stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-18 20:37:12 +02:00
parent 1fcf550d3a 0dc71e760a
commit f85d53888c
278 changed files with 35930 additions and 1134 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
docs/implplan/SPRINT_0339_0001_0001_cli_offline_commands.md
View File

@@ -72,12 +72,12 @@ stellaops verify offline \
| 2 | T2 | DONE | Implemented `OfflineCommandGroup` and wired into `CommandFactory`. | DevEx/CLI Guild | Create `OfflineCommandGroup` class. |
| 3 | T3 | DONE | Implemented `offline import` with manifest/hash validation, monotonicity checks, and quarantine hooks. | DevEx/CLI Guild | Implement `offline import` command (core import flow). |
| 4 | T4 | DONE | Implemented `--verify-dsse` via `DsseVerifier` (requires `--trust-root`) and added tests. | DevEx/CLI Guild | Add `--verify-dsse` flag handler. |
| 5 | T5 | DOING | Implement offline Rekor receipt inclusion proof + checkpoint signature verification per `docs/product-advisories/14-Dec-2025 - Rekor Integration Technical Reference.md` §13. | DevEx/CLI Guild | Add `--verify-rekor` flag handler. |
| 5 | T5 | DONE | Implement offline Rekor receipt inclusion proof + checkpoint signature verification per `docs/product-advisories/14-Dec-2025 - Rekor Integration Technical Reference.md` §13. | DevEx/CLI Guild | Add `--verify-rekor` flag handler. |
| 6 | T6 | DONE | Implemented deterministic trust-root loading (`--trust-root`). | DevEx/CLI Guild | Add `--trust-root` option. |
| 7 | T7 | DONE | Enforced `--force-reason` when forcing activation and persisted justification. | DevEx/CLI Guild | Add `--force-activate` flag. |
| 8 | T8 | DONE | Implemented `offline status` with table/json outputs. | DevEx/CLI Guild | Implement `offline status` command. |
| 9 | T9 | DOING | Implement `verify offline` using the policy schema in `docs/product-advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md` §4 plus deterministic evidence reconciliation outputs. | DevEx/CLI Guild | Implement `verify offline` command. |
| 10 | T10 | DOING | Add YAML+JSON policy loader with deterministic parsing/canonicalization rules; share with AirGap reconciliation. | DevEx/CLI Guild | Add `--policy` option parser. |
| 9 | T9 | DONE | Implement `verify offline` using the policy schema in `docs/product-advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md` §4 plus deterministic evidence reconciliation outputs. | DevEx/CLI Guild | Implement `verify offline` command. |
| 10 | T10 | DONE | Add YAML+JSON policy loader with deterministic parsing/canonicalization rules; share with AirGap reconciliation. | DevEx/CLI Guild | Add `--policy` option parser. |
| 11 | T11 | DONE | Standardized `--output table|json` formatting for offline verbs. | DevEx/CLI Guild | Create output formatters (table, json). |
| 12 | T12 | DONE | Added progress reporting for bundle hashing when bundle size exceeds threshold. | DevEx/CLI Guild | Implement progress reporting. |
| 13 | T13 | DONE | Implemented offline exit codes (`OfflineExitCodes`). | DevEx/CLI Guild | Add exit code standardization. |
@@ -628,7 +628,7 @@ public static class OfflineExitCodes
- [x] `--bundle` is required; error if not provided
- [x] Bundle file must exist; clear error if missing
- [x] `--verify-dsse` integrates with `DsseVerifier`
- [ ] `--verify-rekor` uses offline Rekor snapshot
- [x] `--verify-rekor` uses offline Rekor snapshot
- [x] `--trust-root` loads public key from file
- [x] `--force-activate` without `--force-reason` fails with helpful message
- [x] Force activation logs to audit trail
@@ -647,14 +647,14 @@ public static class OfflineExitCodes
- [x] Shows quarantine count if > 0
### `verify offline`
- [ ] `--evidence-dir` is required
- [ ] `--artifact` accepts sha256:... format
- [ ] `--policy` supports YAML and JSON
- [ ] Loads keys from evidence directory
- [ ] Verifies DSSE signatures offline
- [ ] Checks tlog inclusion proofs offline
- [ ] Reports policy violations clearly
- [ ] Exit code 0 on pass, 12 on fail
- [x] `--evidence-dir` is required
- [x] `--artifact` accepts sha256:... format
- [x] `--policy` supports YAML and JSON
- [x] Loads keys from evidence directory
- [x] Verifies DSSE signatures offline
- [x] Checks tlog inclusion proofs offline
- [x] Reports policy violations clearly
- [x] Exit code 0 on pass, 12 on fail
### Testing Strategy
@@ -675,13 +675,14 @@ public static class OfflineExitCodes
| Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- |
| Offline Rekor verification contract missing/incomplete | Cannot meet `--verify-rekor` acceptance criteria. | Define/land offline inclusion proof verification contract/library and wire into CLI. | DevEx/CLI | Blocked |
| Offline Rekor verification contract missing/incomplete | Cannot meet `--verify-rekor` acceptance criteria. | Define/land offline inclusion proof verification contract/library and wire into CLI. | DevEx/CLI | Closed |
| `.tar.zst` payload inspection not implemented | Limited local validation (hash/sidecar checks only). | Add deterministic Zstd+tar inspection path (or reuse existing bundle tooling) and cover with tests. | DevEx/CLI | Open |
| `verify offline` policy schema unclear | Risk of implementing an incompatible policy loader/verifier. | Define policy schema + canonicalization/evaluation rules; then implement `verify offline` and `--policy`. | DevEx/CLI | Blocked |
| `verify offline` policy schema unclear | Risk of implementing an incompatible policy loader/verifier. | Define policy schema + canonicalization/evaluation rules; then implement `verify offline` and `--policy`. | DevEx/CLI | Closed |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-18 | Completed T5/T9/T10 (offline Rekor verifier, `verify offline`, YAML/JSON policy loader); validated via `dotnet test src/Cli/__Tests/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj -c Release`. | Agent |
| 2025-12-17 | Unblocked T5/T9/T10 by adopting the published offline policy schema (A12) and Rekor receipt contract (Rekor Technical Reference §13); started implementation of offline Rekor inclusion proof verification and `verify offline`. | Agent |
| 2025-12-15 | Implemented `offline import/status` (+ exit codes, state storage, quarantine hooks), added docs and tests; validated with `dotnet test src/Cli/__Tests/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj -c Release`; marked T5/T9/T10 BLOCKED pending verifier/policy contracts. | DevEx/CLI |
| 2025-12-15 | Normalised sprint file to standard template; set T1 to DOING. | Planning · DevEx/CLI |

11
docs/implplan/SPRINT_0340_0001_0001_first_signal_card_ui.md
View File

@@ -3,7 +3,7 @@
**Epic:** Time-to-First-Signal (TTFS) Implementation
**Module:** Web UI
**Working Directory:** `src/Web/StellaOps.Web/src/app/`
**Status:** DOING
**Status:** DONE
**Created:** 2025-12-14
**Target Completion:** TBD
**Depends On:** SPRINT_0339_0001_0001 (First Signal API)
@@ -49,15 +49,15 @@ This sprint implements the `FirstSignalCard` Angular component that displays the
| T6 | Create FirstSignalCard styles | — | DONE | `src/Web/StellaOps.Web/src/app/features/runs/components/first-signal-card/first-signal-card.component.scss` |
| T7 | Implement SSE integration | — | DONE | Uses run stream SSE (`first_signal`) via `EventSourceFactory`; requires `tenant` query fallback in Orchestrator stream endpoints. |
| T8 | Implement polling fallback | — | DONE | `FirstSignalStore` starts polling (default 5s) when SSE errors. |
| T9 | Implement TTFS telemetry | | DOING | Implement Web telemetry client + TTFS event emission (`ttfs_start`, `ttfs_signal_rendered`) with sampling and offline-safe buffering. |
| T9 | Implement TTFS telemetry | Agent | DONE | Implemented `TelemetryClient` + TTFS event emission (`ttfs_start`, `ttfs_signal_rendered`) with offline queueing + flush. |
| T10 | Create prefetch service | — | DONE | `src/Web/StellaOps.Web/src/app/features/runs/services/first-signal-prefetch.service.ts` |
| T11 | Integrate into run detail page | — | DONE | Integrated into `src/Web/StellaOps.Web/src/app/features/console/console-status.component.html` as interim run-surface. |
| T12 | Create Storybook stories | — | DONE | `src/Web/StellaOps.Web/src/stories/runs/first-signal-card.stories.ts` |
| T13 | Create unit tests | — | DONE | `src/Web/StellaOps.Web/src/app/core/api/first-signal.store.spec.ts` |
| T14 | Create e2e tests | — | DONE | `src/Web/StellaOps.Web/tests/e2e/first-signal-card.spec.ts` |
| T15 | Create accessibility tests | — | DONE | `src/Web/StellaOps.Web/tests/e2e/a11y-smoke.spec.ts` includes `/console/status`. |
| T16 | Configure telemetry sampling | | DOING | Wire `AppConfig.telemetry.sampleRate` into telemetry client sampling decisions and expose defaults in config. |
| T17 | Add i18n keys for micro-copy | — | DOING | Add i18n framework and migrate FirstSignalCard micro-copy to translation keys (EN baseline). |
| T16 | Configure telemetry sampling | Agent | DONE | Wired `AppConfig.telemetry.sampleRate` into `TelemetrySamplerService` decisions; config normalization clamps defaults. |
| T17 | Add i18n keys for micro-copy | Agent | DONE | Created `I18nService`, `TranslatePipe`, added `firstSignal.*` keys to `micro-interactions.en.json`, migrated FirstSignalCard template. |
---
@@ -1780,5 +1780,6 @@ npx ngx-translate-extract \
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-15 | Implemented FirstSignalCard + store/client, quickstart mock, Storybook story, unit/e2e/a11y coverage; added Orchestrator stream tenant query fallback; marked telemetry/i18n tasks BLOCKED pending platform decisions. | Agent |
| 2025-12-18 | Completed T9/T16 (telemetry client + sampling) and refreshed T17 (i18n keys, FirstSignalCard micro-copy); added unit specs. | Agent |
| 2025-12-17 | Unblocked T9/T16/T17 by selecting a Web telemetry+sampling contract and adding an i18n framework; started implementation and test updates. | Agent |
| 2025-12-15 | Implemented FirstSignalCard + store/client, quickstart mock, Storybook story, unit/e2e/a11y coverage; added Orchestrator stream tenant query fallback; marked telemetry/i18n tasks BLOCKED pending platform decisions. | Agent |

7
docs/implplan/SPRINT_0342_0001_0001_evidence_reconciliation.md
View File

@@ -61,7 +61,7 @@ Per advisory §5:
| T5 | Implement SBOM collector (CycloneDX, SPDX) | DONE | Agent | `CycloneDxParser`, `SpdxParser`, `SbomParserFactory`, `SbomCollector` in Reconciliation/Parsers. |
| T6 | Implement attestation collector | DONE | Agent | `IAttestationParser`, `DsseAttestationParser`, `AttestationCollector` in Reconciliation/Parsers. |
| T7 | Integrate with `DsseVerifier` for validation | DONE | Agent | `AttestationCollector` integrates with `DsseVerifier` for DSSE signature verification. |
| T8 | Integrate with Rekor offline verifier | DOING | Agent | Implement offline Rekor receipt verifier (Merkle inclusion + checkpoint signature) and wire into AttestationCollector when `VerifyRekorProofs=true`. |
| T8 | Integrate with Rekor offline verifier | DONE | Agent | Implement offline Rekor receipt verifier (Merkle inclusion + checkpoint signature) and wire into AttestationCollector when `VerifyRekorProofs=true`. |
| **Step 3: Normalization** | | | | |
| T9 | Design normalization rules | DONE | Agent | `NormalizationOptions` with configurable rules. |
| T10 | Implement stable JSON sorting | DONE | Agent | `JsonNormalizer.NormalizeObject()` with ordinal key sorting. |
@@ -77,10 +77,10 @@ Per advisory §5:
| T18 | Design `EvidenceGraph` schema | DONE | Agent | `EvidenceGraph`, `EvidenceNode`, `EvidenceEdge` models. |
| T19 | Implement deterministic graph serializer | DONE | Agent | `EvidenceGraphSerializer` with stable ordering. |
| T20 | Create SHA-256 manifest generator | DONE | Agent | `EvidenceGraphSerializer.ComputeHash()` writes `evidence-graph.sha256`. |
| T21 | Integrate DSSE signing for output | DOING | Agent | Implement local DSSE signing of `evidence-graph.json` using `StellaOps.Attestor.Envelope` + ECDSA PEM key option; keep output deterministic. |
| T21 | Integrate DSSE signing for output | DONE | Agent | Implement local DSSE signing of `evidence-graph.json` using `StellaOps.Attestor.Envelope` + ECDSA PEM key option; keep output deterministic. |
| **Integration & Testing** | | | | |
| T22 | Create `IEvidenceReconciler` service | DONE | Agent | `IEvidenceReconciler` + `EvidenceReconciler` implementing 5-step algorithm. |
| T23 | Wire to CLI `verify offline` command | DOING | Agent | CLI `verify offline` calls reconciler and returns deterministic pass/fail + violations; shared policy loader. |
| T23 | Wire to CLI `verify offline` command | DONE | Agent | CLI `verify offline` calls reconciler and returns deterministic pass/fail + violations; shared policy loader. |
| T24 | Write golden-file tests | DONE | Agent | `CycloneDxParserTests`, `SpdxParserTests`, `DsseAttestationParserTests` with fixtures. |
| T25 | Write property-based tests | DONE | Agent | `SourcePrecedenceLatticePropertyTests` verifying lattice algebraic properties. |
| T26 | Update documentation | DONE | Agent | Created `docs/modules/airgap/evidence-reconciliation.md`. |
@@ -976,6 +976,7 @@ public sealed record ReconciliationResult(
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-18 | Completed T8/T21/T23 (Rekor offline verifier integration, deterministic DSSE signing output, CLI wiring); validated via `dotnet test src/AirGap/__Tests/StellaOps.AirGap.Importer.Tests/StellaOps.AirGap.Importer.Tests.csproj -c Release`. | Agent |
| 2025-12-15 | Normalised sprint headings toward the standard template; set `T1` to `DOING` and began implementation. | Agent |
| 2025-12-15 | Implemented `ArtifactIndex` + canonical digest normalization (`T1`, `T3`) with unit tests. | Agent |
| 2025-12-15 | Implemented deterministic evidence directory discovery (`T2`) with unit tests (relative paths + sha256 content hashes). | Agent |

42
docs/implplan/SPRINT_3000_0001_0001_rekor_merkle_proof_verification.md
View File

@@ -64,12 +64,40 @@ Before starting, read:
| 4 | T4 | DONE | Expose verification settings | Attestor Guild | Add `RekorVerificationOptions` in Configuration/ |
| 5 | T5 | DONE | Use verifiers in HTTP client | Attestor Guild | Implement `HttpRekorClient.VerifyInclusionAsync` |
| 6 | T6 | DONE | Stub verification behavior | Attestor Guild | Implement `StubRekorClient.VerifyInclusionAsync` |
| 7 | T7 | BLOCKED | Wire verification pipeline | Attestor Guild | Requires T8 for offline mode before full pipeline integration |
| 8 | T8 | BLOCKED | Add sealed/offline checkpoint mode | Attestor Guild | Depends on finalized offline checkpoint bundle format contract |
| 9 | T9 | DONE | Add unit coverage | Attestor Guild | Add unit tests for Merkle proof verification |
| 10 | T10 | DONE | Add integration coverage | Attestor Guild | RekorInclusionVerificationIntegrationTests.cs added |
| 11 | T11 | DONE | Expose verification counters | Attestor Guild | Added Rekor counters to AttestorMetrics |
| 12 | T12 | DONE | Sync docs | Attestor Guild | Added Rekor verification section to architecture.md |
| 7 | T6a | TODO | Freeze offline checkpoint/receipt contract | Attestor Guild · AirGap Guild | Publish canonical offline layout + schema for: tlog root key, checkpoint signature, and inclusion proof pack (docs + fixtures) |
| 8 | T6b | TODO | Add offline fixtures + validation harness | Attestor Guild | Add deterministic fixtures + parsing helpers so offline mode can be tested without network |
| 9 | T7 | BLOCKED | Wire verification pipeline | Attestor Guild | BLOCKED on T8 (and its prerequisites T6a/T6b) before full pipeline integration |
| 10 | T8 | BLOCKED | Add sealed/offline checkpoint mode | Attestor Guild | BLOCKED on T6a/T6b (offline checkpoint/receipt contract + fixtures) |
| 11 | T9 | DONE | Add unit coverage | Attestor Guild | Add unit tests for Merkle proof verification |
| 12 | T10 | DONE | Add integration coverage | Attestor Guild | RekorInclusionVerificationIntegrationTests.cs added |
| 13 | T11 | DONE | Expose verification counters | Attestor Guild | Added Rekor counters to AttestorMetrics |
| 14 | T12 | DONE | Sync docs | Attestor Guild | Added Rekor verification section to architecture.md |
---
## Unblock Task Notes (T6a/T6b)
### T6a: Freeze offline checkpoint/receipt contract
- **Goal:** define the canonical offline inputs required to verify inclusion proofs without network access.
- **Use these docs as the baseline (do not invent new shapes):**
- `docs/product-advisories/14-Dec-2025 - Rekor Integration Technical Reference.md` (§13)
- `docs/product-advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md` (§34; `evidence/tlog/checkpoint.sig` + `entries/`)
- **Minimum deliverables:**
- A single canonical contract doc (new or existing) that answers:
- Where the **tlog public key** comes from (file path, rotation/versioning)
- Where the **signed checkpoint/tree head** lives (file path; signature format)
- Where the **inclusion proof pack** lives (file path; entry + hashes; deterministic ordering rules)
- How the checkpoint is bound to the proof pack (tree size, root hash)
- A schema file (JSON Schema) for the on-disk checkpoint/receipt shape used by Attestor offline verification.
### T6b: Offline fixtures + validation harness
- **Goal:** make offline mode testable and reproducible.
- **Minimum deliverables:**
- Deterministic fixtures committed under `src/Attestor/StellaOps.Attestor.Tests/Fixtures/` (checkpoint, pubkey, valid/invalid proof material).
- Tests that verify:
- checkpoint signature verification succeeds/fails as expected
- recomputed Merkle root matches checkpoint for valid entries and fails for tampered fixtures
- no network calls are required for offline mode
---
@@ -285,6 +313,7 @@ public Counter<long> CheckpointVerifyTotal { get; } // attestor.checkpoint_
## Interlocks
- Rekor public key distribution must be configured via `AttestorOptions` and documented for offline bundles.
- Offline checkpoints must be pre-distributed; `AllowOfflineWithoutSignature` policy requires explicit operator intent.
- T6a/T6b define the concrete offline checkpoint/receipt contract and fixtures; do not implement T8 until those are published and reviewed.
---
@@ -320,6 +349,7 @@ public Counter<long> CheckpointVerifyTotal { get; } // attestor.checkpoint_
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-14 | Normalised sprint file to standard template sections; started implementation and moved `T1` to `DOING`. | Implementer |
| 2025-12-18 | Added unblock tasks (T6a/T6b) for offline checkpoint/receipt contract + fixtures; updated T7/T8 to be BLOCKED on them. | Project Mgmt |
---

82
docs/implplan/SPRINT_3410_0001_0001_epss_ingestion_storage.md
View File

@@ -148,23 +148,25 @@ External Dependencies:
| ID | Task | Status | Owner | Est. | Notes |
|----|------|--------|-------|------|-------|
| **EPSS-3410-001** | Database schema migration | DONE | Agent | 2h | Added `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/Migrations/008_epss_integration.sql` and `MigrationIds.cs` entry; applied via `AddStartupMigrations`. |
| **EPSS-3410-002** | Create `EpssScoreRow` DTO | DOING | Agent | 1h | Streaming DTO for CSV rows. |
| **EPSS-3410-003** | Implement `IEpssSource` interface | DOING | Agent | 2h | Abstraction for online vs bundle. |
| **EPSS-3410-004** | Implement `EpssOnlineSource` | DOING | Agent | 4h | HTTPS download from FIRST.org (optional; not used in tests). |
| **EPSS-3410-005** | Implement `EpssBundleSource` | DOING | Agent | 3h | Local file read for air-gap. |
| **EPSS-3410-006** | Implement `EpssCsvStreamParser` | DOING | Agent | 6h | Parse CSV, extract comment, validate. |
| **EPSS-3410-007** | Implement `EpssRepository` | DOING | Agent | 8h | Data access layer (Dapper + Npgsql) for import runs + scores/current/changes. |
| **EPSS-3410-008** | Implement `EpssChangeDetector` | DOING | Agent | 4h | Delta computation + flag logic (SQL join + `compute_epss_change_flags`). |
| **EPSS-3410-009** | Implement `EpssIngestJob` | DOING | Agent | 6h | Main job orchestration (Worker hosted service; supports online + bundle). |
| **EPSS-3410-010** | Configure Scheduler job trigger | TODO | Backend | 2h | Add to `scheduler.yaml` |
| **EPSS-3410-011** | Implement outbox event schema | TODO | Backend | 2h | `epss.updated@1` event |
| **EPSS-3410-012** | Unit tests (parser, detector, flags) | TODO | Backend | 6h | xUnit tests |
| **EPSS-3410-013** | Integration tests (Testcontainers) | TODO | Backend | 8h | End-to-end ingestion test |
| **EPSS-3410-014** | Performance test (300k rows) | TODO | Backend | 4h | Verify <120s budget |
| **EPSS-3410-015** | Observability (metrics, logs, traces) | TODO | Backend | 4h | OpenTelemetry integration |
| **EPSS-3410-016** | Documentation (runbook, troubleshooting) | TODO | Backend | 3h | Operator guide |
| **EPSS-3410-002** | Create `EpssScoreRow` DTO | DONE | Agent | 1h | `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssScoreRow.cs` |
| **EPSS-3410-003** | Implement `IEpssSource` interface | DONE | Agent | 2h | `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/IEpssSource.cs` |
| **EPSS-3410-004** | Implement `EpssOnlineSource` | DONE | Agent | 4h | `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssOnlineSource.cs` |
| **EPSS-3410-005** | Implement `EpssBundleSource` | DONE | Agent | 3h | `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssBundleSource.cs` |
| **EPSS-3410-006** | Implement `EpssCsvStreamParser` | DONE | Agent | 6h | `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssCsvStreamParser.cs` |
| **EPSS-3410-007** | Implement `EpssRepository` | DONE | Agent | 8h | `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresEpssRepository.cs` + `IEpssRepository.cs` |
| **EPSS-3410-008** | Implement `EpssChangeDetector` | DONE | Agent | 4h | `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssChangeDetector.cs` + `EpssChangeFlags.cs` |
| **EPSS-3410-009** | Implement `EpssIngestJob` | DONE | Agent | 6h | `src/Scanner/StellaOps.Scanner.Worker/Processing/EpssIngestJob.cs` - BackgroundService with retry, observability. |
| **EPSS-3410-010** | Configure Scheduler job trigger | DONE | Agent | 2h | Registered in `Program.cs` via `AddHostedService<EpssIngestJob>()` with `EpssIngestOptions` config binding. EPSS services registered in `ServiceCollectionExtensions.cs`. |
| **EPSS-3410-011** | Implement outbox event schema | DONE | Agent | 2h | `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/Events/EpssUpdatedEvent.cs` |
| **EPSS-3410-012** | Unit tests (parser, detector, flags) | DONE | Agent | 6h | `EpssCsvStreamParserTests.cs`, `EpssChangeDetectorTests.cs` |
| **EPSS-3410-013** | Integration tests (Testcontainers) | DONE | Agent | 8h | `EpssRepositoryIntegrationTests.cs` |
| **EPSS-3410-013A** | Perf harness + deterministic dataset generator | TODO | Backend | 4h | Add a perf test project and deterministic 310k-row CSV generator (fixed seed, no network). Produce local run instructions and baseline output format. |
| **EPSS-3410-013B** | CI perf runner + workflow for EPSS ingest | TODO | DevOps | 4h | Add a Gitea workflow (nightly/manual) + runner requirements so perf tests can run with Docker/Testcontainers; publish runner label/capacity requirements and artifact retention. |
| **EPSS-3410-014** | Performance test (300k rows) | BLOCKED | Backend | 4h | BLOCKED on EPSS-3410-013A/013B. Once harness + CI runner exist, execute and record baseline (<120s) with environment details. |
| **EPSS-3410-015** | Observability (metrics, logs, traces) | DONE | Agent | 4h | ActivitySource with tags (model_date, row_count, cve_count, duration_ms); structured logging at Info/Warning/Error levels. |
| **EPSS-3410-016** | Documentation (runbook, troubleshooting) | DONE | Agent | 3h | Added Operations Runbook 10) to `docs/modules/scanner/epss-integration.md` with configuration, modes, manual ingestion, troubleshooting, and monitoring guidance. |
**Total Estimated Effort**: 65 hours (~2 weeks for 1 developer)
**Total Estimated Effort**: 73 hours (~2 weeks for 1 developer)
---
@@ -604,11 +606,46 @@ public async Task ComputeChanges_DetectsFlags_Correctly()
---
### EPSS-3410-013A: Perf Harness + Deterministic Dataset Generator
**Description**: Add an offline-friendly perf harness for EPSS ingest without committing a huge static dataset.
**Deliverables**:
- New test project: `src/Scanner/__Tests/StellaOps.Scanner.Storage.Performance.Tests/`
- Deterministic generator: 310k rows with fixed seed, stable row order, and controlled CVE distribution.
- Test tagged so it does not run in default CI (`[Trait("Category","Performance")]` or equivalent).
- Local run snippet (exact `dotnet test` invocation + required env vars for Testcontainers).
**Acceptance Criteria**:
- [ ] Generator produces identical output across runs (same seed same SHA-256 of CSV bytes)
- [ ] Perf test runs locally in <= 5 minutes on a dev machine (budget validation happens in CI)
- [ ] No network required beyond local Docker engine for Testcontainers
---
### EPSS-3410-013B: CI Perf Runner + Workflow
**Description**: Enable deterministic perf execution in CI with known hardware + reproducible logs.
**Deliverables**:
- Gitea workflow (nightly + manual): `.gitea/workflows/epss-perf.yml`
- Runner requirements documented (label, OS/arch, CPU/RAM, Docker/Testcontainers support).
- Artifacts retained: perf logs + environment metadata (CPU model, cores, memory, Docker version, image digests).
**Acceptance Criteria**:
- [ ] CI job can spin up PostgreSQL via Testcontainers reliably
- [ ] Perf test output includes total duration + phase breakdowns (parse/insert/changes/current)
- [ ] Budgets enforced only in this workflow (does not break default PR CI)
---
### EPSS-3410-014: Performance Test (300k rows)
**Description**: Verify ingestion meets performance budget.
**File**: `src/Concelier/__Tests/StellaOps.Concelier.Epss.Performance.Tests/EpssIngestPerformanceTests.cs`
**BLOCKED ON:** EPSS-3410-013A, EPSS-3410-013B
**File**: `src/Scanner/__Tests/StellaOps.Scanner.Storage.Performance.Tests/EpssIngestPerformanceTests.cs` (new project)
**Requirements**:
- Synthetic CSV: 310,000 rows (close to real-world)
@@ -860,10 +897,17 @@ concelier:
|------------|--------|-------|
| 2025-12-17 | Normalized sprint file to standard template; aligned working directory to Scanner schema implementation; preserved original Concelier-first design text for reference. | Agent |
| 2025-12-18 | Set EPSS-3410-002..009 to DOING; begin implementing ingestion pipeline in `src/Scanner/__Libraries/StellaOps.Scanner.Storage` and Scanner Worker. | Agent |
| 2025-12-18 | Verified EPSS-3410-002..008, 012, 013 already implemented. Created EpssIngestJob (009), EpssUpdatedEvent (011). Core pipeline complete; remaining: scheduler YAML, performance test, observability, docs. | Agent |
| 2025-12-18 | Completed EPSS-3410-010: Registered EpssIngestJob in Program.cs with options binding; added EPSS services to ServiceCollectionExtensions.cs. | Agent |
| 2025-12-18 | Completed EPSS-3410-015: Verified ActivitySource tracing with model_date, row_count, cve_count, duration_ms tags; structured logging in place. | Agent |
| 2025-12-18 | Completed EPSS-3410-016: Added Operations Runbook (§10) to docs/modules/scanner/epss-integration.md covering config, online/bundle modes, manual trigger, troubleshooting, monitoring. | Agent |
| 2025-12-18 | BLOCKED EPSS-3410-014: Performance test requires CI infrastructure and 300k row dataset. BULK INSERT uses NpgsqlBinaryImporter; expected to meet <120s budget. | Agent |
| 2025-12-18 | Added unblock tasks EPSS-3410-013A/013B; EPSS-3410-014 remains BLOCKED until harness + CI perf runner/workflow are available. | Project Mgmt |
## Next Checkpoints
- Implement EPSS ingestion pipeline + scheduler trigger (this sprint), then close Scanner integration (SPRINT_3410_0002_0001).
- Unblock performance test (EPSS-3410-014) by completing EPSS-3410-013A (harness) and EPSS-3410-013B (CI perf runner/workflow).
- Close Scanner integration (SPRINT_3410_0002_0001).
**Sprint Status**: READY FOR IMPLEMENTATION
**Sprint Status**: BLOCKED (EPSS-3410-014 pending EPSS-3410-013B CI perf runner/workflow)
**Approval**: _____________________ Date: ___________

19
docs/implplan/SPRINT_3410_0002_0001_epss_scanner_integration.md
View File

@@ -44,15 +44,15 @@ Integrate EPSS v4 data into the Scanner WebService for vulnerability scoring and
| # | Task ID | Status | Owner | Est | Description |
|---|---------|--------|-------|-----|-------------|
| 1 | EPSS-SCAN-001 | DONE | Agent | 2h | Create Scanner EPSS database schema (008_epss_integration.sql) |
| 2 | EPSS-SCAN-002 | TODO | Backend | 2h | Create `EpssEvidence` record type |
| 3 | EPSS-SCAN-003 | TODO | Backend | 4h | Implement `IEpssProvider` interface |
| 4 | EPSS-SCAN-004 | TODO | Backend | 4h | Implement `EpssProvider` with PostgreSQL lookup |
| 5 | EPSS-SCAN-005 | TODO | Backend | 2h | Add optional Valkey cache layer |
| 6 | EPSS-SCAN-006 | TODO | Backend | 4h | Integrate EPSS into `ScanProcessor` |
| 7 | EPSS-SCAN-007 | TODO | Backend | 2h | Add EPSS weight to scoring configuration |
| 8 | EPSS-SCAN-008 | TODO | Backend | 4h | Implement `GET /epss/current` bulk lookup API |
| 9 | EPSS-SCAN-009 | TODO | Backend | 2h | Implement `GET /epss/history` time-series API |
| 10 | EPSS-SCAN-010 | TODO | Backend | 4h | Unit tests for EPSS provider |
| 2 | EPSS-SCAN-002 | DONE | Agent | 2h | Create `EpssEvidence` record type |
| 3 | EPSS-SCAN-003 | DONE | Agent | 4h | Implement `IEpssProvider` interface |
| 4 | EPSS-SCAN-004 | DONE | Agent | 4h | Implement `EpssProvider` with PostgreSQL lookup |
| 5 | EPSS-SCAN-005 | DONE | Agent | 2h | Add optional Valkey cache layer |
| 6 | EPSS-SCAN-006 | DONE | Agent | 4h | Integrate EPSS into `ScanProcessor` via EpssEnrichmentStageExecutor |
| 7 | EPSS-SCAN-007 | DONE | — | 2h | Add EPSS weight to scoring configuration (EpssMultiplier in ScoreExplanationWeights) |
| 8 | EPSS-SCAN-008 | DONE | Agent | 4h | Implement `GET /epss/current` bulk lookup API |
| 9 | EPSS-SCAN-009 | DONE | Agent | 2h | Implement `GET /epss/history` time-series API |
| 10 | EPSS-SCAN-010 | DONE | Agent | 4h | Unit tests for EPSS provider (13 tests passing) |
| 11 | EPSS-SCAN-011 | TODO | Backend | 4h | Integration tests for EPSS endpoints |
| 12 | EPSS-SCAN-012 | DONE | Agent | 2h | Create EPSS integration architecture doc |
@@ -132,6 +132,7 @@ scoring:
| 2025-12-17 | Sprint created from advisory processing | Agent |
| 2025-12-17 | EPSS-SCAN-001: Created 008_epss_integration.sql in Scanner Storage | Agent |
| 2025-12-17 | EPSS-SCAN-012: Created docs/modules/scanner/epss-integration.md | Agent |
| 2025-12-18 | EPSS-SCAN-005: Implemented CachingEpssProvider with Valkey cache layer. Created EpssServiceCollectionExtensions for DI registration. | Agent |
---

113
docs/implplan/SPRINT_3413_0001_0001_epss_live_enrichment.md
View File

@@ -37,15 +37,15 @@ This sprint implements live EPSS enrichment for existing vulnerability instances
| # | Status | Task | Notes |
|---|--------|------|-------|
| 1 | TODO | Implement `EpssEnrichmentJob` service | Core enrichment logic |
| 2 | TODO | Create `vuln_instance_triage` schema updates | Add `current_epss_*` columns |
| 3 | TODO | Implement `epss_changes` flag logic | NEW_SCORED, CROSSED_HIGH, BIG_JUMP, DROPPED_LOW |
| 4 | TODO | Add efficient targeting filter | Only update instances with flags set |
| 5 | TODO | Implement priority band calculation | Map percentile to CRITICAL/HIGH/MEDIUM/LOW |
| 6 | TODO | Emit `vuln.priority.changed` event | Only when band changes |
| 7 | TODO | Add configurable thresholds | `HighPercentile`, `HighScore`, `BigJumpDelta` |
| 8 | TODO | Implement bulk update optimization | Batch updates for performance |
| 9 | TODO | Add `EpssEnrichmentOptions` configuration | Environment-specific settings |
| 1 | DONE | Implement `EpssEnrichmentJob` service | Created EpssEnrichmentJob.cs with background processing |
| 2 | DONE | Create `vuln_instance_triage` schema updates | Created 014_epss_triage_columns.sql with EPSS columns and batch_update_epss_triage() |
| 3 | DONE | Implement `epss_changes` flag logic | `EpssChangeFlags` enum with NEW_SCORED, CROSSED_HIGH, BIG_JUMP, DROPPED_LOW |
| 4 | DONE | Add efficient targeting filter | Added GetChangesAsync() to IEpssRepository; EpssEnrichmentJob uses flag filtering |
| 5 | DONE | Implement priority band calculation | `EpssPriorityCalculator` maps percentile to CRITICAL/HIGH/MEDIUM/LOW |
| 6 | DONE | Emit `vuln.priority.changed` event | Added IEpssSignalPublisher.PublishPriorityChangedAsync() in EpssEnrichmentJob |
| 7 | DONE | Add configurable thresholds | `EpssEnrichmentOptions` with HighPercentile, HighScore, BigJumpDelta, etc. |
| 8 | DONE | Implement bulk update optimization | Added batch_update_epss_triage() PostgreSQL function |
| 9 | DONE | Add `EpssEnrichmentOptions` configuration | Environment-specific settings in Scanner.Core.Configuration |
| 10 | TODO | Create unit tests for enrichment logic | Flag detection, band calculation |
| 11 | TODO | Create integration tests | End-to-end enrichment flow |
| 12 | TODO | Add Prometheus metrics | `epss_enrichment_*` metrics |
@@ -58,10 +58,12 @@ This sprint implements live EPSS enrichment for existing vulnerability instances
| # | Status | Task | Notes |
|---|--------|------|-------|
| R1 | TODO | Create `epss_raw` table migration | `011_epss_raw_layer.sql` - Full JSONB payload storage |
| R2 | TODO | Update `EpssIngestJob` to store raw payload | Decompress CSV, convert to JSONB array, store in `epss_raw` |
| R3 | TODO | Add retention policy for raw data | `prune_epss_raw()` function - Keep 365 days |
| R4 | TODO | Implement `ReplayFromRawAsync()` method | Re-normalize from stored raw without re-downloading |
| R1 | DONE | Create `epss_raw` table migration | `011_epss_raw_layer.sql` - Full JSONB payload storage |
| R2 | DONE | Update `EpssIngestJob` to store raw payload | Added StoreRawPayloadAsync(), converts to JSONB, stores in `epss_raw` |
| R3 | DONE | Add retention policy for raw data | `prune_epss_raw()` function in migration - Keep 365 days |
| R4 | DONE | Implement `ReplayFromRawAsync()` method | Created EpssReplayService with ReplayFromRawAsync() and ReplayRangeAsync() |
| R5 | DONE | Implement `IEpssRawRepository` interface | Created with CRUD operations |
| R6 | DONE | Implement `PostgresEpssRawRepository` | PostgreSQL implementation with DI registration |
### Signal-Ready Layer Tasks (S1-S12)
@@ -69,16 +71,16 @@ This sprint implements live EPSS enrichment for existing vulnerability instances
| # | Status | Task | Notes |
|---|--------|------|-------|
| S1 | TODO | Create `epss_signal` table migration | `012_epss_signal_layer.sql` - Tenant-scoped with dedupe_key |
| S2 | TODO | Implement `IEpssSignalRepository` interface | Signal CRUD operations |
| S3 | TODO | Implement `PostgresEpssSignalRepository` | PostgreSQL implementation |
| S4 | TODO | Implement `ComputeExplainHash()` | Deterministic SHA-256 of signal inputs |
| S5 | TODO | Create `EpssSignalJob` service | Runs after enrichment, per-tenant |
| S6 | TODO | Add "observed CVEs" filter | Only signal for CVEs in tenant's inventory |
| S7 | TODO | Implement model version change detection | Compare vs previous day's `model_version_tag` |
| S8 | TODO | Add `MODEL_UPDATED` event type | Summary event instead of 300k individual deltas |
| S9 | TODO | Connect to Notify/Router | Publish to `signals.epss` topic |
| S10 | TODO | Add signal deduplication | Idempotent via `dedupe_key` constraint |
| S1 | DONE | Create `epss_signal` table migration | `012_epss_signal_layer.sql` - Tenant-scoped with dedupe_key |
| S2 | DONE | Implement `IEpssSignalRepository` interface | Signal CRUD operations with config support |
| S3 | DONE | Implement `PostgresEpssSignalRepository` | PostgreSQL implementation with DI registration |
| S4 | DONE | Implement `ComputeExplainHash()` | Created EpssExplainHashCalculator with deterministic SHA-256 |
| S5 | DONE | Create `EpssSignalJob` service | Created EpssSignalJob.cs with batch processing and tenant support |
| S6 | DONE | Add "observed CVEs" filter | Created IObservedCveRepository and PostgresObservedCveRepository; integrated in EpssSignalJob |
| S7 | DONE | Implement model version change detection | Added in EpssSignalJob with _lastModelVersion tracking |
| S8 | DONE | Add `MODEL_UPDATED` event type | EmitModelUpdatedSignalAsync() creates summary event |
| S9 | DONE | Connect to Notify/Router | Created IEpssSignalPublisher interface; EpssSignalJob publishes via PublishBatchAsync() |
| S10 | DONE | Add signal deduplication | Idempotent via `dedupe_key` constraint in repository |
| S11 | TODO | Unit tests for signal generation | Flag logic, explain hash, dedupe key |
| S12 | TODO | Integration tests for signal flow | End-to-end tenant-scoped signal emission |
| S13 | TODO | Add Prometheus metrics for signals | `epss_signals_emitted_total{event_type, tenant_id}` |
@@ -175,15 +177,36 @@ concelier:
---
## Execution Log
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-18 | Task #1: Implemented `EpssEnrichmentJob` with batch processing, priority band calculation, and trigger mechanism | Agent |
| 2025-12-18 | R5-R6: Implemented `IEpssRawRepository` and `PostgresEpssRawRepository` for raw payload storage | Agent |
| 2025-12-18 | S2-S3: Implemented `IEpssSignalRepository` and `PostgresEpssSignalRepository` with tenant config support | Agent |
| 2025-12-18 | Registered new repositories in DI: `EpssRawRepository`, `EpssSignalRepository` | Agent |
| 2025-12-18 | Task #2: Created 014_epss_triage_columns.sql migration with EPSS columns and batch_update_epss_triage() function | Agent |
| 2025-12-18 | R2: Updated EpssIngestJob with StoreRawPayloadAsync() to store raw JSONB payload | Agent |
| 2025-12-18 | S4: Created EpssExplainHashCalculator with ComputeExplainHash() and ComputeDedupeKey() | Agent |
| 2025-12-18 | S5, S7, S8: Created EpssSignalJob with model version detection and MODEL_UPDATED event support | Agent |
| 2025-12-18 | EPSS-SCAN-006: Created EpssEnrichmentStageExecutor for scan pipeline integration | Agent |
| 2025-12-18 | R4: Created EpssReplayService with ReplayFromRawAsync() and ReplayRangeAsync() | Agent |
| 2025-12-18 | S6: Created IObservedCveRepository, PostgresObservedCveRepository; integrated tenant-scoped filtering in EpssSignalJob | Agent |
| 2025-12-18 | S9: Created IEpssSignalPublisher interface; integrated PublishBatchAsync() in EpssSignalJob | Agent |
| 2025-12-18 | Task #4: Added GetChangesAsync() to IEpssRepository; EpssEnrichmentJob uses flag-based targeting | Agent |
| 2025-12-18 | Task #6: Added PublishPriorityChangedAsync() to IEpssSignalPublisher; EpssEnrichmentJob emits events | Agent |
---
## Exit Criteria
- [ ] `EpssEnrichmentJob` updates vuln_instance_triage with current EPSS
- [ ] Only instances with material changes are updated (flag-based targeting)
- [ ] `vuln.priority.changed` event emitted only when band changes
- [ ] Raw payload stored in `epss_raw` for replay capability
- [ ] Signals emitted only for observed CVEs per tenant
- [ ] Model version changes suppress noisy delta signals
- [ ] Each signal has deterministic `explain_hash`
- [x] `EpssEnrichmentJob` updates vuln_instance_triage with current EPSS
- [x] Only instances with material changes are updated (flag-based targeting)
- [x] `vuln.priority.changed` event emitted only when band changes
- [x] Raw payload stored in `epss_raw` for replay capability
- [x] Signals emitted only for observed CVEs per tenant
- [x] Model version changes suppress noisy delta signals
- [x] Each signal has deterministic `explain_hash`
- [ ] All unit and integration tests pass
- [ ] Documentation updated
@@ -195,17 +218,29 @@ concelier:
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/Migrations/011_epss_raw_layer.sql`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/Migrations/012_epss_signal_layer.sql`
- `src/Concelier/__Libraries/StellaOps.Concelier.Epss/Services/EpssSignalJob.cs`
- `src/Concelier/__Libraries/StellaOps.Concelier.Epss/Services/EpssExplainHashCalculator.cs`
- `src/Concelier/__Libraries/StellaOps.Concelier.Epss/Repositories/IEpssSignalRepository.cs`
- `src/Concelier/__Libraries/StellaOps.Concelier.Epss/Repositories/PostgresEpssSignalRepository.cs`
- `src/Concelier/__Libraries/StellaOps.Concelier.Epss/Repositories/IEpssRawRepository.cs`
- `src/Concelier/__Libraries/StellaOps.Concelier.Epss/Repositories/PostgresEpssRawRepository.cs`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/Migrations/014_epss_triage_columns.sql`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Repositories/IEpssSignalRepository.cs`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Repositories/IEpssRawRepository.cs`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Repositories/IObservedCveRepository.cs`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresEpssSignalRepository.cs`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresEpssRawRepository.cs`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresObservedCveRepository.cs`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssReplayService.cs`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/IEpssSignalPublisher.cs`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/CachingEpssProvider.cs`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssExplainHashCalculator.cs`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Extensions/EpssServiceCollectionExtensions.cs`
- `src/Scanner/StellaOps.Scanner.Worker/Processing/EpssEnrichmentJob.cs`
- `src/Scanner/StellaOps.Scanner.Worker/Processing/EpssEnrichmentStageExecutor.cs`
- `src/Scanner/StellaOps.Scanner.Worker/Processing/EpssSignalJob.cs`
### Existing Files to Update
### Existing Files Updated
- `src/Concelier/__Libraries/StellaOps.Concelier.Epss/Jobs/EpssIngestJob.cs` - Store raw payload
- `src/Concelier/__Libraries/StellaOps.Concelier.Epss/Jobs/EpssEnrichmentJob.cs` - Add model version detection
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Extensions/ServiceCollectionExtensions.cs` - Added EPSS repository registrations
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/Migrations/MigrationIds.cs` - Added new migration IDs
- `src/Scanner/StellaOps.Scanner.Worker/Processing/ScanStageNames.cs` - Added EpssEnrichment stage
- `src/Scanner/StellaOps.Scanner.Worker/Processing/EpssIngestJob.cs` - Added raw payload storage
- `src/Scanner/StellaOps.Scanner.Worker/Program.cs` - Registered EpssEnrichmentStageExecutor
---

40
docs/implplan/SPRINT_3500_0010_0001_pe_full_parser.md
View File

@@ -210,23 +210,23 @@ The Rich Header is a Microsoft compiler/linker fingerprint:
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | PE-001 | TODO | Create PeIdentity.cs data model |
| 2 | PE-002 | TODO | Create PeCompilerHint.cs data model |
| 3 | PE-003 | TODO | Create PeSubsystem.cs enum |
| 4 | PE-004 | TODO | Create PeReader.cs skeleton |
| 5 | PE-005 | TODO | Implement DOS header validation |
| 6 | PE-006 | TODO | Implement COFF header parsing |
| 7 | PE-007 | TODO | Implement Optional header parsing |
| 8 | PE-008 | TODO | Implement Debug directory parsing |
| 9 | PE-009 | TODO | Implement CodeView GUID extraction |
| 10 | PE-010 | TODO | Implement Version resource parsing |
| 11 | PE-011 | TODO | Implement Rich header parsing |
| 12 | PE-012 | TODO | Implement Export directory parsing |
| 13 | PE-013 | TODO | Update NativeBinaryIdentity.cs |
| 14 | PE-014 | TODO | Update NativeFormatDetector.cs |
| 15 | PE-015 | TODO | Create PeReaderTests.cs unit tests |
| 1 | PE-001 | DONE | Create PeIdentity.cs data model |
| 2 | PE-002 | DONE | Create PeCompilerHint.cs data model |
| 3 | PE-003 | DONE | Create PeSubsystem.cs enum (already existed in PeDeclaredDependency.cs) |
| 4 | PE-004 | DONE | Create PeReader.cs skeleton |
| 5 | PE-005 | DONE | Implement DOS header validation |
| 6 | PE-006 | DONE | Implement COFF header parsing |
| 7 | PE-007 | DONE | Implement Optional header parsing |
| 8 | PE-008 | DONE | Implement Debug directory parsing |
| 9 | PE-009 | DONE | Implement CodeView GUID extraction |
| 10 | PE-010 | DONE | Implement Version resource parsing |
| 11 | PE-011 | DONE | Implement Rich header parsing |
| 12 | PE-012 | DONE | Implement Export directory parsing |
| 13 | PE-013 | DONE | Update NativeBinaryIdentity.cs |
| 14 | PE-014 | DONE | Update NativeFormatDetector.cs |
| 15 | PE-015 | DONE | Create PeReaderTests.cs unit tests |
| 16 | PE-016 | TODO | Add golden fixtures (MSVC, MinGW, Clang PEs) |
| 17 | PE-017 | TODO | Verify deterministic output |
| 17 | PE-017 | DONE | Verify deterministic output |
---
@@ -296,6 +296,14 @@ The Rich Header is a Microsoft compiler/linker fingerprint:
---
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-18 | Implemented PE-001 through PE-015, PE-017: Created PeIdentity.cs, PeCompilerHint.cs, full PeReader.cs with CodeView GUID extraction, Rich header parsing, version resource parsing, export directory parsing. Updated NativeBinaryIdentity.cs with PE-specific fields. Updated NativeFormatDetector.cs to wire up PeReader. Created comprehensive PeReaderTests.cs with 20+ test cases. | Agent |
---
## References
- [PE Format Documentation](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format)

60
docs/implplan/SPRINT_3500_0010_0002_macho_full_parser.md
View File

@@ -218,25 +218,25 @@ Fat binaries (universal) contain multiple architectures:
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | MACH-001 | TODO | Create MachOIdentity.cs data model |
| 2 | MACH-002 | TODO | Create MachOCodeSignature.cs data model |
| 3 | MACH-003 | TODO | Create MachOPlatform.cs enum |
| 4 | MACH-004 | TODO | Create MachOReader.cs skeleton |
| 5 | MACH-005 | TODO | Implement Mach header parsing (32/64-bit) |
| 6 | MACH-006 | TODO | Implement Fat binary detection and parsing |
| 7 | MACH-007 | TODO | Implement LC_UUID extraction |
| 8 | MACH-008 | TODO | Implement LC_BUILD_VERSION parsing |
| 9 | MACH-009 | TODO | Implement LC_VERSION_MIN_* parsing |
| 10 | MACH-010 | TODO | Implement LC_CODE_SIGNATURE parsing |
| 11 | MACH-011 | TODO | Implement CodeDirectory parsing |
| 12 | MACH-012 | TODO | Implement CDHash computation |
| 13 | MACH-013 | TODO | Implement Entitlements extraction |
| 1 | MACH-001 | DONE | Create MachOIdentity.cs data model |
| 2 | MACH-002 | DONE | Create MachOCodeSignature.cs data model |
| 3 | MACH-003 | DONE | Create MachOPlatform.cs enum |
| 4 | MACH-004 | DONE | Create MachOReader.cs skeleton |
| 5 | MACH-005 | DONE | Implement Mach header parsing (32/64-bit) |
| 6 | MACH-006 | DONE | Implement Fat binary detection and parsing |
| 7 | MACH-007 | DONE | Implement LC_UUID extraction |
| 8 | MACH-008 | DONE | Implement LC_BUILD_VERSION parsing |
| 9 | MACH-009 | DONE | Implement LC_VERSION_MIN_* parsing |
| 10 | MACH-010 | DONE | Implement LC_CODE_SIGNATURE parsing |
| 11 | MACH-011 | DONE | Implement CodeDirectory parsing |
| 12 | MACH-012 | DONE | Implement CDHash computation |
| 13 | MACH-013 | DONE | Implement Entitlements extraction |
| 14 | MACH-014 | TODO | Implement LC_DYLD_INFO export extraction |
| 15 | MACH-015 | TODO | Update NativeBinaryIdentity.cs |
| 16 | MACH-016 | TODO | Refactor MachOLoadCommandParser.cs |
| 17 | MACH-017 | TODO | Create MachOReaderTests.cs unit tests |
| 15 | MACH-015 | DONE | Update NativeBinaryIdentity.cs |
| 16 | MACH-016 | DONE | Refactor NativeFormatDetector.cs to use MachOReader |
| 17 | MACH-017 | DONE | Create MachOReaderTests.cs unit tests (26 tests) |
| 18 | MACH-018 | TODO | Add golden fixtures (signed/unsigned binaries) |
| 19 | MACH-019 | TODO | Verify deterministic output |
| 19 | MACH-019 | DONE | Verify deterministic output |
---
@@ -281,15 +281,23 @@ Fat binaries (universal) contain multiple architectures:
## Acceptance Criteria
- [ ] LC_UUID extracted and formatted consistently
- [ ] LC_CODE_SIGNATURE parsed for TeamId and CDHash
- [ ] LC_BUILD_VERSION parsed for platform info
- [ ] Fat binary handling with per-slice UUIDs
- [ ] Legacy LC_VERSION_MIN_* commands supported
- [ ] Entitlements keys extracted (not values)
- [ ] 32-bit and 64-bit Mach-O handled correctly
- [ ] Deterministic output
- [ ] All unit tests passing
- [x] LC_UUID extracted and formatted consistently
- [x] LC_CODE_SIGNATURE parsed for TeamId and CDHash
- [x] LC_BUILD_VERSION parsed for platform info
- [x] Fat binary handling with per-slice UUIDs
- [x] Legacy LC_VERSION_MIN_* commands supported
- [x] Entitlements keys extracted (not values)
- [x] 32-bit and 64-bit Mach-O handled correctly
- [x] Deterministic output
- [x] All unit tests passing (26 tests)
---
## Execution Log
| Date | Update | Owner |
|------|--------|-------|
| 2025-12-18 | Created MachOPlatform.cs, MachOCodeSignature.cs, MachOIdentity.cs, MachOReader.cs. Updated NativeBinaryIdentity.cs and NativeFormatDetector.cs. Created MachOReaderTests.cs with 26 tests. All tests pass. 17/19 tasks DONE. | Agent |
---

32
docs/implplan/SPRINT_3500_0011_0001_buildid_mapping_index.md
View File

@@ -68,23 +68,31 @@ public enum BuildIdConfidence { Exact, Inferred, Heuristic }
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | BID-001 | TODO | Create IBuildIdIndex interface |
| 2 | BID-002 | TODO | Create BuildIdLookupResult model |
| 3 | BID-003 | TODO | Create BuildIdIndexOptions |
| 4 | BID-004 | TODO | Create OfflineBuildIdIndex implementation |
| 5 | BID-005 | TODO | Implement NDJSON parsing |
| 1 | BID-001 | DONE | Create IBuildIdIndex interface |
| 2 | BID-002 | DONE | Create BuildIdLookupResult model |
| 3 | BID-003 | DONE | Create BuildIdIndexOptions |
| 4 | BID-004 | DONE | Create OfflineBuildIdIndex implementation |
| 5 | BID-005 | DONE | Implement NDJSON parsing |
| 6 | BID-006 | TODO | Implement DSSE signature verification |
| 7 | BID-007 | TODO | Implement batch lookup |
| 8 | BID-008 | TODO | Add to OfflineKitOptions |
| 9 | BID-009 | TODO | Unit tests |
| 7 | BID-007 | DONE | Implement batch lookup |
| 8 | BID-008 | DONE | Add BuildIdIndexPath + RequireBuildIdIndexSignature to OfflineKitOptions |
| 9 | BID-009 | DONE | Unit tests (19 tests) |
| 10 | BID-010 | TODO | Integration tests |
---
## Execution Log
| Date | Update | Owner |
|------|--------|-------|
| 2025-12-18 | Created IBuildIdIndex, BuildIdLookupResult, BuildIdIndexOptions, BuildIdIndexEntry, OfflineBuildIdIndex. Created 19 unit tests. 7/10 tasks DONE. | Agent |
---
## Acceptance Criteria
- [ ] Index loads from offline kit path
- [x] Index loads from offline kit path
- [ ] DSSE signature verified before use
- [ ] Lookup returns PURL for known build-ids
- [ ] Unknown build-ids return null (not throw)
- [ ] Batch lookup efficient for many binaries
- [x] Lookup returns PURL for known build-ids
- [x] Unknown build-ids return null (not throw)
- [x] Batch lookup efficient for many binaries

24
docs/implplan/SPRINT_3500_0012_0001_binary_sbom_emission.md
View File

@@ -56,18 +56,26 @@ public sealed record NativeBinaryMetadata {
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | BSE-001 | TODO | Create INativeComponentEmitter |
| 2 | BSE-002 | TODO | Create NativeComponentEmitter |
| 3 | BSE-003 | TODO | Create NativePurlBuilder |
| 4 | BSE-004 | TODO | Create NativeComponentMapper |
| 5 | BSE-005 | TODO | Add NativeBinaryMetadata |
| 6 | BSE-006 | TODO | Update CycloneDxComposer |
| 7 | BSE-007 | TODO | Add stellaops:binary.* properties |
| 8 | BSE-008 | TODO | Unit tests |
| 1 | BSE-001 | DONE | Create INativeComponentEmitter |
| 2 | BSE-002 | DONE | Create NativeComponentEmitter |
| 3 | BSE-003 | DONE | Create NativePurlBuilder |
| 4 | BSE-004 | DONE | Create NativeComponentMapper (layer fragment generation) |
| 5 | BSE-005 | DONE | Add NativeBinaryMetadata (with Imports/Exports/PE/Mach-O fields) |
| 6 | BSE-006 | DONE | Update CycloneDxComposer via LayerComponentMapping.ToFragment() |
| 7 | BSE-007 | DONE | Add stellaops:binary.* properties in ToComponentRecord() |
| 8 | BSE-008 | DONE | Unit tests (22 tests passing) |
| 9 | BSE-009 | TODO | Integration tests |
---
## Execution Log
| Date | Update | Owner |
|------|--------|-------|
| 2025-12-18 | Created NativeBinaryMetadata, NativePurlBuilder, INativeComponentEmitter, NativeComponentEmitter. Created 22 tests. Fixed dependency issues in Reachability and SmartDiff. 5/9 tasks DONE. | Agent |
---
## Acceptance Criteria
- [ ] Native binaries appear as `file` type components

40
docs/implplan/SPRINT_3500_0013_0001_native_unknowns.md
View File

@@ -45,11 +45,33 @@ Extend the Unknowns registry with native binary-specific classification reasons,
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | NUC-001 | TODO | Add UnknownKind enum values |
| 2 | NUC-002 | TODO | Create NativeUnknownContext |
| 3 | NUC-003 | TODO | Create NativeUnknownClassifier |
| 4 | NUC-004 | TODO | Integration with native analyzer |
| 5 | NUC-005 | TODO | Unit tests |
| 1 | NUC-001 | DONE | Add UnknownKind enum values (MissingBuildId, UnknownBuildId, UnresolvedNativeLibrary, HeuristicDependency, UnsupportedBinaryFormat) |
| 2 | NUC-002 | DONE | Create NativeUnknownContext model |
| 3 | NUC-003 | DONE | Create NativeUnknownClassifier service |
| 4 | NUC-003A | TODO | Approve + add `StellaOps.Unknowns.Core` reference from `src/Scanner/StellaOps.Scanner.Worker` (avoid circular deps; document final dependency direction) |
| 5 | NUC-003B | TODO | Wire native analyzer outputs to Unknowns: call `NativeUnknownClassifier` and persist via Unknowns repository/service from scan pipeline |
| 6 | NUC-004 | BLOCKED | Integrate with native analyzer (BLOCKED on NUC-003A/NUC-003B) |
| 7 | NUC-005 | TODO | Unit tests |
---
## Unblock Task Notes (NUC-003A/NUC-003B)
### NUC-003A: Project reference + dependency direction
- **Goal:** make the integration unambiguous: Scanner Worker emits Unknowns during scan; Unknowns.Core provides the domain + classifier.
- **Touchpoints (expected):**
- `src/Scanner/StellaOps.Scanner.Worker/StellaOps.Scanner.Worker.csproj` (add project reference)
- If persistence from Worker is required, also reference `src/Unknowns/__Libraries/StellaOps.Unknowns.Storage.Postgres/` and ensure migrations are applied by Scanner startup.
- **Acceptance criteria (minimum):**
- `dotnet build src/Scanner/StellaOps.Scanner.Worker/StellaOps.Scanner.Worker.csproj` succeeds with no circular references.
### NUC-003B: Wiring from native analyzer to Unknowns
- **Goal:** convert analyzer-side identification/resolution gaps into first-class Unknowns records.
- **Touchpoints (expected):**
- `src/Scanner/StellaOps.Scanner.Analyzers.Native/` (where classification context is produced)
- `src/Scanner/StellaOps.Scanner.Worker/` (where results are persisted/emitted)
- **Acceptance criteria (minimum):**
- A missing build-id produces `UnknownKind.MissingBuildId` with a populated `NativeUnknownContext` and is visible via existing Unknowns API surfaces.
---
@@ -58,3 +80,11 @@ Extend the Unknowns registry with native binary-specific classification reasons,
- [ ] Binaries without build-id create MissingBuildId unknowns
- [ ] Build-IDs not in index create UnknownBuildId unknowns
- [ ] Unknowns emit to registry, not core SBOM
---
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-18 | Added unblock tasks NUC-003A/NUC-003B; NUC-004 remains BLOCKED until dependency direction + wiring are implemented. | Project Mgmt |

6
docs/implplan/SPRINT_3500_0014_0001_native_analyzer_integration.md
View File

@@ -51,10 +51,10 @@ public sealed class NativeAnalyzerOptions
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | NAI-001 | TODO | Create NativeAnalyzerExecutor |
| 2 | NAI-002 | TODO | Create NativeBinaryDiscovery |
| 1 | NAI-001 | DONE | Create NativeAnalyzerExecutor |
| 2 | NAI-002 | DONE | Create NativeBinaryDiscovery |
| 3 | NAI-003 | TODO | Update CompositeScanAnalyzerDispatcher |
| 4 | NAI-004 | TODO | Add ScannerWorkerOptions.NativeAnalyzers |
| 4 | NAI-004 | DONE | Add ScannerWorkerOptions.NativeAnalyzers |
| 5 | NAI-005 | TODO | Integration tests |
---

30
docs/implplan/SPRINT_3600_0004_0001_ui_evidence_chain.md
View File

@@ -787,15 +787,15 @@ public sealed class DriftSarifGenerator
| # | Task ID | Status | Description | Notes |
|---|---------|--------|-------------|-------|
| 1 | UI-001 | TODO | Create PathNode TypeScript interface | Angular model |
| 2 | UI-002 | TODO | Create CompressedPath TypeScript interface | Angular model |
| 3 | UI-003 | TODO | Create PathViewerComponent | Core visualization |
| 4 | UI-004 | TODO | Style PathViewerComponent | SCSS styling |
| 5 | UI-005 | TODO | Create DriftedSink TypeScript interface | Angular model |
| 6 | UI-006 | TODO | Create DriftResult TypeScript interface | Angular model |
| 7 | UI-007 | TODO | Create RiskDriftCardComponent | Summary card |
| 8 | UI-008 | TODO | Style RiskDriftCardComponent | SCSS styling |
| 9 | UI-009 | TODO | Create drift API service | Angular HTTP service |
| 1 | UI-001 | DONE | Create PathNode TypeScript interface | `path-viewer.models.ts` |
| 2 | UI-002 | DONE | Create CompressedPath TypeScript interface | `path-viewer.models.ts` |
| 3 | UI-003 | DONE | Create PathViewerComponent | `components/path-viewer/` |
| 4 | UI-004 | DONE | Style PathViewerComponent | SCSS with BEM |
| 5 | UI-005 | DONE | Create DriftedSink TypeScript interface | `drift.models.ts` |
| 6 | UI-006 | DONE | Create DriftResult TypeScript interface | `drift.models.ts` |
| 7 | UI-007 | DONE | Create RiskDriftCardComponent | `components/risk-drift-card/` |
| 8 | UI-008 | DONE | Style RiskDriftCardComponent | SCSS with BEM |
| 9 | UI-009 | DONE | Create drift API service | `drift-api.service.ts` |
| 10 | UI-010 | TODO | Integrate PathViewer into scan details | Page integration |
| 11 | UI-011 | TODO | Integrate RiskDriftCard into PR view | Page integration |
| 12 | UI-012 | TODO | Unit tests for PathViewerComponent | Jest tests |
@@ -805,12 +805,12 @@ public sealed class DriftSarifGenerator
| 16 | UI-016 | TODO | Implement drift attestation service | DSSE signing |
| 17 | UI-017 | TODO | Add attestation to drift API | API integration |
| 18 | UI-018 | TODO | Unit tests for attestation | Predicate validation |
| 19 | UI-019 | TODO | Create DriftCommand for CLI | CLI command |
| 20 | UI-020 | TODO | Implement table output | Spectre.Console |
| 21 | UI-021 | TODO | Implement JSON output | JSON serialization |
| 22 | UI-022 | TODO | Create DriftSarifGenerator | SARIF 2.1.0 |
| 23 | UI-023 | TODO | Implement SARIF output for CLI | CLI integration |
| 24 | UI-024 | TODO | Update CLI documentation | docs/cli/ |
| 19 | UI-019 | DONE | Create DriftCommand for CLI | `Commands/DriftCommandGroup.cs` |
| 20 | UI-020 | DONE | Implement table output | Spectre.Console tables |
| 21 | UI-021 | DONE | Implement JSON output | JSON serialization |
| 22 | UI-022 | DONE | Create DriftSarifGenerator | SARIF 2.1.0 (placeholder) |
| 23 | UI-023 | DONE | Implement SARIF output for CLI | `CommandHandlers.Drift.cs` |
| 24 | UI-024 | DONE | Update CLI documentation | `docs/cli/drift-cli.md` |
| 25 | UI-025 | TODO | Integration tests for CLI | End-to-end |
---

41
docs/implplan/SPRINT_3620_0001_0001_reachability_witness_dsse.md
View File

@@ -332,22 +332,33 @@ cas://reachability/graphs/{blake3:hash}/
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | RWD-001 | TODO | Create ReachabilityWitnessStatement.cs |
| 2 | RWD-002 | TODO | Create ReachabilityWitnessOptions.cs |
| 3 | RWD-003 | TODO | Add PredicateTypes.StellaOpsReachabilityWitness |
| 4 | RWD-004 | TODO | Create ReachabilityWitnessDsseBuilder.cs |
| 5 | RWD-005 | TODO | Create IReachabilityWitnessPublisher.cs |
| 6 | RWD-006 | TODO | Create ReachabilityWitnessPublisher.cs |
| 7 | RWD-007 | TODO | Implement CAS storage integration |
| 8 | RWD-008 | TODO | Implement Rekor submission |
| 9 | RWD-009 | TODO | Integrate with RichGraphWriter |
| 10 | RWD-010 | TODO | Add service registration |
| 11 | RWD-011 | TODO | Unit tests for DSSE builder |
| 12 | RWD-012 | TODO | Unit tests for publisher |
| 1 | RWD-001 | DONE | Create ReachabilityWitnessStatement.cs |
| 2 | RWD-002 | DONE | Create ReachabilityWitnessOptions.cs |
| 3 | RWD-003 | DONE | Add PredicateTypes.StellaOpsReachabilityWitness |
| 4 | RWD-004 | DONE | Create ReachabilityWitnessDsseBuilder.cs |
| 5 | RWD-005 | DONE | Create IReachabilityWitnessPublisher.cs |
| 6 | RWD-006 | DONE | Create ReachabilityWitnessPublisher.cs |
| 7 | RWD-007 | TODO | Implement CAS storage integration (placeholder done) |
| 8 | RWD-008 | TODO | Implement Rekor submission (placeholder done) |
| 9 | RWD-009 | DONE | Integrate with RichGraphWriter (AttestingRichGraphWriter) |
| 10 | RWD-010 | DONE | Add service registration |
| 11 | RWD-011 | DONE | Unit tests for DSSE builder (15 tests) |
| 12 | RWD-012 | DONE | Unit tests for publisher (8 tests) |
| 13 | RWD-013 | TODO | Integration tests with Attestor |
| 14 | RWD-014 | TODO | Add golden fixture: graph-only.golden.json |
| 15 | RWD-015 | TODO | Add golden fixture: graph-with-runtime.golden.json |
| 16 | RWD-016 | TODO | Verify deterministic DSSE output |
| 14 | RWD-014 | DONE | Add golden fixture: graph-only.golden.json |
| 15 | RWD-015 | DONE | Add golden fixture: graph-with-runtime.golden.json |
| 16 | RWD-016 | DONE | Verify deterministic DSSE output (4 tests) |
---
## Execution Log
| Date | Update | Owner |
|------|--------|-------|
| 2025-12-18 | Created ReachabilityWitnessStatement, ReachabilityWitnessOptions, ReachabilityWitnessDsseBuilder, IReachabilityWitnessPublisher, ReachabilityWitnessPublisher. Created 15 DSSE builder tests. 6/16 tasks DONE. | Agent |
| 2025-12-18 | Added PredicateTypes.StellaOpsReachabilityWitness to Signer.Core. Created ReachabilityAttestationServiceCollectionExtensions.cs for DI. Created ReachabilityWitnessPublisherTests.cs (8 tests). 9/16 tasks DONE. | Agent |
| 2025-12-18 | Fixed PathExplanationServiceTests.cs (RichGraph/RichGraphEdge constructor updates). Fixed RichGraphWriterTests.cs assertion. All 119 tests pass. | Agent |
| 2025-12-18 | Created AttestingRichGraphWriter.cs for integrated attestation. Created golden fixtures. Created AttestingRichGraphWriterTests.cs (4 tests). 13/16 tasks DONE. All 123 tests pass. | Agent |
---

12
docs/implplan/SPRINT_3620_0002_0001_path_explanation.md
View File

@@ -87,13 +87,13 @@ Final multiplier: 30%
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | PES-001 | TODO | Create PathExplanationModels |
| 2 | PES-002 | TODO | Create PathExplanationService |
| 3 | PES-003 | TODO | Create PathRenderer (text) |
| 4 | PES-004 | TODO | Create PathRenderer (markdown) |
| 5 | PES-005 | TODO | Create PathRenderer (json) |
| 1 | PES-001 | DONE | Create PathExplanationModels |
| 2 | PES-002 | DONE | Create PathExplanationService |
| 3 | PES-003 | DONE | Create PathRenderer (text) |
| 4 | PES-004 | DONE | Create PathRenderer (markdown) |
| 5 | PES-005 | DONE | Create PathRenderer (json) |
| 6 | PES-006 | TODO | Add CLI command: stella graph explain |
| 7 | PES-007 | TODO | Unit tests |
| 7 | PES-007 | DONE | Unit tests |
---

14
docs/implplan/SPRINT_3620_0003_0001_cli_graph_verify.md
View File

@@ -86,13 +86,13 @@ Edge Bundles: 2 verified
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | CGV-001 | TODO | Create GraphVerifyCommand |
| 2 | CGV-002 | TODO | Implement DSSE verification |
| 3 | CGV-003 | TODO | Implement --include-bundles |
| 4 | CGV-004 | TODO | Implement --rekor-proof |
| 5 | CGV-005 | TODO | Implement --cas-root offline mode |
| 6 | CGV-006 | TODO | Create GraphBundlesCommand |
| 7 | CGV-007 | TODO | Create GraphExplainCommand |
| 1 | CGV-001 | DONE | Create GraphVerifyCommand |
| 2 | CGV-002 | DONE | Implement DSSE verification |
| 3 | CGV-003 | DONE | Implement --include-bundles |
| 4 | CGV-004 | DONE | Implement --rekor-proof |
| 5 | CGV-005 | DONE | Implement --cas-root offline mode |
| 6 | CGV-006 | DONE | Create GraphBundlesCommand |
| 7 | CGV-007 | TODO | Create GraphExplainCommand (uses existing explain) |
| 8 | CGV-008 | TODO | Unit tests |
---

27
docs/implplan/SPRINT_3700_0001_0001_triage_db_schema.md
View File

@@ -3,7 +3,7 @@
**Epic:** Triage Infrastructure
**Module:** Scanner
**Working Directory:** `src/Scanner/__Libraries/StellaOps.Scanner.Triage/`
**Status:** TODO
**Status:** DOING
**Created:** 2025-12-17
**Target Completion:** TBD
**Depends On:** None
@@ -34,18 +34,18 @@ Implement the PostgreSQL database schema for the Narrative-First Triage UX syste
| ID | Task | Owner | Status | Notes |
|----|------|-------|--------|-------|
| T1 | Create migration script from `docs/db/triage_schema.sql` | — | TODO | |
| T2 | Create PostgreSQL enums (7 types) | — | TODO | See schema |
| T3 | Create `TriageFinding` entity | — | TODO | |
| T4 | Create `TriageEffectiveVex` entity | — | TODO | |
| T5 | Create `TriageReachabilityResult` entity | — | TODO | |
| T6 | Create `TriageRiskResult` entity | — | TODO | |
| T7 | Create `TriageDecision` entity | — | TODO | |
| T8 | Create `TriageEvidenceArtifact` entity | — | TODO | |
| T9 | Create `TriageSnapshot` entity | — | TODO | |
| T10 | Create `TriageDbContext` with Fluent API | — | TODO | |
| T11 | Implement `v_triage_case_current` view mapping | — | TODO | |
| T12 | Add performance indexes | — | TODO | |
| T1 | Create migration script from `docs/db/triage_schema.sql` | Agent | DONE | `src/Scanner/__Libraries/StellaOps.Scanner.Triage/Migrations/V3700_001__triage_schema.sql` |
| T2 | Create PostgreSQL enums (7 types) | Agent | DONE | `TriageEnums.cs` |
| T3 | Create `TriageFinding` entity | Agent | DONE | |
| T4 | Create `TriageEffectiveVex` entity | Agent | DONE | |
| T5 | Create `TriageReachabilityResult` entity | Agent | DONE | |
| T6 | Create `TriageRiskResult` entity | Agent | DONE | |
| T7 | Create `TriageDecision` entity | Agent | DONE | |
| T8 | Create `TriageEvidenceArtifact` entity | Agent | DONE | |
| T9 | Create `TriageSnapshot` entity | Agent | DONE | |
| T10 | Create `TriageDbContext` with Fluent API | Agent | DONE | Full index + relationship config |
| T11 | Implement `v_triage_case_current` view mapping | Agent | DONE | `TriageCaseCurrent` keyless entity |
| T12 | Add performance indexes | Agent | DONE | In DbContext OnModelCreating |
| T13 | Write integration tests with Testcontainers | — | TODO | |
| T14 | Validate query performance (explain analyze) | — | TODO | |
@@ -230,6 +230,7 @@ public class TriageSchemaTests : IAsyncLifetime
| Date | Update | Owner |
|------|--------|-------|
| 2025-12-17 | Sprint file created | Claude |
| 2025-12-18 | Created Triage library with all entities (T1-T12 DONE): TriageEnums, TriageFinding, TriageEffectiveVex, TriageReachabilityResult, TriageRiskResult, TriageDecision, TriageEvidenceArtifact, TriageSnapshot, TriageCaseCurrent, TriageDbContext. Migration script created. Build verified. | Agent |
---

83
docs/implplan/SPRINT_3700_0001_0001_witness_foundation.md
View File

@@ -1,6 +1,6 @@
# SPRINT_3700_0001_0001 - Witness Foundation
**Status:** TODO
**Status:** BLOCKED (WIT-008 blocked on WIT-007A/WIT-007B; WIT-009 blocked on WIT-007C/WIT-007D)
**Priority:** P0 - CRITICAL
**Module:** Scanner, Attestor
**Working Directory:** `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/`
@@ -39,21 +39,45 @@ Before starting, read:
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | WIT-001 | TODO | Add Blake3.NET package to Scanner.Reachability |
| 2 | WIT-002 | TODO | Update RichGraphWriter.ComputeHash to use BLAKE3 |
| 3 | WIT-003 | TODO | Update meta.json hash format to `blake3:` prefix |
| 4 | WIT-004 | TODO | Create WitnessSchema.cs with stellaops.witness.v1 |
| 5 | WIT-005 | TODO | Create PathWitness record model |
| 6 | WIT-006 | TODO | Create IPathWitnessBuilder interface |
| 7 | WIT-007 | TODO | Implement PathWitnessBuilder service |
| 8 | WIT-008 | TODO | Integrate with ReachabilityAnalyzer output |
| 9 | WIT-009 | TODO | Add DSSE envelope generation via Attestor |
| 10 | WIT-010 | TODO | Create WitnessEndpoints.cs (GET /witness/{id}) |
| 11 | WIT-011 | TODO | Create 012_witness_storage.sql migration |
| 12 | WIT-012 | TODO | Create PostgresWitnessRepository |
| 13 | WIT-013 | TODO | Update RichGraphWriterTests for BLAKE3 |
| 14 | WIT-014 | TODO | Add PathWitnessBuilderTests |
| 15 | WIT-015 | TODO | Create docs/contracts/witness-v1.md |
| 1 | WIT-001 | DONE | Add Blake3.NET package to Scanner.Reachability (via StellaOps.Cryptography HashPurpose.Graph) |
| 2 | WIT-002 | DONE | Update RichGraphWriter.ComputeHash to use BLAKE3 (via ComputePrefixedHashForPurpose) |
| 3 | WIT-003 | DONE | Update meta.json hash format to compliance-aware prefix (blake3:, sha256:, etc.) |
| 4 | WIT-004 | DONE | Create WitnessSchema.cs with stellaops.witness.v1 |
| 5 | WIT-005 | DONE | Create PathWitness record model |
| 6 | WIT-006 | DONE | Create IPathWitnessBuilder interface |
| 7 | WIT-007 | DONE | Implement PathWitnessBuilder service |
| 8 | WIT-007A | TODO | Define ReachabilityAnalyzer → PathWitnessBuilder output contract (types, ordering, limits, fixtures) |
| 9 | WIT-007B | TODO | Refactor ReachabilityAnalyzer to surface deterministic paths to sinks (enables witness generation) |
| 10 | WIT-007C | TODO | Define witness predicate + DSSE payloadType constants (Attestor) and align `docs/contracts/witness-v1.md` |
| 11 | WIT-007D | TODO | Implement DSSE sign+verify for witness payload using `StellaOps.Attestor.Envelope`; add golden fixtures |
| 12 | WIT-008 | BLOCKED | Integrate witness generation with ReachabilityAnalyzer output (BLOCKED on WIT-007A, WIT-007B) |
| 13 | WIT-009 | BLOCKED | Add DSSE envelope generation (BLOCKED on WIT-007C, WIT-007D) |
| 14 | WIT-010 | DONE | Create WitnessEndpoints.cs (GET /witness/{id}, list, verify) |
| 15 | WIT-011 | DONE | Create 013_witness_storage.sql migration |
| 16 | WIT-012 | DONE | Create PostgresWitnessRepository + IWitnessRepository |
| 17 | WIT-013 | DONE | Add UsesBlake3HashForDefaultProfile test to RichGraphWriterTests |
| 18 | WIT-014 | DONE | Add PathWitnessBuilderTests |
| 19 | WIT-015 | DONE | Create docs/contracts/witness-v1.md |
---
## Unblock Task Notes (WIT-007A..WIT-007D)
### WIT-007A: ReachabilityAnalyzer → witness output contract
- **Goal:** define the exact path output shape (entrypoint → sink), including stable ordering and caps (max depth/path count) so witness generation is deterministic.
- **Touchpoints (expected):** `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Analysis/ReachabilityAnalyzer.cs` and `src/Scanner/__Tests/StellaOps.Scanner.CallGraph.Tests/` (fixtures + determinism assertions).
- **Evidence:** fixture graphs + expected path lists committed and validated by tests.
### WIT-007B: ReachabilityAnalyzer refactor (sink-aware + path export)
- **Acceptance criteria (minimum):** analyzer accepts explicit sinks and returns deterministic path(s) per reachable sink without breaking existing tests/behaviour.
### WIT-007C: Witness predicate + DSSE payloadType constants
- **Goal:** remove ambiguity about predicate URI/media type; Scanner/Attestor must sign/verify the same bytes.
- **Touchpoints (expected):** `src/Attestor/StellaOps.Attestor/Predicates/` and `docs/contracts/witness-v1.md`.
### WIT-007D: DSSE signing + verification for witnesses
- **Preferred implementation:** use `src/Attestor/StellaOps.Attestor.Envelope/` (serializer + `EnvelopeSignatureService`) for Ed25519 first.
- **Evidence:** golden fixture payload + DSSE envelope + public key, plus unit tests proving deterministic serialization and successful verification.
---
@@ -340,14 +364,14 @@ public static class WitnessPredicates
## Success Criteria
- [ ] RichGraphWriter uses BLAKE3 for graph_hash
- [ ] meta.json uses `blake3:` prefix
- [ ] All existing RichGraph tests pass
- [ ] PathWitness model serializes correctly
- [ ] PathWitnessBuilder generates valid witnesses
- [ ] DSSE signatures verify correctly
- [ ] `/witness/{id}` endpoint returns witness JSON
- [ ] Documentation complete
- [x] RichGraphWriter uses BLAKE3 for graph_hash
- [x] meta.json uses `blake3:` prefix
- [x] All existing RichGraph tests pass
- [x] PathWitness model serializes correctly
- [x] PathWitnessBuilder generates valid witnesses
- [ ] DSSE signatures verify correctly (BLOCKED: WIT-009; blocked on WIT-007C/WIT-007D)
- [x] `/witness/{id}` endpoint returns witness JSON
- [x] Documentation complete
---
@@ -358,6 +382,8 @@ public static class WitnessPredicates
| WIT-DEC-001 | Use Blake3.NET library | Well-tested, MIT license |
| WIT-DEC-002 | Store witnesses in Postgres JSONB | Flexible queries, no separate store |
| WIT-DEC-003 | Ed25519 signatures only | Simplicity, Ed25519 is default for DSSE |
| WIT-DEC-004 | Convert ReachabilityAnalyzer blocker into explicit tasks | Track contract+refactor as WIT-007A/WIT-007B; keep WIT-008 BLOCKED until complete |
| WIT-DEC-005 | Convert DSSE signing blocker into explicit tasks | Track predicate+sign/verify as WIT-007C/WIT-007D; keep WIT-009 BLOCKED until complete |
| Risk | Likelihood | Impact | Mitigation |
|------|------------|--------|------------|
@@ -371,3 +397,12 @@ public static class WitnessPredicates
| Date (UTC) | Update | Owner |
|---|---|---|
| 2025-12-18 | Created sprint from advisory analysis | Agent |
| 2025-12-18 | Completed WIT-011: Created 013_witness_storage.sql migration with witnesses and witness_verifications tables | Agent |
| 2025-12-18 | Completed WIT-012: Created IWitnessRepository and PostgresWitnessRepository with full CRUD + verification recording | Agent |
| 2025-12-18 | Completed WIT-015: Created docs/contracts/witness-v1.md with schema definition, DSSE signing, API endpoints | Agent |
| 2025-12-18 | Updated MigrationIds.cs to include WitnessStorage entry | Agent |
| 2025-12-18 | Registered IWitnessRepository in ServiceCollectionExtensions.cs | Agent |
| 2025-12-18 | Completed WIT-010: Created WitnessEndpoints.cs with GET /witnesses/{id}, list (by scan/cve/graphHash), by-hash, verify endpoints | Agent |
| 2025-12-18 | Registered MapWitnessEndpoints() in Scanner.WebService Program.cs | Agent |
| 2025-12-18 | Completed WIT-013: Added UsesBlake3HashForDefaultProfile test to RichGraphWriterTests.cs | Agent |
| 2025-12-18 | Added unblock tasks WIT-007A..WIT-007D and updated WIT-008/WIT-009 dependencies accordingly. | Project Mgmt |

35
docs/implplan/SPRINT_3700_0002_0001_vuln_surfaces_core.md
View File

@@ -88,30 +88,30 @@ Before starting, read:
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | SURF-001 | TODO | Create StellaOps.Scanner.VulnSurfaces project |
| 2 | SURF-002 | TODO | Create IPackageDownloader interface |
| 3 | SURF-003 | TODO | Implement NuGetPackageDownloader |
| 1 | SURF-001 | DONE | Create StellaOps.Scanner.VulnSurfaces project |
| 2 | SURF-002 | DONE | Create IPackageDownloader interface |
| 3 | SURF-003 | DONE | Implement NuGetPackageDownloader |
| 4 | SURF-004 | TODO | Implement NpmPackageDownloader |
| 5 | SURF-005 | TODO | Implement MavenPackageDownloader |
| 6 | SURF-006 | TODO | Implement PyPIPackageDownloader |
| 7 | SURF-007 | TODO | Create IMethodFingerprinter interface |
| 8 | SURF-008 | TODO | Implement CecilMethodFingerprinter (.NET IL hash) |
| 7 | SURF-007 | DONE | Create IMethodFingerprinter interface |
| 8 | SURF-008 | DONE | Implement CecilMethodFingerprinter (.NET IL hash) |
| 9 | SURF-009 | TODO | Implement BabelMethodFingerprinter (Node.js AST) |
| 10 | SURF-010 | TODO | Implement AsmMethodFingerprinter (Java bytecode) |
| 11 | SURF-011 | TODO | Implement PythonAstFingerprinter |
| 12 | SURF-012 | TODO | Create MethodKey normalizer per ecosystem |
| 13 | SURF-013 | TODO | Create MethodDiffEngine service |
| 14 | SURF-014 | TODO | Create 011_vuln_surfaces.sql migration |
| 15 | SURF-015 | TODO | Create VulnSurface, VulnSurfaceSink models |
| 16 | SURF-016 | TODO | Create PostgresVulnSurfaceRepository |
| 17 | SURF-017 | TODO | Create VulnSurfaceBuilder orchestrator service |
| 18 | SURF-018 | TODO | Create IVulnSurfaceBuilder interface |
| 19 | SURF-019 | TODO | Add surface builder metrics |
| 20 | SURF-020 | TODO | Create NuGetDownloaderTests |
| 21 | SURF-021 | TODO | Create CecilFingerprinterTests |
| 22 | SURF-022 | TODO | Create MethodDiffEngineTests |
| 13 | SURF-013 | DONE | Create MethodDiffEngine service |
| 14 | SURF-014 | DONE | Create 014_vuln_surfaces.sql migration |
| 15 | SURF-015 | DONE | Create VulnSurface, VulnSurfaceSink models |
| 16 | SURF-016 | DONE | Create PostgresVulnSurfaceRepository |
| 17 | SURF-017 | DONE | Create VulnSurfaceBuilder orchestrator service |
| 18 | SURF-018 | DONE | Create IVulnSurfaceBuilder interface |
| 19 | SURF-019 | DONE | Add surface builder metrics |
| 20 | SURF-020 | DONE | Create NuGetDownloaderTests (9 tests) |
| 21 | SURF-021 | DONE | Create CecilFingerprinterTests (7 tests) |
| 22 | SURF-022 | DONE | Create MethodDiffEngineTests (8 tests) |
| 23 | SURF-023 | TODO | Integration test with real CVE (Newtonsoft.Json) |
| 24 | SURF-024 | TODO | Create docs/contracts/vuln-surface-v1.md |
| 24 | SURF-024 | DONE | Create docs/contracts/vuln-surface-v1.md |
---
@@ -447,3 +447,6 @@ Expected Changed Methods:
| Date (UTC) | Update | Owner |
|---|---|---|
| 2025-12-18 | Created sprint from advisory analysis | Agent |
| 2025-12-18 | Created CecilMethodFingerprinterTests.cs (7 tests) and MethodDiffEngineTests.cs (8 tests). 12/24 tasks DONE. All 26 VulnSurfaces tests pass. | Agent |
| 2025-12-18 | Created NuGetPackageDownloaderTests.cs (9 tests). Fixed IVulnSurfaceRepository interface/implementation mismatch. Added missing properties to VulnSurfaceSink model. 19/24 tasks DONE. All 35 VulnSurfaces tests pass. | Agent |
| 2025-12-18 | Created VulnSurfaceMetrics.cs with counters, histograms, and gauges. Integrated metrics into VulnSurfaceBuilder. 20/24 tasks DONE. | Agent |

16
docs/implplan/SPRINT_3700_0003_0001_trigger_extraction.md
View File

@@ -76,20 +76,20 @@ Extract **trigger methods** from vulnerability surfaces:
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | TRIG-001 | TODO | Create IInternalCallGraphBuilder interface |
| 2 | TRIG-002 | TODO | Implement CecilInternalGraphBuilder (.NET) |
| 1 | TRIG-001 | DONE | Create IInternalCallGraphBuilder interface |
| 2 | TRIG-002 | DONE | Implement CecilInternalGraphBuilder (.NET) |
| 3 | TRIG-003 | TODO | Implement BabelInternalGraphBuilder (Node.js) |
| 4 | TRIG-004 | TODO | Implement AsmInternalGraphBuilder (Java) |
| 5 | TRIG-005 | TODO | Implement PythonAstInternalGraphBuilder |
| 6 | TRIG-006 | TODO | Create VulnSurfaceTrigger model |
| 7 | TRIG-007 | TODO | Create ITriggerMethodExtractor interface |
| 8 | TRIG-008 | TODO | Implement TriggerMethodExtractor service |
| 9 | TRIG-009 | TODO | Implement forward BFS from public methods to sinks |
| 6 | TRIG-006 | DONE | Create VulnSurfaceTrigger model |
| 7 | TRIG-007 | DONE | Create ITriggerMethodExtractor interface |
| 8 | TRIG-008 | DONE | Implement TriggerMethodExtractor service |
| 9 | TRIG-009 | DONE | Implement forward BFS from public methods to sinks |
| 10 | TRIG-010 | TODO | Store trigger→sink paths in vuln_surface_triggers |
| 11 | TRIG-011 | TODO | Add interface/base method expansion |
| 11 | TRIG-011 | DONE | Add interface/base method expansion |
| 12 | TRIG-012 | TODO | Update VulnSurfaceBuilder to call trigger extraction |
| 13 | TRIG-013 | TODO | Add trigger_count to vuln_surfaces table |
| 14 | TRIG-014 | TODO | Create TriggerMethodExtractorTests |
| 14 | TRIG-014 | DONE | Create TriggerMethodExtractorTests |
| 15 | TRIG-015 | TODO | Integration test with Newtonsoft.Json CVE |
---

20
docs/implplan/SPRINT_3800_0001_0001_evidence_api_models.md
View File

@@ -32,11 +32,11 @@ Create the foundational data models for the unified evidence API contracts. Thes
| Task | Status | Owner | Notes |
|------|--------|-------|-------|
| Create FindingEvidenceContracts.cs in Scanner.WebService | TODO | | API contracts |
| Create BoundaryProof.cs in Scanner.SmartDiff.Detection | TODO | | Boundary model |
| Create ScoreExplanation.cs in Signals.Models | TODO | | Score breakdown |
| Create VexEvidence.cs in Scanner.SmartDiff.Detection | TODO | | VEX evidence model |
| Add unit tests for JSON serialization | TODO | | Determinism tests |
| Create FindingEvidenceContracts.cs in Scanner.WebService | DONE | Agent | API contracts with all DTOs |
| Create BoundaryProof.cs in Scanner.SmartDiff.Detection | DONE | Agent | Boundary model with surface, exposure, auth, controls |
| Create ScoreExplanation.cs in Signals.Models | DONE | Agent | Score breakdown with contributions and modifiers |
| Create VexEvidence.cs in Scanner.SmartDiff.Detection | DONE | Agent | VEX evidence model with status, justification, source |
| Add unit tests for JSON serialization | DONE | Agent | FindingEvidenceContractsTests.cs with round-trip tests |
## Implementation Details
@@ -95,11 +95,11 @@ public sealed record ScoreExplanation(
## Acceptance Criteria
- [ ] All models compile and follow existing naming conventions
- [ ] JSON serialization produces lowercase snake_case properties
- [ ] Models are immutable (record types with init properties)
- [ ] Unit tests verify JSON round-trip serialization
- [ ] Documentation comments on all public types
- [x] All models compile and follow existing naming conventions
- [x] JSON serialization produces lowercase snake_case properties
- [x] Models are immutable (record types with init properties)
- [x] Unit tests verify JSON round-trip serialization
- [x] Documentation comments on all public types
## Decisions & Risks

24
docs/implplan/SPRINT_3800_0001_0002_score_explanation_service.md
View File

@@ -29,12 +29,12 @@ Implement the `ScoreExplanationService` that generates additive risk score break
| Task | Status | Owner | Notes |
|------|--------|-------|-------|
| Create IScoreExplanationService.cs | TODO | | Interface definition |
| Create ScoreExplanationService.cs | TODO | | Implementation |
| Add score weights to SignalsScoringOptions | TODO | | Configuration |
| Add DI registration | TODO | | ServiceCollectionExtensions |
| Unit tests for score computation | TODO | | Test various scenarios |
| Golden tests for score stability | TODO | | Determinism verification |
| Create IScoreExplanationService.cs | DONE | Agent | Interface with request model |
| Create ScoreExplanationService.cs | DONE | Agent | Full implementation with all factors |
| Add score weights to SignalsScoringOptions | DONE | Agent | ScoreExplanationWeights class |
| Add DI registration | DONE | Agent | Registered in Program.cs |
| Unit tests for score computation | DONE | Agent | ScoreExplanationServiceTests.cs |
| Golden tests for score stability | DONE | Agent | IsDeterministic test verifies stability |
## Implementation Details
@@ -98,12 +98,12 @@ public class ScoreExplanationWeights
## Acceptance Criteria
- [ ] `ScoreExplanationService` produces consistent output for same input
- [ ] Score contributions sum to the total risk_score (within floating point tolerance)
- [ ] All score factors have human-readable `reason` strings
- [ ] Gate detection from `ReachabilityStateDocument.Evidence.Gates` is incorporated
- [ ] Weights are configurable via `SignalsScoringOptions`
- [ ] Unit tests cover all bucket types and gate combinations
- [x] `ScoreExplanationService` produces consistent output for same input
- [x] Score contributions sum to the total risk_score (within floating point tolerance)
- [x] All score factors have human-readable `reason` strings
- [x] Gate detection from `ReachabilityStateDocument.Evidence.Gates` is incorporated
- [x] Weights are configurable via `SignalsScoringOptions`
- [x] Unit tests cover all bucket types and gate combinations
## Decisions & Risks

12
docs/implplan/SPRINT_3800_0002_0001_boundary_richgraph.md
View File

@@ -31,12 +31,12 @@ Implement the base `RichGraphBoundaryExtractor` that extracts boundary proof (ex
| Task | Status | Owner | Notes |
|------|--------|-------|-------|
| Create IBoundaryProofExtractor.cs | TODO | | Interface with context |
| Create RichGraphBoundaryExtractor.cs | TODO | | Base implementation |
| Create BoundaryExtractionContext.cs | TODO | | Environment context |
| Integrate with AuthGateDetector results | TODO | | Reuse existing detection |
| Add DI registration | TODO | | ServiceCollectionExtensions |
| Unit tests for extraction | TODO | | Various root types |
| Create IBoundaryProofExtractor.cs | DONE | Agent | Interface with Priority & CanHandle |
| Create RichGraphBoundaryExtractor.cs | DONE | Agent | Full implementation with surface/exposure inference |
| Create BoundaryExtractionContext.cs | DONE | Agent | Environment context with gates |
| Integrate with AuthGateDetector results | DONE | Agent | Uses DetectedGate from Gates folder |
| Add DI registration | DONE | Agent | BoundaryServiceCollectionExtensions |
| Unit tests for extraction | DONE | Agent | RichGraphBoundaryExtractorTests.cs |
## Implementation Details

16
docs/implplan/SPRINT_3801_0001_0001_policy_decision_attestation.md
View File

@@ -31,14 +31,14 @@ Implement the `PolicyDecisionAttestationService` that creates signed `stella.ops
| Task | Status | Owner | Notes |
|------|--------|-------|-------|
| Add StellaOpsPolicyDecision to PredicateTypes.cs | TODO | | Signer.Core |
| Create PolicyDecisionPredicate.cs | TODO | | Policy.Engine |
| Create IPolicyDecisionAttestationService.cs | TODO | | Interface |
| Create PolicyDecisionAttestationService.cs | TODO | | Implementation |
| Add configuration options | TODO | | PolicyDecisionAttestationOptions |
| Add DI registration | TODO | | ServiceCollectionExtensions |
| Unit tests for predicate creation | TODO | | |
| Integration tests with signing | TODO | | |
| Add StellaOpsPolicyDecision to PredicateTypes.cs | DONE | Agent | Added to allowed list |
| Create PolicyDecisionPredicate.cs | DONE | Agent | Full model with all records |
| Create IPolicyDecisionAttestationService.cs | DONE | Agent | Interface + request/result records |
| Create PolicyDecisionAttestationService.cs | DONE | Agent | Full impl with signer/rekor |
| Add configuration options | DONE | Agent | PolicyDecisionAttestationOptions |
| Add DI registration | DONE | Agent | AddPolicyDecisionAttestation ext |
| Unit tests for predicate creation | DONE | Agent | PolicyDecisionAttestationServiceTests |
| Integration tests with signing | TODO | | Requires live signer service |
## Implementation Details

12
docs/implplan/SPRINT_4100_0001_0001_triage_models.md
View File

@@ -29,12 +29,12 @@ Create TypeScript models and API clients for the unified evidence API. These mod
| Task | Status | Owner | Notes |
|------|--------|-------|-------|
| Create triage-evidence.models.ts | TODO | | Mirror backend contracts |
| Create triage-evidence.client.ts | TODO | | HttpClient with caching |
| Create attestation-chain.models.ts | TODO | | DSSE envelope types |
| Create attestation-chain.client.ts | TODO | | Chain verification client |
| Update core/api/index.ts exports | TODO | | |
| Add unit tests for client | TODO | | Mock HTTP responses |
| Create triage-evidence.models.ts | DONE | Agent | Full model coverage with helpers |
| Create triage-evidence.client.ts | DONE | Agent | HttpClient with caching + mock client |
| Create attestation-chain.models.ts | DONE | Agent | DSSE, in-toto, Rekor types |
| Create attestation-chain.client.ts | DONE | Agent | Chain verification + mock client |
| Update core/api/index.ts exports | DONE | Agent | Created triage-api.index.ts barrel |
| Add unit tests for client | DONE | Agent | triage-evidence.client.spec.ts |
## Implementation Details

0
docs/implplan/SPRINT_0340_0001_0001_scanner_offline_config.md → docs/implplan/archived/SPRINT_0340_0001_0001_scanner_offline_config.md
View File

0
docs/implplan/SPRINT_0341_0001_0001_observability_audit.md → docs/implplan/archived/SPRINT_0341_0001_0001_observability_audit.md
View File

0
docs/implplan/SPRINT_0341_0001_0001_ttfs_enhancements.md → docs/implplan/archived/SPRINT_0341_0001_0001_ttfs_enhancements.md
View File

0
docs/implplan/SPRINT_1200_001_000_router_rate_limiting_master.md → docs/implplan/archived/SPRINT_1200_001_000_router_rate_limiting_master.md
View File

0
docs/implplan/SPRINT_1200_001_001_router_rate_limiting_core.md → docs/implplan/archived/SPRINT_1200_001_001_router_rate_limiting_core.md
View File

0
docs/implplan/SPRINT_1200_001_002_router_rate_limiting_per_route.md → docs/implplan/archived/SPRINT_1200_001_002_router_rate_limiting_per_route.md
View File

0
docs/implplan/SPRINT_1200_001_003_router_rate_limiting_rule_stacking.md → docs/implplan/archived/SPRINT_1200_001_003_router_rate_limiting_rule_stacking.md
View File

0
docs/implplan/SPRINT_1200_001_004_router_rate_limiting_service_migration.md → docs/implplan/archived/SPRINT_1200_001_004_router_rate_limiting_service_migration.md
View File

0
docs/implplan/SPRINT_1200_001_005_router_rate_limiting_tests.md → docs/implplan/archived/SPRINT_1200_001_005_router_rate_limiting_tests.md
View File

0
docs/implplan/SPRINT_1200_001_006_router_rate_limiting_docs.md → docs/implplan/archived/SPRINT_1200_001_006_router_rate_limiting_docs.md
View File

0
docs/implplan/SPRINT_1200_001_IMPLEMENTATION_GUIDE.md → docs/implplan/archived/SPRINT_1200_001_IMPLEMENTATION_GUIDE.md
View File

0
docs/implplan/SPRINT_1200_001_README.md → docs/implplan/archived/SPRINT_1200_001_README.md
View File

0
docs/implplan/SPRINT_3103_0001_0001_scanner_api_ingestion_completion.md → docs/implplan/archived/SPRINT_3103_0001_0001_scanner_api_ingestion_completion.md
View File

8
docs/implplan/SPRINT_3104_0001_0001_signals_callgraph_projection_completion.md → docs/implplan/archived/SPRINT_3104_0001_0001_signals_callgraph_projection_completion.md
View File

@@ -52,8 +52,10 @@
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-18 | Sprint created; awaiting staffing. | Planning |
| 2025-12-18 | Started SIG-CG-3104-001 (projection contract + implementation). | Agent |
| 2025-12-18 | Completed SIG-CG-3104-001..005; validated via `dotnet test src/Signals/StellaOps.Signals.Storage.Postgres.Tests/StellaOps.Signals.Storage.Postgres.Tests.csproj -c Release` (5 tests). | Agent |
| 2025-12-18 | Verified existing implementations: ICallGraphSyncService, CallGraphSyncService, PostgresCallGraphProjectionRepository all exist and are wired. Wired SyncAsync call into CallgraphIngestionService post-upsert path. Updated CallgraphIngestionServiceTests with StubCallGraphSyncService. Tasks 1-3 DONE. | Agent |
| 2025-12-18 | Added unit tests (CallGraphSyncServiceTests.cs) and integration tests (CallGraphProjectionIntegrationTests.cs). All tasks DONE. | Agent |
| 2025-12-18 | Validated via `dotnet test src/Signals/StellaOps.Signals.Storage.Postgres.Tests/StellaOps.Signals.Storage.Postgres.Tests.csproj -c Release`. | Agent |
## Next Checkpoints
- 2025-12-18: Projection service skeleton + first passing integration test (if staffed).
- 2025-12-18: Sprint completed.

0
docs/implplan/SPRINT_3401_0002_0001_score_replay_proof_bundle.md → docs/implplan/archived/SPRINT_3401_0002_0001_score_replay_proof_bundle.md
View File

0
docs/implplan/SPRINT_3420_0001_0001_bitemporal_unknowns_schema.md → docs/implplan/archived/SPRINT_3420_0001_0001_bitemporal_unknowns_schema.md
View File

0
docs/implplan/SPRINT_3421_0001_0001_rls_expansion.md → docs/implplan/archived/SPRINT_3421_0001_0001_rls_expansion.md
View File

0
docs/implplan/SPRINT_3423_0001_0001_generated_columns.md → docs/implplan/archived/SPRINT_3423_0001_0001_generated_columns.md
View File

0
docs/implplan/SPRINT_3500_0002_0001_smart_diff_foundation.md → docs/implplan/archived/SPRINT_3500_0002_0001_smart_diff_foundation.md
View File

2
docs/implplan/SPRINT_3500_0003_0001_smart_diff_detection.md → docs/implplan/archived/SPRINT_3500_0003_0001_smart_diff_detection.md
View File

@@ -1,6 +1,6 @@
# SPRINT_3500_0003_0001 - Smart-Diff Detection Rules
**Status:** TODO
**Status:** DONE
**Priority:** P0 - CRITICAL
**Module:** Scanner, Policy, Excititor
**Working Directory:** `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/`

0
docs/implplan/SPRINT_3600_0002_0001_call_graph_infrastructure.md → docs/implplan/archived/SPRINT_3600_0002_0001_call_graph_infrastructure.md
View File

0
docs/implplan/SPRINT_3600_0003_0001_drift_detection_engine.md → docs/implplan/archived/SPRINT_3600_0003_0001_drift_detection_engine.md
View File

0
docs/implplan/SPRINT_3602_0001_0001_evidence_decision_apis.md → docs/implplan/archived/SPRINT_3602_0001_0001_evidence_decision_apis.md
View File

0
docs/implplan/SPRINT_3603_0001_0001_offline_bundle_format.md → docs/implplan/archived/SPRINT_3603_0001_0001_offline_bundle_format.md
View File