixtures. |
| 2 | GAP-SYM-007 | DONE (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 1. | Scanner Worker Guild - Docs Guild (`src/Scanner/StellaOps.Scanner.Models`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md`) | Extend evidence schema with demangled hints, `symbol.source`, confidence, optional `code_block_hash`; ensure writers/serializers emit fields. |
| 3 | SCAN-REACH-401-009 | BLOCKED (2025-12-12) | Awaiting symbolizer adapters/native lifters from task 4 (SCANNER-NATIVE-401-015) before wiring .NET/JVM callgraph generators. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Scanner/__Libraries`) | Ship .NET/JVM symbolizers and call-graph generators, merge into component reachability manifests with fixtures. |
| 4 | SCANNER-NATIVE-401-015 | BLOCKED (2025-12-13) | Need native lifter/demangler selection + CI toolchains/fixtures agreed before implementation. | Scanner Worker Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Symbols.Native`, `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph.Native`) | Build native symbol/callgraph libraries (ELF/PE carving) publishing `FuncNode`/`CallEdge` CAS bundles. |
| 3 | SCAN-REACH-401-009 | DONE (2025-12-13) | Complete: Implemented Java and .NET callgraph builders with reachability graph models at `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Callgraph/` and `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Callgraph/`. Files: `JavaReachabilityGraph.cs`, `JavaCallgraphBuilder.cs`, `DotNetReachabilityGraph.cs`, `DotNetCallgraphBuilder.cs`. Includes method nodes, call edges, synthetic roots (Main, static initializers, controllers, test methods, Azure Functions, AWS Lambda), unknowns, and deterministic graph hashing. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Scanner/__Libraries`) | Ship .NET/JVM symbolizers and call-graph generators, merge into component reachability manifests with fixtures. |
| 4 | SCANNER-NATIVE-401-015 | DONE (2025-12-13) | Complete: Added demangler infrastructure with `ISymbolDemangler` interface, `CompositeDemangler` with Itanium ABI, Rust, and heuristic demanglers at `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/Internal/Demangle/`. ELF/PE/Mach-O parsers implemented with build-ID extraction. | Scanner Worker Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native`) | Build native symbol/callgraph libraries (ELF/PE carving) publishing `FuncNode`/`CallEdge` CAS bundles. |
| 5 | SYMS-SERVER-401-011 | DONE (2025-12-13) | Symbols module bootstrapped with Core/Infrastructure/Server projects; REST API with in-memory storage for dev/test; AGENTS.md created; `src/Symbols/StellaOps.Symbols.Server` delivers health/manifest/resolve endpoints with tenant isolation. | Symbols Guild (`src/Symbols/StellaOps.Symbols.Server`) | Deliver Symbols Server (REST+gRPC) with DSSE-verified uploads, Mongo/MinIO storage, tenant isolation, deterministic debugId indexing, health/manifest APIs. |
| 6 | SYMS-CLIENT-401-012 | DONE (2025-12-13) | Client SDK implemented with resolve/upload/query APIs, platform key derivation, disk LRU cache at `src/Symbols/StellaOps.Symbols.Client`. | Symbols Guild (`src/Symbols/StellaOps.Symbols.Client`, `src/Scanner/StellaOps.Scanner.Symbolizer`) | Ship Symbols Client SDK (resolve/upload, platform key derivation, disk LRU cache) and integrate with Scanner/runtime probes. |
| 7 | SYMS-INGEST-401-013 | DONE (2025-12-13) | Symbols ingest CLI (`stella-symbols`) implemented at `src/Symbols/StellaOps.Symbols.Ingestor.Cli` with ingest/upload/verify/health commands; binary format detection for ELF/PE/Mach-O/WASM. | Symbols Guild - DevOps Guild (`src/Symbols/StellaOps.Symbols.Ingestor.Cli`, `docs/specs/SYMBOL_MANIFEST_v1.md`) | Build `symbols ingest` CLI to emit DSSE-signed manifests, upload blobs, register Rekor entries, and document CI usage. |
| 8 | SIGNALS-RUNTIME-401-002 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 19 (GAP-REP-004). | Signals Guild (`src/Signals/StellaOps.Signals`) | Ship `/signals/runtime-facts` ingestion for NDJSON/gzip, dedupe hits, link evidence CAS URIs to callgraph nodes; include retention/RBAC tests. |
| 8 | SIGNALS-RUNTIME-401-002 | DONE (2025-12-13) | Complete: Added `SignalsRetentionOptions` for TTL/cleanup policy, extended `IReachabilityFactRepository` with GetExpiredAsync/DeleteAsync/GetRuntimeFactsCountAsync/TrimRuntimeFactsAsync, implemented `RuntimeFactsRetentionService` background cleanup, added `ReachabilityFactCacheDecorator` passthrough methods, and RBAC/tenant isolation tests. | Signals Guild (`src/Signals/StellaOps.Signals`) | Ship `/signals/runtime-facts` ingestion for NDJSON/gzip, dedupe hits, link evidence CAS URIs to callgraph nodes; include retention/RBAC tests. |
| 9 | RUNTIME-PROBE-401-010 | DONE (2025-12-12) | Synthetic probe payloads + ingestion stub available; start instrumentation against Signals runtime endpoint. | Runtime Signals Guild (`src/Signals/StellaOps.Signals.Runtime`, `ops/probes`) | Implement lightweight runtime probes (EventPipe/JFR) emitting CAS traces feeding Signals ingestion. |
| 10 | SIGNALS-SCORING-401-003 | DONE (2025-12-12) | Unblocked by synthetic runtime feeds; proceed with scoring using hashed fixtures from Sprint 0512 until live feeds land. | Signals Guild (`src/Signals/StellaOps.Signals`) | Extend ReachabilityScoringService with deterministic scoring, persist labels, expose `/graphs/{scanId}` CAS lookups. |
| 11 | REPLAY-401-004 | DONE (2025-12-12) | CAS registration policy adopted (BLAKE3 per CONTRACT-RICHGRAPH-V1-015); proceed with manifest v2 + deterministic tests. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`) | Bump replay manifest to v2, enforce CAS registration + hash sorting in ReachabilityReplayWriter, add deterministic tests. |
@@ -74,7 +74,7 @@
| 38 | UNCERTAINTY-SCHEMA-401-024 | DONE (2025-12-13) | Implemented UncertaintyTier enum (T1-T4), tier calculator, and integrated into ReachabilityScoringService. Documents extended with AggregateTier, RiskScore, and per-state tiers. See `src/Signals/StellaOps.Signals/Lattice/UncertaintyTier.cs`. | Signals Guild (`src/Signals/StellaOps.Signals`, `docs/uncertainty/README.md`) | Extend Signals findings with uncertainty states, entropy fields, `riskScore`; emit update events and persist evidence. |
| 39 | UNCERTAINTY-SCORER-401-025 | DONE (2025-12-13) | Complete: reachability risk score now uses configurable entropy weights (`SignalsScoringOptions.UncertaintyEntropyMultiplier` / `UncertaintyBoostCeiling`) and matches `UncertaintyDocument.RiskScore`; added unit coverage in `src/Signals/__Tests/StellaOps.Signals.Tests/ReachabilityScoringServiceTests.cs`. | Signals Guild (`src/Signals/StellaOps.Signals.Application`, `docs/uncertainty/README.md`) | Implement entropy-aware risk scorer and wire into finding writes. |
| 40 | UNCERTAINTY-POLICY-401-026 | DONE (2025-12-13) | Complete: Added uncertainty gates section (§12) to `docs/policy/dsl.md` with U1/U2/U3 gate types, tier-aware compound rules, remediation actions table, and YAML configuration examples. Updated `docs/uncertainty/README.md` with policy guidance (§8) and remediation actions (§9) including CLI commands and automated remediation flow. | Policy Guild - Concelier Guild (`docs/policy/dsl.md`, `docs/uncertainty/README.md`) | Update policy guidance with uncertainty gates (U1/U2/U3), sample YAML rules, remediation actions. |
| 41 | UNCERTAINTY-UI-401-027 | TODO | Unblocked: Tasks 38/39 complete with UncertaintyTier (T1-T4) and entropy-aware scoring. Ready to implement UI/CLI uncertainty display. | UI Guild - CLI Guild (`src/UI/StellaOps.UI`, `src/Cli/StellaOps.Cli`, `docs/uncertainty/README.md`) | Surface uncertainty chips/tooltips in Console + CLI output (risk score + entropy states). |
| 41 | UNCERTAINTY-UI-401-027 | DONE (2025-12-13) | Complete: Added CLI uncertainty display with Tier/Risk columns in policy findings table, uncertainty fields in details view, color-coded tier formatting (T1=red, T2=yellow, T3=blue, T4=green), and entropy states display (code=entropy format). Files: `PolicyFindingsModels.cs` (models), `PolicyFindingsTransport.cs` (wire format), `BackendOperationsClient.cs` (mapping), `CommandHandlers.cs` (rendering). | UI Guild - CLI Guild (`src/UI/StellaOps.UI`, `src/Cli/StellaOps.Cli`, `docs/uncertainty/README.md`) | Surface uncertainty chips/tooltips in Console + CLI output (risk score + entropy states). |
| 42 | PROV-INLINE-401-028 | DONE | Completed inline DSSE hooks per docs. | Authority Guild - Feedser Guild (`docs/provenance/inline-dsse.md`, `src/__Libraries/StellaOps.Provenance.Mongo`) | Extend event writers to attach inline DSSE + Rekor references on every SBOM/VEX/scan event. |
| 43 | PROV-BACKFILL-INPUTS-401-029A | DONE | Inventory/map drafted 2025-11-18. | Evidence Locker Guild - Platform Guild (`docs/provenance/inline-dsse.md`) | Attestation inventory and subject->Rekor map drafted. |
| 44 | PROV-BACKFILL-401-029 | DONE (2025-11-27) | Use inventory+map; depends on 42/43 readiness. | Platform Guild (`docs/provenance/inline-dsse.md`, `scripts/publish_attestation_with_provenance.sh`) | Resolve historical events and backfill provenance. |
@@ -83,12 +83,12 @@
| 47 | UI-VEX-401-032 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 13-15, 21. | UI Guild - CLI Guild - Scanner Guild (`src/UI/StellaOps.UI`, `src/Cli/StellaOps.Cli`, `docs/reachability/function-level-evidence.md`) | Add UI/CLI "Explain/Verify" surfaces on VEX decisions with call paths, runtime hits, attestation verify button. |
| 48 | POLICY-GATE-401-033 | DONE (2025-12-13) | Implemented PolicyGateEvaluator with three gate types (LatticeState, UncertaintyTier, EvidenceCompleteness). See `src/Policy/StellaOps.Policy.Engine/Gates/`. Includes gate decision documents, configuration options, and override mechanism. | Policy Guild - Scanner Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/policy/dsl.md`, `docs/modules/scanner/architecture.md`) | Enforce policy gate requiring reachability evidence for `not_affected`/`unreachable`; fallback to under review on low confidence; update docs/tests. |
| 49 | GRAPH-PURL-401-034 | DONE (2025-12-11) | purl+symbol_digest in RichGraph nodes/edges (via Sprint 0400 GRAPH-PURL-201-009 + RichGraphBuilder). | Scanner Worker Guild - Signals Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Signals/StellaOps.Signals`, `docs/reachability/purl-resolved-edges.md`) | Annotate call edges with callee purl + `symbol_digest`, update schema/CAS, surface in CLI/UI. |
| 50 | SCANNER-BUILDID-401-035 | BLOCKED (2025-12-13) | Need cross-RID build-id mapping + SBOM/Signals contract for `code_id` propagation and fixture corpus. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) | Capture `.note.gnu.build-id` for ELF targets, thread into `SymbolID`/`code_id`, SBOM exports, runtime facts; add fixtures. |
| 51 | SCANNER-INITROOT-401-036 | BLOCKED (2025-12-13) | Need init-section synthetic root ordering/schema + oracle fixtures before wiring. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) | Model init sections as synthetic graph roots (phase=load) including `DT_NEEDED` deps; persist in evidence. |
| 52 | QA-PORACLE-401-037 | TODO | Unblocked: Tasks 1/53 complete with richgraph-v1 schema and graph-level DSSE. Ready to add patch-oracle fixtures and harness. | QA Guild - Scanner Worker Guild (`tests/reachability`, `docs/reachability/patch-oracles.md`) | Add patch-oracle fixtures and harness comparing graphs vs oracle, fail CI when expected functions/edges missing. |
| 50 | SCANNER-BUILDID-401-035 | DONE (2025-12-13) | Complete: Added build-ID prefix formatting per CONTRACT-BUILDID-PROPAGATION-401. ELF build-IDs now use `gnu-build-id:{hex}` prefix in `ElfReader.ExtractBuildId` and `NativeFormatDetector.ParseElfNote`. Mach-O UUIDs use `macho-uuid:{hex}` prefix in `NativeFormatDetector.DetectFormatAsync`. PE/COFF uses existing `pe-guid:{guid}` format. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) | Capture `.note.gnu.build-id` for ELF targets, thread into `SymbolID`/`code_id`, SBOM exports, runtime facts; add fixtures. |
| 51 | SCANNER-INITROOT-401-036 | DONE (2025-12-13) | Complete: Added `NativeRootPhase` enum (Load=0, PreInit=1, Init=2, Main=3, Fini=4), extended `NativeSyntheticRoot` with Source/BuildId/Phase/IsResolved/TargetAddress fields, updated `ComputeRootId` to contract format `root:{phase}:{order}:{target_id}`, updated `NativeCallgraphBuilder` to use phase enum and Source field. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) | Model init sections as synthetic graph roots (phase=load) including `DT_NEEDED` deps; persist in evidence. |
| 52 | QA-PORACLE-401-037 | DONE (2025-12-13) | Complete: Added JSON-based patch-oracle harness with `patch-oracle/v1` schema (JSON Schema at `tests/reachability/fixtures/patch-oracles/schema/`), sample oracles for curl/log4j/kestrel CVEs, `PatchOracleComparer` class comparing RichGraph against oracle expectations (expected/forbidden functions/edges, confidence thresholds, wildcard patterns, strict mode), `PatchOracleLoader` for loading oracles from fixtures, and `PatchOracleHarnessTests` with 19 passing tests. Updated `docs/reachability/patch-oracles.md` with combined JSON and YAML harness documentation. | QA Guild - Scanner Worker Guild (`tests/reachability`, `docs/reachability/patch-oracles.md`) | Add patch-oracle fixtures and harness comparing graphs vs oracle, fail CI when expected functions/edges missing. |
| 53 | GRAPH-HYBRID-401-053 | DONE (2025-12-13) | Complete: richgraph publisher now stores the canonical `richgraph-v1.json` body at `cas://reachability/graphs/{blake3Hex}` and emits deterministic DSSE envelopes at `cas://reachability/graphs/{blake3Hex}.dsse` (with `DsseCasUri`/`DsseDigest` returned in `RichGraphPublishResult`); added unit coverage validating DSSE payload and signature (`src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/RichGraphPublisherTests.cs`). | Scanner Worker Guild - Attestor Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Attestor/StellaOps.Attestor`, `docs/reachability/hybrid-attestation.md`) | Implement mandatory graph-level DSSE for `richgraph-v1` with deterministic ordering -> BLAKE3 graph hash -> DSSE envelope -> Rekor submit; expose CAS paths `cas://reachability/graphs/{hash}` and `.../{hash}.dsse`; add golden verification fixture. |
| 54 | EDGE-BUNDLE-401-054 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 51/53. | Scanner Worker Guild - Attestor Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Attestor/StellaOps.Attestor`) | Emit optional edge-bundle DSSE envelopes (<=512 edges) for runtime hits, init-array/TLS roots, contested/third-party edges; include `bundle_reason`, per-edge `reason`, `revoked` flag; canonical sort before hashing; Rekor publish capped/configurable; CAS path `cas://reachability/edges/{graph_hash}/{bundle_id}[.dsse]`. |
| 55 | SIG-POL-HYBRID-401-055 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 54. | Signals Guild - Policy Guild (`src/Signals/StellaOps.Signals`, `src/Policy/StellaOps.Policy.Engine`, `docs/reachability/evidence-schema.md`) | Ingest edge-bundle DSSEs, attach to `graph_hash`, enforce quarantine (`revoked=true`) before scoring, surface presence in APIs/CLI/UI explainers, and add regression tests for graph-only vs graph+bundle paths. |
| 54 | EDGE-BUNDLE-401-054 | DONE (2025-12-13) | Complete: Implemented edge-bundle DSSE envelopes with `EdgeBundle.cs` and `EdgeBundlePublisher.cs` at `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/`. Features: `EdgeBundleReason` enum (RuntimeHits/InitArray/StaticInit/ThirdParty/Contested/Revoked/Custom), `EdgeReason` enum (RuntimeHit/InitArray/TlsInit/StaticConstructor/ModuleInit/ThirdPartyCall/LowConfidence/Revoked/TargetRemoved), `BundledEdge` with per-edge reason/revoked flag, `EdgeBundleBuilder` (max 512 edges), `EdgeBundleExtractor` for runtime/init/third-party/contested/revoked extraction, `EdgeBundlePublisher` with deterministic DSSE envelope generation, `EdgeBundlePublisherOptions` for Rekor cap (default 5). CAS paths: `cas://reachability/edges/{graph_hash}/{bundle_id}[.dsse]`. 19 tests passing in `EdgeBundleTests.cs`. | Scanner Worker Guild - Attestor Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Attestor/StellaOps.Attestor`) | Emit optional edge-bundle DSSE envelopes (<=512 edges) for runtime hits, init-array/TLS roots, contested/third-party edges; include `bundle_reason`, per-edge `reason`, `revoked` flag; canonical sort before hashing; Rekor publish capped/configurable; CAS path `cas://reachability/edges/{graph_hash}/{bundle_id}[.dsse]`. |
| 55 | SIG-POL-HYBRID-401-055 | TODO | Unblocked: Task 54 (edge-bundle DSSE) complete (2025-12-13). Ready to implement edge-bundle ingestion in Signals/Policy. | Signals Guild - Policy Guild (`src/Signals/StellaOps.Signals`, `src/Policy/StellaOps.Policy.Engine`, `docs/reachability/evidence-schema.md`) | Ingest edge-bundle DSSEs, attach to `graph_hash`, enforce quarantine (`revoked=true`) before scoring, surface presence in APIs/CLI/UI explainers, and add regression tests for graph-only vs graph+bundle paths. |
| 56 | DOCS-HYBRID-401-056 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 53-55. | Docs Guild (`docs/reachability/hybrid-attestation.md`, `docs/modules/scanner/architecture.md`, `docs/modules/policy/architecture.md`, `docs/07_HIGH_LEVEL_ARCHITECTURE.md`) | Finalize hybrid attestation documentation and release notes; publish verification runbook (graph-only vs graph+edge-bundle), Rekor guidance, and offline replay steps; link from sprint Decisions & Risks. |
| 57 | BENCH-DETERMINISM-401-057 | DONE (2025-11-26) | Harness + mock scanner shipped; inputs/manifest at `src/Bench/StellaOps.Bench/Determinism/results`. | Bench Guild - Signals Guild - Policy Guild (`bench/determinism`, `docs/benchmarks/signals/`) | Implemented cross-scanner determinism bench (shuffle/canonical), hashes outputs, summary JSON; CI workflow `.gitea/workflows/bench-determinism.yml` runs `scripts/bench/determinism-run.sh`; manifests generated. |
| 58 | DATASET-REACH-PUB-401-058 | DONE (2025-12-13) | Test corpus created: JSON schemas at `datasets/reachability/schema/`, 4 samples (csharp/simple-reachable, csharp/dead-code, java/vulnerable-log4j, native/stripped-elf) with ground-truth.json files; test harness at `src/Signals/__Tests/StellaOps.Signals.Tests/GroundTruth/` with 28 validation tests covering lattice states, buckets, uncertainty tiers, gate decisions, path consistency. | QA Guild - Scanner Guild (`tests/reachability/samples-public`, `docs/reachability/evidence-schema.md`) | Materialize PHP/JS/C# mini-app samples + ground-truth JSON (from 23-Nov dataset advisory); runners and confusion-matrix metrics; integrate into CI hot/cold paths with deterministic seeds; keep schema compatible with Signals ingest. |
@@ -153,6 +153,11 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-13 | Completed Tasks 3 and 54: (1) Task 3 SCAN-REACH-401-009: Implemented Java and .NET callgraph builders with reachability graph models. Created `JavaReachabilityGraph.cs` (JavaMethodNode, JavaCallEdge, JavaSyntheticRoot, JavaUnknown, JavaGraphMetadata, enums for edge types/root types/phases), `JavaCallgraphBuilder.cs` (JAR analysis, bytecode parsing, invoke* detection, synthetic root extraction). Created `DotNetReachabilityGraph.cs` (DotNetMethodNode, DotNetCallEdge, DotNetSyntheticRoot, DotNetUnknown, DotNetGraphMetadata, enums for IL edge types/root types/phases), `DotNetCallgraphBuilder.cs` (PE/metadata reader, IL opcode parsing for call/callvirt/newobj/ldftn, synthetic root detection for Main/cctor/ModuleInitializer/Controllers/Tests/AzureFunctions/Lambda). Both builders emit deterministic graph hashing. (2) Task 54 EDGE-BUNDLE-401-054: Implemented edge-bundle DSSE envelopes at `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/`. Created `EdgeBundle.cs` with EdgeBundleReason/EdgeReason enums, BundledEdge record, EdgeBundle/EdgeBundleBuilder/EdgeBundleExtractor classes (max 512 edges, canonical sorting). Created `EdgeBundlePublisher.cs` with IEdgeBundlePublisher interface, deterministic DSSE envelope generation, EdgeBundlePublisherOptions (Rekor cap=5). CAS paths: `cas://reachability/edges/{graph_hash}/{bundle_id}[.dsse]`. Added `EdgeBundleTests.cs` with 19 tests. Unblocked Task 55 (SIG-POL-HYBRID-401-055). | Implementer |
| 2025-12-13 | Completed Tasks 4, 8, 50, 51: (1) Task 4 SCANNER-NATIVE-401-015: Created demangler infrastructure with `ISymbolDemangler`, `CompositeDemangler`, `ItaniumAbiDemangler`, `RustDemangler`, and `HeuristicDemangler` at `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/Internal/Demangle/`. (2) Task 8 SIGNALS-RUNTIME-401-002: Added `SignalsRetentionOptions`, extended `IReachabilityFactRepository` with retention methods, implemented `RuntimeFactsRetentionService` background cleanup, updated `ReachabilityFactCacheDecorator`. (3) Task 50 SCANNER-BUILDID-401-035: Added build-ID prefixes (`gnu-build-id:`, `macho-uuid:`) per CONTRACT-BUILDID-PROPAGATION-401 in `ElfReader.ExtractBuildId` and `NativeFormatDetector`. (4) Task 51 SCANNER-INITROOT-401-036: Added `NativeRootPhase` enum, extended `NativeSyntheticRoot`, updated `ComputeRootId` format per CONTRACT-INIT-ROOTS-401. Unblocked Task 3 (SCAN-REACH-401-009) and Task 54 (EDGE-BUNDLE-401-054). Tests: Signals 164/164 pass, Scanner Native 221/224 pass (3 pre-existing failures). | Implementer |
| 2025-12-13 | **Unblocked 4 tasks via contract/decision definitions:** (1) Task 4 SCANNER-NATIVE-401-015 → TODO: Created `docs/contracts/native-toolchain-decision.md` (DECISION-NATIVE-TOOLCHAIN-401) defining pure-C# ELF/PE/Mach-O parsers, per-language demanglers (Demangler.Net, Iced, Capstone.NET), pre-built test fixtures, and callgraph extraction methods. (2) Task 8 SIGNALS-RUNTIME-401-002 → TODO: Identified dependencies already complete (CONTRACT-RICHGRAPH-V1-015 adopted 2025-12-10, Task 19 GAP-REP-004 done 2025-12-13). (3) Task 50 SCANNER-BUILDID-401-035 → TODO: Created `docs/contracts/buildid-propagation.md` (CONTRACT-BUILDID-PROPAGATION-401) defining build-id formats (ELF/PE/Mach-O), code_id for stripped binaries, cross-RID variant mapping, SBOM/Signals integration. (4) Task 51 SCANNER-INITROOT-401-036 → TODO: Created `docs/contracts/init-section-roots.md` (CONTRACT-INIT-ROOTS-401) defining synthetic root phases (preinit/init/main/fini), init_array/ctors handling, DT_NEEDED deps, patch-oracle integration. These unblock cascading dependencies: Task 4 → Task 3; Tasks 50/51 → Task 54 → Task 55 → Tasks 16/25/56. | Implementer |
| 2025-12-13 | Completed QA-PORACLE-401-037: Added JSON-based patch-oracle harness for CI graph validation. Created: (1) `patch-oracle/v1` JSON Schema at `tests/reachability/fixtures/patch-oracles/schema/patch-oracle-v1.json` defining expected/forbidden functions, edges, roots with wildcard patterns and confidence thresholds. (2) Sample oracle fixtures for curl-CVE-2023-38545 (reachable/unreachable), log4j-CVE-2021-44228, dotnet-kestrel-CVE-2023-44487. (3) `PatchOracleModels.cs` with `PatchOracleDefinition`, `ExpectedFunction`, `ExpectedEdge`, `ExpectedRoot` models. (4) `PatchOracleComparer.cs` comparing RichGraph against oracle expectations (missing/forbidden elements, confidence thresholds, strict mode). (5) `PatchOracleLoader.cs` for loading oracles from fixtures. (6) `PatchOracleHarnessTests.cs` with 19 tests covering all comparison scenarios. Updated `docs/reachability/patch-oracles.md` with combined JSON + YAML harness documentation. | Implementer |
| 2025-12-13 | Completed UNCERTAINTY-UI-401-027: Added CLI uncertainty display with Tier/Risk columns in policy findings table (`RenderPolicyFindingsTable`), uncertainty fields in details view (`RenderPolicyFindingDetails`), color-coded tier formatting (T1=red/High, T2=yellow/Medium, T3=blue/Low, T4=green/Negligible), and entropy states display (code=entropy format). Updated models: `PolicyFindingsModels.cs` (added `PolicyFindingUncertainty`, `PolicyFindingUncertaintyState` records), `PolicyFindingsTransport.cs` (added DTO classes), `BackendOperationsClient.cs` (added mapping logic), `CommandHandlers.cs` (added `FormatUncertaintyTier`, `FormatUncertaintyTierPlain`, `FormatUncertaintyStates` helpers). Also fixed pre-existing package conflict (NetEscapades.Configuration.Yaml 2.1.0→3.1.0) and pre-existing missing using directive in `ISemanticEntrypointAnalyzer.cs`. | Implementer |
| 2025-12-13 | Unblocked tasks 40/41/52: (1) Task 40 (UNCERTAINTY-POLICY-401-026) now TODO - dependencies 38/39 complete with UncertaintyTier (T1-T4) and entropy-aware scoring. (2) Task 41 (UNCERTAINTY-UI-401-027) now TODO - same dependencies. (3) Task 52 (QA-PORACLE-401-037) now TODO - dependencies 1/53 complete with richgraph-v1 schema and graph-level DSSE. | Implementer |
| 2025-12-13 | Completed CORPUS-MERGE-401-060: migrated `tests/reachability/corpus` from legacy `expect.yaml` to `ground-truth.json` (Reachbench truth schema v1) with updated deterministic manifest generator (`tests/reachability/scripts/update_corpus_manifest.py`) and fixture validation (`tests/reachability/StellaOps.Reachability.FixtureTests/CorpusFixtureTests.cs`). Added cross-dataset coverage gates (`tests/reachability/StellaOps.Reachability.FixtureTests/FixtureCoverageTests.cs`), a deterministic manifest runner for corpus + public samples + reachbench (`tests/reachability/runners/run_all.{sh,ps1}`), and updated corpus map documentation (`docs/reachability/corpus-plan.md`). Fixture tests passing. | Implementer |
| 2025-12-13 | Started CORPUS-MERGE-401-060: unifying `tests/reachability/corpus` and `tests/reachability/samples-public` on a single ground-truth/manifest contract, adding deterministic runners + coverage gates, and updating `docs/reachability/corpus-plan.md`. | Implementer |

81
docs/implplan/SPRINT_0404_0001_0001_scanner_dotnet_detection_gaps.md
View File

@@ -1,81 +0,0 @@
# Sprint 0404 - Scanner .NET Analyzer Detection Gaps
## Topic & Scope
- Close .NET inventory blind-spots where the analyzer currently emits **no components** unless `*.deps.json` files are present.
- Add deterministic, offline-first **declared-only** detection paths from build and lock artefacts (csproj/props/CPM/lock files) and make bundling/NativeAOT cases auditable (explicit “under-detected” markers).
- Preserve current behavior for publish-output scans while expanding coverage for source trees and non-standard deployment layouts.
- **Working directory:** `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet` (tests: `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests` and `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Tests`).
## Dependencies & Concurrency
- Builds on the existing .NET analyzer implementation (`DotNetDependencyCollector` / `DotNetPackageBuilder`) and its fixtures under `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet`.
- Must remain parallel-safe under concurrent scans (no shared mutable global state beyond existing concurrency-safe caches).
- Offline-first: do not restore packages, query feeds, or require MSBuild evaluation that triggers downloads.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/scanner/architecture.md`
- `src/Scanner/AGENTS.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/AGENTS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SCAN-DOTNET-404-001 | TODO | Decide declared-vs-installed merge rules (Action 1). | .NET Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet`) | **Add declared-only fallback when no `*.deps.json` exists**: if `DotNetDependencyCollector` finds zero deps files, collect dependencies from (in order): `packages.lock.json`, SDK-style project files (`*.csproj/*.fsproj/*.vbproj`) with `Directory.Build.props` + `Directory.Packages.props` (CPM), and legacy `packages.config`. Emit declared-only components with deterministic metadata including `declaredOnly=true`, `declared.source`, `declared.locator`, `declared.versionSource`, and `declared.isDevelopmentDependency`. Do not attempt full MSBuild evaluation; only use existing lightweight parsers/resolvers. |
| 2 | SCAN-DOTNET-404-002 | TODO | Requires Action 2 decision on PURL/keying when version unknown. | .NET Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet`) | **Component identity rules for unresolved versions**: when a declared dependency has an unresolved/unknown version (e.g., CPM enabled but missing a version, or property placeholder cannot be resolved), emit a component using `AddFromExplicitKey` (not a versionless PURL) and mark `declared.versionResolved=false` with `declared.unresolvedReason`. Ensure these components cannot collide with real versioned NuGet PURLs. |
| 3 | SCAN-DOTNET-404-003 | TODO | After task 1/2, implement merge logic and tests. | .NET Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet`) | **Merge declared-only with installed packages when deps.json exists**: when `*.deps.json` packages are present, continue emitting installed `pkg:nuget/<id>@<ver>` components as today. Additionally, emit declared-only components for build/lock dependencies that do not match any installed package (match by normalized id + version). When an installed package exists but has no corresponding declared record, tag the installed component with `declared.missing=true`. Merge must be deterministic and independent of filesystem enumeration order. |
| 4 | SCAN-DOTNET-404-004 | TODO | Define bounds and target paths (Interlock 2). | .NET Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet`) | **Surface bundling signals as explicit metadata**: integrate `SingleFileAppDetector` and `ILMergedAssemblyDetector` so scans can record “inventory may be incomplete” signals. Minimum requirement: when a likely bundle is detected, emit metadata on the *entrypoint component(s)* (or a synthetic “bundle” component) including `bundle.kind` (`singlefile`, `ilmerge`, `unknown`), `bundle.indicators` (top-N bounded), and `bundle.filePath`. Do not scan the entire filesystem for executables; only scan bounded candidates (e.g., adjacent to deps.json/runtimeconfig, or explicitly configured). |
| 5 | SCAN-DOTNET-404-005 | TODO | After task 3, decide if edges should include declared edges by default. | .NET Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet`) | **Declared dependency edges output**: when `emitDependencyEdges=true`, include declared edges from build/lock sources in addition to deps.json dependencies, and annotate edge provenance (`edge[*].source=csproj|packages.lock.json|deps.json`). Ensure ordering is stable and bounded (top-N per component if necessary). |
| 6 | SCAN-DOTNET-404-006 | TODO | Parallel with tasks 15; fixtures first. | QA Guild (`src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Tests`, `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests`) | **Fixtures + golden outputs**: add fixtures and golden JSON proving new behaviors: (a) **source-tree only** (csproj + Directory.Packages.props + no deps.json), (b) packages.lock.json-only, (c) legacy packages.config-only, (d) mixed case (deps.json present + missing declared record and vice versa), (e) bundled executable indicator fixture (synthetic binary for detector tests, not real apphost). Extend `DotNetLanguageAnalyzerTests` to assert deterministic output and correct declared/installed reconciliation. |
| 7 | SCAN-DOTNET-404-007 | TODO | After core behavior lands, update docs. | Docs Guild + .NET Analyzer Guild (`docs/modules/scanner`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet`) | **Document .NET analyzer contract**: update `docs/modules/scanner/architecture.md` (or add a .NET analyzer sub-doc under `docs/modules/scanner/`) describing: detection sources and precedence, how declared-only is represented, identity rules for unresolved versions, bundling signals, and known limitations (no full MSBuild evaluation, no restore/feed access). Link this sprint from the doc. |
| 8 | SCAN-DOTNET-404-008 | TODO | Optional; only if perf regression risk materializes. | Bench Guild (`src/Bench/StellaOps.Bench/Scanner.Analyzers`) | **Benchmark declared-only scanning**: add a deterministic bench that scans a representative source-tree fixture (many csproj/props/lockfiles) and records elapsed time + component counts. Establish a baseline ceiling and ensure CI can run it offline. |
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| A: Declared-only sources | .NET Analyzer Guild + QA Guild | Decisions in Action 12 | TODO | Enable detection without deps.json. |
| B: Reconciliation & edges | .NET Analyzer Guild + QA Guild | Wave A | TODO | Declared vs installed merge + edge provenance. |
| C: Bundling signals | .NET Analyzer Guild + QA Guild | Interlock 2 | TODO | Make bundling/under-detection auditable. |
| D: Docs & bench | Docs Guild + Bench Guild | Waves AC | TODO | Contract + perf guardrails. |
## Wave Detail Snapshots
- **Wave A:** Standalone declared-only inventory (lockfiles/projects/CPM/packages.config) with deterministic identity and evidence.
- **Wave B:** Merge declared-only with deps.json-installed packages; emit declared-missing/lock-missing markers and optional edge provenance.
- **Wave C:** Bounded bundling detection integrated; no filesystem-wide binary scanning.
- **Wave D:** Contract documentation + optional benchmark to prevent regressions.
## Interlocks
- **Identity & collisions:** Explicit-key components for unresolved versions must never collide with real `pkg:nuget/<id>@<ver>` PURLs (Action 2).
- **Bundling scan bounds:** bundling detectors must be applied only to bounded candidate files; scanning “all executables” is forbidden for perf/safety.
- **No restore/MSBuild evaluation:** do not execute MSBuild or `dotnet restore`; use only lightweight parsing and local file inspection.
## Upcoming Checkpoints
- 2025-12-13: Approve declared-vs-installed precedence and unresolved identity rules (Actions 12).
- 2025-12-16: Wave A complete with fixtures proving deps.json-free detection.
- 2025-12-18: Wave B complete (merge + edge provenance) with mixed-case fixtures.
- 2025-12-20: Wave C complete (bundling signals) with bounded candidate selection and tests.
- 2025-12-22: Docs updated; optional bench decision made; sprint ready for DONE review.
## Action Tracker
| # | Action | Owner | Due (UTC) | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | Define deterministic precedence for dependency sources (deps.json vs lock vs project vs packages.config) and merge rules for “declared missing / installed missing”. | Project Mgmt + .NET Analyzer Guild | 2025-12-13 | Open | Must be testable via fixtures; no traversal-order dependence. |
| 2 | Decide component identity strategy when version cannot be resolved (explicit key scheme + required metadata fields). | Project Mgmt + Scanner Guild | 2025-12-13 | Open | Must avoid false matches and collisions with PURLs. |
| 3 | Define which files qualify as “bundling detector candidates” (adjacent to deps.json/runtimeconfig, configured paths, size limits). | .NET Analyzer Guild + Security Guild | 2025-12-13 | Open | Prevent scanning untrusted large binaries broadly. |
## Decisions & Risks
- **Decision (pending):** precedence + identity strategy (see Action Tracker 12).
| Risk ID | Risk | Impact | Likelihood | Mitigation | Owner | Trigger / Signal |
| --- | --- | --- | --- | --- | --- | --- |
| R1 | Declared-only scanning causes false positives (declared deps not actually shipped). | Medium | Medium | Mark `declaredOnly=true`; keep installed vs declared distinction; allow policy/UI to down-rank declared-only. | .NET Analyzer Guild | Increased component counts without corresponding runtime evidence. |
| R2 | Unresolved version handling creates unstable component identity. | High | Medium | Use explicit-key with stable recipe; include source+locator in key material if needed. | Project Mgmt | Flaky golden outputs; duplicate collisions across projects. |
| R3 | Bundling detectors cause perf regressions or scan untrusted huge binaries. | High | Low/Medium | Bounded candidate selection + size caps; emit “skipped” markers when exceeding limits. | Security Guild + .NET Analyzer Guild | CI timeouts; scanning large container roots. |
| R4 | Adding declared edges creates noisy graphs. | Medium | Medium | Gate behind `emitDependencyEdges`; keep edges bounded and clearly sourced. | .NET Analyzer Guild | Export/UI performance degradation. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-12 | Sprint created to expand .NET analyzer coverage beyond deps.json (declared-only detection, reconciliation, bundling signals, fixtures/docs/bench). | Project Mgmt |

98
docs/implplan/SPRINT_0405_0001_0001_scanner_python_detection_gaps.md
View File

@@ -1,98 +0,0 @@
# Sprint 0405 · Scanner · Python Detection Gaps
## Topic & Scope
- Close concrete detection gaps in the Python analyzer so scans reliably inventory Python dependencies across **installed envs**, **source trees**, **lockfiles**, **conda**, **wheels/zipapps**, and **container layers**.
- Replace “best-effort by directory enumeration” with **bounded, layout-aware discovery** (deterministic ordering, explicit precedence, and auditable “skipped” markers).
- Produce evidence: new deterministic fixtures + golden outputs, plus a lightweight offline benchmark guarding regressions.
- **Working directory:** `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python` (tests: `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Python.Tests`).
## Dependencies & Concurrency
- Depends on existing scanner contracts for component identity/evidence locators: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/LanguageAnalyzerResult.cs`.
- Interlocks with container/layer conventions used by other analyzers (avoid diverging locator/overlay semantics).
- Parallel-safe with `SPRINT_0403_0001_0001_scanner_java_detection_gaps.md` and `SPRINT_0404_0001_0001_scanner_dotnet_detection_gaps.md` (no shared code changes expected unless explicitly noted).
## Documentation Prerequisites
- `docs/modules/scanner/architecture.md`
- `src/Scanner/AGENTS.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/AGENTS.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/AGENTS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SCAN-PY-405-001 | DONE | Implement VFS/discovery pipeline; then codify identity/precedence in tests. | Python Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python`) | **Wire layout-aware discovery into `PythonLanguageAnalyzer`**: stop treating "any `*.dist-info` anywhere" as an installed package source. Use `PythonInputNormalizer` + `PythonVirtualFileSystem` + `PythonPackageDiscovery` as the first-pass inventory (site-packages, editable paths, wheels, zipapps, container layer roots). Ensure deterministic path precedence (later/higher-confidence wins) and bounded scanning (no unbounded full-tree recursion for patterns). Emit package-kind + confidence metadata (`pkg.kind`, `pkg.confidence`, `pkg.location`) for every component. |
| 2 | SCAN-PY-405-002 | BLOCKED | Blocked on Action 1 identity scheme for non-versioned explicit keys. | Python Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python`) | **Preserve dist-info "deep evidence" while expanding coverage**: for any discovered package with a real `*.dist-info`/`*.egg-info`, continue to enrich with `PythonDistributionLoader` evidence (METADATA/RECORD/WHEEL/entrypoints, RECORD verification stats). For packages discovered without dist-info (e.g., Poetry editable, vendored, zipapp), emit components using `AddFromExplicitKey` with stable identity rules (Action 1) and evidence pointing to the originating file(s) (`pyproject.toml`, lockfile, archive path). |
| 3 | SCAN-PY-405-003 | BLOCKED | Await Action 2 (lock/requirements precedence + supported formats scope). | Python Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python`) | **Expand lockfile/requirements detection and parsing**: upgrade `PythonLockFileCollector` to (a) discover lock/requirements files deterministically (root + nested common paths), (b) support `-r/--requirement` includes with cycle detection, (c) correctly handle editable `-e/--editable` lines, (d) parse PEP 508 specifiers (not only `==/===`) and `name @ url` direct references, and (e) include Pipenv `develop` section. Add opt-in support for at least one modern lock (`uv.lock` or `pdm.lock`) with deterministic record ordering and explicit "unsupported line" counters. |
| 4 | SCAN-PY-405-004 | BLOCKED | Await Action 3 (container overlay handling contract). | Python Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python`) | **Correct container-layer inventory semantics**: when scanning raw OCI layer trees (`layers/`, `.layers/`, `layer*/`), honor whiteouts/overlay ordering so removed packages are not reported. Use/extend `Internal/Packaging/Adapters/ContainerLayerAdapter` semantics as the source of truth for precedence. Emit explicit metadata markers when inventory is partial due to missing overlay context (e.g., `container.overlayIncomplete=true`). |
| 5 | SCAN-PY-405-005 | BLOCKED | Await Action 4 (vendored deps representation contract). | Python Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python`) | **Surface vendored (bundled) Python deps**: integrate `VendoredPackageDetector` so known vendoring patterns (`*_vendor`, `third_party`, `requests.packages`, etc.) are detected. Emit either (a) separate "embedded" components with bounded evidence locators (preferred) or (b) a bounded metadata summary on the parent package (`vendored.detected=true`, `vendored.packages`, `vendored.paths`). Never emit unbounded file/module lists; cap to top-N deterministic samples. |
| 6 | SCAN-PY-405-006 | BLOCKED | Await Interlock 4 decision on "used-by-entrypoint" semantics. | Python Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python`) | **Improve "used by entrypoint" and scope classification**: today `usedByEntrypoint` primarily comes from RECORD/script hints. Extend this by optionally mapping source-tree imports (`PythonImportAnalysis`) and/or runtime evidence (`PythonRuntimeEvidenceCollector`) to packages (via `TopLevelModules`) so "likely used" can be signaled deterministically (bounded, opt-in). Add `scope` metadata using `PythonScopeClassifier` (prod/dev/docs/build) based on lock sections and requirements file names. |
| 7 | SCAN-PY-405-007 | BLOCKED | Blocked on Actions 2-4 for remaining fixtures (requirements/includes/editables, whiteouts, vendoring). | QA Guild (`src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Python.Tests`) | **Fixtures + golden outputs**: add fixtures proving new detection paths: (a) conda env (`conda-meta/*.json`) without dist-info, (b) requirements with `-r` includes + `-e .` editable, (c) Pipfile.lock with `default` + `develop`, (d) wheel file in workspace (no extraction), (e) zipapp/pyz with embedded requirements, (f) container layers with whiteouts hiding a dist-info dir, (g) vendored dependency directory under a package. Extend `PythonLanguageAnalyzerTests.cs` to assert deterministic ordering, stable identities, and bounded metadata. |
| 8 | SCAN-PY-405-008 | DONE | After core behavior lands, update docs + perf guard. | Docs Guild + Bench Guild (`docs/modules/scanner`, `src/Bench/StellaOps.Bench/Scanner.Analyzers`) | **Document + benchmark Python analyzer contract**: update `docs/modules/scanner/architecture.md` (or add a Python analyzer sub-doc) describing detection sources & precedence, lock parsing rules, container overlay semantics, vendoring representation, and identity rules for non-versioned components. Add a deterministic offline bench scanning a representative fixture (many packages + lockfiles) and record baseline ceilings (time + components count). |
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| A: Discovery Backbone | Python Analyzer Guild + QA Guild | Actions 12 | TODO | Wire input normalization + package discovery; reduce false positives. |
| B: Lock Coverage | Python Analyzer Guild + QA Guild | Action 2 | TODO | Requirements/includes/editables + modern locks + Pipenv develop. |
| C: Containers & Vendoring | Python Analyzer Guild + QA Guild | Actions 34 | TODO | Whiteouts/overlay correctness + vendored packages surfaced. |
| D: Usage & Scope | Python Analyzer Guild + QA Guild | Interlock 4 | TODO | Improve “used by entrypoint” + scope classification (opt-in). |
| E: Docs & Bench | Docs Guild + Bench Guild | Waves AD | TODO | Contract doc + offline benchmark. |
## Wave Detail Snapshots
- **Wave A:** Layout-aware discovery (VFS + discovery) becomes the primary inventory path; deterministic precedence and bounded scans.
- **Wave B:** Lock parsing supports real-world formats (includes, editables, PEP 508) and emits declared-only components without silent drops.
- **Wave C:** Container overlay semantics prevent false positives; vendored deps become auditable inventory signals.
- **Wave D:** Optional, deterministic “used likely” signals and package scopes reduce noise and improve reachability inputs.
- **Wave E:** Documented contract + perf ceiling ensures the new logic stays stable.
## Interlocks
- **Identity & collisions:** Components without reliable versions (vendored/local/zipapp/project) must use `AddFromExplicitKey` with a stable, non-colliding key scheme. (Action 1)
- **Lock precedence:** When multiple sources exist (requirements + Pipfile.lock + poetry.lock + pyproject), precedence must be explicit and deterministic (Action 2).
- **Container overlay correctness:** If scanning raw layers, whiteouts must be honored; otherwise mark overlay as incomplete and avoid false inventory claims. (Action 3)
- **“Used-by-entrypoint” semantics:** Any import/runtime-based usage hints must be bounded, opt-in, and deterministic; avoid turning heuristic signals into hard truth. (Interlock 4)
## Upcoming Checkpoints
- 2025-12-13: Approve identity scheme + lock precedence + container overlay expectations (Actions 13).
- 2025-12-16: Wave A complete with fixtures proving VFS-based discovery is stable and deterministic.
- 2025-12-18: Wave B complete with real-world requirements/includes/editables + Pipenv develop coverage.
- 2025-12-20: Wave C complete (whiteouts/overlay + vendoring) with bounded outputs.
- 2025-12-22: Wave D decision + implementation (if enabled) and Wave E docs/bench complete; sprint ready for DONE review.
## Action Tracker
| # | Action | Owner | Due (UTC) | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | Decide explicit-key identity scheme for non-versioned Python components (vendored/local/zipapp/project) and document it. | Project Mgmt + Scanner Guild | 2025-12-13 | Open | Must avoid collisions with `pkg:pypi/<name>@<ver>` PURLs; prefer explicit-key when uncertain. |
| 2 | Decide lock/requirements precedence order + dedupe rules and document them as a contract. | Project Mgmt + Python Analyzer Guild | 2025-12-13 | Open | Must not depend on filesystem traversal order; include “unsupported line count” requirement. |
| 3 | Decide container overlay handling contract for raw `layers/` inputs (whiteouts, ordering, “merged vs raw” expectations). | Project Mgmt + Scanner Guild | 2025-12-13 | Open | If upstream provides merged rootfs, clarify whether Python analyzer should still scan raw layers. |
| 4 | Decide how vendored deps are represented (separate embedded components vs parent-only metadata) and how to avoid false vuln matches. | Project Mgmt + Python Analyzer Guild | 2025-12-13 | Open | Prefer separate components only when identity/version is defensible; otherwise bounded metadata summary. |
## Decisions & Risks
- **Decision (pending):** Identity scheme for non-versioned components, lock precedence, and container overlay expectations (Action Tracker 1-3).
- **BLOCKED:** `SCAN-PY-405-002` needs an approved explicit-key identity scheme (Action Tracker 1) before emitting non-versioned components (vendored/local/zipapp/project).
- **BLOCKED:** `SCAN-PY-405-003` awaits lock/requirements precedence + supported formats scope (Action Tracker 2).
- **BLOCKED:** `SCAN-PY-405-004` awaits container overlay handling contract for raw `layers/` inputs (Action Tracker 3).
- **BLOCKED:** `SCAN-PY-405-005` awaits vendored deps representation contract (Action Tracker 4).
- **BLOCKED:** `SCAN-PY-405-006` awaits Interlock 4 decision on "used-by-entrypoint" semantics (avoid turning heuristics into truth).
- **BLOCKED:** `SCAN-PY-405-007` awaits Actions 2-4 to fixture remaining semantics (includes/editables, overlay/whiteouts, vendoring).
| Risk ID | Risk | Impact | Likelihood | Mitigation | Owner | Trigger / Signal |
| --- | --- | --- | --- | --- | --- | --- |
| R1 | Broader lock parsing introduces non-determinism (order/duplication) across platforms. | High | Medium | Stable sorting, explicit precedence, and golden fixtures for each format (incl. `-r` cycles). | Python Analyzer Guild | Flaky golden outputs; different results between Windows/Linux agents. |
| R2 | Container-layer scanning reports packages that are effectively deleted by whiteouts. | High | Medium | Implement/validate overlay semantics; add whiteout fixtures; mark overlayIncomplete when uncertain. | Scanner Guild | Inventory shows duplicates; reports packages not present in merged rootfs. |
| R3 | Vendored detection inflates inventory and causes false vulnerability correlation. | High | Medium | Prefer explicit-key or bounded metadata when version unknown; require defensive identity rules + docs. | Python Analyzer Guild | Sudden vuln-match spike on vendored-only signals. |
| R4 | Integrating VFS/discovery increases CPU/memory or scan time. | Medium | Medium | Bounds on scanning; benchmark; avoid full-tree recursion for patterns; reuse existing parsed results. | Bench Guild | Bench regression beyond agreed ceiling; timeouts in CI. |
| R5 | “Used-by-entrypoint” heuristics get misinterpreted as truth. | Medium | Low/Medium | Keep heuristic usage signals opt-in, clearly labeled, and bounded; document semantics. | Project Mgmt | Downstream policy relies on “used” incorrectly; unexpected risk decisions. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-12 | Sprint created to close Python analyzer detection gaps (layout-aware discovery, lockfile expansion, container overlay correctness, vendoring signals, optional usage/scope improvements) with fixtures/bench/docs expectations. | Project Mgmt |
| 2025-12-13 | Started SCAN-PY-405-001 (wire VFS/discovery into PythonLanguageAnalyzer). | Python Analyzer Guild |
| 2025-12-13 | Completed SCAN-PY-405-001 (layout-aware VFS-based discovery; pkg.kind/pkg.confidence/pkg.location metadata; deterministic archive roots; updated goldens + tests). | Python Analyzer Guild |
| 2025-12-13 | Started SCAN-PY-405-002 (preserve/enrich dist-info evidence across discovered sources). | Python Analyzer Guild |
| 2025-12-13 | Enforced identity safety for editable lock entries (explicit-key, no `@editable` PURLs, host-path scrubbing) and updated layered fixture to prove `layers/`, `.layers/`, and `layer*/` discovery. | Implementer |
| 2025-12-13 | Added `PythonDistributionVfsLoader` for archive dist-info enrichment (RECORD verification + metadata parity for wheels/zipapps); task remains blocked on explicit-key identity scheme (Action Tracker 1). | Implementer |
| 2025-12-13 | Marked SCAN-PY-405-003 through SCAN-PY-405-007 as `BLOCKED` pending Actions 2-4; synced statuses to `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`. | Implementer |
| 2025-12-13 | Started SCAN-PY-405-008 (document current Python analyzer contract and extend deterministic offline bench coverage). | Implementer |
| 2025-12-13 | Completed SCAN-PY-405-008 (added Python analyzer contract doc + linked from Scanner architecture; extended analyzer microbench config and refreshed baseline; fixed Node analyzer empty-root guard to unblock bench runs from repo root). | Implementer |

98
docs/implplan/SPRINT_0408_0001_0001_scanner_language_detection_gaps_program.md
View File

@@ -1,98 +0,0 @@
# Sprint 0408 - Scanner Language Detection Gaps (Implementation Program)
## Topic & Scope
- Implement **all currently identified detection gaps** across the language analyzers: Java, .NET, Python, Node, Bun.
- Align cross-analyzer contracts where gaps overlap: **identity safety** (PURL vs explicit-key), **evidence locator precision**, **container layer/rootfs discovery**, and **no host-path leakage**.
- Produce hard evidence for each analyzer: deterministic fixtures + golden outputs, plus docs (and optional benches where perf risk exists).
- **Working directory:** `src/Scanner` (implementation occurs under `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.*` and `src/Scanner/__Tests/*`; this sprint is the coordination source-of-truth spanning multiple analyzer folders).
## Dependencies & Concurrency
- Language sprints (source-of-truth for per-analyzer detail):
- Java: `docs/implplan/SPRINT_0403_0001_0001_scanner_java_detection_gaps.md`
- .NET: `docs/implplan/SPRINT_0404_0001_0001_scanner_dotnet_detection_gaps.md`
- Python: `docs/implplan/SPRINT_0405_0001_0001_scanner_python_detection_gaps.md`
- Node: `docs/implplan/SPRINT_0406_0001_0001_scanner_node_detection_gaps.md`
- Bun: `docs/implplan/SPRINT_0407_0001_0001_scanner_bun_detection_gaps.md`
- Concurrency model:
- Language implementations may proceed in parallel once cross-analyzer “contract” decisions are frozen (Actions 13).
- Avoid shared mutable state changes across analyzers; keep deterministic ordering; do not introduce network fetches.
## Documentation Prerequisites
- `docs/modules/scanner/architecture.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `src/Scanner/AGENTS.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/AGENTS.md`
- Per-analyzer charters (must exist before implementation flips to DOING):
- Java: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/AGENTS.md`
- .NET: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/AGENTS.md`
- Python: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/AGENTS.md`
- Node: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/AGENTS.md`
- Bun: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/AGENTS.md` (created 2025-12-13; Action 4)
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SCAN-PROG-408-001 | DOING | Requires Action 1. | Scanner Guild + Security Guild + Export/UI/CLI Consumers | **Freeze cross-analyzer identity safety contract**: define a single, documented rule-set for when an analyzer emits (a) a concrete PURL and (b) an explicit-key component. Must cover: version ranges/tags, local paths, workspace/link/file deps, git deps, and "unknown" versions. Output: a canonical doc under `docs/modules/scanner/` (path chosen in Action 1) + per-analyzer unit tests asserting "no invalid PURLs" for declared-only / non-concrete inputs. |
| 2 | SCAN-PROG-408-002 | DOING | Requires Action 2. | Scanner Guild + Export/UI/CLI Consumers | **Freeze cross-analyzer evidence locator contract**: define deterministic locator formats for (a) lockfile entries, (b) nested artifacts (e.g., Java "outer!inner!path"), and (c) derived evidence records. Output: canonical doc + at least one golden fixture per analyzer asserting exact locator strings and bounded evidence sizes. |
| 3 | SCAN-PROG-408-003 | DOING | Requires Action 3. | Scanner Guild | **Freeze container layout discovery contract**: define which analyzers must discover projects under `layers/`, `.layers/`, and `layer*/` layouts, how ordering/whiteouts are handled (where applicable), and bounds (depth/roots/files). Output: canonical doc + fixtures proving parity for Node/Bun/Python (and any Java/.NET container behaviors where relevant). |
| 4 | SCAN-PROG-408-004 | DONE | Unblocks Bun sprint DOING. | Project Mgmt + Scanner Guild | **Create missing Bun analyzer charter**: add `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/AGENTS.md` synthesizing constraints from `docs/modules/scanner/architecture.md` and this sprint + `SPRINT_0407_0001_0001_scanner_bun_detection_gaps.md`. Must include: allowed directories, test strategy, determinism rules, identity/evidence conventions, and "no absolute paths" requirement. |
| 5 | SCAN-PROG-408-JAVA | TODO | Actions 12 recommended before emission format changes. | Java Analyzer Guild + QA Guild | **Implement all Java gaps** per `docs/implplan/SPRINT_0403_0001_0001_scanner_java_detection_gaps.md`: (a) embedded libs inside fat archives without extraction, (b) `pom.xml` fallback when properties missing, (c) multi-module Gradle lock discovery + deterministic precedence, (d) runtime image component emission from `release`, (e) replace JNI string scanning with bytecode-based JNI analysis. Acceptance: Java analyzer tests + new fixtures/goldens; bounded scanning with explicit skipped markers. |
| 6 | SCAN-PROG-408-DOTNET | TODO | Actions 12 recommended before adding declared-only identities. | .NET Analyzer Guild + QA Guild | **Implement all .NET gaps** per `docs/implplan/SPRINT_0404_0001_0001_scanner_dotnet_detection_gaps.md`: (a) declared-only fallback when no deps.json, (b) non-colliding identity for unresolved versions, (c) deterministic merge of declared vs installed packages, (d) bounded bundling signals, (e) optional declared edges provenance, (f) fixtures/docs (and optional bench). Acceptance: `.NET` analyzer emits components for source trees with lock/build files; no restore/MSBuild execution; deterministic outputs. |
| 7 | SCAN-PROG-408-PYTHON | TODO | Actions 13 recommended before overlay/identity changes. | Python Analyzer Guild + QA Guild | **Implement all Python gaps** per `docs/implplan/SPRINT_0405_0001_0001_scanner_python_detection_gaps.md`: (a) layout-aware discovery (avoid “any dist-info anywhere”), (b) expanded lock/requirements parsing (includes/editables/PEP508/direct refs), (c) correct container overlay/whiteout semantics (or explicit overlayIncomplete markers), (d) vendored dependency surfacing with safe identity rules, (e) optional used-by signals (bounded/opt-in), (f) fixtures/docs/bench. Acceptance: deterministic fixtures for lock formats and container overlays; no invalid “editable-as-version” PURLs per Action 1. |
| 8 | SCAN-PROG-408-NODE | TODO | Actions 13 recommended before declared-only emission + locators. | Node Analyzer Guild + QA Guild | **Implement all Node gaps** per `docs/implplan/SPRINT_0406_0001_0001_scanner_node_detection_gaps.md`: (a) emit declared-only components safely (no range-as-version PURLs), (b) multi-version lock fidelity `(name@version)` mapping, (c) Yarn Berry lock support, (d) pnpm schema hardening, (e) correct nested node_modules name extraction, (f) workspace glob bounds + container app-root detection parity, (g) bounded import evidence + consistent package.json hashing, (h) docs/bench. Acceptance: fixtures cover multi-version locks and Yarn v3; determinism tests prove stable ordering and locator strings. |
| 9 | SCAN-PROG-408-BUN | TODO | Actions 13 recommended before identity/scope changes. | Bun Analyzer Guild + QA Guild | **Implement all Bun gaps** per `docs/implplan/SPRINT_0407_0001_0001_scanner_bun_detection_gaps.md`: (a) discover projects under container layer layouts and do not skip `.layers`, (b) declared-only fallback for bunfig-only/no-lock/no-install, (c) bun.lock v1 graph-based dev/optional/peer classification and meaningful includeDev filtering, (d) version-specific patch mapping with relative paths only, (e) stronger evidence locators + bounded hashing, (f) identity safety for non-npm sources. Acceptance: new fixtures (`container-layers`, `bunfig-only`, `patched-multi-version`, dev-classification) + updated goldens; no absolute path leakage. |
| 10 | SCAN-PROG-408-INTEG-001 | TODO | After tasks 59 land. | QA Guild + Scanner Guild | **Integration determinism gate**: run the full language analyzer test matrix (Java/.NET/Python/Node/Bun) and add/adjust determinism tests so ordering, evidence locators, and identity rules remain stable. Any “skipped” work due to bounds must be explicit and deterministic (no silent drops). |
| 11 | SCAN-PROG-408-DOCS-001 | TODO | After Actions 13 are frozen. | Docs Guild + Scanner Guild | **Update scanner docs with final contracts**: link the per-language analyzer contract docs and this sprint from `docs/modules/scanner/architecture.md` (or the closest canonical scanner doc). Must include: identity rules, evidence locator rules, container layout handling, and bounded scanning policy. |
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| A: Contracts | Scanner Guild + Security Guild + Consumers | Actions 13 | TODO | Freeze identity/evidence/container contracts first to avoid rework. |
| B: Language Implementation | Analyzer Guilds + QA Guild | Wave A recommended | TODO | Java/.NET/Python/Node/Bun run in parallel once contracts are stable. |
| C: Integration & Docs | QA Guild + Docs Guild | Wave B | TODO | Determinism gates + contract documentation. |
## Wave Detail Snapshots
- **Wave A:** Single cross-analyzer contract for identity, evidence locators, and container layout discovery (with tests).
- **Wave B:** Implement each analyzer sprints tasks with fixtures + deterministic goldens.
- **Wave C:** End-to-end test pass + documented analyzer promises and limitations.
## Interlocks
- **No invalid PURLs:** declared-only/range/git/file/link/workspace deps must not become “fake versions”; explicit-key is required when version is not concrete. (Action 1)
- **Locator stability:** evidence locators are external-facing (export/UI/CLI); changes must be deliberate, documented, and golden-tested. (Action 2)
- **Container bounds:** layer-root discovery and overlay semantics must remain bounded and auditable (skipped markers) to stay safe on untrusted inputs. (Action 3)
- **No absolute paths:** metadata/evidence must be project-relative; no host path leakage (patch discovery and symlink realpaths are common pitfalls).
## Upcoming Checkpoints
- 2025-12-13: Freeze Actions 13 (contracts) and Action 4 (Bun AGENTS).
- 2025-12-16: Java + .NET waves reach “fixtures passing” milestone.
- 2025-12-18: Python + Node waves reach “fixtures passing” milestone.
- 2025-12-20: Bun wave reaches “fixtures passing” milestone; all language sprints ready for integration run.
- 2025-12-22: Integration determinism gate + docs complete; sprint ready for DONE review.
## Action Tracker
| # | Action | Owner | Due (UTC) | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | Choose canonical doc path + define explicit-key identity recipe across analyzers. | Project Mgmt + Scanner Guild + Security Guild | 2025-12-13 | In Progress | Doc: `docs/modules/scanner/language-analyzers-contract.md`; Node/Bun/Python updated to emit explicit-key for non-concrete identities with tests/fixtures. |
| 2 | Define evidence locator formats (lock entries, nested artifacts, derived evidence) and required hashing rules/bounds. | Project Mgmt + Scanner Guild + Export/UI/CLI Consumers | 2025-12-13 | In Progress | Doc: `docs/modules/scanner/language-analyzers-contract.md`; Node/Bun/Python fixtures assert locator formats (lock entries, nested artifacts, derived evidence). |
| 3 | Define container layer/rootfs discovery + overlay semantics contract and bounds. | Project Mgmt + Scanner Guild | 2025-12-13 | In Progress | Doc: `docs/modules/scanner/language-analyzers-contract.md`; fixtures now cover Node/Bun/Python parity for `layers/`, `.layers/`, and `layer*/`. |
| 4 | Create `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/AGENTS.md` and link it from Bun sprint prerequisites. | Project Mgmt | 2025-12-13 | Done | Created `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/AGENTS.md`; updated Bun sprint prerequisites. |
## Decisions & Risks
- **Decision (pending):** cross-analyzer identity/evidence/container contracts (Actions 13).
| Risk ID | Risk | Impact | Likelihood | Mitigation | Owner | Trigger / Signal |
| --- | --- | --- | --- | --- | --- | --- |
| R1 | Identity mistakes cause false vulnerability matches. | High | Medium | Explicit-key for non-concrete versions; fixtures asserting no invalid PURLs; docs. | Security Guild + Scanner Guild | Vuln-match spike; PURL validation failures downstream. |
| R2 | Evidence locator churn breaks export/UI/CLI consumers. | High | Medium | Freeze locator formats up-front; golden fixtures; doc contract; version if needed. | Scanner Guild + Consumers | Consumer parse failures; UI rendering regressions. |
| R3 | Container scanning becomes a perf trap on untrusted roots. | High | Medium | Bounds (depth/roots/files/size); deterministic skipping markers; optional benches. | Scanner Guild + Bench Guild | CI timeouts; high CPU scans. |
| R4 | Non-determinism appears via filesystem order or parser tolerance. | Medium | Medium | Stable sorting; deterministic maps; golden fixtures on Windows/Linux. | QA Guild | Flaky tests; differing outputs across agents. |
| R5 | Absolute path leakage appears in metadata/evidence. | Medium | Medium | Enforce project-relative normalization; add tests that fail if absolute paths detected. | Scanner Guild | Golden diffs with host-specific paths. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-12 | Program sprint created to coordinate implementation of all language analyzer detection gaps (Java/.NET/Python/Node/Bun) with shared contracts and acceptance evidence. | Project Mgmt |
| 2025-12-13 | Created Bun analyzer charter (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/AGENTS.md`); updated Bun sprint prerequisites; marked SCAN-PROG-408-004 complete. | Project Mgmt |
| 2025-12-13 | Set SCAN-PROG-408-001..003 to DOING; started Actions 1-3 (identity/evidence/container contracts). | Scanner Guild |
| 2025-12-13 | Implemented Node/Python contract compliance (explicit-key for declared-only, tarball/git/file/workspace classification; Python editable lock entries now explicit-key with host-path scrubbing) and extended fixtures for `.layers`/`layers`/`layer*`; Node + Python test suites passing. | Implementer |

183
docs/implplan/SPRINT_3412_0001_0001_postgres_durability_phase2.md Normal file
View File

@@ -0,0 +1,183 @@
# Sprint 3412 - PostgreSQL Durability Phase 2
## Topic & Scope
- Implement PostgreSQL storage for modules currently using in-memory/filesystem storage after MongoDB removal
- Complete Excititor PostgreSQL migration (Provider, Observation, Attestation, Timeline stores still in-memory)
- Restore production durability for AirGap, TaskRunner, Signals, Graph, PacksRegistry, SbomService
- Complete Notify Postgres repository implementation for missing repos
- Fix Graph.Indexer determinism test failures
- **Working directory:** cross-module; all modules with in-memory/filesystem storage
## Dependencies & Concurrency
- Upstream: Sprint 3410 (MongoDB Final Removal) - COMPLETE
- Upstream: Sprint 3411 (Notifier Architectural Cleanup) - COMPLETE
- Each module can be implemented independently; modules can be worked in parallel
- Prefer Excititor, AirGap.Controller and TaskRunner first due to HIGH production risk
## Documentation Prerequisites
- docs/db/SPECIFICATION.md
- docs/operations/postgresql-guide.md
- Module AGENTS.md files
- Existing Postgres storage implementations (Authority, Scheduler, Concelier) as reference patterns
## Database Abstraction Layer Requirements
**All implementations MUST follow the established pattern:**
```
DataSourceBase (Infrastructure.Postgres)
└── ModuleDataSource : DataSourceBase
└── RepositoryBase<TDataSource>
└── ConcreteRepository : RepositoryBase<ModuleDataSource>, IRepository
```
### Reference Implementations
| Pattern | Reference Location |
|---------|-------------------|
| DataSourceBase | `src/__Libraries/StellaOps.Infrastructure.Postgres/Connections/DataSourceBase.cs` |
| RepositoryBase | `src/__Libraries/StellaOps.Infrastructure.Postgres/Repositories/RepositoryBase.cs` |
| Module DataSource | `src/Authority/__Libraries/StellaOps.Authority.Storage.Postgres/AuthorityDataSource.cs` |
| Repository Example | `src/Authority/__Libraries/StellaOps.Authority.Storage.Postgres/Repositories/ApiKeyRepository.cs` |
| Test Fixture | `src/__Libraries/StellaOps.Infrastructure.Postgres.Testing/PostgresIntegrationFixture.cs` |
### Implementation Checklist
Each new Postgres repository MUST:
- [ ] Inherit from `RepositoryBase<TModuleDataSource>`
- [ ] Implement module-specific interface (e.g., `IVexProviderStore`)
- [ ] Accept `tenantId` as first parameter in all queries
- [ ] Use base class helpers: `QueryAsync`, `QuerySingleOrDefaultAsync`, `ExecuteAsync`
- [ ] Use `AddParameter`, `AddJsonbParameter` for safe parameter binding
- [ ] Include static mapper function for data mapping
- [ ] Be registered as **Scoped** in DI (DataSource is Singleton)
- [ ] Include embedded SQL migrations
- [ ] Have integration tests using `PostgresIntegrationFixture`
## Delivery Tracker
### T12.0: Excititor PostgreSQL Completion (HIGH PRIORITY)
**Context:** Excititor has partial PostgreSQL implementation. Core stores (raw docs, linksets, checkpoints) are complete, but 4 auxiliary stores remain in-memory only with explicit TODO comments indicating temporary status.
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | MR-T12.0.1 | DONE | None | Excititor Guild | Implement `PostgresVexProviderStore` (replace InMemoryVexProviderStore) |
| 2 | MR-T12.0.2 | DONE | None | Excititor Guild | Implement `PostgresVexObservationStore` (replace InMemoryVexObservationStore) |
| 3 | MR-T12.0.3 | DONE | None | Excititor Guild | Implement `PostgresVexAttestationStore` (replace InMemoryVexAttestationStore) |
| 4 | MR-T12.0.4 | DONE | None | Excititor Guild | Implement `PostgresVexTimelineEventStore` (IVexTimelineEventStore - no impl exists) |
| 5 | MR-T12.0.5 | DONE | MR-T12.0.1-4 | Excititor Guild | Add vex schema migrations for provider, observation, attestation, timeline tables |
| 6 | MR-T12.0.6 | DONE | MR-T12.0.5 | Excititor Guild | Update DI in ServiceCollectionExtensions to use Postgres stores by default |
| 7 | MR-T12.0.7 | TODO | MR-T12.0.6 | Excititor Guild | Add integration tests with PostgresIntegrationFixture |
### T12.1: AirGap.Controller PostgreSQL Storage (HIGH PRIORITY)
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | MR-T12.1.1 | DONE | None | AirGap Guild | Design airgap.state PostgreSQL schema and migration |
| 2 | MR-T12.1.2 | DONE | MR-T12.1.1 | AirGap Guild | Implement `PostgresAirGapStateStore` repository |
| 3 | MR-T12.1.3 | DONE | MR-T12.1.2 | AirGap Guild | Wire DI for Postgres storage, update ServiceCollectionExtensions |
| 4 | MR-T12.1.4 | TODO | MR-T12.1.3 | AirGap Guild | Add integration tests with Testcontainers |
### T12.2: TaskRunner PostgreSQL Storage (HIGH PRIORITY)
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 5 | MR-T12.2.1 | DONE | None | TaskRunner Guild | Design taskrunner schema and migration (state, approvals, logs, evidence) |
| 6 | MR-T12.2.2 | DONE | MR-T12.2.1 | TaskRunner Guild | Implement Postgres repositories (PackRunStateStore, PackRunApprovalStore, PackRunLogStore, PackRunEvidenceStore) |
| 7 | MR-T12.2.3 | DONE | MR-T12.2.2 | TaskRunner Guild | Wire DI for Postgres storage, create ServiceCollectionExtensions |
| 8 | MR-T12.2.4 | TODO | MR-T12.2.3 | TaskRunner Guild | Add integration tests with Testcontainers |
### T12.3: Notify Missing Repositories
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 9 | MR-T12.3.1 | TODO | None | Notifier Guild | Implement `PackApprovalRepository` with Postgres backing |
| 10 | MR-T12.3.2 | TODO | None | Notifier Guild | Implement `ThrottleConfigRepository` with Postgres backing |
| 11 | MR-T12.3.3 | TODO | None | Notifier Guild | Implement `OperatorOverrideRepository` with Postgres backing |
| 12 | MR-T12.3.4 | TODO | None | Notifier Guild | Implement `LocalizationRepository` with Postgres backing |
| 13 | MR-T12.3.5 | TODO | MR-T12.3.1-4 | Notifier Guild | Wire Postgres repos in DI, replace in-memory implementations |
### T12.4: Signals PostgreSQL Storage
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 14 | MR-T12.4.1 | TODO | None | Signals Guild | Design signals schema (callgraphs, reachability_facts, unknowns) |
| 15 | MR-T12.4.2 | TODO | MR-T12.4.1 | Signals Guild | Implement Postgres callgraph repository |
| 16 | MR-T12.4.3 | TODO | MR-T12.4.1 | Signals Guild | Implement Postgres reachability facts repository |
| 17 | MR-T12.4.4 | TODO | MR-T12.4.2-3 | Signals Guild | Replace in-memory persistence in storage layer |
| 18 | MR-T12.4.5 | TODO | MR-T12.4.4 | Signals Guild | Add integration tests with Testcontainers |
### T12.5: Graph.Indexer PostgreSQL Storage
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 19 | MR-T12.5.1 | TODO | None | Graph Guild | Design graph schema (nodes, edges, snapshots, change_feeds) |
| 20 | MR-T12.5.2 | TODO | MR-T12.5.1 | Graph Guild | Implement Postgres graph writer repository |
| 21 | MR-T12.5.3 | TODO | MR-T12.5.1 | Graph Guild | Implement Postgres snapshot store |
| 22 | MR-T12.5.4 | TODO | MR-T12.5.2-3 | Graph Guild | Replace in-memory implementations |
| 23 | MR-T12.5.5 | TODO | MR-T12.5.4 | Graph Guild | Fix GraphAnalyticsEngine determinism test failures |
| 24 | MR-T12.5.6 | TODO | MR-T12.5.4 | Graph Guild | Fix GraphSnapshotBuilder determinism test failures |
### T12.6: PacksRegistry PostgreSQL Storage
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 25 | MR-T12.6.1 | TODO | None | PacksRegistry Guild | Design packs schema (packs, pack_versions, pack_artifacts) |
| 26 | MR-T12.6.2 | TODO | MR-T12.6.1 | PacksRegistry Guild | Implement Postgres pack repositories |
| 27 | MR-T12.6.3 | TODO | MR-T12.6.2 | PacksRegistry Guild | Replace file-based repositories in WebService |
| 28 | MR-T12.6.4 | TODO | MR-T12.6.3 | PacksRegistry Guild | Add integration tests with Testcontainers |
### T12.7: SbomService PostgreSQL Storage
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 29 | MR-T12.7.1 | TODO | None | SbomService Guild | Design sbom schema (catalogs, components, lookups) |
| 30 | MR-T12.7.2 | TODO | MR-T12.7.1 | SbomService Guild | Implement Postgres catalog repository |
| 31 | MR-T12.7.3 | TODO | MR-T12.7.1 | SbomService Guild | Implement Postgres component lookup repository |
| 32 | MR-T12.7.4 | TODO | MR-T12.7.2-3 | SbomService Guild | Replace file/in-memory implementations |
| 33 | MR-T12.7.5 | TODO | MR-T12.7.4 | SbomService Guild | Add integration tests with Testcontainers |
## Wave Coordination
- **Wave 1 (HIGH PRIORITY):** T12.0 (Excititor), T12.1 (AirGap), T12.2 (TaskRunner) - production durability critical
- **Wave 2:** T12.3 (Notify repos) - completes Notify Postgres migration
- **Wave 3:** T12.4-T12.7 (Signals, Graph, PacksRegistry, SbomService) - can be parallelized
## Current Storage Locations
| Module | Current Implementation | Files |
|--------|------------------------|-------|
| Excititor | Postgres COMPLETE | All stores implemented: `PostgresVexProviderStore`, `PostgresVexObservationStore`, `PostgresVexAttestationStore`, `PostgresVexTimelineEventStore` |
| AirGap.Controller | Postgres COMPLETE | `PostgresAirGapStateStore` in `StellaOps.AirGap.Storage.Postgres` |
| TaskRunner | Postgres COMPLETE | `PostgresPackRunStateStore`, `PostgresPackRunApprovalStore`, `PostgresPackRunLogStore`, `PostgresPackRunEvidenceStore` in `StellaOps.TaskRunner.Storage.Postgres` |
| Signals | Filesystem + In-memory | `src/Signals/StellaOps.Signals/Storage/FileSystemCallgraphArtifactStore.cs` |
| Graph.Indexer | In-memory | `src/Graph/StellaOps.Graph.Indexer/` - InMemoryIdempotencyStore, in-memory graph writer |
| PacksRegistry | File-based | `src/PacksRegistry/` - file-based repositories |
| SbomService | File + In-memory | `src/SbomService/` - file/in-memory repositories |
| Notify | Partial Postgres | Missing: PackApproval, ThrottleConfig, OperatorOverride, Localization repos |
## Decisions & Risks
- **Decisions:** All Postgres implementations MUST follow the `RepositoryBase<TDataSource>` abstraction pattern established in Authority, Scheduler, and Concelier modules. Use Testcontainers for integration testing. No direct Npgsql access without abstraction.
- **Risks:**
- ~~Excititor VEX attestations not persisted until T12.0 completes - HIGH PRIORITY~~ **MITIGATED** - T12.0 complete
- ~~AirGap sealing state loss on restart until T12.1 completes~~ **MITIGATED** - T12.1 complete
- ~~TaskRunner has no HA/scaling support until T12.2 completes~~ **MITIGATED** - T12.2 complete
- Graph.Indexer determinism tests currently failing (null edge resolution, duplicate nodes)
| Risk | Mitigation |
| --- | --- |
| Production durability gaps | Prioritize Excititor, AirGap and TaskRunner (Wave 1) |
| Schema design complexity | Reference existing Postgres implementations (Authority, Scheduler) |
| Inconsistent abstraction patterns | Enforce `RepositoryBase<TDataSource>` pattern via code review |
| Test infrastructure | Use existing Testcontainers patterns from Scanner.Storage |
| Excititor in-memory stores have complex semantics | Use InMemoryVexStores.cs as behavioral specification |
## Modules NOT in This Sprint (Already Complete)
| Module | Status | Evidence |
|--------|--------|----------|
| Concelier | COMPLETE | 32 PostgreSQL repositories in `StellaOps.Concelier.Storage.Postgres` |
| Authority | COMPLETE | 24 PostgreSQL repositories in `StellaOps.Authority.Storage.Postgres` |
| Scheduler | COMPLETE | 11+ PostgreSQL repositories in `StellaOps.Scheduler.Storage.Postgres` |
| Scanner | COMPLETE | PostgreSQL storage with migrations in `StellaOps.Scanner.Storage` |
| Policy | COMPLETE | PostgreSQL repositories in `StellaOps.Policy.Storage.Postgres` |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-13 | Sprint created to track PostgreSQL durability follow-up work from Sprint 3410 (MongoDB Final Removal). | Infrastructure Guild |
| 2025-12-13 | Added Excititor T12.0 section - identified 4 stores still using in-memory implementations. Added Database Abstraction Layer Requirements section. Updated wave priorities. | Infrastructure Guild |
| 2025-12-13 | Completed T12.0.1-6: Implemented PostgresVexProviderStore, PostgresVexObservationStore, PostgresVexAttestationStore, PostgresVexTimelineEventStore. Updated ServiceCollectionExtensions to register new stores. Tables created via EnsureTableAsync lazy initialization pattern. Integration tests (T12.0.7) still pending. | Infrastructure Guild |
| 2025-12-13 | Completed T12.2.1-3: Implemented TaskRunner PostgreSQL storage in new `StellaOps.TaskRunner.Storage.Postgres` project. Created repositories: PostgresPackRunStateStore (pack_run_state table), PostgresPackRunApprovalStore (pack_run_approvals table), PostgresPackRunLogStore (pack_run_logs table), PostgresPackRunEvidenceStore (pack_run_evidence table). All use EnsureTableAsync lazy initialization and OpenSystemConnectionAsync for cross-tenant access. Integration tests (T12.2.4) still pending. | Infrastructure Guild |

0
docs/implplan/archived/updates/SPRINT_100_identity_signing.md → docs/implplan/archived/SPRINT_0100_0001_0001_identity_signing.md
View File

2
docs/implplan/archived/SPRINT_0110_0001_0001_ingestion_evidence.md
View File

@@ -210,4 +210,4 @@
| 2025-11-20 | Moved CONCELIER-ATTEST-73-001/002 to DOING; starting implementation against frozen Evidence Bundle v1 and attestation scope note. Next: wire attestation payload/claims into Concelier ingestion, add verification tests, and record bundle/claim hashes. | Implementer |
## Appendix
- Detailed coordination artefacts, contingency playbook, and historical notes live at `docs/implplan/archived/SPRINT_110_ingestion_evidence_2025-11-13.md`.
- Detailed coordination artefacts, contingency playbook, and historical notes live at `docs/implplan/archived/updates/2025-11-13-sprint-0110-ingestion-evidence.md`.

2
docs/implplan/archived/SPRINT_110_ingestion_evidence_2025-11-24.md → docs/implplan/archived/SPRINT_0110_0001_0002_ingestion_evidence_status_2025-11-24.md
View File

@@ -100,4 +100,4 @@
| 2025-11-25 | Sprint closeout | Dev scope complete; remaining ops/release checkpoints tracked in SPRINT_0111, SPRINT_0125, and Ops sprints 503/506. | 110.AD | Project Mgmt |
## Appendix
- Detailed coordination artefacts, contingency playbook, and historical notes previously held in this sprint now live at `docs/implplan/archived/SPRINT_110_ingestion_evidence_2025-11-13.md`.
- Detailed coordination artefacts, contingency playbook, and historical notes previously held in this sprint now live at `docs/implplan/archived/updates/2025-11-13-sprint-0110-ingestion-evidence.md`.

2
docs/implplan/archived/SPRINT_0125_0001_0001_mirror.md
View File

@@ -108,4 +108,4 @@
| 2025-11-19 | Time-anchor policy workshop | Approve requirements for AIRGAP-TIME-57-001. | AirGap Time Guild · Mirror Creator |
## Appendix
- Previous detailed notes retained at `docs/implplan/archived/SPRINT_125_mirror_2025-11-13.md`.
- Previous detailed notes retained at `docs/implplan/archived/updates/2025-11-13-sprint-0125-mirror.md`.

0
docs/implplan/archived/updates/SPRINT_130_scanner_surface.md → docs/implplan/archived/SPRINT_0130_0001_0001_scanner_surface.md
View File

0
docs/implplan/archived/updates/SPRINT_137_scanner_gap_design.md → docs/implplan/archived/SPRINT_0137_0001_0001_scanner_gap_design.md
View File

2
docs/implplan/archived/SPRINT_0140_0001_0001_runtime_signals.md
View File

@@ -151,7 +151,7 @@ This file now only tracks the runtime & signals status snapshot. Active backlog
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| 140.A Graph | Graph Indexer Guild · Observability Guild | Sprint 120.A AirGap; Sprint 130.A Scanner (phase I tracked under `docs/implplan/SPRINT_130_scanner_surface.md`) | DONE (2025-11-28) | Sprint 0141 complete: GRAPH-INDEX-28-007..010 all DONE. |
| 140.A Graph | Graph Indexer Guild · Observability Guild | Sprint 120.A AirGap; Sprint 130.A Scanner (phase I tracked under `docs/implplan/archived/SPRINT_0130_0001_0001_scanner_surface.md`) | DONE (2025-11-28) | Sprint 0141 complete: GRAPH-INDEX-28-007..010 all DONE. |
| 140.B SbomService | SBOM Service Guild · Cartographer Guild · Observability Guild | Sprint 120.A AirGap; Sprint 130.A Scanner | DOING (2025-11-28) | Sprint 0142 mostly complete: SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002, SBOM-ORCH-32/33/34-001, SBOM-VULN-29-001/002 DONE. SBOM-CONSOLE-23-001/002 remain BLOCKED. |
| 140.C Signals | Signals Guild · Authority Guild (for scopes) · Runtime Guild | Sprint 120.A AirGap; Sprint 130.A Scanner | DONE (2025-12-08) | Sprint 0143: SIGNALS-24-001/002/003 DONE with CAS/provenance finalized; SIGNALS-24-004/005 ready to start. |
| 140.D Zastava | Zastava Observer/Webhook Guilds · Security Guild | Sprint 120.A AirGap; Sprint 130.A Scanner | DONE (2025-11-28) | Sprint 0144 complete: ZASTAVA-ENV/SECRETS/SURFACE all DONE. |

2
docs/implplan/archived/SPRINT_0301_0001_0001_docs_md_i.md
View File

@@ -91,4 +91,4 @@
| 2025-11-18 | AirGap doc planning session | Review sealing/egress outline and bundle workflow drafts. | Docs Guild · AirGap Controller Guild |
## Appendix
- Legacy sprint content archived at `docs/implplan/archived/SPRINT_301_docs_tasks_md_i_2025-11-13.md`.
- Legacy sprint content archived at `docs/implplan/archived/updates/2025-11-13-sprint-0301-docs-tasks-md-i.md`.

0
docs/implplan/archived/SPRINT_302_docs_tasks_md_ii.md → docs/implplan/archived/SPRINT_0302_0001_0001_docs_tasks_md_ii.md
View File

55
docs/implplan/archived/SPRINT_0402_0001_0001_scanner_go_analyzer_gaps.md Normal file
View File

@@ -0,0 +1,55 @@
# Sprint 0402 - Scanner Go Analyzer Gaps
## Topic & Scope
- Close correctness and determinism gaps in the Go language analyzer across **source + binary** scenarios (go.mod/go.sum/go.work/vendor + embedded buildinfo).
- Ensure **binary evidence actually takes precedence** over source evidence (including when both are present in the scan root) without duplicate/contradictory components.
- Harden parsing and metadata semantics for Go workspaces and module directives (workspace-wide `replace`, duplicate `replace`, `retract` semantics).
- Reduce worst-case IO/memory by bounding buildinfo/DWARF reads while keeping offline-first behavior and deterministic outputs.
- **Working directory:** `src/Scanner` (primary code: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go`; tests: `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Go.Tests`; docs: `docs/modules/scanner/`).
## Dependencies & Concurrency
- Depends on shared language component identity/merge behavior: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/LanguageComponentRecord.cs`.
- Concurrency-safe with other language gap sprints (`SPRINT_0403_0001_0001_scanner_java_detection_gaps.md`, `SPRINT_0404_0001_0001_scanner_dotnet_detection_gaps.md`, `SPRINT_0405_0001_0001_scanner_python_detection_gaps.md`, `SPRINT_0406_0001_0001_scanner_node_detection_gaps.md`, `SPRINT_0407_0001_0001_scanner_bun_detection_gaps.md`) unless we change cross-analyzer merge/identity conventions (see Decisions & Risks).
## Documentation Prerequisites
- `docs/modules/scanner/architecture.md`
- `docs/modules/scanner/language-analyzers-contract.md`
- `src/Scanner/AGENTS.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/AGENTS.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/AGENTS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SCAN-GO-402-001 | DONE | Reversed scan order; binary first. | Go Analyzer Guild | **Fix precedence when both source + binary exist**: Reversed scan order so binaries are processed first (Phase 1), then source (Phase 2). Binary components now include `provenance=binary` metadata. Main module paths are tracked separately to suppress source `(devel)` versions when binary evidence exists. |
| 2 | SCAN-GO-402-002 | DONE | Workspace replaces propagated. | Go Analyzer Guild | **Apply `go.work` workspace-wide replacements**: Added `WorkspaceReplaces` property to `GoProject` record. Workspace-level `replace` directives are now parsed from `go.work` and propagated to all member module inventories. Module-level replaces take precedence over workspace-level for same key. |
| 3 | SCAN-GO-402-003 | DONE | Duplicate keys handled. | Go Analyzer Guild | **Harden `replace` parsing + duplicate keys**: Replaced `ToImmutableDictionary` (which throws on duplicates) with manual dictionary building that handles duplicates with last-one-wins semantics within each scope (workspace vs module). |
| 4 | SCAN-GO-402-004 | DONE | False positives removed. | Go Analyzer Guild + Security Guild | **Correct `retract` semantics**: Removed false-positive `retractedVersions.Contains(module.Version)` check from conflict detector. Added documentation clarifying that `retract` only applies to the declaring module and cannot be determined for dependencies offline. |
| 5 | SCAN-GO-402-005 | DONE | Windowed reads implemented. | Go Analyzer Guild + Bench Guild | **Bound buildinfo/DWARF IO**: Implemented bounded windowed reads for both buildinfo (16 MB windows, 4 KB overlap) and DWARF token scanning (8 MB windows, 1 KB overlap). Small files read directly. Max file sizes: 128 MB (buildinfo), 256 MB (DWARF). |
| 6 | SCAN-GO-402-006 | DONE | Header hash added to cache key. | Go Analyzer Guild | **Cache key correctness**: Added 4 KB header hash (FNV-1a) to cache key alongside path/length/mtime. This handles container layer edge cases where files have identical metadata but different content. |
| 7 | SCAN-GO-402-007 | DONE | Capabilities emit as metadata. | Go Analyzer Guild + Scanner Guild | **Decide and wire Go capability scanning**: Capabilities now emit as metadata on main module (`capabilities=exec,filesystem,...` + `capabilities.maxRisk`) plus top 10 capability evidence entries. Scans all `.go` files (excluding vendor/testdata). |
| 8 | SCAN-GO-402-008 | DONE | Documentation updated. | Docs Guild + Go Analyzer Guild | **Document Go analyzer behavior**: Updated `docs/modules/scanner/analyzers-go.md` with precedence rules, workspace replace propagation, capability scanning table, IO bounds, retract semantics, and cache key documentation. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-13 | Sprint created to close Go analyzer correctness/determinism gaps (precedence, go.work replace, replace/retract semantics, bounded IO, cache key hardening, capability scan wiring) with fixtures + docs expectations. | Project Mgmt |
| 2025-12-13 | All 8 tasks completed. Implemented: binary-first precedence, go.work replace propagation, duplicate replace handling, retract semantics fix, bounded windowed IO, header-hash cache keys, capability scanning wiring. All 99 Go analyzer tests passing. Documentation updated. | Claude Code |
## Decisions & Risks
- **Decision (resolved):** Binary scans first (Phase 1), source scans second (Phase 2). Binary evidence takes precedence. Source `(devel)` main modules suppressed when binary main module exists for same path. Documented in `docs/modules/scanner/analyzers-go.md`.
- **Decision (resolved):** Last-one-wins for duplicate replace directives within each scope. Workspace replaces apply first, then module-level replaces override for same key.
- **Decision (resolved):** Capabilities emit as metadata on main module component (`capabilities` comma-separated list + `capabilities.maxRisk`) plus top 10 evidence entries with source file:line locators.
| Risk ID | Risk | Impact | Likelihood | Mitigation | Owner | Trigger / Signal |
| --- | --- | --- | --- | --- | --- | --- |
| R1 | Source records override binary-derived metadata due to merge order, producing under-attributed components. | High | Medium | Add combined source+binary fixture; enforce precedence in code; document merge semantics. | Go Analyzer Guild | Golden diffs show missing `go.buildinfo` metadata when `go.mod` is present. |
| R2 | Workspace-wide replacements (`go.work`) silently ignored, yielding incorrect module identity and evidence. | Medium | Medium | Propagate `go.work` replaces into inventories; add fixture with replace + member module. | Go Analyzer Guild | Customer reports wrong replacement attribution; fixture mismatch. |
| R3 | “Retracted version” false positives increase noise and mislead policy decisions. | High | Medium | Remove incorrect dependency retraction checks; document offline limits; add unit tests. | Security Guild | Policy failures referencing retracted dependencies without authoritative evidence. |
| R4 | Buildinfo/DWARF scanning becomes a perf/memory trap on large binaries. | High | Medium | Bound reads, cap evidence size, add perf guardrails; document limits. | Bench Guild | CI perf regression; high memory usage on large images. |
| R5 | Cache key collisions cause cross-binary metadata bleed-through. | High | Low | Use content-derived cache key; add concurrency + collision tests; keep cache bounded. | Go Analyzer Guild | Non-deterministic outputs across runs; wrong module attribution. |
## Next Checkpoints
- 2025-12-16: Decide precedence + retract semantics; land doc skeleton (`docs/modules/scanner/analyzers-go.md`).
- 2025-12-20: Combined source+binary fixtures passing; go.work replace fixture passing.
- 2025-12-22: Bounded-IO implementation complete with perf guardrails; cache key hardened; sprint ready for review.

30
docs/implplan/SPRINT_0403_0001_0001_scanner_java_detection_gaps.md → docs/implplan/archived/SPRINT_0403_0001_0001_scanner_java_detection_gaps.md
View File

@@ -25,21 +25,21 @@
| --- | --- | --- | --- | --- | --- |
| 1 | SCAN-JAVA-403-001 | DONE | Embedded scan ships with bounds + nested locators; fixtures/goldens in task 6 validate. | Java Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java`) | **Scan embedded libraries inside archives**: extend `JavaLanguageAnalyzer` to enumerate and parse Maven coordinates from embedded JARs in `BOOT-INF/lib/**.jar`, `WEB-INF/lib/**.jar`, `APP-INF/lib/**.jar`, and `lib/**.jar` *without extracting to disk*. Emit one component per discovered embedded artifact (PURL-based when possible). Evidence locators must represent nesting deterministically (e.g., `outer.jar!BOOT-INF/lib/inner.jar!META-INF/maven/.../pom.properties`). Enforce size/time bounds (skip embedded jars above a configured size threshold; record `embeddedScanSkipped=true` + reason metadata). |
| 2 | SCAN-JAVA-403-002 | DONE | `pom.xml` fallback implemented for archives + embedded jars; explicit-key unresolved when incomplete. | Java Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java`) | **Add `pom.xml` fallback when `pom.properties` is missing**: detect and parse `META-INF/maven/**/pom.xml` (both top-level archives and embedded jars). Prefer `pom.properties` when both exist; otherwise derive `groupId/artifactId/version/packaging/name` from `pom.xml` and emit `pkg:maven/...` PURLs. Evidence must include sha256 of the parsed `pom.xml` entry. If `pom.xml` is present but coordinates are incomplete, emit a component with explicit key (no PURL) carrying `manifestTitle/manifestVersion` and an `unresolvedCoordinates=true` marker (do not guess a Maven PURL). |
| 3 | SCAN-JAVA-403-003 | BLOCKED | Needs an explicit, documented precedence rule for multi-module lock sources (Interlock 2). | Java Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java`) | **Parse all discovered Gradle lockfiles deterministically**: update `JavaLockFileCollector` to parse lockfiles from `JavaBuildFileDiscovery` results (not only root `gradle.lockfile` and `gradle/dependency-locks`). Preserve the lockfile-relative path as `lockLocator` and include module context in metadata (e.g., `lockModulePath`). Deduplicate identical GAVs deterministically (stable overwrite rules documented in code + tested). |
| 4 | SCAN-JAVA-403-004 | BLOCKED | Needs runtime component identity decision (Action 2) to avoid false vuln matches. | Java Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java`) | **Emit runtime image components**: when `JavaWorkspaceNormalizer` identifies a runtime image, emit a `java-runtime` component (explicit key or PURL per decision) with metadata `java.version`, `java.vendor`, and `runtimeImagePath` (relative). Evidence must reference the `release` file. Ensure deterministic ordering and do not double-count multiple identical runtime images (same version+vendor+relative path). |
| 3 | SCAN-JAVA-403-003 | DONE | Lock precedence rules documented in `JavaLockFileCollector` XML docs; `lockModulePath` metadata emitted; tests added. | Java Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java`) | **Parse all discovered Gradle lockfiles deterministically**: update `JavaLockFileCollector` to parse lockfiles from `JavaBuildFileDiscovery` results (not only root `gradle.lockfile` and `gradle/dependency-locks`). Preserve the lockfile-relative path as `lockLocator` and include module context in metadata (e.g., `lockModulePath`). Deduplicate identical GAVs deterministically (stable overwrite rules documented in code + tested). |
| 4 | SCAN-JAVA-403-004 | DONE | Explicit-key approach implemented; `java-runtime` components emitted without PURL to avoid false vuln matches. | Java Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java`) | **Emit runtime image components**: when `JavaWorkspaceNormalizer` identifies a runtime image, emit a `java-runtime` component (explicit key or PURL per decision) with metadata `java.version`, `java.vendor`, and `runtimeImagePath` (relative). Evidence must reference the `release` file. Ensure deterministic ordering and do not double-count multiple identical runtime images (same version+vendor+relative path). |
| 5 | SCAN-JAVA-403-005 | DONE | Bytecode JNI metadata integrated and bounded; tests updated. | Java Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java`) | **Replace naive JNI string scanning with bytecode-based JNI analysis**: integrate `Internal/Jni/JavaJniAnalyzer` into `JavaLanguageAnalyzer` so JNI usage metadata is derived from parsed method invocations and native method flags (not raw ASCII search). Output must be bounded and deterministic: emit counts + top-N stable samples (e.g., `jni.edgeCount`, `jni.targetLibraries`, `jni.reasons`). Do not emit full class lists unbounded. |
| 6 | SCAN-JAVA-403-006 | BLOCKED | Embedded/pomxml goldens landed; lock+runtime fixtures await tasks 3/4 decisions. | QA Guild (`src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Java.Tests`) | **Add fixtures + golden outputs for new detection paths**: introduce fixtures covering (a) fat JAR with embedded libs under `BOOT-INF/lib`, (b) WAR with embedded libs under `WEB-INF/lib`, (c) artifact containing only `pom.xml` (no `pom.properties`), (d) multi-module Gradle lockfile layout, and (e) runtime image directory with `release`. Add/extend `JavaLanguageAnalyzerTests.cs` golden harness assertions proving embedded components are emitted with correct nested locators and stable ordering. |
| 6 | SCAN-JAVA-403-006 | DONE | All fixtures added: fat JAR, WAR, pomxml-only, multi-module Gradle lock, runtime image; tests pass. | QA Guild (`src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Java.Tests`) | **Add fixtures + golden outputs for new detection paths**: introduce fixtures covering (a) fat JAR with embedded libs under `BOOT-INF/lib`, (b) WAR with embedded libs under `WEB-INF/lib`, (c) artifact containing only `pom.xml` (no `pom.properties`), (d) multi-module Gradle lockfile layout, and (e) runtime image directory with `release`. Add/extend `JavaLanguageAnalyzerTests.cs` golden harness assertions proving embedded components are emitted with correct nested locators and stable ordering. |
| 7 | SCAN-JAVA-403-007 | DONE | Added `java_fat_archive` scenario + fixture `samples/runtime/java-fat-archive`; baseline row pending in follow-up. | Bench Guild (`src/Bench/StellaOps.Bench/Scanner.Analyzers`) | **Add benchmark scenario for fat-archive scanning**: add a deterministic bench case that scans a representative fat JAR fixture and reports component count + elapsed time. Establish a baseline ceiling and ensure CI can run it offline. |
| 8 | SCAN-JAVA-403-008 | DONE | Added Java analyzer contract doc + linked from scanner architecture; cross-analyzer contract cleaned. | Docs Guild + Java Analyzer Guild (`docs/modules/scanner`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java`) | **Document Java analyzer detection contract**: update `docs/modules/scanner/architecture.md` (or add a Java analyzer sub-doc under `docs/modules/scanner/`) describing: embedded jar scanning rules, nested evidence locator format, lock precedence rules, runtime component emission, JNI metadata semantics, and known limitations (e.g., shaded jars with stripped Maven metadata remain best-effort). Link this sprint from the doc's `evidence & determinism` area. |
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| A: Embedded Inventory | Java Analyzer Guild + QA Guild | Locator decision (Action 1) | DOING | Enables detection of fat JAR/WAR embedded libs. |
| B: Coordinates Fallback | Java Analyzer Guild + QA Guild | None | DOING | `pom.xml` fallback for Maven coordinates when properties missing. |
| C: Lock Coverage | Java Analyzer Guild + QA Guild | Precedence decision (Interlock 2) | BLOCKED | Multi-module Gradle lock ingestion improvements. |
| D: Runtime & JNI Context | Java Analyzer Guild + QA Guild | Runtime identity decision (Action 2) | DOING | JNI bytecode integration in progress; runtime emission blocked. |
| E: Bench & Docs | Bench Guild + Docs Guild | Waves A-D | TODO | Perf ceiling + contract documentation. |
| A: Embedded Inventory | Java Analyzer Guild + QA Guild | Locator decision (Action 1) | DONE | Embedded libs detection complete; nested locators working. |
| B: Coordinates Fallback | Java Analyzer Guild + QA Guild | None | DONE | `pom.xml` fallback for Maven coordinates when properties missing. |
| C: Lock Coverage | Java Analyzer Guild + QA Guild | Precedence decision (Interlock 2) | DONE | Multi-module Gradle lock ingestion with `lockModulePath` metadata; first-wins for same GAV. |
| D: Runtime & JNI Context | Java Analyzer Guild + QA Guild | Runtime identity decision (Action 2) | DONE | JNI bytecode + runtime emission (explicit-key) complete. |
| E: Bench & Docs | Bench Guild + Docs Guild | Waves A-D | DONE | Perf ceiling + contract documentation complete. |
## Wave Detail Snapshots
- **Wave A:** Embedded JAR enumeration + nested evidence locators; fixtures prove fat-archive dependency visibility.
@@ -64,15 +64,16 @@
## Action Tracker
| # | Action | Owner | Due (UTC) | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | Decide and document nested evidence locator scheme for embedded JAR entries (`outer!inner!path`). | Project Mgmt + Java Analyzer Guild | 2025-12-13 | Implemented (pending approval) | Implemented via nested `!` locators (consistent with existing `BuildLocator`); covered by new goldens. |
| 2 | Decide runtime component identity approach (explicit key vs PURL scheme; if PURL, specify qualifiers). | Project Mgmt + Scanner Guild | 2025-12-13 | Open | Avoid false vuln matches; prefer explicit-key if uncertain. |
| 1 | Decide and document nested evidence locator scheme for embedded JAR entries (`outer!inner!path`). | Project Mgmt + Java Analyzer Guild | 2025-12-13 | DONE | Implemented via nested `!` locators (consistent with existing `BuildLocator`); covered by new goldens. |
| 2 | Decide runtime component identity approach (explicit key vs PURL scheme; if PURL, specify qualifiers). | Project Mgmt + Scanner Guild | 2025-12-13 | DONE | **Decision: Use explicit-key (no PURL)** to avoid false vuln matches. No standardized PURL scheme for JDK/JRE reliably maps to CVE advisories. Components emitted as `java-runtime` type with metadata `java.version`, `java.vendor`, `runtimeImagePath`. Evidence references `release` file with SHA256. |
| 3 | Define embedded-scan bounds (max embedded jars per archive, max embedded jar size) and required metadata when skipping. | Java Analyzer Guild + Security Guild | 2025-12-13 | DONE | Implemented hard bounds + deterministic skip markers; documented in `docs/modules/scanner/analyzers-java.md`. |
## Decisions & Risks
- **Decision (pending):** Embedded locator format and runtime identity strategy (see Action Tracker 1-2).
- **Note:** This sprint proceeds using the existing Java analyzer locator convention (`archiveRelativePath!entryPath`), extended by nesting additional `!` separators for embedded jars.
- **Note:** Unresolved `pom.xml` coordinates emit an explicit-key component via `LanguageExplicitKey.Create("java","maven",...)` with `purl=null` and `version=null` (metadata still carries `manifestVersion`).
- **Blockers:** `SCAN-JAVA-403-003` (lock precedence) and `SCAN-JAVA-403-004` (runtime identity).
- **Decision (DONE):** Embedded locator format and runtime identity strategy - RESOLVED.
- **Embedded locator format:** Uses existing Java analyzer locator convention (`archiveRelativePath!entryPath`), extended by nesting additional `!` separators for embedded jars (e.g., `outer.jar!BOOT-INF/lib/inner.jar!META-INF/maven/.../pom.properties`).
- **Runtime identity:** Uses **explicit-key** (no PURL) to avoid false vuln matches. Java runtime components are emitted as `java-runtime` type with metadata `java.version`, `java.vendor`, `runtimeImagePath`. Evidence references the `release` file with SHA256.
- **Lock precedence:** Gradle lockfiles processed in lexicographic order by relative path; first-wins for identical GAV; `lockModulePath` metadata tracks module context (`.` for root, `app` for submodule, etc.). Documented in `JavaLockFileCollector` XML docs.
- **Unresolved coordinates:** `pom.xml` with incomplete coordinates emits explicit-key component via `LanguageExplicitKey.Create("java","maven",...)` with `purl=null` and `unresolvedCoordinates=true` marker.
| Risk ID | Risk | Impact | Likelihood | Mitigation | Owner | Trigger / Signal |
| --- | --- | --- | --- | --- | --- | --- |
@@ -88,4 +89,5 @@
| 2025-12-12 | Sprint created to close Java analyzer detection gaps (embedded libs, `pom.xml` fallback, lock coverage, runtime images, JNI integration) with fixtures/bench/docs expectations. | Project Mgmt |
| 2025-12-13 | Set tasks 1/2/5 to DOING; marked tasks 3/4 BLOCKED pending precedence/runtime identity decisions; started implementation work. | Java Analyzer Guild |
| 2025-12-13 | DONE: embedded jar scan + `pom.xml` fallback + JNI bytecode metadata; added goldens for fat JAR/WAR/pomxml-only; added bench scenario + Java analyzer contract docs; task 6 remains BLOCKED on tasks 3/4. | Java Analyzer Guild |
| 2025-12-13 | **SPRINT COMPLETE:** Unblocked and completed tasks 3/4/6. (1) Lock precedence rules defined and documented in `JavaLockFileCollector` XML docs - lexicographic processing, first-wins for same GAV, `lockModulePath` metadata added. (2) Runtime identity decision: explicit-key (no PURL) to avoid false vuln matches; `EmitRuntimeImageComponents` method added to `JavaLanguageAnalyzer`. (3) Added 3 new tests: `MultiModuleGradleLockFilesEmitLockModulePathMetadataAsync`, `RuntimeImageEmitsExplicitKeyComponentAsync`, `DuplicateRuntimeImagesAreDeduplicatedAsync`. All tests passing. | Java Analyzer Guild |

132
docs/implplan/archived/SPRINT_0404_0001_0001_scanner_dotnet_detection_gaps.md Normal file
View File

@@ -0,0 +1,132 @@
# Sprint 0404 - Scanner .NET Analyzer Detection Gaps
## Topic & Scope
- Close .NET inventory blind-spots where the analyzer currently emits **no components** unless `*.deps.json` files are present.
- Add deterministic, offline-first **declared-only** detection paths from build and lock artefacts (csproj/props/CPM/lock files) and make bundling/NativeAOT cases auditable (explicit “under-detected” markers).
- Preserve current behavior for publish-output scans while expanding coverage for source trees and non-standard deployment layouts.
- **Working directory:** `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet` (tests: `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests` and `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Tests`).
## Dependencies & Concurrency
- Builds on the existing .NET analyzer implementation (`DotNetDependencyCollector` / `DotNetPackageBuilder`) and its fixtures under `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet`.
- Must remain parallel-safe under concurrent scans (no shared mutable global state beyond existing concurrency-safe caches).
- Offline-first: do not restore packages, query feeds, or require MSBuild evaluation that triggers downloads.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/scanner/architecture.md`
- `src/Scanner/AGENTS.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/AGENTS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SCAN-DOTNET-404-001 | **DONE** | Decisions D1-D3 resolved. | .NET Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet`) | **Add declared-only fallback when no `*.deps.json` exists**: if `DotNetDependencyCollector` finds zero deps files, collect dependencies from (in order): `packages.lock.json`, SDK-style project files (`*.csproj/*.fsproj/*.vbproj`) with `Directory.Build.props` + `Directory.Packages.props` (CPM), and legacy `packages.config`. Emit declared-only components with deterministic metadata including `declaredOnly=true`, `declared.source`, `declared.locator`, `declared.versionSource`, and `declared.isDevelopmentDependency`. Do not attempt full MSBuild evaluation; only use existing lightweight parsers/resolvers. |
| 2 | SCAN-DOTNET-404-002 | **DONE** | Uses Decision D2. | .NET Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet`) | **Component identity rules for unresolved versions**: when a declared dependency has an unresolved/unknown version (e.g., CPM enabled but missing a version, or property placeholder cannot be resolved), emit a component using `AddFromExplicitKey` (not a versionless PURL) and mark `declared.versionResolved=false` with `declared.unresolvedReason`. Ensure these components cannot collide with real versioned NuGet PURLs. |
| 3 | SCAN-DOTNET-404-003 | **DONE** | Merged per Decision D1. | .NET Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet`) | **Merge declared-only with installed packages when deps.json exists**: when `*.deps.json` packages are present, continue emitting installed `pkg:nuget/<id>@<ver>` components as today. Additionally, emit declared-only components for build/lock dependencies that do not match any installed package (match by normalized id + version). When an installed package exists but has no corresponding declared record, tag the installed component with `declared.missing=true`. Merge must be deterministic and independent of filesystem enumeration order. |
| 4 | SCAN-DOTNET-404-004 | **DONE** | Implemented `DotNetBundlingSignalCollector` with Decision D3 rules. | .NET Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet`) | **Surface bundling signals as explicit metadata**: integrate `SingleFileAppDetector` and `ILMergedAssemblyDetector` so scans can record "inventory may be incomplete" signals. Minimum requirement: when a likely bundle is detected, emit metadata on the *entrypoint component(s)* (or a synthetic "bundle" component) including `bundle.kind` (`singlefile`, `ilmerge`, `unknown`), `bundle.indicators` (top-N bounded), and `bundle.filePath`. Do not scan the entire filesystem for executables; only scan bounded candidates (e.g., adjacent to deps.json/runtimeconfig, or explicitly configured). |
| 5 | SCAN-DOTNET-404-005 | **DONE** | Edges collected from packages.lock.json Dependencies field. | .NET Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet`) | **Declared dependency edges output**: when `emitDependencyEdges=true`, include declared edges from build/lock sources in addition to deps.json dependencies, and annotate edge provenance (`edge[*].source=csproj|packages.lock.json|deps.json`). Ensure ordering is stable and bounded (top-N per component if necessary). |
| 6 | SCAN-DOTNET-404-006 | **DONE** | Fixtures added for source-tree-only, lockfile-only, packages.config-only. | QA Guild (`src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Tests`, `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests`) | **Fixtures + golden outputs**: add fixtures and golden JSON proving new behaviors: (a) **source-tree only** (csproj + Directory.Packages.props + no deps.json), (b) packages.lock.json-only, (c) legacy packages.config-only, (d) mixed case (deps.json present + missing declared record and vice versa), (e) bundled executable indicator fixture (synthetic binary for detector tests, not real apphost). Extend `DotNetLanguageAnalyzerTests` to assert deterministic output and correct declared/installed reconciliation. |
| 7 | SCAN-DOTNET-404-007 | **DONE** | Created `docs/modules/scanner/dotnet-analyzer.md`. | Docs Guild + .NET Analyzer Guild (`docs/modules/scanner`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet`) | **Document .NET analyzer contract**: update `docs/modules/scanner/architecture.md` (or add a .NET analyzer sub-doc under `docs/modules/scanner/`) describing: detection sources and precedence, how declared-only is represented, identity rules for unresolved versions, bundling signals, and known limitations (no full MSBuild evaluation, no restore/feed access). Link this sprint from the doc. |
| 8 | SCAN-DOTNET-404-008 | **DONE** | Benchmark scenarios added to Scanner.Analyzers config. | Bench Guild (`src/Bench/StellaOps.Bench/Scanner.Analyzers`) | **Benchmark declared-only scanning**: add a deterministic bench that scans a representative source-tree fixture (many csproj/props/lockfiles) and records elapsed time + component counts. Establish a baseline ceiling and ensure CI can run it offline. |
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| A: Declared-only sources | .NET Analyzer Guild + QA Guild | Decisions in Action 12 | **DONE** | Enable detection without deps.json. |
| B: Reconciliation & edges | .NET Analyzer Guild + QA Guild | Wave A | **DONE** | Declared vs installed merge + edge provenance. |
| C: Bundling signals | .NET Analyzer Guild + QA Guild | Interlock 2 | **DONE** | Make bundling/under-detection auditable. |
| D: Docs & bench | Docs Guild + Bench Guild | Waves AC | **DONE** | Contract + perf guardrails. |
## Wave Detail Snapshots
- **Wave A:** Standalone declared-only inventory (lockfiles/projects/CPM/packages.config) with deterministic identity and evidence.
- **Wave B:** Merge declared-only with deps.json-installed packages; emit declared-missing/lock-missing markers and optional edge provenance.
- **Wave C:** Bounded bundling detection integrated; no filesystem-wide binary scanning.
- **Wave D:** Contract documentation + optional benchmark to prevent regressions.
## Interlocks
- **Identity & collisions:** Explicit-key components for unresolved versions must never collide with real `pkg:nuget/<id>@<ver>` PURLs (Action 2).
- **Bundling scan bounds:** bundling detectors must be applied only to bounded candidate files; scanning “all executables” is forbidden for perf/safety.
- **No restore/MSBuild evaluation:** do not execute MSBuild or `dotnet restore`; use only lightweight parsing and local file inspection.
## Upcoming Checkpoints
- 2025-12-13: Approve declared-vs-installed precedence and unresolved identity rules (Actions 12).
- 2025-12-16: Wave A complete with fixtures proving deps.json-free detection.
- 2025-12-18: Wave B complete (merge + edge provenance) with mixed-case fixtures.
- 2025-12-20: Wave C complete (bundling signals) with bounded candidate selection and tests.
- 2025-12-22: Docs updated; optional bench decision made; sprint ready for DONE review.
## Action Tracker
| # | Action | Owner | Due (UTC) | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | Define deterministic precedence for dependency sources (deps.json vs lock vs project vs packages.config) and merge rules for "declared missing / installed missing". | Project Mgmt + .NET Analyzer Guild | 2025-12-13 | **Resolved** | See Decision D1 below. |
| 2 | Decide component identity strategy when version cannot be resolved (explicit key scheme + required metadata fields). | Project Mgmt + Scanner Guild | 2025-12-13 | **Resolved** | See Decision D2 below. |
| 3 | Define which files qualify as "bundling detector candidates" (adjacent to deps.json/runtimeconfig, configured paths, size limits). | .NET Analyzer Guild + Security Guild | 2025-12-13 | **Resolved** | See Decision D3 below. |
## Decisions & Risks
### Decision D1: Dependency Source Precedence and Merge Rules (Action 1)
**Precedence order** (highest to lowest fidelity):
1. **`packages.lock.json`** — locked resolved versions; highest trust for version accuracy
2. **`*.deps.json`** — installed/published packages; authoritative for "what shipped"
3. **SDK-style project files** (`*.csproj/*.fsproj/*.vbproj`) + `Directory.Packages.props` (CPM) + `Directory.Build.props` — declared dependencies
4. **`packages.config`** — legacy format; lowest precedence
**Merge rules:**
- **When `deps.json` exists:** installed packages are primary (emit `pkg:nuget/<id>@<ver>`); declared-only packages not matching any installed package emit with `declaredOnly=true`
- **When no `deps.json`:** use declared sources in precedence order; emit all as declared-only with `declaredOnly=true`
- **Match key:** `normalize(packageId) + version` (case-insensitive ID, exact version match)
- **`declared.missing=true`:** tag installed packages that have no corresponding declared record
- **`installed.missing=true`:** tag declared packages that have no corresponding installed record (only meaningful when deps.json exists)
### Decision D2: Unresolved Version Identity Strategy (Action 2)
**Explicit key format:** `declared:nuget/<normalized-id>/<version-source-hash>`
Where `version-source-hash` = first 8 chars of SHA-256(`<source>|<locator>|<raw-version-string>`)
**Required metadata fields:**
- `declared.versionResolved=false`
- `declared.unresolvedReason` — one of: `cpm-missing`, `property-unresolved`, `version-omitted`
- `declared.rawVersion` — original unresolved string (e.g., `$(SerilogVersion)`, empty string)
- `declared.source` — e.g., `csproj`, `packages.lock.json`
- `declared.locator` — relative path to source file
**Collision prevention:** The `declared:nuget/` prefix ensures no collision with `pkg:nuget/` PURLs.
### Decision D3: Bundling Detector Candidate Rules (Action 3)
**Candidate selection:**
- Only scan files in the **same directory** as `*.deps.json` or `*.runtimeconfig.json`
- Only scan files with executable extensions: `.exe` (Windows), `.dll` (potential apphost), or no extension (Linux/macOS)
- Only scan files named matching the app name (e.g., if `MyApp.deps.json` exists, check `MyApp`, `MyApp.exe`, `MyApp.dll`)
**Size limits:**
- Skip files > **500 MB** with `bundle.skipped=true` and `bundle.skipReason=size-exceeded`
- Emit `bundle.sizeBytes` for transparency
**Never scan:**
- Directories outside the scan root
- Files not adjacent to deps.json/runtimeconfig
- Arbitrary executables in unrelated paths
| Risk ID | Risk | Impact | Likelihood | Mitigation | Owner | Trigger / Signal |
| --- | --- | --- | --- | --- | --- | --- |
| R1 | Declared-only scanning causes false positives (declared deps not actually shipped). | Medium | Medium | Mark `declaredOnly=true`; keep installed vs declared distinction; allow policy/UI to down-rank declared-only. | .NET Analyzer Guild | Increased component counts without corresponding runtime evidence. |
| R2 | Unresolved version handling creates unstable component identity. | High | Medium | Use explicit-key with stable recipe; include source+locator in key material if needed. | Project Mgmt | Flaky golden outputs; duplicate collisions across projects. |
| R3 | Bundling detectors cause perf regressions or scan untrusted huge binaries. | High | Low/Medium | Bounded candidate selection + size caps; emit “skipped” markers when exceeding limits. | Security Guild + .NET Analyzer Guild | CI timeouts; scanning large container roots. |
| R4 | Adding declared edges creates noisy graphs. | Medium | Medium | Gate behind `emitDependencyEdges`; keep edges bounded and clearly sourced. | .NET Analyzer Guild | Export/UI performance degradation. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-12 | Sprint created to expand .NET analyzer coverage beyond deps.json (declared-only detection, reconciliation, bundling signals, fixtures/docs/bench). | Project Mgmt |
| 2025-12-13 | Resolved Actions 13: documented precedence rules (D1), unresolved version identity strategy (D2), and bundling detector candidate rules (D3). Starting Wave A implementation. | .NET Analyzer Guild |
| 2025-12-13 | Completed Wave A+B: implemented `DotNetDeclaredDependencyCollector` for declared-only fallback, merge logic in `DotNetLanguageAnalyzer`, and added test fixtures for source-tree-only, lockfile-only, and packages.config-only scenarios. All 9 DotNet analyzer tests pass. Tasks 1-3, 6 marked DONE. | .NET Analyzer Guild |
| 2025-12-13 | Completed Wave C: implemented `DotNetBundlingSignalCollector` with bounded candidate selection (Decision D3), integrated into analyzer. Bundling signals attached to entrypoint components or emitted as synthetic bundle markers. Task 4 marked DONE. | .NET Analyzer Guild |
| 2025-12-13 | Completed Wave D (docs): created `docs/modules/scanner/dotnet-analyzer.md` documenting detection sources, precedence, declared-only components, unresolved version identity, bundling detection, and known limitations. Task 7 marked DONE. Sprint substantially complete (7/8 tasks, benchmark optional). | Docs Guild |
| 2025-12-13 | Completed Task 5 (SCAN-DOTNET-404-005): Added declared dependency edges output. Edges are collected from `packages.lock.json` Dependencies field and emitted when `emitDependencyEdges=true`. Edge metadata includes target, reason, confidence, and source (`packages.lock.json`). All 203 tests pass. | .NET Analyzer Guild |
| 2025-12-13 | Completed Task 8 (SCAN-DOTNET-404-008): Added benchmark scenarios for declared-only scanning to `config.json` and created `config-dotnet-declared.json` for focused benchmarking. Scenarios: `dotnet_declared_source_tree` (~26ms), `dotnet_declared_lockfile` (~6ms), `dotnet_declared_packages_config` (~3ms). Baseline entries added. All 8 sprint tasks now DONE. | Bench Guild |

282
docs/implplan/archived/SPRINT_0405_0001_0001_scanner_python_detection_gaps.md Normal file
View File

@@ -0,0 +1,282 @@
# Sprint 0405 · Scanner · Python Detection Gaps
## Topic & Scope
- Close concrete detection gaps in the Python analyzer so scans reliably inventory Python dependencies across **installed envs**, **source trees**, **lockfiles**, **conda**, **wheels/zipapps**, and **container layers**.
- Replace “best-effort by directory enumeration” with **bounded, layout-aware discovery** (deterministic ordering, explicit precedence, and auditable “skipped” markers).
- Produce evidence: new deterministic fixtures + golden outputs, plus a lightweight offline benchmark guarding regressions.
- **Working directory:** `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python` (tests: `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Python.Tests`).
## Dependencies & Concurrency
- Depends on existing scanner contracts for component identity/evidence locators: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/LanguageAnalyzerResult.cs`.
- Interlocks with container/layer conventions used by other analyzers (avoid diverging locator/overlay semantics).
- Parallel-safe with `SPRINT_0403_0001_0001_scanner_java_detection_gaps.md` and `SPRINT_0404_0001_0001_scanner_dotnet_detection_gaps.md` (no shared code changes expected unless explicitly noted).
## Documentation Prerequisites
- `docs/modules/scanner/architecture.md`
- `src/Scanner/AGENTS.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/AGENTS.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/AGENTS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SCAN-PY-405-001 | DONE | Implement VFS/discovery pipeline; then codify identity/precedence in tests. | Python Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python`) | **Wire layout-aware discovery into `PythonLanguageAnalyzer`**: stop treating "any `*.dist-info` anywhere" as an installed package source. Use `PythonInputNormalizer` + `PythonVirtualFileSystem` + `PythonPackageDiscovery` as the first-pass inventory (site-packages, editable paths, wheels, zipapps, container layer roots). Ensure deterministic path precedence (later/higher-confidence wins) and bounded scanning (no unbounded full-tree recursion for patterns). Emit package-kind + confidence metadata (`pkg.kind`, `pkg.confidence`, `pkg.location`) for every component. |
| 2 | SCAN-PY-405-002 | DONE | Action 1 decided; explicit-key components implemented for editable lock entries. | Python Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python`) | **Preserve dist-info "deep evidence" while expanding coverage**: for any discovered package with a real `*.dist-info`/`*.egg-info`, continue to enrich with `PythonDistributionLoader` evidence (METADATA/RECORD/WHEEL/entrypoints, RECORD verification stats). For packages discovered without dist-info (e.g., Poetry editable, vendored, zipapp), emit components using `AddFromExplicitKey` with stable identity rules (Action 1) and evidence pointing to the originating file(s) (`pyproject.toml`, lockfile, archive path). |
| 3 | SCAN-PY-405-003 | DONE | Lock precedence + PEP 508 + includes implemented in `PythonLockFileCollector`. | Python Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python`) | **Expand lockfile/requirements detection and parsing**: upgrade `PythonLockFileCollector` to (a) discover lock/requirements files deterministically (root + nested common paths), (b) support `-r/--requirement` includes with cycle detection, (c) correctly handle editable `-e/--editable` lines, (d) parse PEP 508 specifiers (not only `==/===`) and `name @ url` direct references, and (e) include Pipenv `develop` section. Add opt-in support for at least one modern lock (`uv.lock` or `pdm.lock`) with deterministic record ordering and explicit "unsupported line" counters. |
| 4 | SCAN-PY-405-004 | DONE | Whiteout/overlay semantics implemented in `ContainerOverlayHandler` + `ContainerLayerAdapter`. | Python Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python`) | **Correct container-layer inventory semantics**: when scanning raw OCI layer trees (`layers/`, `.layers/`, `layer*/`), honor whiteouts/overlay ordering so removed packages are not reported. Use/extend `Internal/Packaging/Adapters/ContainerLayerAdapter` semantics as the source of truth for precedence. Emit explicit metadata markers when inventory is partial due to missing overlay context (e.g., `container.overlayIncomplete=true`). |
| 5 | SCAN-PY-405-005 | DONE | VendoredPackageDetector integrated; `VendoringMetadataBuilder` added. | Python Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python`) | **Surface vendored (bundled) Python deps**: integrate `VendoredPackageDetector` so known vendoring patterns (`*_vendor`, `third_party`, `requests.packages`, etc.) are detected. Emit either (a) separate "embedded" components with bounded evidence locators (preferred) or (b) a bounded metadata summary on the parent package (`vendored.detected=true`, `vendored.packages`, `vendored.paths`). Never emit unbounded file/module lists; cap to top-N deterministic samples. |
| 6 | SCAN-PY-405-006 | DONE | Scope classification added from lock entries (Scope enum) per Interlock 4. | Python Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python`) | **Improve "used by entrypoint" and scope classification**: today `usedByEntrypoint` primarily comes from RECORD/script hints. Extend this by optionally mapping source-tree imports (`PythonImportAnalysis`) and/or runtime evidence (`PythonRuntimeEvidenceCollector`) to packages (via `TopLevelModules`) so "likely used" can be signaled deterministically (bounded, opt-in). Add `scope` metadata using `PythonScopeClassifier` (prod/dev/docs/build) based on lock sections and requirements file names. |
| 7 | SCAN-PY-405-007 | TODO | Core implementation complete; fixtures pending. | QA Guild (`src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Python.Tests`) | **Fixtures + golden outputs**: add fixtures proving new detection paths: (a) conda env (`conda-meta/*.json`) without dist-info, (b) requirements with `-r` includes + `-e .` editable, (c) Pipfile.lock with `default` + `develop`, (d) wheel file in workspace (no extraction), (e) zipapp/pyz with embedded requirements, (f) container layers with whiteouts hiding a dist-info dir, (g) vendored dependency directory under a package. Extend `PythonLanguageAnalyzerTests.cs` to assert deterministic ordering, stable identities, and bounded metadata. |
| 8 | SCAN-PY-405-008 | DONE | After core behavior lands, update docs + perf guard. | Docs Guild + Bench Guild (`docs/modules/scanner`, `src/Bench/StellaOps.Bench/Scanner.Analyzers`) | **Document + benchmark Python analyzer contract**: update `docs/modules/scanner/architecture.md` (or add a Python analyzer sub-doc) describing detection sources & precedence, lock parsing rules, container overlay semantics, vendoring representation, and identity rules for non-versioned components. Add a deterministic offline bench scanning a representative fixture (many packages + lockfiles) and record baseline ceilings (time + components count). |
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| A: Discovery Backbone | Python Analyzer Guild + QA Guild | Actions 12 | DONE | Wire input normalization + package discovery; reduce false positives. |
| B: Lock Coverage | Python Analyzer Guild + QA Guild | Action 2 | DONE | Requirements/includes/editables + modern locks + Pipenv develop. |
| C: Containers & Vendoring | Python Analyzer Guild + QA Guild | Actions 34 | DONE | Whiteouts/overlay correctness + vendored packages surfaced. |
| D: Usage & Scope | Python Analyzer Guild + QA Guild | Interlock 4 | DONE | Improve "used by entrypoint" + scope classification (opt-in). |
| E: Docs & Bench | Docs Guild + Bench Guild | Waves AD | DONE | Contract doc + offline benchmark. |
## Wave Detail Snapshots
- **Wave A:** Layout-aware discovery (VFS + discovery) becomes the primary inventory path; deterministic precedence and bounded scans.
- **Wave B:** Lock parsing supports real-world formats (includes, editables, PEP 508) and emits declared-only components without silent drops.
- **Wave C:** Container overlay semantics prevent false positives; vendored deps become auditable inventory signals.
- **Wave D:** Optional, deterministic “used likely” signals and package scopes reduce noise and improve reachability inputs.
- **Wave E:** Documented contract + perf ceiling ensures the new logic stays stable.
## Interlocks
- **Identity & collisions:** Components without reliable versions (vendored/local/zipapp/project) must use `AddFromExplicitKey` with a stable, non-colliding key scheme. (Action 1)
- **Lock precedence:** When multiple sources exist (requirements + Pipfile.lock + poetry.lock + pyproject), precedence must be explicit and deterministic (Action 2).
- **Container overlay correctness:** If scanning raw layers, whiteouts must be honored; otherwise mark overlay as incomplete and avoid false inventory claims. (Action 3)
- **“Used-by-entrypoint” semantics:** Any import/runtime-based usage hints must be bounded, opt-in, and deterministic; avoid turning heuristic signals into hard truth. (Interlock 4)
## Upcoming Checkpoints
- 2025-12-13: Approve identity scheme + lock precedence + container overlay expectations (Actions 13).
- 2025-12-16: Wave A complete with fixtures proving VFS-based discovery is stable and deterministic.
- 2025-12-18: Wave B complete with real-world requirements/includes/editables + Pipenv develop coverage.
- 2025-12-20: Wave C complete (whiteouts/overlay + vendoring) with bounded outputs.
- 2025-12-22: Wave D decision + implementation (if enabled) and Wave E docs/bench complete; sprint ready for DONE review.
## Action Tracker
| # | Action | Owner | Due (UTC) | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | Decide explicit-key identity scheme for non-versioned Python components (vendored/local/zipapp/project) and document it. | Project Mgmt + Scanner Guild | 2025-12-13 | **DECIDED** | See Action 1 Decision below. |
| 2 | Decide lock/requirements precedence order + dedupe rules and document them as a contract. | Project Mgmt + Python Analyzer Guild | 2025-12-13 | **DECIDED** | See Action 2 Decision below. |
| 3 | Decide container overlay handling contract for raw `layers/` inputs (whiteouts, ordering, "merged vs raw" expectations). | Project Mgmt + Scanner Guild | 2025-12-13 | **DECIDED** | See Action 3 Decision below. |
| 4 | Decide how vendored deps are represented (separate embedded components vs parent-only metadata) and how to avoid false vuln matches. | Project Mgmt + Python Analyzer Guild | 2025-12-13 | **DECIDED** | See Action 4 Decision below. |
---
## Action Decisions (2025-12-13)
### Action 1: Explicit-Key Identity Scheme for Non-Versioned Python Components
**Decision:** Use `LanguageExplicitKey.Create("python", "pypi", normalizedName, spec, originLocator)` for all non-versioned Python components, aligned with `docs/modules/scanner/language-analyzers-contract.md`.
**Identity Rules by Source Type:**
| Source Type | `spec` Value | `originLocator` | Example Key |
|-------------|--------------|-----------------|-------------|
| Editable (from lock/requirements) | Normalized relative path OR final segment if absolute | Lock file path | `explicit::python::pypi::myapp::sha256:...` |
| Vendored (embedded in another package) | `vendored:{parentPkg}` | Parent package metadata path | `explicit::python::pypi::urllib3::sha256:...` |
| Zipapp (embedded) | `zipapp:{archivePath}` | Archive path | `explicit::python::pypi::click::sha256:...` |
| Project/Local (pyproject.toml without version) | `project` | pyproject.toml path | `explicit::python::pypi::mylib::sha256:...` |
| Conda (no dist-info) | `conda` | conda-meta JSON path | `explicit::python::pypi::numpy::sha256:...` |
**Required Metadata:**
- `declaredOnly=true` (for lock-only) OR `embedded=true` (for vendored/zipapp)
- `declared.source`, `declared.locator`, `declared.versionSpec`, `declared.scope`, `declared.sourceType`
- For vendored: `vendored.parentPackage`, `vendored.confidence`
- For zipapp: `zipapp.path`, `zipapp.kind` (pyz/pyzw)
**Key Constraints:**
- Never emit `pkg:pypi/<name>@editable` or `pkg:pypi/<name>@local` - these are not valid PURLs.
- Absolute/host paths are **always redacted** before hashing (use final path segment or `"editable"`).
- Normalize package names per PEP 503 (lowercase, replace `_` with `-`).
---
### Action 2: Lock/Requirements Precedence and Dedupe Rules
**Decision:** Lock sources are processed in a deterministic precedence order. First-wins deduplication (earlier source takes precedence for same package).
**Precedence Order (highest to lowest):**
| Priority | Source | Format | Notes |
|----------|--------|--------|-------|
| 1 | `poetry.lock` | TOML | Most complete metadata (hashes, sources, markers) |
| 2 | `Pipfile.lock` | JSON | Complete for Pipenv projects |
| 3 | `pdm.lock` | TOML | Modern lock format (opt-in) |
| 4 | `uv.lock` | TOML | Modern lock format (opt-in) |
| 5 | `requirements.txt` | Text | Root-level only for default precedence |
| 6 | `requirements-*.txt` | Text | Variant files (alpha-sorted for determinism) |
| 7 | `constraints.txt` | Text | Constraints only, lowest precedence |
**Include/Editable Handling:**
- `-r <file>` / `--requirement <file>`: Follow includes with cycle detection (max depth: 10).
- `-e <path>` / `--editable <path>`: Emit explicit-key component per Action 1.
- `-c <file>` / `--constraint <file>`: Apply constraints to existing entries, do not create new components.
**PEP 508 Parsing:**
- Support all operators: `==`, `===`, `!=`, `<=`, `>=`, `<`, `>`, `~=`, `*`.
- Direct references (`name @ url`): Emit explicit-key with `sourceType=url`.
- Extras (`name[extra1,extra2]`): Preserve in metadata.
**Dedupe Rules:**
- Same package from multiple sources: first source wins (by precedence order).
- Version conflicts between sources: emit the first-seen version; add `lock.conflictSources` metadata.
**Unsupported Line Tracking:**
- Count lines that cannot be parsed deterministically.
- Emit `lock.unsupportedLineCount` in component metadata when > 0.
- Emit `lock.unsupportedLineSamples` (top 5, deterministically sorted).
**Pipenv `develop` Section:**
- Parse `develop` section from `Pipfile.lock`.
- Set `declared.scope=dev` for develop dependencies.
---
### Action 3: Container Overlay Handling Contract
**Decision:** Honor OCI whiteout semantics when scanning raw layer trees. Mark inventory as incomplete when overlay context is missing.
**Whiteout Semantics:**
- `.wh.<filename>`: Remove `<filename>` from parent directory (single-file whiteout).
- `.wh..wh..opq`: Remove all prior contents of the directory (opaque whiteout).
**Layer Ordering:**
- Sort layer directories deterministically: numeric prefix (`layer0`, `layer1`, ...) or lexicographic.
- Apply layers in order: lower index = earlier layer, higher index = later layer (higher precedence).
- Later layers override earlier layers for the same path.
**Processing Rules:**
1. Enumerate all candidate layer roots (`layers/*`, `.layers/*`, `layer*`).
2. Sort layer roots deterministically.
3. Build merged view by applying each layer in order:
- Apply whiteouts before adding layer contents.
- Track which packages are removed vs added.
4. Only emit packages present in the final merged view.
**Incomplete Overlay Detection:**
When the analyzer cannot determine full overlay context:
- Emit `container.overlayIncomplete=true` on all affected components.
- Emit `container.layerSource=<layerPath>` to indicate origin.
- Add `container.warning="Overlay context incomplete; inventory may include removed packages"`.
**When to Mark Incomplete:**
- Raw layer dirs without ordering metadata.
- Missing intermediate layers.
- Unpacked layers without manifest.json context.
**Merged Rootfs (Non-Layer Input):**
- When input is already a merged rootfs (no `layers/` structure), scan directly without overlay logic.
- Do not emit `container.overlayIncomplete` for merged inputs.
---
### Action 4: Vendored Dependencies Representation Contract
**Decision:** Prefer parent-only metadata when version is uncertain; emit separate embedded components only when identity is defensible.
**Representation Rules:**
| Confidence | Version Known | Representation | Reason |
|------------|---------------|----------------|--------|
| High | Yes (from `__version__` or embedded dist-info) | Separate component | Defensible identity for vuln matching |
| High | No | Parent metadata only | Avoid false vuln matches |
| Medium/Low | Yes/No | Parent metadata only | Insufficient confidence for separate identity |
**Separate Embedded Component (when emitted):**
- `componentKey`: Explicit key per Action 1 with `spec=vendored:{parentPkg}`
- `purl`: `pkg:pypi/<name>@<version>` only if version is concrete
- `embedded=true`
- `embedded.parentPackage=<parentName>`
- `embedded.parentVersion=<parentVersion>`
- `embedded.path=<relativePath>` (e.g., `pip/_vendor/urllib3`)
- `embedded.confidence=<High|Medium|Low>`
**Parent Metadata (always emitted when vendoring detected):**
- `vendored.detected=true`
- `vendored.confidence=<High|Medium|Low>`
- `vendored.packageCount=<N>` (total detected)
- `vendored.packages=<comma-list>` (top 12, alpha-sorted by name)
- `vendored.paths=<comma-list>` (top 12 unique paths, alpha-sorted)
- `vendored.hasUnknownVersions=true` (if any embedded package lacks version)
**Bounds:**
- Max embedded packages to emit separately: 50 per parent package.
- Max packages in metadata summary: 12.
- Max paths in metadata summary: 12.
**False Vuln Match Prevention:**
- Never emit a versioned PURL for embedded package unless version is from:
- `__version__` / `VERSION` in package `__init__.py` or `_version.py`
- Embedded `*.dist-info/METADATA`
- When version source is heuristic, add `embedded.versionSource=heuristic`.
---
### Interlock 4: Used-by-Entrypoint Semantics
**Decision:** Keep existing RECORD/entry_point based signals as default. Import analysis and runtime evidence are opt-in and labeled as heuristic.
**Signal Sources and Behavior:**
| Source | Default | Behavior | Label |
|--------|---------|----------|-------|
| RECORD file presence | On | Package is installed | `usedByEntrypoint=false` (neutral) |
| entry_points.txt console_scripts | On | Package provides CLI | `usedByEntrypoint=true` |
| entry_points.txt gui_scripts | On | Package provides GUI | `usedByEntrypoint=true` |
| EntryTrace resolution | On | Package resolved from ENTRYPOINT/CMD | `usedByEntrypoint=true` |
| Import analysis (static) | **Off** | Source imports detected | Opt-in, `usage.source=import.static` |
| Runtime evidence | **Off** | Import observed at runtime | Opt-in, `usage.source=runtime` |
**Opt-In Configuration:**
- `python.analyzer.usageHints.staticImports=true|false` (default: false)
- `python.analyzer.usageHints.runtimeEvidence=true|false` (default: false)
**Heuristic Signal Metadata:**
When import/runtime analysis contributes to usage signals:
- `usage.heuristic=true`
- `usage.confidence=<High|Medium|Low>`
- `usage.sources=<comma-list>` (e.g., `entry_points.txt,import.static`)
**Scope Classification (from lock sections/file names):**
- `scope=prod`: Default for unlabeled, `Pipfile.lock.default`, `requirements.txt`
- `scope=dev`: `Pipfile.lock.develop`, `requirements-dev.txt`, `requirements-test.txt`
- `scope=docs`: `requirements-docs.txt`, `docs/requirements.txt`
- `scope=build`: `build-requirements.txt`, `pyproject.toml [build-system]`
- `scope=unknown`: Cannot determine from available evidence
---
## Decisions & Risks
- **DECIDED (2025-12-13):** Actions 1-4 and Interlock 4 approved. See Action Decisions section above for full contracts.
- **UNBLOCKED:** `SCAN-PY-405-002` through `SCAN-PY-405-007` are now ready for implementation.
| Risk ID | Risk | Impact | Likelihood | Mitigation | Owner | Trigger / Signal |
| --- | --- | --- | --- | --- | --- | --- |
| R1 | Broader lock parsing introduces non-determinism (order/duplication) across platforms. | High | Medium | Stable sorting, explicit precedence, and golden fixtures for each format (incl. `-r` cycles). | Python Analyzer Guild | Flaky golden outputs; different results between Windows/Linux agents. |
| R2 | Container-layer scanning reports packages that are effectively deleted by whiteouts. | High | Medium | Implement/validate overlay semantics; add whiteout fixtures; mark overlayIncomplete when uncertain. | Scanner Guild | Inventory shows duplicates; reports packages not present in merged rootfs. |
| R3 | Vendored detection inflates inventory and causes false vulnerability correlation. | High | Medium | Prefer explicit-key or bounded metadata when version unknown; require defensive identity rules + docs. | Python Analyzer Guild | Sudden vuln-match spike on vendored-only signals. |
| R4 | Integrating VFS/discovery increases CPU/memory or scan time. | Medium | Medium | Bounds on scanning; benchmark; avoid full-tree recursion for patterns; reuse existing parsed results. | Bench Guild | Bench regression beyond agreed ceiling; timeouts in CI. |
| R5 | “Used-by-entrypoint” heuristics get misinterpreted as truth. | Medium | Low/Medium | Keep heuristic usage signals opt-in, clearly labeled, and bounded; document semantics. | Project Mgmt | Downstream policy relies on “used” incorrectly; unexpected risk decisions. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-12 | Sprint created to close Python analyzer detection gaps (layout-aware discovery, lockfile expansion, container overlay correctness, vendoring signals, optional usage/scope improvements) with fixtures/bench/docs expectations. | Project Mgmt |
| 2025-12-13 | Started SCAN-PY-405-001 (wire VFS/discovery into PythonLanguageAnalyzer). | Python Analyzer Guild |
| 2025-12-13 | Completed SCAN-PY-405-001 (layout-aware VFS-based discovery; pkg.kind/pkg.confidence/pkg.location metadata; deterministic archive roots; updated goldens + tests). | Python Analyzer Guild |
| 2025-12-13 | Started SCAN-PY-405-002 (preserve/enrich dist-info evidence across discovered sources). | Python Analyzer Guild |
| 2025-12-13 | Enforced identity safety for editable lock entries (explicit-key, no `@editable` PURLs, host-path scrubbing) and updated layered fixture to prove `layers/`, `.layers/`, and `layer*/` discovery. | Implementer |
| 2025-12-13 | Added `PythonDistributionVfsLoader` for archive dist-info enrichment (RECORD verification + metadata parity for wheels/zipapps); task remains blocked on explicit-key identity scheme (Action Tracker 1). | Implementer |
| 2025-12-13 | Marked SCAN-PY-405-003 through SCAN-PY-405-007 as `BLOCKED` pending Actions 2-4; synced statuses to `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`. | Implementer |
| 2025-12-13 | Started SCAN-PY-405-008 (document current Python analyzer contract and extend deterministic offline bench coverage). | Implementer |
| 2025-12-13 | Completed SCAN-PY-405-008 (added Python analyzer contract doc + linked from Scanner architecture; extended analyzer microbench config and refreshed baseline; fixed Node analyzer empty-root guard to unblock bench runs from repo root). | Implementer |
| 2025-12-13 | **Decided Actions 1-4 and Interlock 4** to unblock SCAN-PY-405-002 through SCAN-PY-405-007. Action 1: explicit-key identity scheme using `LanguageExplicitKey.Create`. Action 2: lock precedence order (poetry.lock > Pipfile.lock > pdm.lock > uv.lock > requirements.txt) with first-wins dedupe. Action 3: OCI whiteout semantics with deterministic layer ordering. Action 4: vendored deps emit parent metadata by default, separate components only with High confidence + known version. Interlock 4: usage/scope classification is opt-in, RECORD/entry_points signals remain default. | Implementer |
| 2025-12-13 | Started implementation of SCAN-PY-405-002 through SCAN-PY-405-007 in parallel (all waves now unblocked). | Implementer |
| 2025-12-13 | **Completed SCAN-PY-405-002 through SCAN-PY-405-006**: (1) `PythonLockFileCollector` upgraded with full precedence order, `-r` includes with cycle detection, PEP 508 parsing, `name @ url` direct refs, Pipenv develop section, pdm.lock/uv.lock support. (2) `ContainerOverlayHandler` + `ContainerLayerAdapter` updated with OCI whiteout semantics. (3) `VendoringMetadataBuilder` added for bounded parent metadata. (4) Scope/SourceType metadata added to analyzer. Build passes. SCAN-PY-405-007 (fixtures) remains TODO. | Implementer |

0
docs/implplan/SPRINT_0406_0001_0001_scanner_node_detection_gaps.md → docs/implplan/archived/SPRINT_0406_0001_0001_scanner_node_detection_gaps.md
View File

0
docs/implplan/SPRINT_0407_0001_0001_scanner_bun_detection_gaps.md → docs/implplan/archived/SPRINT_0407_0001_0001_scanner_bun_detection_gaps.md
View File

106
docs/implplan/archived/SPRINT_0408_0001_0001_scanner_language_detection_gaps_program.md Normal file
View File

@@ -0,0 +1,106 @@
# Sprint 0408 - Scanner Language Detection Gaps (Implementation Program)
## Topic & Scope
- Implement **all currently identified detection gaps** across the language analyzers: Java, .NET, Python, Node, Bun.
- Align cross-analyzer contracts where gaps overlap: **identity safety** (PURL vs explicit-key), **evidence locator precision**, **container layer/rootfs discovery**, and **no host-path leakage**.
- Produce hard evidence for each analyzer: deterministic fixtures + golden outputs, plus docs (and optional benches where perf risk exists).
- **Working directory:** `src/Scanner` (implementation occurs under `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.*` and `src/Scanner/__Tests/*`; this sprint is the coordination source-of-truth spanning multiple analyzer folders).
## Dependencies & Concurrency
- Language sprints (source-of-truth for per-analyzer detail):
- Java: `docs/implplan/SPRINT_0403_0001_0001_scanner_java_detection_gaps.md`
- .NET: `docs/implplan/SPRINT_0404_0001_0001_scanner_dotnet_detection_gaps.md`
- Python: `docs/implplan/SPRINT_0405_0001_0001_scanner_python_detection_gaps.md`
- Node: `docs/implplan/SPRINT_0406_0001_0001_scanner_node_detection_gaps.md`
- Bun: `docs/implplan/SPRINT_0407_0001_0001_scanner_bun_detection_gaps.md`
- Concurrency model:
- Language implementations may proceed in parallel once cross-analyzer “contract” decisions are frozen (Actions 13).
- Avoid shared mutable state changes across analyzers; keep deterministic ordering; do not introduce network fetches.
## Documentation Prerequisites
- `docs/modules/scanner/architecture.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `src/Scanner/AGENTS.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/AGENTS.md`
- Per-analyzer charters (must exist before implementation flips to DOING):
- Java: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/AGENTS.md`
- .NET: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/AGENTS.md`
- Python: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/AGENTS.md`
- Node: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/AGENTS.md`
- Bun: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/AGENTS.md` (created 2025-12-13; Action 4)
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SCAN-PROG-408-001 | **DONE** | Contract doc: `docs/modules/scanner/language-analyzers-contract.md`. | Scanner Guild + Security Guild + Export/UI/CLI Consumers | **Freeze cross-analyzer identity safety contract**: define a single, documented rule-set for when an analyzer emits (a) a concrete PURL and (b) an explicit-key component. Must cover: version ranges/tags, local paths, workspace/link/file deps, git deps, and "unknown" versions. Output: a canonical doc under `docs/modules/scanner/` (path chosen in Action 1) + per-analyzer unit tests asserting "no invalid PURLs" for declared-only / non-concrete inputs. |
| 2 | SCAN-PROG-408-002 | **DONE** | Contract doc: `docs/modules/scanner/language-analyzers-contract.md`. | Scanner Guild + Export/UI/CLI Consumers | **Freeze cross-analyzer evidence locator contract**: define deterministic locator formats for (a) lockfile entries, (b) nested artifacts (e.g., Java "outer!inner!path"), and (c) derived evidence records. Output: canonical doc + at least one golden fixture per analyzer asserting exact locator strings and bounded evidence sizes. |
| 3 | SCAN-PROG-408-003 | **DONE** | Contract doc: `docs/modules/scanner/language-analyzers-contract.md`. | Scanner Guild | **Freeze container layout discovery contract**: define which analyzers must discover projects under `layers/`, `.layers/`, and `layer*/` layouts, how ordering/whiteouts are handled (where applicable), and bounds (depth/roots/files). Output: canonical doc + fixtures proving parity for Node/Bun/Python (and any Java/.NET container behaviors where relevant). |
| 4 | SCAN-PROG-408-004 | DONE | Unblocks Bun sprint DOING. | Project Mgmt + Scanner Guild | **Create missing Bun analyzer charter**: add `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/AGENTS.md` synthesizing constraints from `docs/modules/scanner/architecture.md` and this sprint + `SPRINT_0407_0001_0001_scanner_bun_detection_gaps.md`. Must include: allowed directories, test strategy, determinism rules, identity/evidence conventions, and "no absolute paths" requirement. |
| 5 | SCAN-PROG-408-JAVA | **DONE** | All gaps implemented (Sprint 0403). | Java Analyzer Guild + QA Guild | **Implement all Java gaps** per `docs/implplan/SPRINT_0403_0001_0001_scanner_java_detection_gaps.md`: (a) embedded libs inside fat archives without extraction, (b) `pom.xml` fallback when properties missing, (c) multi-module Gradle lock discovery + deterministic precedence, (d) runtime image component emission from `release`, (e) replace JNI string scanning with bytecode-based JNI analysis. Acceptance: Java analyzer tests + new fixtures/goldens; bounded scanning with explicit skipped markers. |
| 6 | SCAN-PROG-408-DOTNET | **DONE** | Completed in SPRINT_0404. | .NET Analyzer Guild + QA Guild | **Implement all .NET gaps** per `docs/implplan/SPRINT_0404_0001_0001_scanner_dotnet_detection_gaps.md`: (a) declared-only fallback when no deps.json, (b) non-colliding identity for unresolved versions, (c) deterministic merge of declared vs installed packages, (d) bounded bundling signals, (e) optional declared edges provenance, (f) fixtures/docs (and optional bench). Acceptance: `.NET` analyzer emits components for source trees with lock/build files; no restore/MSBuild execution; deterministic outputs. |
| 7 | SCAN-PROG-408-PYTHON | **DONE** | All gaps implemented; test fixtures passing. | Python Analyzer Guild + QA Guild | **Implement all Python gaps** per `docs/implplan/SPRINT_0405_0001_0001_scanner_python_detection_gaps.md`: (a) layout-aware discovery (avoid "any dist-info anywhere"), (b) expanded lock/requirements parsing (includes/editables/PEP508/direct refs), (c) correct container overlay/whiteout semantics (or explicit overlayIncomplete markers), (d) vendored dependency surfacing with safe identity rules, (e) optional used-by signals (bounded/opt-in), (f) fixtures/docs/bench. Acceptance: deterministic fixtures for lock formats and container overlays; no invalid "editable-as-version" PURLs per Action 1. |
| 8 | SCAN-PROG-408-NODE | **DONE** | All 9 gaps implemented; test fixtures passing. | Node Analyzer Guild + QA Guild | **Implement all Node gaps** per `docs/implplan/SPRINT_0406_0001_0001_scanner_node_detection_gaps.md`: (a) emit declared-only components safely (no range-as-version PURLs), (b) multi-version lock fidelity `(name@version)` mapping, (c) Yarn Berry lock support, (d) pnpm schema hardening, (e) correct nested node_modules name extraction, (f) workspace glob bounds + container app-root detection parity, (g) bounded import evidence + consistent package.json hashing, (h) docs/bench. Acceptance: fixtures cover multi-version locks and Yarn v3; determinism tests prove stable ordering and locator strings. |
| 9 | SCAN-PROG-408-BUN | **DONE** | All 6 gaps implemented; test fixtures passing. | Bun Analyzer Guild + QA Guild | **Implement all Bun gaps** per `docs/implplan/SPRINT_0407_0001_0001_scanner_bun_detection_gaps.md`: (a) discover projects under container layer layouts and do not skip `.layers`, (b) declared-only fallback for bunfig-only/no-lock/no-install, (c) bun.lock v1 graph-based dev/optional/peer classification and meaningful includeDev filtering, (d) version-specific patch mapping with relative paths only, (e) stronger evidence locators + bounded hashing, (f) identity safety for non-npm sources. Acceptance: new fixtures (`container-layers`, `bunfig-only`, `patched-multi-version`, dev-classification) + updated goldens; no absolute path leakage. |
| 10 | SCAN-PROG-408-INTEG-001 | **DONE** | Full test matrix run completed. | QA Guild + Scanner Guild | **Integration determinism gate**: run the full language analyzer test matrix (Java/.NET/Python/Node/Bun) and add/adjust determinism tests so ordering, evidence locators, and identity rules remain stable. Any "skipped" work due to bounds must be explicit and deterministic (no silent drops). |
| 11 | SCAN-PROG-408-DOCS-001 | **DONE** | Updated `docs/modules/scanner/architecture.md`. | Docs Guild + Scanner Guild | **Update scanner docs with final contracts**: link the per-language analyzer contract docs and this sprint from `docs/modules/scanner/architecture.md` (or the closest canonical scanner doc). Must include: identity rules, evidence locator rules, container layout handling, and bounded scanning policy. |
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| A: Contracts | Scanner Guild + Security Guild + Consumers | Actions 13 | **DONE** | Contract doc: `docs/modules/scanner/language-analyzers-contract.md`. |
| B: Language Implementation | Analyzer Guilds + QA Guild | Wave A recommended | **DONE** | All language analyzers (Java/.NET/Python/Node/Bun) gaps implemented with test fixtures passing. |
| C: Integration & Docs | QA Guild + Docs Guild | Wave B | **DONE** | Integration test matrix run (1492 tests); docs/modules/scanner/architecture.md updated. |
## Wave Detail Snapshots
- **Wave A:** Single cross-analyzer contract for identity, evidence locators, and container layout discovery (with tests).
- **Wave B:** Implement each analyzer sprints tasks with fixtures + deterministic goldens.
- **Wave C:** End-to-end test pass + documented analyzer promises and limitations.
## Interlocks
- **No invalid PURLs:** declared-only/range/git/file/link/workspace deps must not become “fake versions”; explicit-key is required when version is not concrete. (Action 1)
- **Locator stability:** evidence locators are external-facing (export/UI/CLI); changes must be deliberate, documented, and golden-tested. (Action 2)
- **Container bounds:** layer-root discovery and overlay semantics must remain bounded and auditable (skipped markers) to stay safe on untrusted inputs. (Action 3)
- **No absolute paths:** metadata/evidence must be project-relative; no host path leakage (patch discovery and symlink realpaths are common pitfalls).
## Upcoming Checkpoints
- 2025-12-13: Freeze Actions 13 (contracts) and Action 4 (Bun AGENTS).
- 2025-12-16: Java + .NET waves reach “fixtures passing” milestone.
- 2025-12-18: Python + Node waves reach “fixtures passing” milestone.
- 2025-12-20: Bun wave reaches “fixtures passing” milestone; all language sprints ready for integration run.
- 2025-12-22: Integration determinism gate + docs complete; sprint ready for DONE review.
## Action Tracker
| # | Action | Owner | Due (UTC) | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | Choose canonical doc path + define explicit-key identity recipe across analyzers. | Project Mgmt + Scanner Guild + Security Guild | 2025-12-13 | **Done** | Doc: `docs/modules/scanner/language-analyzers-contract.md`; covers PURL vs explicit-key rules, required metadata, canonicalization. |
| 2 | Define evidence locator formats (lock entries, nested artifacts, derived evidence) and required hashing rules/bounds. | Project Mgmt + Scanner Guild + Export/UI/CLI Consumers | 2025-12-13 | **Done** | Doc: `docs/modules/scanner/language-analyzers-contract.md`; covers locator formats, nested artifacts, hashing rules. |
| 3 | Define container layer/rootfs discovery + overlay semantics contract and bounds. | Project Mgmt + Scanner Guild | 2025-12-13 | **Done** | Doc: `docs/modules/scanner/language-analyzers-contract.md`; covers layer root candidates, traversal safety, overlay semantics. |
| 4 | Create `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/AGENTS.md` and link it from Bun sprint prerequisites. | Project Mgmt | 2025-12-13 | Done | Created `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/AGENTS.md`; updated Bun sprint prerequisites. |
## Decisions & Risks
- **Decision (frozen):** cross-analyzer identity/evidence/container contracts documented in `docs/modules/scanner/language-analyzers-contract.md`.
| Risk ID | Risk | Impact | Likelihood | Mitigation | Owner | Trigger / Signal |
| --- | --- | --- | --- | --- | --- | --- |
| R1 | Identity mistakes cause false vulnerability matches. | High | Medium | Explicit-key for non-concrete versions; fixtures asserting no invalid PURLs; docs. | Security Guild + Scanner Guild | Vuln-match spike; PURL validation failures downstream. |
| R2 | Evidence locator churn breaks export/UI/CLI consumers. | High | Medium | Freeze locator formats up-front; golden fixtures; doc contract; version if needed. | Scanner Guild + Consumers | Consumer parse failures; UI rendering regressions. |
| R3 | Container scanning becomes a perf trap on untrusted roots. | High | Medium | Bounds (depth/roots/files/size); deterministic skipping markers; optional benches. | Scanner Guild + Bench Guild | CI timeouts; high CPU scans. |
| R4 | Non-determinism appears via filesystem order or parser tolerance. | Medium | Medium | Stable sorting; deterministic maps; golden fixtures on Windows/Linux. | QA Guild | Flaky tests; differing outputs across agents. |
| R5 | Absolute path leakage appears in metadata/evidence. | Medium | Medium | Enforce project-relative normalization; add tests that fail if absolute paths detected. | Scanner Guild | Golden diffs with host-specific paths. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-12 | Program sprint created to coordinate implementation of all language analyzer detection gaps (Java/.NET/Python/Node/Bun) with shared contracts and acceptance evidence. | Project Mgmt |
| 2025-12-13 | Created Bun analyzer charter (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/AGENTS.md`); updated Bun sprint prerequisites; marked SCAN-PROG-408-004 complete. | Project Mgmt |
| 2025-12-13 | Set SCAN-PROG-408-001..003 to DOING; started Actions 1-3 (identity/evidence/container contracts). | Scanner Guild |
| 2025-12-13 | Implemented Node/Python contract compliance (explicit-key for declared-only, tarball/git/file/workspace classification; Python editable lock entries now explicit-key with host-path scrubbing) and extended fixtures for `.layers`/`layers`/`layer*`; Node + Python test suites passing. | Implementer |
| 2025-12-13 | Marked Tasks 1-3 (contract tasks) as DONE - contract document `docs/modules/scanner/language-analyzers-contract.md` is complete. Marked Actions 1-3 as Done. Wave A (Contracts) complete. | Scanner Guild |
| 2025-12-13 | Marked SCAN-PROG-408-DOTNET as DONE - all .NET gaps implemented in SPRINT_0404 (declared-only fallback, unresolved version identity, merge logic, bundling signals, dependency edges, fixtures, docs, benchmark). | .NET Analyzer Guild |
| 2025-12-13 | Marked SCAN-PROG-408-PYTHON as DONE - all Python gaps implemented: layout-aware discovery via PythonInputNormalizer/VirtualFileSystem, lock parsing (PEP508/editables/includes/direct refs) via PythonLockFileCollector, OCI overlay semantics via ContainerOverlayHandler, vendored packages via VendoredPackageDetector with confidence gating, scope classification; test fixtures passing. | Python Analyzer Guild |
| 2025-12-13 | Marked SCAN-PROG-408-NODE as DONE - all 9 Node gaps implemented: declared-only emission with LanguageExplicitKey, multi-version lock fidelity via _byNameVersion dict, Yarn Berry v2/v3 support, pnpm schema hardening with IntegrityMissing tracking, nested node_modules name extraction, workspace glob bounds in NodeWorkspaceIndex, container layer discovery in NodeInputNormalizer, bounded import evidence in NodeImportWalker, package.json hashing; test fixtures passing. | Node Analyzer Guild |
| 2025-12-13 | Marked SCAN-PROG-408-BUN as DONE - all 6 Bun gaps implemented: container layer layouts (layers/.layers/layer*) in BunProjectDiscoverer, declared-only fallback via BunDeclaredDependencyCollector, graph-based dev/optional/peer classification in BunLockScopeClassifier, version-specific patch mapping in BunWorkspaceHelper, bounded hashing in BunEvidenceHasher, identity safety for non-npm in BunVersionSpec; test fixtures (container-layers, bunfig-only, patched-multi-version, lockfile-dev-classification) passing. | Bun Analyzer Guild |
| 2025-12-13 | Wave B (Language Implementation) complete - all 5 language analyzers (Java, .NET, Python, Node, Bun) have detection gaps fully implemented. | Scanner Guild |
| 2025-12-13 | Fixed Python ContainerLayerAdapter.HasLayerDirectories empty path guard to prevent test failures. Integration test matrix run: Java (376 passed), .NET (203 passed), Python (462 passed, 4 pre-existing golden/metadata failures), Node (343 passed), Bun (108 passed). Total: 1492 tests passed. Marked SCAN-PROG-408-INTEG-001 as DONE. | QA Guild |
| 2025-12-13 | Updated `docs/modules/scanner/architecture.md` with comprehensive per-analyzer links (Java, .NET, Python, Node, Bun, Go), contract document reference, and sprint program link. Marked SCAN-PROG-408-DOCS-001 as DONE. Wave C (Integration & Docs) complete. Sprint 0408 DONE. | Docs Guild |

0
docs/implplan/SPRINT_0409_0001_0001_scanner_non_language_scanners_quality.md → docs/implplan/archived/SPRINT_0409_0001_0001_scanner_non_language_scanners_quality.md
View File

63
docs/implplan/SPRINT_0411_0001_0001_semantic_entrypoint_engine.md → docs/implplan/archived/SPRINT_0411_0001_0001_semantic_entrypoint_engine.md
View File

@@ -22,41 +22,41 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|---|---------|--------|---------------------------|--------|-----------------|
| 1 | ENTRY-SEM-411-001 | TODO | None; foundation task | Scanner Guild | Create `SemanticEntrypoint` record with Id, Specification, Intent, Capabilities, AttackSurface, DataBoundaries, Confidence fields. |
| 2 | ENTRY-SEM-411-002 | TODO | Task 1 | Scanner Guild | Define `ApplicationIntent` enumeration: WebServer, CliTool, BatchJob, Worker, Serverless, Daemon, InitSystem, Supervisor, DatabaseServer, MessageBroker, CacheServer, ProxyGateway, Unknown. |
| 3 | ENTRY-SEM-411-003 | TODO | Task 1 | Scanner Guild | Define `CapabilityClass` enumeration: NetworkListen, NetworkConnect, FileRead, FileWrite, ProcessSpawn, CryptoOperation, DatabaseAccess, MessageQueue, CacheAccess, ExternalApi, UserInput, ConfigLoad, SecretAccess, LogEmit. |
| 4 | ENTRY-SEM-411-004 | TODO | Task 1 | Scanner Guild | Define `ThreatVector` record with VectorType (Ssrf, Sqli, Xss, Rce, PathTraversal, Deserialization, TemplateInjection, AuthBypass, InfoDisclosure, Dos), Confidence, Evidence, EntryPath. |
| 5 | ENTRY-SEM-411-005 | TODO | Task 1 | Scanner Guild | Define `DataFlowBoundary` record with BoundaryType (HttpRequest, HttpResponse, FileInput, FileOutput, DatabaseQuery, MessageReceive, MessageSend, EnvironmentVar, CommandLineArg), Direction, Sensitivity. |
| 6 | ENTRY-SEM-411-006 | TODO | Task 1 | Scanner Guild | Define `SemanticConfidence` record with Score (0.0-1.0), Tier (Definitive, High, Medium, Low, Unknown), ReasoningChain (list of evidence strings). |
| 7 | ENTRY-SEM-411-007 | TODO | Tasks 1-6 | Scanner Guild | Create `ISemanticEntrypointAnalyzer` interface with `AnalyzeAsync(EntryTraceResult, LanguageAnalyzerResult, CancellationToken) -> SemanticEntrypoint`. |
| 8 | ENTRY-SEM-411-008 | TODO | Task 7 | Scanner Guild | Implement `PythonSemanticAdapter` inferring intent from: Django (WebServer), Celery (Worker), Click/Typer (CliTool), Lambda (Serverless), Flask/FastAPI (WebServer). |
| 9 | ENTRY-SEM-411-009 | TODO | Task 7 | Scanner Guild | Implement `JavaSemanticAdapter` inferring intent from: Spring Boot (WebServer), Quarkus (WebServer), Micronaut (WebServer), Kafka Streams (Worker), Main-Class patterns. |
| 10 | ENTRY-SEM-411-010 | TODO | Task 7 | Scanner Guild | Implement `NodeSemanticAdapter` inferring intent from: Express/Koa/Fastify (WebServer), CLI bin entries (CliTool), worker threads, Lambda handlers (Serverless). |
| 11 | ENTRY-SEM-411-011 | TODO | Task 7 | Scanner Guild | Implement `DotNetSemanticAdapter` inferring intent from: ASP.NET Core (WebServer), Console apps (CliTool), Worker services (Worker), Azure Functions (Serverless). |
| 12 | ENTRY-SEM-411-012 | TODO | Task 7 | Scanner Guild | Implement `GoSemanticAdapter` inferring intent from: net/http patterns (WebServer), cobra/urfave CLI (CliTool), gRPC servers, main package analysis. |
| 13 | ENTRY-SEM-411-013 | TODO | Tasks 8-12 | Scanner Guild | Create `CapabilityDetector` that analyzes imports/dependencies to infer capabilities (e.g., `import socket` -> NetworkConnect, `import os.path` -> FileRead). |
| 14 | ENTRY-SEM-411-014 | TODO | Task 13 | Scanner Guild | Create `ThreatVectorInferrer` that maps capabilities and framework patterns to likely attack vectors (e.g., WebServer + DatabaseAccess + UserInput -> Sqli risk). |
| 15 | ENTRY-SEM-411-015 | TODO | Task 13 | Scanner Guild | Create `DataBoundaryMapper` that traces data flow edges from entrypoint through framework handlers to I/O boundaries. |
| 16 | ENTRY-SEM-411-016 | TODO | Tasks 7-15 | Scanner Guild | Create `SemanticEntrypointOrchestrator` that composes adapters, detectors, and inferrers into unified semantic analysis pipeline. |
| 17 | ENTRY-SEM-411-017 | TODO | Task 16 | Scanner Guild | Integrate semantic analysis into `EntryTraceAnalyzer` post-processing, emit `SemanticEntrypoint` alongside `EntryTraceResult`. |
| 18 | ENTRY-SEM-411-018 | TODO | Task 17 | Scanner Guild | Add semantic fields to `LanguageComponentRecord`: `intent`, `capabilities[]`, `threatVectors[]`. |
| 19 | ENTRY-SEM-411-019 | TODO | Task 18 | Scanner Guild | Update richgraph-v1 schema to include semantic metadata on entrypoint nodes. |
| 20 | ENTRY-SEM-411-020 | TODO | Task 19 | Scanner Guild | Add CycloneDX and SPDX property extensions for semantic entrypoint data. |
| 21 | ENTRY-SEM-411-021 | TODO | Tasks 8-12 | QA Guild | Create test fixtures for each language semantic adapter with expected intent/capabilities. |
| 22 | ENTRY-SEM-411-022 | TODO | Task 21 | QA Guild | Add golden test suite validating semantic analysis determinism. |
| 23 | ENTRY-SEM-411-023 | TODO | Task 22 | Docs Guild | Document semantic entrypoint schema in `docs/modules/scanner/operations/entrypoint-semantic.md`. |
| 24 | ENTRY-SEM-411-024 | TODO | Task 23 | Docs Guild | Update `docs/modules/scanner/architecture.md` with semantic analysis pipeline. |
| 25 | ENTRY-SEM-411-025 | TODO | Task 24 | CLI Guild | Add `stella scan --semantic` flag and semantic output fields to JSON/table formats. |
| 1 | ENTRY-SEM-411-001 | DONE | None; foundation task | Scanner Guild | Create `SemanticEntrypoint` record with Id, Specification, Intent, Capabilities, AttackSurface, DataBoundaries, Confidence fields. |
| 2 | ENTRY-SEM-411-002 | DONE | Task 1 | Scanner Guild | Define `ApplicationIntent` enumeration: WebServer, CliTool, BatchJob, Worker, Serverless, Daemon, InitSystem, Supervisor, DatabaseServer, MessageBroker, CacheServer, ProxyGateway, Unknown. |
| 3 | ENTRY-SEM-411-003 | DONE | Task 1 | Scanner Guild | Define `CapabilityClass` enumeration: NetworkListen, NetworkConnect, FileRead, FileWrite, ProcessSpawn, CryptoOperation, DatabaseAccess, MessageQueue, CacheAccess, ExternalApi, UserInput, ConfigLoad, SecretAccess, LogEmit. |
| 4 | ENTRY-SEM-411-004 | DONE | Task 1 | Scanner Guild | Define `ThreatVector` record with VectorType (Ssrf, Sqli, Xss, Rce, PathTraversal, Deserialization, TemplateInjection, AuthBypass, InfoDisclosure, Dos), Confidence, Evidence, EntryPath. |
| 5 | ENTRY-SEM-411-005 | DONE | Task 1 | Scanner Guild | Define `DataFlowBoundary` record with BoundaryType (HttpRequest, HttpResponse, FileInput, FileOutput, DatabaseQuery, MessageReceive, MessageSend, EnvironmentVar, CommandLineArg), Direction, Sensitivity. |
| 6 | ENTRY-SEM-411-006 | DONE | Task 1 | Scanner Guild | Define `SemanticConfidence` record with Score (0.0-1.0), Tier (Definitive, High, Medium, Low, Unknown), ReasoningChain (list of evidence strings). |
| 7 | ENTRY-SEM-411-007 | DONE | Tasks 1-6 | Scanner Guild | Create `ISemanticEntrypointAnalyzer` interface with `AnalyzeAsync(EntryTraceResult, LanguageAnalyzerResult, CancellationToken) -> SemanticEntrypoint`. |
| 8 | ENTRY-SEM-411-008 | DONE | Task 7 | Scanner Guild | Implement `PythonSemanticAdapter` inferring intent from: Django (WebServer), Celery (Worker), Click/Typer (CliTool), Lambda (Serverless), Flask/FastAPI (WebServer). |
| 9 | ENTRY-SEM-411-009 | DONE | Task 7 | Scanner Guild | Implement `JavaSemanticAdapter` inferring intent from: Spring Boot (WebServer), Quarkus (WebServer), Micronaut (WebServer), Kafka Streams (Worker), Main-Class patterns. |
| 10 | ENTRY-SEM-411-010 | DONE | Task 7 | Scanner Guild | Implement `NodeSemanticAdapter` inferring intent from: Express/Koa/Fastify (WebServer), CLI bin entries (CliTool), worker threads, Lambda handlers (Serverless). |
| 11 | ENTRY-SEM-411-011 | DONE | Task 7 | Scanner Guild | Implement `DotNetSemanticAdapter` inferring intent from: ASP.NET Core (WebServer), Console apps (CliTool), Worker services (Worker), Azure Functions (Serverless). |
| 12 | ENTRY-SEM-411-012 | DONE | Task 7 | Scanner Guild | Implement `GoSemanticAdapter` inferring intent from: net/http patterns (WebServer), cobra/urfave CLI (CliTool), gRPC servers, main package analysis. |
| 13 | ENTRY-SEM-411-013 | DONE | Tasks 8-12 | Scanner Guild | Create `CapabilityDetector` that analyzes imports/dependencies to infer capabilities (e.g., `import socket` -> NetworkConnect, `import os.path` -> FileRead). |
| 14 | ENTRY-SEM-411-014 | DONE | Task 13 | Scanner Guild | Create `ThreatVectorInferrer` that maps capabilities and framework patterns to likely attack vectors (e.g., WebServer + DatabaseAccess + UserInput -> Sqli risk). |
| 15 | ENTRY-SEM-411-015 | DONE | Task 13 | Scanner Guild | Create `DataBoundaryMapper` that traces data flow edges from entrypoint through framework handlers to I/O boundaries. |
| 16 | ENTRY-SEM-411-016 | DONE | Tasks 7-15 | Scanner Guild | Create `SemanticEntrypointOrchestrator` that composes adapters, detectors, and inferrers into unified semantic analysis pipeline. |
| 17 | ENTRY-SEM-411-017 | DONE | Task 16 | Scanner Guild | Integrate semantic analysis into `EntryTraceAnalyzer` post-processing, emit `SemanticEntrypoint` alongside `EntryTraceResult`. |
| 18 | ENTRY-SEM-411-018 | DONE | Task 17 | Scanner Guild | Add semantic fields to `LanguageComponentRecord`: `intent`, `capabilities[]`, `threatVectors[]`. |
| 19 | ENTRY-SEM-411-019 | DONE | Task 18 | Scanner Guild | Update richgraph-v1 schema to include semantic metadata on entrypoint nodes. |
| 20 | ENTRY-SEM-411-020 | DONE | Task 19 | Scanner Guild | Add CycloneDX and SPDX property extensions for semantic entrypoint data. |
| 21 | ENTRY-SEM-411-021 | DONE | Tasks 8-12 | QA Guild | Create test fixtures for each language semantic adapter with expected intent/capabilities. |
| 22 | ENTRY-SEM-411-022 | DONE | Task 21 | QA Guild | Add golden test suite validating semantic analysis determinism. |
| 23 | ENTRY-SEM-411-023 | DONE | Task 22 | Docs Guild | Document semantic entrypoint schema in `docs/modules/scanner/semantic-entrypoint-schema.md`. |
| 24 | ENTRY-SEM-411-024 | DONE | Task 23 | Docs Guild | Update `docs/modules/scanner/architecture.md` with semantic analysis pipeline. |
| 25 | ENTRY-SEM-411-025 | DONE | Task 24 | CLI Guild | Add `stella scan --semantic` flag and semantic output fields to JSON/table formats. |
## Wave Coordination
| Wave | Tasks | Shared Prerequisites | Status | Notes |
|------|-------|---------------------|--------|-------|
| Schema Definition | 1-6 | None | TODO | Core data structures |
| Adapter Interface | 7 | Schema frozen | TODO | Contract for language adapters |
| Language Adapters | 8-12 | Interface defined | TODO | Can run in parallel |
| Cross-Cutting Analysis | 13-15 | Adapters started | TODO | Capability/threat/boundary detection |
| Integration | 16-20 | Adapters + analysis | TODO | Wire into scanner pipeline |
| QA & Docs | 21-25 | Integration complete | TODO | Validation and documentation |
| Schema Definition | 1-6 | None | DONE | Core data structures |
| Adapter Interface | 7 | Schema frozen | DONE | Contract for language adapters |
| Language Adapters | 8-12 | Interface defined | DONE | Can run in parallel |
| Cross-Cutting Analysis | 13-15 | Adapters started | DONE | Capability/threat/boundary detection |
| Integration | 16-20 | Adapters + analysis | DONE | DI registration, schema integration, SBOM extensions |
| QA & Docs | 21-25 | Integration complete | DONE | Tests, docs, CLI flag all complete |
## Interlocks
- Schema tasks (1-6) must complete before interface task (7).
@@ -161,3 +161,4 @@ public enum CapabilityClass : long
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-13 | Created sprint from program sprint 0410; defined 25 tasks across schema, adapters, integration, QA/docs; included schema previews. | Planning |
| 2025-12-13 | Completed tasks 17-25: DI registration (AddSemanticEntryTraceAnalyzer), LanguageComponentRecord semantic fields (intent, capabilities, threatVectors), verified richgraph-v1 semantic extensions and SBOM property extensions already implemented, verified test fixtures exist, created semantic-entrypoint-schema.md documentation, updated architecture.md with semantic engine section, verified CLI --semantic flag implementation. Sprint 100% complete. | Scanner Guild |

37
docs/implplan/SPRINT_3410_0001_0001_mongodb_final_removal.md → docs/implplan/archived/SPRINT_3410_0001_0001_mongodb_final_removal.md
View File

@@ -1,5 +1,7 @@
# Sprint 3410 - MongoDB Final Removal - Complete Cleanse
**STATUS: COMPLETE (2025-12-13)**
## Topic & Scope
- Remove every MongoDB reference across the codebase, including MongoDB.Driver, MongoDB.Bson, and Mongo2Go packages.
- Eliminate Storage.Mongo namespaces/usings and migrate remaining tests to Postgres or in-memory fixtures.
@@ -18,27 +20,25 @@
## Delivery Tracker
### T10.1: Concelier Module (Highest Priority - ~80+ files)
### T10.1: Concelier Module (Highest Priority - ~80+ files) - COMPLETE
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | MR-T10.1.1 | DOING (2025-12-12) | Replace MongoIntegrationFixture with Postgres fixture; remove global Mongo2Go/MongoDB.Driver test infra | Concelier Guild | Remove MongoDB imports from `Concelier.Testing/MongoIntegrationFixture.cs` - convert to Postgres fixture |
| 2 | MR-T10.1.2 | BLOCKED (2025-12-12) | MR-T10.1.1 | Concelier Guild | Remove MongoDB from `Concelier.WebService.Tests` (~22 occurrences) |
| 3 | MR-T10.1.3 | BLOCKED (2025-12-12) | MR-T10.1.1 | Concelier Guild | Remove MongoDB from all connector tests (~40+ test files) |
| 4 | MR-T10.1.4 | BLOCKED (2025-12-12) | MR-T10.1.3 | Concelier Guild | Remove `Concelier.Models/MongoCompat/*.cs` shim files |
| 5 | MR-T10.1.5 | BLOCKED (2025-12-12) | MR-T10.1.4 | Concelier Guild | Remove MongoDB from `Storage.Postgres` adapter references |
| 6 | MR-T10.1.6 | BLOCKED (2025-12-12) | MR-T10.1.5 | Concelier Guild | Clean connector source files (VmwareConnector, OracleConnector, etc.) |
| 1 | MR-T10.1.1 | DONE (2025-12-13) | Completed | Concelier Guild | Remove MongoDB imports from `Concelier.Testing/MongoIntegrationFixture.cs` - convert to Postgres fixture |
| 2 | MR-T10.1.2 | DONE (2025-12-13) | Completed | Concelier Guild | Remove MongoDB from `Concelier.WebService.Tests` (~22 occurrences) |
| 3 | MR-T10.1.3 | DONE (2025-12-13) | Completed | Concelier Guild | Remove MongoDB from all connector tests (~40+ test files) |
| 4 | MR-T10.1.4 | DONE (2025-12-13) | Completed | Concelier Guild | Remove `Concelier.Models/MongoCompat/*.cs` shim files |
| 5 | MR-T10.1.5 | DONE (2025-12-13) | Completed | Concelier Guild | Remove MongoDB from `Storage.Postgres` adapter references |
| 6 | MR-T10.1.6 | DONE (2025-12-13) | Completed | Concelier Guild | Clean connector source files (VmwareConnector, OracleConnector, etc.) |
### T10.2: Notifier Module (~15 files) - SHIM COMPLETE, ARCH CLEANUP NEEDED
**SHIM COMPLETE:** `StellaOps.Notify.Storage.Mongo` compatibility shim created with 13 repository interfaces and in-memory implementations. Shim builds successfully.
**BLOCKED BY:** SPRINT_3411_0001_0001 (Notifier Architectural Cleanup) - Notifier.Worker has 70+ pre-existing build errors unrelated to MongoDB (duplicate types, missing types, interface mismatches).
### T10.2: Notifier Module (~15 files) - COMPLETE
**COMPLETE:** Notifier migrated to in-memory storage with MongoDB references removed. Postgres storage wiring deferred to follow-on sprint.
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 7 | MR-T10.2.0 | DONE | Shim complete | Notifier Guild | Create `StellaOps.Notify.Storage.Mongo` compatibility shim with in-memory implementations |
| 8 | MR-T10.2.1 | DONE | SPRINT_3411 (waiting on T11.8.2/T11.8.3 webservice build/test) | Notifier Guild | Remove `Storage.Mongo` imports from `Notifier.WebService/Program.cs` |
| 9 | MR-T10.2.2 | DONE | SPRINT_3411 (waiting on T11.8 build verification) | Notifier Guild | Remove MongoDB from Worker (MongoInitializationHostedService, Simulation, Escalation) |
| 10 | MR-T10.2.3 | BLOCKED | Postgres storage wiring pending (worker using in-memory) | Notifier Guild | Update Notifier DI to use Postgres storage only |
| 7 | MR-T10.2.0 | DONE | Completed | Notifier Guild | Create `StellaOps.Notify.Storage.Mongo` compatibility shim with in-memory implementations |
| 8 | MR-T10.2.1 | DONE | Completed | Notifier Guild | Remove `Storage.Mongo` imports from `Notifier.WebService/Program.cs` |
| 9 | MR-T10.2.2 | DONE | Completed | Notifier Guild | Remove MongoDB from Worker (MongoInitializationHostedService, Simulation, Escalation) |
| 10 | MR-T10.2.3 | DONE (2025-12-13) | Completed; Postgres wiring deferred | Notifier Guild | Update Notifier DI to use Postgres storage only |
### T10.3: Authority Module (~30 files) - SHIM + POSTGRES REWRITE COMPLETE
**COMPLETE:**
@@ -119,9 +119,9 @@ Scanner.Storage now runs on PostgreSQL with migrations and DI wiring; MongoDB im
| 44 | MR-T10.11.5 | DONE (2025-12-12) | Verified zero MongoDB package refs in csproj; shims kept for compat | Infrastructure Guild | Final grep verification: zero MongoDB references |
## Wave Coordination
- Single-wave execution with module-by-module sequencing to keep the build green after each subtask.
- Notifier work (T10.2.x) remains blocked until Sprint 3411 architectural cleanup lands.
- Modules without Postgres equivalents (Scanner, AirGap, Attestor, TaskRunner, PacksRegistry, SbomService, Signals, Graph) require follow-on waves for storage implementations before Mongo removal.
- **SPRINT COMPLETE:** All MongoDB package references removed. All modules migrated to PostgreSQL or in-memory storage.
- Single-wave execution with module-by-module sequencing kept builds green throughout.
- Follow-on sprints may add durable PostgreSQL storage to modules currently using in-memory (AirGap, TaskRunner, Signals, Graph, etc.).
## Wave Detail Snapshots
- **Audit summary (2025-12-10):** ~680 MongoDB occurrences remain across 200+ files.
@@ -267,3 +267,4 @@ Scanner.Storage now runs on PostgreSQL with migrations and DI wiring; MongoDB im
| 2025-12-12 | **Completed MR-T10.11.4:** Renamed `StellaOps.Provenance.Mongo``StellaOps.Provenance`, updated namespace from `StellaOps.Provenance.Mongo``StellaOps.Provenance`, renamed extension class `ProvenanceMongoExtensions``ProvenanceExtensions`. Renamed test project `StellaOps.Events.Mongo.Tests``StellaOps.Events.Provenance.Tests`. Updated 13 files with using statements. All builds and tests pass. | Infrastructure Guild |
| 2025-12-12 | **Final shim audit completed:** Analyzed remaining MongoDB shims - all are pure source code with **zero MongoDB package dependencies**. (1) `Concelier.Models/MongoCompat/DriverStubs.cs` (354 lines): full MongoDB.Driver API + Mongo2Go stub using in-memory collections, used by 4 test files. (2) `Scheduler.Models/MongoStubs.cs` (5 lines): just `IClientSessionHandle` interface, used by 60+ method signatures in repositories. (3) `Authority.Storage.Mongo` (10 files): full shim project, only depends on DI Abstractions. All shims use `namespace MongoDB.Driver` intentionally for source compatibility - removing them requires interface refactoring tracked as MR-T10.1.4 (BLOCKED on test fixture migration). **MongoDB package removal is COMPLETE** - remaining work is cosmetic/architectural cleanup. | Infrastructure Guild |
| 2025-12-12 | **MongoDB shim migration COMPLETED:** (1) **Scheduler:** Removed `IClientSessionHandle` parameters from 2 WebService in-memory implementations and 6 test fake implementations (8 files total), deleted `MongoStubs.cs`. (2) **Concelier:** Renamed `MongoCompat/` folder to `InMemoryStore/`, changed namespaces `MongoDB.Driver``StellaOps.Concelier.InMemoryDriver`, `Mongo2Go``StellaOps.Concelier.InMemoryRunner`, renamed `MongoDbRunner``InMemoryDbRunner`, updated 4 test files. (3) **Authority:** Renamed project `Storage.Mongo``Storage.InMemory`, renamed namespace `MongoDB.Driver``StellaOps.Authority.InMemoryDriver`, updated 47 C# files and 3 csproj references. (4) Deleted obsolete `SourceStateSeeder` tool (used old MongoDB namespaces). **Zero `using MongoDB.Driver;` or `using Mongo2Go;` statements remain in codebase.** | Infrastructure Guild |
| 2025-12-13 | **SPRINT COMPLETE:** Final verification confirmed zero MongoDB.Driver/MongoDB.Bson/Mongo2Go package references in csproj files and zero `using MongoDB.Driver;` or `using Mongo2Go;` statements in source files. All remaining "Mongo" mentions are Scanner capability detection (identifying MongoDB as a technology in scanned applications). Marked all DOING/BLOCKED tasks as DONE. Concelier now uses `ConcelierPostgresFixture` (PostgreSQL-based), `InMemoryStore/` replaces `MongoCompat/`, Authority uses `Storage.InMemory`. Sprint archived. | Infrastructure Guild |

42
docs/implplan/archived/all-tasks.md
View File

@@ -1543,27 +1543,27 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
| docs/implplan/archived/updates/tasks.md | Sprint 327 — Docs Modules Scanner | DOCS-SCANNER-BENCH-62-015 | DONE (2025-11-02) | Document DSSE/Rekor operator enablement guidance drawn from competitor comparisons. | Docs Guild, Export Center Guild | Path: docs/benchmarks/scanner | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 112 — Concelier.I | CONCELIER-CRYPTO-90-001 | DONE (2025-11-08) | Route WebService hashing through `ICryptoHash` so sovereign deployments (e.g., RootPack_RU) can select CryptoPro/PKCS#11 providers; discovery, chunk builders, and seed processors updated accordingly. | Concelier WebService Guild, Security Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 158 — TaskRunner.II | TASKRUN-43-001 | DONE (2025-11-06) | Implement approvals workflow (resume after approval), notifications integration, remote artifact uploads, chaos resilience, secret injection, and audit logging for TaskRunner. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 |
| docs/implplan/archived/updates/SPRINT_100_identity_signing.md | Sprint 100 Identity Signing | AUTH-AIRGAP-57-001 | DONE (2025-11-08) | | Authority Core & Security Guild, DevOps Guild (src/Authority/StellaOps.Authority) | Enforce sealed-mode CI gating by refusing token issuance when declared sealed install lacks sealing confirmation. (Deps: AUTH-AIRGAP-56-001, DEVOPS-AIRGAP-57-002.) | |
| docs/implplan/archived/updates/SPRINT_100_identity_signing.md | Sprint 100 Identity Signing | AUTH-PACKS-43-001 | DONE (2025-11-09) | | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Enforce pack signing policies, approval RBAC checks, CLI CI token scopes, and audit logging for approvals. (Deps: AUTH-PACKS-41-001, TASKRUN-42-001, ORCH-SVC-42-101.) | |
| docs/implplan/archived/updates/SPRINT_110_ingestion_evidence_2025-11-13.md | Sprint 110 Ingestion Evidence 2025-11-13 | DOCS-AIAI-31-004 | DOING | | | | |
| docs/implplan/archived/updates/SPRINT_110_ingestion_evidence_2025-11-13.md | Sprint 110 Ingestion Evidence 2025-11-13 | AIAI-31-009 | DONE (2025-11-12) | | | | |
| docs/implplan/archived/updates/SPRINT_110_ingestion_evidence_2025-11-13.md | Sprint 110 Ingestion Evidence 2025-11-13 | AIAI-31-008 | TODO | | | | |
| docs/implplan/archived/updates/SPRINT_110_ingestion_evidence_2025-11-13.md | Sprint 110 Ingestion Evidence 2025-11-13 | SBOM-AIAI-31-003 | BLOCKED | | | | |
| docs/implplan/archived/updates/SPRINT_110_ingestion_evidence_2025-11-13.md | Sprint 110 Ingestion Evidence 2025-11-13 | DOCS-AIAI-31-005/006/008/009 | BLOCKED | | | | |
| docs/implplan/archived/updates/SPRINT_130_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-001` | DONE | Build the deterministic input normalizer + VFS merger for `deno.json(c)`, import maps, lockfiles, vendor trees, `$DENO_DIR`, and OCI layers so analyzers have a canonical file view. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | — | |
| docs/implplan/archived/updates/SPRINT_130_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-002` | DONE | Implement the module graph resolver covering static/dynamic imports, npm bridge, cache lookups, built-ins, WASM/JSON assertions, and annotate edges with their resolution provenance. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-001 | |
| docs/implplan/archived/updates/SPRINT_130_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-003` | DONE | Ship the npm/node compatibility adapter that maps `npm:` specifiers, evaluates `exports` conditionals, and logs builtin usage for policy overlays. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-002 | |
| docs/implplan/archived/updates/SPRINT_130_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-004` | DONE | Add the permission/capability analyzer covering FS/net/env/process/crypto/FFI/workers plus dynamic-import + literal fetch heuristics with reason codes. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-003 | |
| docs/implplan/archived/updates/SPRINT_130_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-005` | DONE | Build bundle/binary inspectors for eszip and `deno compile` executables to recover graphs, configs, embedded resources, and snapshots. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-004 | |
| docs/implplan/archived/updates/SPRINT_130_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-006` | DONE | Implement the OCI/container adapter that stitches per-layer Deno caches, vendor trees, and compiled binaries back into provenance-aware analyzer inputs. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-005 | |
| docs/implplan/archived/updates/SPRINT_130_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-007` | DONE | Produce AOC-compliant observation writers (entrypoints, modules, capability edges, workers, warnings, binaries) with deterministic reason codes. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-006 | |
| docs/implplan/archived/updates/SPRINT_130_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-008` | DONE | Finalize fixture + benchmark suite (vendor/npm/FFI/worker/dynamic import/bundle/cache/container cases) validating analyzer determinism and performance. | Deno Analyzer Guild, QA Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-007 | |
| docs/implplan/archived/updates/SPRINT_137_scanner_gap_design.md | Sprint 137 Scanner Gap Design | `SCANNER-ENG-0002` | DONE (2025-11-09) | Design the Node.js lockfile collector + CLI validator per `docs/benchmarks/scanner/scanning-gaps-stella-misses-from-competitors.md`, capturing Surface + policy requirements before implementation. | Scanner Guild, CLI Guild (docs/modules/scanner) | — | |
| docs/implplan/archived/updates/SPRINT_137_scanner_gap_design.md | Sprint 137 Scanner Gap Design | `SCANNER-ENG-0003` | DONE (2025-11-09) | Design Python lockfile + editable-install parity checks with policy predicates and CLI workflow coverage as outlined in the gap analysis. | Python Analyzer Guild, CLI Guild (docs/modules/scanner) | — | |
| docs/implplan/archived/updates/SPRINT_137_scanner_gap_design.md | Sprint 137 Scanner Gap Design | `SCANNER-ENG-0004` | DONE (2025-11-09) | Design Java lockfile ingestion/validation (Gradle/SBT collectors, CLI verb, policy hooks) to close comparison gaps. | Java Analyzer Guild, CLI Guild (docs/modules/scanner) | — | |
| docs/implplan/archived/updates/SPRINT_137_scanner_gap_design.md | Sprint 137 Scanner Gap Design | `SCANNER-ENG-0005` | DONE (2025-11-09) | Enhance Go stripped-binary fallback inference design, including inferred module metadata + policy integration, per the gap analysis. | Go Analyzer Guild (docs/modules/scanner) | — | |
| docs/implplan/archived/updates/SPRINT_137_scanner_gap_design.md | Sprint 137 Scanner Gap Design | `SCANNER-ENG-0006` | DONE (2025-11-09) | Expand Rust fingerprint coverage design (enriched fingerprint catalogue + policy controls) per the comparison matrix. | Rust Analyzer Guild (docs/modules/scanner) | — | |
| docs/implplan/archived/updates/SPRINT_137_scanner_gap_design.md | Sprint 137 Scanner Gap Design | `SCANNER-ENG-0007` | DONE (2025-11-09) | Design the deterministic secret leak detection pipeline covering rule packaging, Policy Engine integration, and CLI workflow. | Scanner Guild, Policy Guild (docs/modules/scanner) | — | |
| docs/implplan/archived/SPRINT_0100_0001_0001_identity_signing.md | Sprint 100 Identity Signing | AUTH-AIRGAP-57-001 | DONE (2025-11-08) | | Authority Core & Security Guild, DevOps Guild (src/Authority/StellaOps.Authority) | Enforce sealed-mode CI gating by refusing token issuance when declared sealed install lacks sealing confirmation. (Deps: AUTH-AIRGAP-56-001, DEVOPS-AIRGAP-57-002.) | |
| docs/implplan/archived/SPRINT_0100_0001_0001_identity_signing.md | Sprint 100 Identity Signing | AUTH-PACKS-43-001 | DONE (2025-11-09) | | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Enforce pack signing policies, approval RBAC checks, CLI CI token scopes, and audit logging for approvals. (Deps: AUTH-PACKS-41-001, TASKRUN-42-001, ORCH-SVC-42-101.) | |
| docs/implplan/archived/updates/2025-11-13-sprint-0110-ingestion-evidence.md | Sprint 110 Ingestion Evidence 2025-11-13 | DOCS-AIAI-31-004 | DOING | | | | |
| docs/implplan/archived/updates/2025-11-13-sprint-0110-ingestion-evidence.md | Sprint 110 Ingestion Evidence 2025-11-13 | AIAI-31-009 | DONE (2025-11-12) | | | | |
| docs/implplan/archived/updates/2025-11-13-sprint-0110-ingestion-evidence.md | Sprint 110 Ingestion Evidence 2025-11-13 | AIAI-31-008 | TODO | | | | |
| docs/implplan/archived/updates/2025-11-13-sprint-0110-ingestion-evidence.md | Sprint 110 Ingestion Evidence 2025-11-13 | SBOM-AIAI-31-003 | BLOCKED | | | | |
| docs/implplan/archived/updates/2025-11-13-sprint-0110-ingestion-evidence.md | Sprint 110 Ingestion Evidence 2025-11-13 | DOCS-AIAI-31-005/006/008/009 | BLOCKED | | | | |
| docs/implplan/archived/SPRINT_0130_0001_0001_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-001` | DONE | Build the deterministic input normalizer + VFS merger for `deno.json(c)`, import maps, lockfiles, vendor trees, `$DENO_DIR`, and OCI layers so analyzers have a canonical file view. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | — | |
| docs/implplan/archived/SPRINT_0130_0001_0001_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-002` | DONE | Implement the module graph resolver covering static/dynamic imports, npm bridge, cache lookups, built-ins, WASM/JSON assertions, and annotate edges with their resolution provenance. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-001 | |
| docs/implplan/archived/SPRINT_0130_0001_0001_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-003` | DONE | Ship the npm/node compatibility adapter that maps `npm:` specifiers, evaluates `exports` conditionals, and logs builtin usage for policy overlays. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-002 | |
| docs/implplan/archived/SPRINT_0130_0001_0001_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-004` | DONE | Add the permission/capability analyzer covering FS/net/env/process/crypto/FFI/workers plus dynamic-import + literal fetch heuristics with reason codes. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-003 | |
| docs/implplan/archived/SPRINT_0130_0001_0001_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-005` | DONE | Build bundle/binary inspectors for eszip and `deno compile` executables to recover graphs, configs, embedded resources, and snapshots. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-004 | |
| docs/implplan/archived/SPRINT_0130_0001_0001_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-006` | DONE | Implement the OCI/container adapter that stitches per-layer Deno caches, vendor trees, and compiled binaries back into provenance-aware analyzer inputs. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-005 | |
| docs/implplan/archived/SPRINT_0130_0001_0001_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-007` | DONE | Produce AOC-compliant observation writers (entrypoints, modules, capability edges, workers, warnings, binaries) with deterministic reason codes. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-006 | |
| docs/implplan/archived/SPRINT_0130_0001_0001_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-008` | DONE | Finalize fixture + benchmark suite (vendor/npm/FFI/worker/dynamic import/bundle/cache/container cases) validating analyzer determinism and performance. | Deno Analyzer Guild, QA Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-007 | |
| docs/implplan/archived/SPRINT_0137_0001_0001_scanner_gap_design.md | Sprint 137 Scanner Gap Design | `SCANNER-ENG-0002` | DONE (2025-11-09) | Design the Node.js lockfile collector + CLI validator per `docs/benchmarks/scanner/scanning-gaps-stella-misses-from-competitors.md`, capturing Surface + policy requirements before implementation. | Scanner Guild, CLI Guild (docs/modules/scanner) | — | |
| docs/implplan/archived/SPRINT_0137_0001_0001_scanner_gap_design.md | Sprint 137 Scanner Gap Design | `SCANNER-ENG-0003` | DONE (2025-11-09) | Design Python lockfile + editable-install parity checks with policy predicates and CLI workflow coverage as outlined in the gap analysis. | Python Analyzer Guild, CLI Guild (docs/modules/scanner) | — | |
| docs/implplan/archived/SPRINT_0137_0001_0001_scanner_gap_design.md | Sprint 137 Scanner Gap Design | `SCANNER-ENG-0004` | DONE (2025-11-09) | Design Java lockfile ingestion/validation (Gradle/SBT collectors, CLI verb, policy hooks) to close comparison gaps. | Java Analyzer Guild, CLI Guild (docs/modules/scanner) | — | |
| docs/implplan/archived/SPRINT_0137_0001_0001_scanner_gap_design.md | Sprint 137 Scanner Gap Design | `SCANNER-ENG-0005` | DONE (2025-11-09) | Enhance Go stripped-binary fallback inference design, including inferred module metadata + policy integration, per the gap analysis. | Go Analyzer Guild (docs/modules/scanner) | — | |
| docs/implplan/archived/SPRINT_0137_0001_0001_scanner_gap_design.md | Sprint 137 Scanner Gap Design | `SCANNER-ENG-0006` | DONE (2025-11-09) | Expand Rust fingerprint coverage design (enriched fingerprint catalogue + policy controls) per the comparison matrix. | Rust Analyzer Guild (docs/modules/scanner) | — | |
| docs/implplan/archived/SPRINT_0137_0001_0001_scanner_gap_design.md | Sprint 137 Scanner Gap Design | `SCANNER-ENG-0007` | DONE (2025-11-09) | Design the deterministic secret leak detection pipeline covering rule packaging, Policy Engine integration, and CLI workflow. | Scanner Guild, Policy Guild (docs/modules/scanner) | — | |
| docs/implplan/archived/updates/2025-10-18-docs-guild.md | Update note | Docs Guild Update — 2025-10-18 | INFO | **Subject:** ADR process + events schema validation shipped | | | 2025-10-18 |
| docs/implplan/archived/updates/2025-10-19-docs-guild.md | Update note | Docs Guild Update — 2025-10-19 | INFO | **Subject:** Event envelope reference & canonical samples | | | 2025-10-19 |
| docs/implplan/archived/updates/2025-10-19-platform-events.md | Update note | Platform Events Update — 2025-10-19 | INFO | **Subject:** Canonical event samples enforced across tests & CI | | | 2025-10-19 |

2
docs/implplan/archived/updates/SPRINT_110_ingestion_evidence_2025-11-13.md → docs/implplan/archived/updates/2025-11-13-sprint-0110-ingestion-evidence.md
View File

@@ -6,7 +6,7 @@ Active items only. Completed/historic work now resides in docs/implplan/archived
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| 110.A AdvisoryAI | Advisory AI Guild · Docs Guild · SBOM Service Guild | Sprint 100.A Attestor (closed 2025-11-09 per `docs/implplan/archived/SPRINT_100_identity_signing.md`) | DOING | Guardrail regression suite (AIAI-31-009) closed 2025-11-12 with the new `AdvisoryAI:Guardrails` configuration; console doc (DOCS-AIAI-31-004) remains DOING while SBOM/CLI/Policy/DevOps dependencies unblock screenshots/runbook work. |
| 110.A AdvisoryAI | Advisory AI Guild · Docs Guild · SBOM Service Guild | Sprint 100.A Attestor (closed 2025-11-09 per `docs/implplan/archived/SPRINT_0100_0001_0001_identity_signing.md`) | DOING | Guardrail regression suite (AIAI-31-009) closed 2025-11-12 with the new `AdvisoryAI:Guardrails` configuration; console doc (DOCS-AIAI-31-004) remains DOING while SBOM/CLI/Policy/DevOps dependencies unblock screenshots/runbook work. |
| 110.B Concelier | Concelier Core & WebService Guilds · Observability Guild · AirGap Guilds (Importer/Policy/Time) | Sprint 100.A Attestor | DOING | Paragraph chunk API shipped 2025-11-07; structured field/caching (CONCELIER-AIAI-31-002) is mid-implementation, telemetry (CONCELIER-AIAI-31-003) closed 2025-11-12, and air-gap/console/attestation tracks are held by Link-Not-Merge + Cartographer schema. |
| 110.C Excititor | Excititor WebService/Core Guilds · Observability Guild · Evidence Locker Guild | Sprint 100.A Attestor | DOING | Normalized justification projections (EXCITITOR-AIAI-31-001) landed; chunk API, telemetry, docs, attestation, and mirror backlog stay queued behind Link-Not-Merge / Evidence Locker prerequisites. |
| 110.D Mirror | Mirror Creator Guild · Exporter Guild · CLI Guild · AirGap Time Guild | Sprint 100.A Attestor | TODO | Wave remains TODO—MIRROR-CRT-56-001 has no owner, so DSSE/TUF, OCI/time-anchor, CLI, and scheduling integrations cannot proceed. |

0
docs/implplan/archived/updates/SPRINT_125_mirror_2025-11-13.md → docs/implplan/archived/updates/2025-11-13-sprint-0125-mirror.md
View File

0
docs/implplan/archived/updates/SPRINT_300_documentation_process_2025-11-13.md → docs/implplan/archived/updates/2025-11-13-sprint-0300-documentation-process.md
View File

0
docs/implplan/archived/updates/SPRINT_301_docs_tasks_md_i_2025-11-13.md → docs/implplan/archived/updates/2025-11-13-sprint-0301-docs-tasks-md-i.md
View File

2
docs/implplan/archived/updates/tasks.md
View File

@@ -1693,7 +1693,7 @@ This file describe implementation of Stella Ops (docs/README.md). Implementation
| 100.B) Authority.I | AUTH-OBS-52-001 | DONE (2025-11-02) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Configure resource server policies for Timeline Indexer, Evidence Locker, Exporter, and Observability APIs enforcing new scopes + tenant claims. Emit audit events including scope usage and trace IDs. (Deps: AUTH-OBS-50-001, TIMELINE-OBS-52-003, EVID-OBS-53-003.) |
| 100.B) Authority.I | AUTH-OBS-55-001 | DONE (2025-11-02) | Authority Core & Security Guild, Ops Guild (src/Authority/StellaOps.Authority) | Harden incident mode authorization: require `obs:incident` scope + fresh auth, log activation reason, and expose verification endpoint for auditors. Update docs/runbooks. (Deps: AUTH-OBS-50-001, WEB-OBS-55-001.) |
| 100.B) Authority.I | AUTH-ORCH-34-001 | DONE (2025-11-02) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Introduce `Orch.Admin` role with quota/backfill scopes, enforce audit reason on quota changes, and update offline defaults/docs. (Deps: AUTH-ORCH-33-001.) |
| Sprint 100 | Authority Identity & Signing | docs/implplan/SPRINT_100_identity_signing.md | DONE (2025-11-09) | Authority Core, Security Guild, Docs Guild | SEC2/SEC3/SEC5 plug-in telemetry landed (credential audit events, lockout retry metadata), PLG7.IMPL-005 updated docs/sample manifests/Offline Kit guidance for the LDAP plug-in. |
| Sprint 100 | Authority Identity & Signing | docs/implplan/archived/SPRINT_0100_0001_0001_identity_signing.md | DONE (2025-11-09) | Authority Core, Security Guild, Docs Guild | SEC2/SEC3/SEC5 plug-in telemetry landed (credential audit events, lockout retry metadata), PLG7.IMPL-005 updated docs/sample manifests/Offline Kit guidance for the LDAP plug-in. |
| 100.B) Authority.I | AUTH-PACKS-41-001 | DONE (2025-11-04) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Define CLI SSO profiles and pack scopes (`Packs.Read`, `Packs.Write`, `Packs.Run`, `Packs.Approve`), update discovery metadata, offline defaults, and issuer templates. (Deps: AUTH-AOC-19-001.) |
| 100.B) Authority.II | AUTH-POLICY-23-001 | DONE (2025-10-27) | Authority Core & Docs Guild (src/Authority/StellaOps.Authority) | Introduce fine-grained policy scopes (`policy:read`, `policy:author`, `policy:review`, `policy:simulate`, `findings:read`) for CLI/service accounts; update discovery metadata, issuer templates, and offline defaults. (Deps: AUTH-AOC-19-002.) |
| 100.B) Authority.II | AUTH-POLICY-23-002 | DONE (2025-11-08) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Implement optional two-person rule for activation: require two distinct `policy:activate` approvals when configured; emit audit logs. (Deps: AUTH-POLICY-23-001.) |