master
de6f3f0c33
feat(timeline): Postgres-backed unified audit ingest with hash chain (AUDIT-001)
...
- Create timeline.unified_audit_events table with SHA-256 hash chain
- Create timeline.unified_audit_sequences for per-tenant tracking
- Replace IngestAuditEventStore (in-memory) with PostgresUnifiedAuditEventStore
- Preserve chain integrity via serializable isolation
- Mark AUDIT-001 as DONE in sprint tracker
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 16:25:31 +03:00
master
65106afe4c
refactor: DB schema fixes + container renames + compose include + audit sprint
...
- FindingsLedger: change schema from public to findings (V3-01)
- Add 9 migration module plugins: RiskEngine, Replay, ExportCenter, Integrations, Signer, IssuerDirectory, Workflow, PacksRegistry, OpsMemory (V4-01 to V4-09)
- Remove 16 redundant inline CREATE SCHEMA patterns (V4-10)
- Rename export→export-web, excititor→excititor-web for consistency
- Compose stella-ops.yml: thin wrapper using include: directive
- Fix dead /api/v1/jobengine/* gateway routes → release-orchestrator/packsregistry
- Scheduler plugin architecture: ISchedulerJobPlugin + ScanJobPlugin + DoctorJobPlugin
- Create unified audit sink sprint plan
- VulnExplorer integration tests + gap analysis
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 16:10:36 +03:00
master
6592cdcc9b
refactor(graph): absorb Cartographer into graph-api + wire Graph Indexer
...
- Wire Graph Indexer library + Persistence into graph-api (csproj refs + DI)
- Add build/overlay endpoints matching Scheduler HTTP contracts
(POST/GET /api/graphs/builds, POST/GET /api/graphs/overlays)
- Add PostgresGraphRepository for reading from graph.graph_nodes/edges
- Register SBOM ingest, analytics, change-stream, and inspector pipelines
- Comment out Cartographer container in compose (empty shell, Slot 21)
- Add cartographer.stella-ops.local as backwards-compat alias on graph-api
- Update Scheduler config to target graph.stella-ops.local
- Update services-matrix.env, hosts file, port-registry, module-matrix
- Update component-map, architecture docs, Scanner/Graph READMEs
- Eliminates 1 container (stellaops-cartographer)
All 133 existing tests pass (77 Api + 37 Indexer + 19 Core).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 15:48:18 +03:00
master
87eac86fb9
feat(web): crypto provider picker UI (CP-003/004/005)
...
- Add crypto provider panel to Platform Settings at /setup/crypto-providers
- Show provider health status with status dots, latency, and last-checked time
- Collapsible start commands with copy-to-clipboard for stopped providers
- Auto-refresh every 30s using interval+switchMap, stopped on destroy
- Provider selection with confirmation dialog via existing ConfirmDialogComponent
- Priority ordering via number input per provider preference
- Active provider banner and per-card active badge
- Disabled "Set as Active" for stopped/unreachable providers with tooltip
- Algorithm scope mapping table for configured preferences
- Backward-compatible redirect from /settings/crypto-providers
- Setup overview card added for Crypto Providers
- Sprint CP-003/CP-004 marked DONE with execution log
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 15:36:10 +03:00
master
0e25344bd7
refactor(jobengine): delete TaskRunner service
...
- Remove TaskRunner source, tests, libraries (3 directories)
- Remove from compose, services-matrix, nginx, hosts, smoke tests
- Remove CLI commands, UI references, Authority scopes
- Remove docs, OpenAPI spec, QA state files
- Leave task_runner_id DB columns as nullable legacy
- PacksRegistry preserved (independent service)
- Eliminates 2 containers (taskrunner-web + taskrunner-worker)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 14:11:20 +03:00
master
80c33d3c59
Merge branch 'worktree-agent-a09ac2bf'
2026-04-08 13:45:25 +03:00
master
886ff6f9d2
refactor: JobEngine cleanup + crypto compose refactor + sprint plans + timeline merge prep
...
- Remove zombie JobEngine WebService (no container runs it)
- Remove dangling STELLAOPS_JOBENGINE_URL, replace with RELEASE_ORCHESTRATOR_URL
- Update Timeline audit paths to release-orchestrator
- Extract smremote to docker-compose.crypto-provider.smremote.yml
- Rename crypto compose files for consistent naming
- Add crypto provider health probe API (CP-001) + tenant preferences (CP-002)
- Create sprint plans: crypto picker, VulnExplorer merge, scheduler plugins
- Timeline merge prep: ingestion worker relocated to infrastructure lib
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 13:45:19 +03:00
master
6b15d9827d
refactor(findings): merge VulnExplorer into Findings Ledger
...
- Move VulnExplorer DTOs into Ledger WebService Contracts/VulnExplorer/
(VulnModels, VexDecisionModels, TriageWorkflowModels, AttestationModels,
FixVerificationModels, EvidenceSubgraphContracts)
- Create VulnExplorerEndpoints.cs mounting all 10 original endpoints
(/v1/vulns, /v1/vex-decisions, /v1/evidence-subgraph,
/v1/fix-verifications, /v1/audit-bundles)
- Create adapter services (VulnExplorerAdapters.cs) that delegate to
existing Ledger services (FindingSummaryService, VulnerabilityDetailService,
EvidenceGraphBuilder, VexConsensusService)
- Wire VulnExplorer authorization policies and service registrations
in Ledger Program.cs
- Comment out api (VulnExplorer) container in docker-compose.stella-ops.yml
- Add vulnexplorer.stella-ops.local as network alias on findings-ledger-web
- Update gateway route: /api/vuln-explorer(..) -> findings.stella-ops.local
- Update STELLAOPS_VULNEXPLORER_URL -> findings.stella-ops.local
- Comment out VulnExplorer in services-matrix.env and hosts file
- Update docs: port-registry, component-map, module-matrix, webservice-catalog,
findings-ledger README
- Eliminates 1 container (stellaops-api)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 13:43:04 +03:00
master
59ba757eaa
feat(crypto): extract crypto providers to overlay compose files + health probe API
...
- Extract smremote to docker-compose.crypto-provider.smremote.yml
- Rename cryptopro/crypto-sim compose files for consistent naming
- Add crypto provider health probe endpoint (CP-001)
- Add tenant crypto provider preferences API + migration (CP-002)
- Update docs and compliance env examples
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 13:21:50 +03:00
master
c1ecc75ace
refactor(policy): merge policy gateway into policy-engine
...
- Move 24 gateway source files (endpoints, services, contracts) into engine
under Endpoints/Gateway/, Services/Gateway/, Contracts/Gateway/ namespaces
- Add gateway DI registrations and endpoint mappings to engine Program.cs
- Add missing project references (StellaOps.Policy.Scoring, DeltaVerdict, Localization)
- Remove HTTP proxy layer (PolicyEngineClient, DPoP, forwarding context not copied)
- Update gateway routes in router appsettings to point to policy-engine
- Comment out policy service in docker-compose, add backwards-compat network alias
- Update services-matrix (gateway build line commented out)
- Update all codebase references: AdvisoryAI, JobEngine, CLI, router tests, helm
- Update docs: OFFLINE_KIT, configuration-migration, gateway guide, port-registry
- Deprecate etc/policy-gateway.yaml.sample with notice
- Eliminates 1 container, 9 HTTP round-trips, DPoP token flow
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 13:19:09 +03:00
master
9eec100204
refactor(notify): merge Notifier WebService into Notify WebService
...
- Delete dead Notify Worker (NoOp handler)
- Move 51 source files (endpoints, contracts, services, compat stores)
- Transform namespaces from Notifier.WebService to Notify.WebService
- Update DI registrations, WebSocket support, v2 endpoint mapping
- Comment out notifier-web in compose, update gateway routes
- Update architecture docs, port registry, rollout matrix
- Notifier Worker stays as separate delivery engine container
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 13:17:13 +03:00
master
3a95f315bd
feat(airgap): multi-source import (server path, URL, file upload) with overlay UX
...
Import now supports three sources: server-side path (USB/NFS volumes),
backend URL download, and browser file upload. Export/import workflows
refactored from routed pages to overlay dialogs. Docs updated with
volume mount instructions and source comparison table.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 15:33:21 +03:00
master
071209a2ae
Complete TASK-5 source coverage audit and archive all 20 finished sprints
...
Add docs/modules/concelier/source-coverage.md with 70-source audit (33/70
connectors implemented, P1 fully covered, 9 P2 gaps identified).
Archive all 20 completed sprints from docs/implplan/ to docs-archived/.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 09:58:33 +03:00
master
50abd2137f
Update docs, sprint plans, and compose configuration
...
Add 12 new sprint files (Integrations, Graph, JobEngine, FE, Router,
AdvisoryAI), archive completed scheduler UI sprint, update module
architecture docs (router, graph, jobengine, web, integrations),
and add Gitea entrypoint script for local dev.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 08:53:50 +03:00
master
5d6435fdb2
ElkSharp edge routing: boundary slots, gateway repairs, corridor spacing
...
Major edge routing improvements including corridor spacing, crossing reduction,
focused gateway boundary repairs, setter families, and advanced restabilization.
Adds workflow renderer tests for document-processing and artifact inspection.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 08:52:02 +03:00
master
de5bc63f89
Quiet web test lane warnings and align scheduler spec
2026-04-06 00:51:50 +03:00
master
f8e4bf65fb
Stabilize web test lane warning cleanup
2026-04-06 00:51:15 +03:00
master
fc798a1573
Harden remaining runtime transport lifecycles
2026-04-06 00:24:16 +03:00
master
751546084e
Harden runtime HTTP transport lifecycles
2026-04-05 23:52:14 +03:00
master
1151c30e3a
elksharp: stabilize document-processing terminal routing
2026-04-05 15:02:12 +03:00
master
2141fea4b6
Add integration e2e coverage: GitHubApp, advisory pipeline, Rekor, eBPF hardening
...
- GitHubApp: 11 new tests (health, CRUD lifecycle, update, delete, UI SCM tab)
- Advisory pipeline: 16 tests (fixture data verification, source management smoke,
initial/incremental sync, cross-source merge, canonical query API, UI catalog)
with KEV/GHSA/EPSS fixture data files for deterministic testing
- Rekor transparency: 7 tests (container health, submit/get/verify round-trip,
log consistency, attestation API) gated behind E2E_REKOR=1
- eBPF agent: 3 edge case tests (unreachable endpoint, coexistence, degraded health)
plus mock limitation documentation in test header
- Fix UI search race: wait for table rows before counting rowsBefore
- Advisory fixture now serves real data (KEV JSON, GHSA list, EPSS CSV)
- Runtime host fixture adds degraded health endpoint
Suite: 143 passed, 0 failed, 32 skipped in 13.5min (up from 123 tests)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 10:34:04 +03:00
master
3a95165221
Archive sprint 008: NodeSpacing=50 robustness complete
...
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 19:02:12 +03:00
master
fafcadbc9a
Split clearance: node-size for face detections, spacing-scaled for routing
...
Target-join and boundary-slot detection now use ResolveNodeSizeClearance
(node dimensions only), while under-node/proximity use
ResolveMinLineClearance (scales with NodeSpacing via ElkLayoutClearance).
Face slot gaps depend on node face geometry, not inter-node spacing.
Routing corridors should scale with spacing for visual breathing room.
Created sprint 008 for wider spacing robustness. NodeSpacing=50 still
fails on target-join (scoring/test detection mismatch needs investigation).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 17:15:24 +03:00
master
42a644f29a
Archive sprint 006: all ElkSharp sprints complete
...
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 14:29:58 +03:00
master
b6513528be
Replace coarse lock-key batching with conflict-zone-aware scheduling
...
Replace string-based conflict keys (source:{nodeId}, target:{nodeId}) with
geometric bounding-box overlap detection. Edges now conflict only when their
routed path bounding boxes overlap spatially (with 40px margin) or share a
repeat-collector label on the same source-target pair.
This enables true spatial parallelism: edges using different sides of the
same node can now be repaired in parallel instead of being serialized.
Sprint 006 TASK-001 final criterion met. All 4 tasks DONE.
Tests verified: StraightExit 2/2, HybridDeterministicMode 3/3,
DocumentProcessingWorkflow artifact 1/1 (all 44+ assertions pass).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 14:29:51 +03:00
master
8a28e25d05
Decompose EvaluateStrategy (644->480 lines) and close sprint 006 TASK-002/003/004
...
Extract BuildMaxRetryState, DetectStrategyStagnation, and DecideStrategyAttemptOutcome
into ElkEdgeRouterIterative.StrategyRepair.Evaluate.Helpers.cs (174 lines).
Sprint 006 status: TASK-002 DONE (hybrid parity coverage), TASK-003 DONE (file
decomposition), TASK-004 DONE (docs). TASK-001 remains DOING (conflict-zone scheduling).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 14:24:16 +03:00
master
d04483560b
Complete ElkSharp document rendering cleanup and source decomposition
...
- Fix target-join (edge/4+edge/17): gateway face overflow redirect to left tip
- Fix under-node (edge/14,15,20): push-first corridor reroute instead of top corridor
- Fix boundary-slots (4->0): snap after gateway polish reordering
- Fix gateway corner diagonals (2->0): post-pipeline straightening pass
- Fix gateway interior adjacent: polygon-aware IsInsideNodeShapeInterior
- Fix gateway source face mismatch (2->0): per-edge redirect with lenient validation
- Fix gateway source scoring (5->0): per-edge scoring candidate application
- Fix edge-node crossing (1->0): push horizontal segment above blocking node
- Decompose 7 oversized files (~20K lines) into 55+ partials under 400 lines each
- Archive sprints 004 (document cleanup), 005 (decomposition), 007 (render speed)
All 44+ document-processing artifact assertions pass. Hybrid deterministic mode
documented as recommended path for LeftToRight layouts.
Tests verified: StraightExit 2/2, BoundarySlotOffenders 2/2, HybridDeterministicMode 3/3,
DocumentProcessingWorkflow artifact 1/1.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 14:16:10 +03:00
master
31634a8c13
docs: update ElkSharp sprint execution logs and block status
...
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 10:35:31 +03:00
master
07f7cd91b0
feat(web): close sprint 006 onboarding ux
2026-04-01 03:59:48 +03:00
master
a4c4690fef
Rewrite UI API clients from /api/v2/releases to /api/v1/release-orchestrator
...
Completes Sprint 323 TASK-001 using Option C (direct URL rewrite):
- release-management.client.ts: readBaseUrl and legacyBaseUrl now use
/api/v1/release-orchestrator/releases, eliminating the v2 proxy dependency
- All 15+ component files updated: activity, approvals, runs, versions,
bundle-organizer, sidebar queries, topology pages
- Spec files updated to match new URL patterns
- Added /releases/activity and /releases/versions backend route aliases
in ReleaseEndpoints.cs with ListActivity and ListVersions handlers
- Fixed orphaned audit-log-dashboard.component import → audit-log-table
- Both Angular build and JobEngine build pass clean
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 00:16:32 +03:00
master
f96c6cb9ed
Complete release compatibility and host inventory sprints
...
Signed-off-by: master <>
2026-03-31 23:53:45 +03:00
master
b6bf113b99
feat(web): harden split release promotion handoff
...
Signed-off-by: master <>
2026-03-31 23:52:32 +03:00
master
0d858ba9d1
fix(platform): make topology probe fallback truthful
...
Signed-off-by: master <>
2026-03-31 23:44:40 +03:00
master
152c1b1357
doctor: complete runtime check documentation sprint
...
Signed-off-by: master <>
2026-03-31 23:26:24 +03:00
master
404d50bcb7
feat(web): complete topology host verification ui
2026-03-31 23:24:10 +03:00
master
a6ffb38ecf
Update module architecture docs and workflow tutorials
...
- Module dossiers: attestor, authority, cli, graph, scanner
- Policy assistant parameters guide
- UI v2-rewire navigation rendering policy
- Test suite overview update
- Workflow engine requirements and tutorial series (01-08)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 17:25:37 +03:00
master
89a075ea21
Add integration connector plugins and compose fixtures
...
Scaffold connector plugins for DockerRegistry, GitLab, Gitea,
Jenkins, and Nexus. Wire plugin discovery in IntegrationService
and add compose fixtures for local integration testing.
- 5 new connector plugins under src/Integrations/__Plugins/
- docker-compose.integrations.yml for local fixture services
- Advisory source catalog and source management API updates
- Integration e2e test specs and Playwright config
- Integration hub docs under docs/integrations/
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 17:24:56 +03:00
master
bc255188d2
Archive 6 completed sprints, add 4 new ElkSharp + FE sprint plans
...
Archived to docs-archived/implplan/:
- SPRINT_20260320_001 FE Releases Table & Wizard (4/4 DONE)
- SPRINT_20260324_001 Platform Scripts/Variables (7/7 DONE)
- SPRINT_20260323_002 ElkSharp Bounded Edge Refinement (11/11 DONE)
- SPRINT_20260328_003 ElkSharp Compound Sugiyama (3/3 DONE)
- SPRINT_20260329_006 FE Audit Menu Consolidation (12/12 DONE)
- SPRINT_20260329_007 FE Unified Stella Assistant (7/7 DONE)
New sprint plans for in-progress work:
- ElkSharp document rendering cleanup, source decomposition,
hybrid iterative routing
- FE DevOps onboarding UX
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 17:23:52 +03:00
master
e91cf98f8f
Add ElkSharp rendering architecture docs, ADRs, tutorial, AGENTS rules
...
Five documentation deliverables for the ElkSharp rendering improvements:
1. docs/workflow/engine/16-elksharp-rendering-architecture.md (453 lines)
Full pipeline: Sugiyama stages, edge routing strategies, hybrid
deterministic mode, gateway geometry, 18-category scoring system,
corridor routing, Y-gutter expansion, diagnostics.
2. docs/workflow/engine/17-elksharp-architectural-decisions.md (259 lines)
Six ADRs: short-stub normalization, gateway vertex entries, Y-gutter
expansion, corridor rerouting, FinalScore adjustment, alongside
detection.
3. docs/workflow/tutorials/10-rendering/README.md (234 lines)
Practical tutorial: setup, layout options, SVG/PNG rendering,
diagnostics capture, violation reports, full end-to-end example.
4. src/__Libraries/StellaOps.ElkSharp/AGENTS.md — 7 new local rules
for Y-gutter, corridor reroute, gateway vertices, FinalScore
adjustments, short-stub normalization, alongside detection,
target-join spread.
5. docs/workflow/ENGINE.md — replaced monolithic ElkSharp paragraph
with structured pipeline overview, effort-level table, and links
to the new architecture docs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 11:37:32 +03:00
master
e8f7ad7652
Refactor ElkSharp hybrid routing and document speed path
2026-03-29 19:33:46 +03:00
master
717316d5a0
Add ElkSharp compound node support
2026-03-28 13:36:52 +02:00
master
7057819f4d
Refactor ElkSharp routing sources into partial modules
2026-03-28 11:56:35 +02:00
master
07f8d1d0e4
Docs: update workflow engine documentation
...
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 12:28:56 +02:00
master
7abdb5334d
Platform: add script variables API and scope/policy updates
...
Add CRUD endpoints for script variables with validation and diff-compatible
models (ScriptEndpoints, ScriptApiModels, IScriptService, InMemoryScriptService).
Update PlatformScopes and PlatformPolicies for script.read/write permissions.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 12:28:17 +02:00
master
c58a236d70
Doctor plugin checks: implement health check classes and documentation
...
Implement remediation-aware health checks across all Doctor plugin modules
(Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment,
EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release,
Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation,
Authority, Core, Cryptography, Database, Docker, Integration, Notify,
Observability, Security, ServiceGraph, Sources, Verification).
Each check now emits structured remediation metadata (severity, category,
runbook links, and fix suggestions) consumed by the Doctor dashboard
remediation panel.
Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 12:28:00 +02:00
master
2bc06169f8
Fix fake orthogonal target-entry hook detection
2026-03-26 14:39:55 +02:00
master
c210115224
Fix ElkSharp gateway target peer conflict polish
2026-03-26 13:57:47 +02:00
master
71edccd485
elksharp stabilization
2026-03-24 08:38:09 +02:00
master
d788ee757e
release control ui simplifications
2026-03-24 01:20:40 +02:00
master
dd29786e38
Implement missing backend endpoints for release orchestration
...
TASK-002: 11 deployment monitoring endpoints in JobEngine
(list, get, logs, events, metrics, pause/resume/cancel/rollback/retry)
TASK-003: 6 evidence management endpoints in JobEngine
(list, get, verify, export, raw, timeline)
TASK-005: 3 release dashboard endpoints in JobEngine
(dashboard summary, approve/reject promotion)
TASK-006: 2 registry image search endpoints in Scanner
(search with 9 mock images, digests lookup)
All endpoints return seed/mock data for testing. Auth policies
match existing patterns. Dual route registration on both
/api/ and /api/v1/ prefixes.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 15:52:20 +02:00