up

2025-12-09 10:50:15 +02:00
parent cc69d332e3
commit f30805ad7f
25 changed files with 846 additions and 317 deletions
--- a/docs/advisory-ai/sbom-context-hand-off.md
+++ b/docs/advisory-ai/sbom-context-hand-off.md
@@ -4,6 +4,12 @@ _Updated: 2025-11-24 · Owners: Advisory AI Guild · SBOM Service Guild · Sprin

 Defines the contract and smoke test for passing SBOM context from SBOM Service to Advisory AI `/v1/sbom/context` consumers. Aligns with `SBOM-AIAI-31-001` (paths/timelines) and the CLI fixtures published on 2025-11-19.

+## Status & Next Steps (2025-12-08)
+- ✅ 2025-12-08: Real SbomService `/sbom/context` run (`dotnet run --no-build` on `http://127.0.0.1:5090`) using `sample-sbom-context.json` scope. Response hash `sha256:0c705259fdf984bf300baba0abf484fc3bbae977cf8a0a2d1877481f552d600d` captured with timeline + dependency paths.
+  - Evidence: `evidence-locker/sbom-context/2025-12-05-smoke.ndjson` (2025-12-08 entry) and raw payload `evidence-locker/sbom-context/2025-12-08-response.json`.
+  - Offline kit mirror: `offline-kit/advisory-ai/fixtures/sbom-context/2025-12-08/` (CLI guardrail fixtures, new `sbom-context-response.json`, and `SHA256SUMS` manifest).
+- 2025-12-05 run (fixture-backed stub) remains archived in the same NDJSON/logs for traceability.
+
 ## Contract
 - **Endpoint** (SBOM Service): `/sbom/context`
 - **Request** (minimal):
--- a/docs/implplan/SPRINT_0111_0001_0001_advisoryai.md
+++ b/docs/implplan/SPRINT_0111_0001_0001_advisoryai.md
@@ -7,7 +7,7 @@

 ## Dependencies & Concurrency
 - Depends on Sprint 0100.A (Attestor) staying green.
- Upstream artefacts required: `CONSOLE-VULN-29-001`, `CONSOLE-VEX-30-001`, `EXCITITOR-CONSOLE-23-001`, `SBOM-AIAI-31-001`, `CLI-VULN-29-001`, `CLI-VEX-30-001`, `DEVOPS-AIAI-31-001`.
+- Upstream artefacts required: `CONSOLE-VULN-29-001`, `CONSOLE-VEX-30-001`, `EXCITITOR-CONSOLE-23-001`, `SBOM-AIAI-31-001`, `CLI-VULN-29-001` ✅ (2025-12-04), `CLI-VEX-30-001` ✅ (2025-12-04), `DEVOPS-AIAI-31-001`.
 - Concurrency: block publishing on missing CLI/Policy/SBOM deliverables; drafting allowed where noted.

 ## Wave Coordination
@@ -29,8 +29,8 @@
 | 1 | AIAI-DOCS-31-001 | BLOCKED (2025-11-22) | Await CLI/Policy artefacts | Advisory AI Docs Guild | Author guardrail + evidence docs with upstream references |
 | 2 | AIAI-PACKAGING-31-002 | MOVED to SPRINT_0503_0001_0001_ops_devops_i (2025-11-23) | Track under DEVOPS-AIAI-31-002 in Ops sprint | Advisory AI Release | Package advisory feeds with SBOM pointers + provenance |
 | 3 | AIAI-RAG-31-003 | DONE | None | Advisory AI + Concelier | Align RAG evidence payloads with LNM schema |
-| 4 | SBOM-AIAI-31-003 | BLOCKED (2025-11-23) | CLI-VULN-29-001; CLI-VEX-30-001 | SBOM Service Guild · Advisory AI Guild | Advisory AI hand-off kit for `/v1/sbom/context`; smoke test with tenants |
-| 5 | DOCS-AIAI-31-005/006/008/009 | BLOCKED (2025-11-23) | CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | Docs Guild | CLI/policy/ops docs; proceed once upstream artefacts land |
+| 4 | SBOM-AIAI-31-003 | DONE (2025-12-08) | SbomService `/sbom/context` endpoint shipped; evidence at `evidence-locker/sbom-context/2025-12-08-response.json` + offline kit 2025-12-08 mirror | SBOM Service Guild · Advisory AI Guild | Advisory AI hand-off kit for `/v1/sbom/context`; smoke test with tenants |
+| 5 | DOCS-AIAI-31-005/006/008/009 | BLOCKED (2025-11-23) | POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 (CLI gate cleared 2025-12-04) | Docs Guild | CLI/policy/ops docs; proceed once upstream artefacts land |

 ## Action Tracker
 | Focus | Action | Owner(s) | Due | Status |
@@ -41,6 +41,10 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-12-08 | Implemented `/sbom/context` in `StellaOps.SbomService` (timeline + dependency path aggregation, deterministic hash) with tests, then ran live smoke via `dotnet run --no-build` capturing `sha256:0c705259fdf984bf300baba0abf484fc3bbae977cf8a0a2d1877481f552d600d` and mirrored offline kit `2025-12-08/`. | SBOM Service Guild |
+| 2025-12-08 | Reopened SBOM-AIAI-31-003 to DOING: advisory docs have fixtures, but SbomService `/sbom/context` endpoint is still stubbed; implementation + live smoke required. | Project Mgmt |
+| 2025-12-05 | Executed fixture-backed `/sbom/context` smoke (hash `sha256:421af53f9eeba6903098d292fbd56f98be62ea6130b5161859889bf11d699d18`), logged evidence at `evidence-locker/sbom-context/2025-12-05-smoke.ndjson`, and mirrored fixtures to `offline-kit/advisory-ai/fixtures/sbom-context/2025-12-05/`; SBOM-AIAI-31-003 marked DONE. | Advisory AI Guild |
+| 2025-12-05 | Verified CLI-VULN-29-001 / CLI-VEX-30-001 artefacts landed; moved SBOM-AIAI-31-003 to DOING and kicked off `/v1/sbom/context` smoke + offline kit replication. | Project Mgmt |
 | 2025-12-03 | Added Wave Coordination (A drafting done; B publish blocked on upstream artefacts; C packaging moved to ops sprint). No status changes. | Project Mgmt |
 | 2025-11-16 | Sprint draft restored after accidental deletion; content from HEAD restored. | Planning |
 | 2025-11-22 | Began AIAI-DOCS-31-001 and AIAI-RAG-31-003: refreshed guardrail + LNM-aligned RAG docs; awaiting CLI/Policy artefacts before locking outputs. | Docs Guild |
@@ -50,7 +54,8 @@
 | 2025-12-02 | Normalized sprint file to standard template; no status changes. | StellaOps Agent |

 ## Decisions & Risks
- Publishing of docs/packages is gated on upstream CLI/Policy/SBOM artefacts; drafting allowed but must remain unpublished until dependencies land.
+- Publishing of docs/packages is gated on upstream Policy/DevOps artefacts; CLI prerequisites and SBOM hand-off smoke landed 2025-12-05, so remaining dependencies are `POLICY-ENGINE-31-001` and `DEVOPS-AIAI-31-001`.
+- `/sbom/context` endpoint now live in SbomService; future fixes should keep smoke evidence (`evidence-locker/sbom-context/2025-xx-response.json`) updated when data contracts change.
 - Link-Not-Merge schema remains authoritative for evidence payloads; deviations require Concelier sign-off.

 ## Next Checkpoints
--- a/docs/implplan/blocked_tree.md
+++ b/docs/implplan/blocked_tree.md
@@ -141,7 +141,7 @@
  - PROV-OBS-53-002 ✅ -> PROV-OBS-53-003 ✅

 - CLI/Advisory AI handoff
-  - SBOM-AIAI-31-003 <- CLI-VULN-29-001; CLI-VEX-30-001
-  - DOCS-AIAI-31-005/006/008/009 <- CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001
+  - SBOM-AIAI-31-003 DONE (2025-12-08): SbomService `/sbom/context` endpoint implemented with deterministic hash + live smoke (`evidence-locker/sbom-context/2025-12-08-response.json`, offline kit mirror 2025-12-08).
+  - DOCS-AIAI-31-005/006/008/009: CLI dependency cleared 2025-12-04; remaining prerequisites are POLICY-ENGINE-31-001 and DEVOPS-AIAI-31-001 for telemetry/ops knobs.

 Note: POLICY-20-001 is defined and tracked in `docs/implplan/SPRINT_0114_0001_0003_concelier_iii.md` (Task 14), and POLICY-AUTH-SIGNALS-LIB-115 is defined in `docs/implplan/SPRINT_0115_0001_0004_concelier_iv.md` (Task 0); both scopes match the expectations captured here.
--- a/docs/implplan/tasks-all.md
+++ b/docs/implplan/tasks-all.md
@@ -372,12 +372,12 @@
 | CLI-SIG-26-002 | TODO |  | SPRINT_204_cli_iv | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Extend `stella policy simulate` with reachability override flags (`--reachability-state`, `--reachability-score`). Dependencies: CLI-SIG-26-001. | CLI-SIG-26-001 | CLCI0108 |
 | CLI-TEN-47-001 | TODO |  | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `stella login`, `whoami`, `tenants list`, persistent profiles, secure token storage, and `--tenant` override with validation. | — | CLCI0108 |
 | CLI-TEN-49-001 | TODO |  | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Add service account token minting, delegation (`stella token delegate`), impersonation banner, and audit-friendly logging. Dependencies: CLI-TEN-47-001. | CLI-TEN-47-001 | CLCI0108 |
-| CLI-VEX-30-001 | TODO |  | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `stella vex consensus list` with filters, paging, policy selection, `--json/--csv`. | PLVL0102 completion | CLCI0107 |
+| CLI-VEX-30-001 | DONE (2025-12-04) | 2025-12-04 | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `stella vex consensus list` with filters, paging, policy selection, `--json/--csv`. | PLVL0102 completion | CLCI0107 |
 | CLI-VEX-30-002 | TODO |  | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `stella vex consensus show` displaying quorum, evidence, rationale, signature status. Dependencies: CLI-VEX-30-001. | CLI-VEX-30-001 | CLCI0107 |
 | CLI-VEX-30-003 | TODO |  | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `stella vex simulate` for trust/threshold overrides with JSON diff output. Dependencies: CLI-VEX-30-002. | CLI-VEX-30-002 | CLCI0107 |
 | CLI-VEX-30-004 | TODO |  | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `stella vex export` for consensus NDJSON bundles with signature verification helper. Dependencies: CLI-VEX-30-003. | CLI-VEX-30-003 | CLCI0107 |
 | CLI-VEX-401-011 | TODO |  | SPRINT_0401_0001_0001_reachability_evidence_chain | CLI Guild | `src/Cli/StellaOps.Cli`, `docs/modules/cli/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md` | Add `stella decision export | Reachability API exposure | CLCI0107 |
-| CLI-VULN-29-001 | TODO |  | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `stella vuln list` with grouping, paging, filters, `--json/--csv`, and policy selection. | — | CLCI0107 |
+| CLI-VULN-29-001 | DONE (2025-12-04) | 2025-12-04 | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `stella vuln list` with grouping, paging, filters, `--json/--csv`, and policy selection. | — | CLCI0107 |
 | CLI-VULN-29-002 | TODO |  | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `stella vuln show` displaying evidence, policy rationale, paths, ledger summary; support `--json` for automation. Dependencies: CLI-VULN-29-001. | CLI-VULN-29-001 | CLCI0107 |
 | CLI-VULN-29-003 | TODO |  | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Add workflow commands (`assign`, `comment`, `accept-risk`, `verify-fix`, `target-fix`, `reopen`) with filter selection (`--filter`) and idempotent retries. Dependencies: CLI-VULN-29-002. | CLI-VULN-29-002 | CLCI0107 |
 | CLI-VULN-29-004 | TODO |  | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `stella vuln simulate` producing delta summaries and optional Markdown report for CI. Dependencies: CLI-VULN-29-003. | CLI-VULN-29-003 | CLCI0107 |
@@ -1568,7 +1568,7 @@
 | SBOM-60-002 | TODO |  | SPRINT_203_cli_iii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli |  |  |  |
 | SBOM-AIAI-31-001 | TODO |  | SPRINT_0140_0001_0001_runtime_signals | — |  | Advisory AI path/timeline endpoints specced; awaiting projection schema finalization. | — | DOAI0101 |
 | SBOM-AIAI-31-002 | TODO |  | SPRINT_0140_0001_0001_runtime_signals |  |  | Metrics/dashboards tied to 31-001; blocked on the same schema availability. |  |  |
-| SBOM-AIAI-31-003 | BLOCKED | 2025-11-18 | SPRINT_0111_0001_0001_advisoryai | SBOM Service Guild · Advisory AI Guild (src/SbomService/StellaOps.SbomService) | src/SbomService/StellaOps.SbomService | Publish the Advisory AI hand-off kit for `/v1/sbom/context`, share base URL/API key + tenant header contract, and run a joint end-to-end retrieval smoke test with Advisory AI. | SBOM-AIAI-31-001 projection kit/fixtures | ADAI0101 |
+| SBOM-AIAI-31-003 | DONE (2025-12-08) | 2025-12-08 | SPRINT_0111_0001_0001_advisoryai | SBOM Service Guild · Advisory AI Guild (src/SbomService/StellaOps.SbomService) | src/SbomService/StellaOps.SbomService | Publish the Advisory AI hand-off kit for `/v1/sbom/context`, share base URL/API key + tenant header contract, and run a joint end-to-end retrieval smoke test with Advisory AI. | SBOM-AIAI-31-001 projection kit/fixtures | ADAI0101 |
 | SBOM-CONSOLE-23-001 | TODO |  | SPRINT_0140_0001_0001_runtime_signals |  |  | Console catalog API draft complete; depends on Concelier/Cartographer payload definitions. |  |  |
 | SBOM-CONSOLE-23-002 | TODO |  | SPRINT_0140_0001_0001_runtime_signals |  |  | Global component lookup API needs 23-001 responses + cache hints before work can start. |  |  |
 | SBOM-DET-01 | TODO |  | SPRINT_0209_0001_0001_ui_i | UI Guild (src/UI/StellaOps.UI) | src/UI/StellaOps.UI |  |  |  |
@@ -2586,12 +2586,12 @@
 | CLI-SIG-26-002 | TODO |  | SPRINT_204_cli_iv | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Extend `stella policy simulate` with reachability override flags (`--reachability-state`, `--reachability-score`). Dependencies: CLI-SIG-26-001. | CLI-SIG-26-001 | CLCI0108 |
 | CLI-TEN-47-001 | TODO |  | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `stella login`, `whoami`, `tenants list`, persistent profiles, secure token storage, and `--tenant` override with validation. | — | CLCI0108 |
 | CLI-TEN-49-001 | TODO |  | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Add service account token minting, delegation (`stella token delegate`), impersonation banner, and audit-friendly logging. Dependencies: CLI-TEN-47-001. | CLI-TEN-47-001 | CLCI0108 |
-| CLI-VEX-30-001 | TODO |  | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `stella vex consensus list` with filters, paging, policy selection, `--json/--csv`. | PLVL0102 completion | CLCI0107 |
+| CLI-VEX-30-001 | DONE (2025-12-04) | 2025-12-04 | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `stella vex consensus list` with filters, paging, policy selection, `--json/--csv`. | PLVL0102 completion | CLCI0107 |
 | CLI-VEX-30-002 | TODO |  | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `stella vex consensus show` displaying quorum, evidence, rationale, signature status. Dependencies: CLI-VEX-30-001. | CLI-VEX-30-001 | CLCI0107 |
 | CLI-VEX-30-003 | TODO |  | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `stella vex simulate` for trust/threshold overrides with JSON diff output. Dependencies: CLI-VEX-30-002. | CLI-VEX-30-002 | CLCI0107 |
 | CLI-VEX-30-004 | TODO |  | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `stella vex export` for consensus NDJSON bundles with signature verification helper. Dependencies: CLI-VEX-30-003. | CLI-VEX-30-003 | CLCI0107 |
 | CLI-VEX-401-011 | TODO |  | SPRINT_0401_0001_0001_reachability_evidence_chain | CLI Guild | `src/Cli/StellaOps.Cli`, `docs/modules/cli/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md` | Add `stella decision export | Reachability API exposure | CLCI0107 |
-| CLI-VULN-29-001 | TODO |  | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `stella vuln list` with grouping, paging, filters, `--json/--csv`, and policy selection. | — | CLCI0107 |
+| CLI-VULN-29-001 | DONE (2025-12-04) | 2025-12-04 | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `stella vuln list` with grouping, paging, filters, `--json/--csv`, and policy selection. | — | CLCI0107 |
 | CLI-VULN-29-002 | TODO |  | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `stella vuln show` displaying evidence, policy rationale, paths, ledger summary; support `--json` for automation. Dependencies: CLI-VULN-29-001. | CLI-VULN-29-001 | CLCI0107 |
 | CLI-VULN-29-003 | TODO |  | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Add workflow commands (`assign`, `comment`, `accept-risk`, `verify-fix`, `target-fix`, `reopen`) with filter selection (`--filter`) and idempotent retries. Dependencies: CLI-VULN-29-002. | CLI-VULN-29-002 | CLCI0107 |
 | CLI-VULN-29-004 | TODO |  | SPRINT_205_cli_v | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `stella vuln simulate` producing delta summaries and optional Markdown report for CI. Dependencies: CLI-VULN-29-003. | CLI-VULN-29-003 | CLCI0107 |
@@ -3769,7 +3769,7 @@
 | SBOM-60-002 | TODO |  | SPRINT_203_cli_iii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli |  |  |  |
 | SBOM-AIAI-31-001 | TODO |  | SPRINT_0140_0001_0001_runtime_signals | — |  | Advisory AI path/timeline endpoints specced; awaiting projection schema finalization. | — | DOAI0101 |
 | SBOM-AIAI-31-002 | TODO |  | SPRINT_0140_0001_0001_runtime_signals |  |  | Metrics/dashboards tied to 31-001; blocked on the same schema availability. |  |  |
-| SBOM-AIAI-31-003 | BLOCKED | 2025-11-18 | SPRINT_0111_0001_0001_advisoryai | SBOM Service Guild · Advisory AI Guild (src/SbomService/StellaOps.SbomService) | src/SbomService/StellaOps.SbomService | Publish the Advisory AI hand-off kit for `/v1/sbom/context`, share base URL/API key + tenant header contract, and run a joint end-to-end retrieval smoke test with Advisory AI. | SBOM-AIAI-31-001 projection kit/fixtures | ADAI0101 |
+| SBOM-AIAI-31-003 | DONE (2025-12-08) | 2025-12-08 | SPRINT_0111_0001_0001_advisoryai | SBOM Service Guild · Advisory AI Guild (src/SbomService/StellaOps.SbomService) | src/SbomService/StellaOps.SbomService | Publish the Advisory AI hand-off kit for `/v1/sbom/context`, share base URL/API key + tenant header contract, and run a joint end-to-end retrieval smoke test with Advisory AI. | SBOM-AIAI-31-001 projection kit/fixtures | ADAI0101 |
 | SBOM-CONSOLE-23-001 | TODO |  | SPRINT_0140_0001_0001_runtime_signals |  |  | Console catalog API draft complete; depends on Concelier/Cartographer payload definitions. |  |  |
 | SBOM-CONSOLE-23-002 | TODO |  | SPRINT_0140_0001_0001_runtime_signals |  |  | Global component lookup API needs 23-001 responses + cache hints before work can start. |  |  |
 | SBOM-ORCH-32-001 | TODO |  | SPRINT_0140_0001_0001_runtime_signals |  |  | Orchestrator registration is sequenced after projection schema because payload shapes map into job metadata. |  |  |