- Introduced a new document outlining the inline DSSE provenance for SBOM, VEX, scan, and derived events.
- Defined the Mongo schema for event patches, including key fields for provenance and trust verification.
- Documented the write path for ingesting provenance metadata and backfilling historical events.
- Created CI/CD snippets for uploading DSSE attestations and generating provenance metadata.
- Established Mongo indexes for efficient provenance queries and provided query recipes for various use cases.
- Outlined policy gates for managing VEX decisions based on provenance verification.
- Included UI nudges for displaying provenance information and implementation tasks for future enhancements.
---
Implement reachability lattice and scoring model
- Developed a comprehensive document detailing the reachability lattice and scoring model.
- Defined core types for reachability states, evidence, and mitigations with corresponding C# models.
- Established a scoring policy with base score contributions from various evidence classes.
- Mapped reachability states to VEX gates and provided a clear overview of evidence sources.
- Documented the event graph schema for persisting reachability data in MongoDB.
- Outlined the integration of runtime probes for evidence collection and defined a roadmap for future tasks.
---
Introduce uncertainty states and entropy scoring
- Created a draft document for tracking uncertainty states and their impact on risk scoring.
- Defined core uncertainty states with associated entropy values and evidence requirements.
- Established a schema for storing uncertainty states alongside findings.
- Documented the risk score calculation incorporating uncertainty and its effect on final risk assessments.
- Provided policy guidelines for handling uncertainty in decision-making processes.
- Outlined UI guidelines for displaying uncertainty information and suggested remediation actions.
---
Add Ruby package inventory management
- Implemented Ruby package inventory management with corresponding data models and storage mechanisms.
- Created C# records for Ruby package inventory, artifacts, provenance, and runtime details.
- Developed a repository for managing Ruby package inventory documents in MongoDB.
- Implemented a service for storing and retrieving Ruby package inventories.
- Added unit tests for the Ruby package inventory store to ensure functionality and data integrity.
feat(telemetry): Record chunk latency, result count, and source count in AdvisoryAiTelemetry
fix(endpoint): Include telemetry source count in advisory chunks endpoint response
test(metrics): Enhance WebServiceEndpointsTests to validate new metrics for chunk latency, results, and sources
refactor(tests): Update test utilities for Deno language analyzer tests
chore(tests): Add performance tests for AdvisoryGuardrail with scenarios and blocked phrases
docs: Archive Sprint 137 design document for scanner and surface enhancements
feat(ruby): Add RubyVendorArtifactCollector to collect vendor artifacts
test(deno): Add golden tests for Deno analyzer with various fixtures
test(deno): Create Deno module and package files for testing
test(deno): Implement Deno lock and import map for dependency management
test(deno): Add FFI and worker scripts for Deno testing
feat(ruby): Set up Ruby workspace with Gemfile and dependencies
feat(ruby): Add expected output for Ruby workspace tests
feat(signals): Introduce CallgraphManifest model for signal processing
- Created `execution-waves.md` to outline the execution waves for sprints, detailing shared prerequisites, parallelism guidance, and specific sprints involved in each wave.
- Added `function-level-evidence.md` to capture the requirements for stable function-level evidence in Stella Ops scanners, including goals, scope, advisory requirements, workstreams, schema/API touchpoints, and a handoff checklist for the next agent.
