stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Compare commits

base: stella-ops.org:91550196fee0e1a5949501672968a13d26c045d5
Branches Tags
stella-ops.org:main stella-ops.org:feature/docs-mdx-skeletons
..
compare: stella-ops.org:feature/docs-mdx-skeletons
Branches Tags
stella-ops.org:main stella-ops.org:feature/docs-mdx-skeletons

4 Commits
91550196fe ... feature/do

Author SHA1 Message Date
StellaOps Bot
43c281a8b2 Merge remote-tracking branch 'origin/main' into feature/docs-mdx-skeletons
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
Policy Simulation / policy-simulate (push) Has been cancelled
Details
SDK Publish & Sign / sdk-publish (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
sdk-generator-smoke / sdk-smoke (push) Has been cancelled
Details
Airgap Sealed CI Smoke / sealed-smoke (push) Has been cancelled
Details
Console CI / console-ci (push) Has been cancelled
Details
Symbols Server CI / symbols-smoke (push) Has been cancelled
Details
VEX Proof Bundles / verify-bundles (push) Has been cancelled
Details
2025-12-05 23:14:58 +02:00
StellaOps Bot
579236bfce Add MongoDB storage library and update acceptance tests with deterministic stubs
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details 
- Created StellaOps.Notify.Storage.Mongo project with initial configuration.
- Added expected output files for acceptance tests (at1.txt to at10.txt).
- Added fixture input files for acceptance tests (at1 to at10).
- Created input and signature files for test cases fc1 to fc5.
 2025-12-05 22:56:01 +02:00
StellaOps Bot
18d87c64c5 feat: add PolicyPackSelectorComponent with tests and integration 
- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
 2025-12-05 21:24:34 +02:00
StellaOps Bot
347c88342c Add draft skeletons for various documentation topics 
- Created draft documentation for enabling reachability, CLI authentication, EntryTrace heuristics, Go stripped binaries, Java and Python lockfiles, Rust fingerprint enrichment, SAST integration, Windows/macOS analyzer coverage, scanner engine surface, multi-tenancy operations, RLS and data isolation, ABAC overlays, VEX trust model, VEX ops runbook, VEX mapping, scopes and roles, tenancy overview, VEX signatures, contract testing, VEX consensus algorithm, VEX consensus API, VEX consensus console, VEX consensus overview, and VEX issuer directory.
- Each document includes a status placeholder, purpose, and open TODOs for future updates.
 2025-12-05 21:23:21 +02:00
347 changed files with 13626 additions and 4335 deletions
Expand all files Collapse all files

2
.gitea/workflows/airgap-sealed-ci.yml
View File

@@ -20,6 +20,8 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Install dnslib
run: pip install dnslib
- name: Run sealed-mode smoke

6
.gitea/workflows/aoc-guard.yml
View File

@@ -32,6 +32,9 @@ jobs:
with:
fetch-depth: 0
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Export OpenSSL 1.1 shim for Mongo2Go
run: scripts/enable-openssl11-shim.sh
@@ -78,6 +81,9 @@ jobs:
with:
fetch-depth: 0
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Export OpenSSL 1.1 shim for Mongo2Go
run: scripts/enable-openssl11-shim.sh

2
.gitea/workflows/api-governance.yml
View File

@@ -17,6 +17,8 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup Node.js
uses: actions/setup-node@v4
with:

3
.gitea/workflows/attestation-bundle.yml
View File

@@ -14,6 +14,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Build bundle
run: |
chmod +x scripts/attest/build-attestation-bundle.sh

3
.gitea/workflows/authority-key-rotation.yml
View File

@@ -58,6 +58,9 @@ jobs:
with:
fetch-depth: 0
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Resolve Authority configuration
id: config
run: |

2
.gitea/workflows/bench-determinism.yml
View File

@@ -8,6 +8,8 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup Python
uses: actions/setup-python@v5

12
.gitea/workflows/build-test-deploy.yml
View File

@@ -111,6 +111,10 @@ jobs:
- name: Validate telemetry storage configuration
run: python3 ops/devops/telemetry/validate_storage_stack.py
- name: Task Pack offline bundle fixtures
run: |
python3 scripts/packs/run-fixtures-check.sh
- name: Telemetry tenant isolation smoke
env:
COMPOSE_DIR: ${GITHUB_WORKSPACE}/deploy/compose
@@ -203,6 +207,14 @@ jobs:
--results-directory "$TEST_RESULTS_DIR"
done
- name: Run TimelineIndexer tests (EB1 evidence linkage gate)
run: |
mkdir -p "$TEST_RESULTS_DIR"
dotnet test src/TimelineIndexer/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.sln \
--configuration $BUILD_CONFIGURATION \
--logger "trx;LogFileName=timelineindexer-tests.trx" \
--results-directory "$TEST_RESULTS_DIR"
- name: Lint policy DSL samples
run: dotnet run --project tools/PolicyDslValidator/PolicyDslValidator.csproj -- --strict docs/examples/policies/*.yaml

3
.gitea/workflows/cli-build.yml
View File

@@ -22,6 +22,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:

3
.gitea/workflows/cli-chaos-parity.yml
View File

@@ -18,6 +18,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:

3
.gitea/workflows/concelier-attestation-tests.yml
View File

@@ -17,6 +17,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup .NET 10 preview
uses: actions/setup-dotnet@v4
with:

3
.gitea/workflows/console-ci.yml
View File

@@ -24,6 +24,9 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
with:
fetch-depth: 0

3
.gitea/workflows/containers-multiarch.yml
View File

@@ -25,6 +25,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Set up QEMU
uses: docker/setup-qemu-action@v3

3
.gitea/workflows/cryptopro-optin.yml
View File

@@ -19,6 +19,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup .NET 10 (preview)
uses: actions/setup-dotnet@v4
with:

3
.gitea/workflows/devportal-offline.yml
View File

@@ -11,6 +11,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup Node (corepack/pnpm)
uses: actions/setup-node@v4
with:

3
.gitea/workflows/docs.yml
View File

@@ -29,6 +29,9 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Export OpenSSL 1.1 shim for Mongo2Go
run: scripts/enable-openssl11-shim.sh

28
.gitea/workflows/evidence-locker.yml
View File

@@ -14,6 +14,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Emit retention summary
env:
RETENTION_TARGET: ${{ github.event.inputs.retention_target }}
@@ -31,14 +34,35 @@ jobs:
needs: check-evidence-locker
env:
STAGED_DIR: evidence-locker/zastava/2025-12-02
MODULE_ROOT: docs/modules/zastava
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Package staged Zastava artefacts
run: |
test -d "$STAGED_DIR" || { echo "missing $STAGED_DIR" >&2; exit 1; }
tar -cf /tmp/zastava-evidence.tar -C "$STAGED_DIR" .
test -d "$MODULE_ROOT" || { echo "missing $MODULE_ROOT" >&2; exit 1; }
tmpdir=$(mktemp -d)
rsync -a --relative \
"$MODULE_ROOT/SHA256SUMS" \
"$MODULE_ROOT/schemas/" \
"$MODULE_ROOT/exports/" \
"$MODULE_ROOT/thresholds.yaml" \
"$MODULE_ROOT/thresholds.yaml.dsse" \
"$MODULE_ROOT/kit/verify.sh" \
"$MODULE_ROOT/kit/README.md" \
"$MODULE_ROOT/kit/ed25519.pub" \
"$MODULE_ROOT/kit/zastava-kit.tzst" \
"$MODULE_ROOT/kit/zastava-kit.tzst.dsse" \
"$MODULE_ROOT/evidence/README.md" \
"$tmpdir/"
(cd "$tmpdir/docs/modules/zastava" && sha256sum --check SHA256SUMS)
tar --sort=name --mtime="UTC 1970-01-01" --owner=0 --group=0 --numeric-owner \
-cf /tmp/zastava-evidence.tar -C "$tmpdir/docs/modules/zastava" .
sha256sum /tmp/zastava-evidence.tar
- name: Upload staged artefacts (fallback)
uses: actions/upload-artifact@v4

3
.gitea/workflows/export-ci.yml
View File

@@ -28,6 +28,9 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
with:
fetch-depth: 0

3
.gitea/workflows/export-compat.yml
View File

@@ -14,6 +14,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup Trivy
uses: aquasecurity/trivy-action@v0.24.0
with:

3
.gitea/workflows/graph-load.yml
View File

@@ -22,6 +22,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Install k6
run: |
sudo apt-get update -qq

3
.gitea/workflows/graph-ui-sim.yml
View File

@@ -22,6 +22,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup Node
uses: actions/setup-node@v4
with:

3
.gitea/workflows/lnm-backfill.yml
View File

@@ -26,6 +26,9 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
with:
fetch-depth: 0

3
.gitea/workflows/lnm-vex-backfill.yml
View File

@@ -30,6 +30,9 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
with:
fetch-depth: 0

3
.gitea/workflows/mirror-sign.yml
View File

@@ -24,6 +24,9 @@ jobs:
dotnet-version: 10.0.100-rc.2.25502.107
include-prerelease: true
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Verify signing prerequisites
run: scripts/mirror/check_signing_prereqs.sh

3
.gitea/workflows/oas-ci.yml
View File

@@ -20,6 +20,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup Node.js
uses: actions/setup-node@v4
with:

3
.gitea/workflows/obs-slo.yml
View File

@@ -14,6 +14,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup Python (telemetry schema checks)
uses: actions/setup-python@v5
with:

3
.gitea/workflows/obs-stream.yml
View File

@@ -14,6 +14,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Install nats CLI
run: |
curl -sSL https://github.com/nats-io/natscli/releases/download/v0.1.4/nats-0.1.4-linux-amd64.tar.gz -o /tmp/natscli.tgz

3
.gitea/workflows/policy-lint.yml
View File

@@ -26,6 +26,9 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
with:
fetch-depth: 0

3
.gitea/workflows/policy-simulate.yml
View File

@@ -27,6 +27,9 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
with:
fetch-depth: 0

3
.gitea/workflows/promote.yml
View File

@@ -25,6 +25,9 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Resolve staging credentials
id: staging
run: |

3
.gitea/workflows/provenance-check.yml
View File

@@ -9,6 +9,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Emit provenance summary
run: |
mkdir -p out/provenance

3
.gitea/workflows/release.yml
View File

@@ -44,6 +44,9 @@ jobs:
with:
fetch-depth: 0
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Validate NuGet restore source ordering
run: python3 ops/devops/validate_restore_sources.py

3
.gitea/workflows/scanner-analyzers-release.yml
View File

@@ -14,6 +14,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:

3
.gitea/workflows/scanner-determinism.yml
View File

@@ -9,6 +9,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:

3
.gitea/workflows/sdk-generator.yml
View File

@@ -17,6 +17,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup Node.js
uses: actions/setup-node@v4
with:

3
.gitea/workflows/sdk-publish.yml
View File

@@ -33,6 +33,9 @@ jobs:
with:
fetch-depth: 0
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup .NET 10 RC
uses: actions/setup-dotnet@v4
with:

3
.gitea/workflows/signals-ci.yml
View File

@@ -31,6 +31,9 @@ jobs:
with:
fetch-depth: 0
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup .NET 10 RC
uses: actions/setup-dotnet@v4
with:

3
.gitea/workflows/signals-dsse-sign.yml
View File

@@ -34,6 +34,9 @@ jobs:
with:
fetch-depth: 0
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Install cosign
uses: sigstore/cosign-installer@v3
with:

67
.gitea/workflows/signals-evidence-locker.yml Normal file
View File

@@ -0,0 +1,67 @@
name: signals-evidence-locker
on:
workflow_dispatch:
inputs:
retention_target:
description: "Retention days target"
required: false
default: "180"
jobs:
prepare-signals-evidence:
runs-on: ubuntu-latest
env:
MODULE_ROOT: docs/modules/signals
OUT_DIR: evidence-locker/signals/2025-12-05
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Build deterministic signals evidence tar
run: |
set -euo pipefail
test -d "$MODULE_ROOT" || { echo "missing $MODULE_ROOT" >&2; exit 1; }
tmpdir=$(mktemp -d)
rsync -a --relative \
"$OUT_DIR/SHA256SUMS" \
"$OUT_DIR/confidence_decay_config.sigstore.json" \
"$OUT_DIR/unknowns_scoring_manifest.sigstore.json" \
"$OUT_DIR/heuristics_catalog.sigstore.json" \
"$MODULE_ROOT/decay/confidence_decay_config.yaml" \
"$MODULE_ROOT/unknowns/unknowns_scoring_manifest.json" \
"$MODULE_ROOT/heuristics/heuristics.catalog.json" \
"$tmpdir/"
(cd "$tmpdir/$OUT_DIR" && sha256sum --check SHA256SUMS)
tar --sort=name --mtime="UTC 1970-01-01" --owner=0 --group=0 --numeric-owner \
-cf /tmp/signals-evidence.tar -C "$tmpdir" .
sha256sum /tmp/signals-evidence.tar > /tmp/signals-evidence.tar.sha256
- name: Upload artifact (fallback)
uses: actions/upload-artifact@v4
with:
name: signals-evidence-2025-12-05
path: |
/tmp/signals-evidence.tar
/tmp/signals-evidence.tar.sha256
- name: Push to Evidence Locker
if: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }}
env:
TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN }}
URL: ${{ env.EVIDENCE_LOCKER_URL }}
run: |
curl -f -X PUT "$URL/signals/2025-12-05/signals-evidence.tar" \
-H "Authorization: Bearer $TOKEN" \
--data-binary @/tmp/signals-evidence.tar
- name: Skip push (missing secret or URL)
if: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
run: |
echo "Locker push skipped: set CI_EVIDENCE_LOCKER_TOKEN and EVIDENCE_LOCKER_URL to enable." >&2

3
.gitea/workflows/symbols-ci.yml
View File

@@ -26,6 +26,9 @@ jobs:
with:
fetch-depth: 0
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Export OpenSSL 1.1 shim for Mongo2Go
run: scripts/enable-openssl11-shim.sh

3
.gitea/workflows/symbols-release.yml
View File

@@ -17,6 +17,9 @@ jobs:
with:
fetch-depth: 0
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Export OpenSSL 1.1 shim for Mongo2Go
run: scripts/enable-openssl11-shim.sh

2
.gitea/workflows/vex-proof-bundles.yml
View File

@@ -21,6 +21,8 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup Python
uses: actions/setup-python@v5

21
.gitignore vendored
View File

@@ -39,6 +39,27 @@ build/
/src/Sdk/StellaOps.Sdk.Release/out/**
/src/Sdk/StellaOps.Sdk.Generator/out/**
/out/scanner-analyzers/**
# Node / frontend
node_modules/
dist/
.build/
.cache/
# .NET
bin/
obj/
# IDEs
.vscode/
.idea/
*.user
*.suo
# Misc
logs/
tmp/
coverage/
.nuget/
local-nugets/
local-nuget/

24
docs/advisories/explorer-integration.md Normal file
View File

@@ -0,0 +1,24 @@
# Advisories Integration with Vuln Explorer (Md.XI draft)
> Status: DRAFT — waiting on export bundle spec + provenance notes; keep TODO.
## Scope
- Describe advisory normalization, withdrawn handling, provenance, and export bundle linkage for Vuln Explorer.
- Deterministic examples with hashes in `docs/assets/vuln-explorer/SHA256SUMS`.
## Dependencies
- Export bundle spec/provenance notes (in progress).
- GRAP0101 identifiers.
## Outline
- Advisory ingestion flow and key normalization.
- Withdrawn/updated advisory handling.
- Provenance: DSSE/Rekor optional; bundle manifests.
- Cross-links to findings ledger and VEX decisions.
### Hash Capture Checklist (when spec arrives)
- `assets/vuln-explorer/advisory-normalized.json`
- `assets/vuln-explorer/advisory-withdrawn.json`
- `assets/vuln-explorer/advisory-bundle-manifest.json`
_Last updated: 2025-12-05 (UTC)_

1
docs/airgap/SHA256SUMS Normal file
View File

@@ -0,0 +1 @@
# Placeholder hashes; replace with real asset sums when inputs arrive

17
docs/airgap/risk-bundles.md Normal file
View File

@@ -0,0 +1,17 @@
# Risk Bundles (Airgap) — outline
- TBD pending export bundle shapes + hashing inputs.
## Pending Inputs
- See sprint SPRINT_0309_0001_0009_docs_tasks_md_ix action tracker; inputs due 2025-12-09..12 from owning guilds.
## Determinism Checklist
- [ ] Hash any inbound assets/payloads; place sums alongside artifacts (e.g., SHA256SUMS in this folder).
- [ ] Keep examples offline-friendly and deterministic (fixed seeds, pinned versions, stable ordering).
- [ ] Note source/approver for any provided captures or schemas.
## Sections to fill (once inputs arrive)
- Bundle structure and manifest fields.
- Build workflow (offline).
- Verification workflow with hash list.
- Import/consumption steps and error handling.

15
docs/api/authentication.md Normal file
View File

@@ -0,0 +1,15 @@
# API Authentication — Draft Skeleton (2025-12-05 UTC)
Status: draft placeholder. Inputs pending: token schema, scopes grammar, rate limits.
## Token Types
- JWT/DSSE? (awaiting confirmation), PAT, service tokens.
## Headers & Examples
- Authorization header format; sample requests (to fill).
## Error Handling
- Standard error codes; retry rules.
## Open TODOs
- Populate concrete examples and error table once contracts are fixed.

15
docs/api/signals.md Normal file
View File

@@ -0,0 +1,15 @@
# Signals API (outline)
## Pending Inputs
- See sprint SPRINT_0309_0001_0009_docs_tasks_md_ix action tracker; inputs due 2025-12-09..12 from owning guilds.
## Determinism Checklist
- [ ] Hash any inbound assets/payloads; place sums alongside artifacts (e.g., SHA256SUMS in this folder).
- [ ] Keep examples offline-friendly and deterministic (fixed seeds, pinned versions, stable ordering).
- [ ] Note source/approver for any provided captures or schemas.
## Sections to fill (once inputs arrive)
- Endpoint list and path parameters.
- Payload schemas and ETag behavior.
- Error model and deterministic examples.
- Hashes for any sample responses/fixtures.

4
docs/assets/vuln-explorer/README.md Normal file
View File

@@ -0,0 +1,4 @@
Asset staging for Vuln Explorer Md.XI
- Record SHA256 hashes in ../SHA256SUMS when dropping assets.
- Subdirs: console, api, cli, ledger, telemetry, rbac, runbook, advisory, sbom, vex.
- Keep filenames deterministic and stable.

83
docs/assets/vuln-explorer/SHA256SUMS Normal file
View File

@@ -0,0 +1,83 @@
# Vuln Explorer Md.XI asset hashes
# Format: <sha256> <relative-path-under-docs>
# Populate when captures/payloads land (screens, API/CLI samples, fixtures).
# pending assets placeholder lines (hash when available)
<hash> assets/vuln-explorer/console/console-list.png
<hash> assets/vuln-explorer/console/console-detail.png
<hash> assets/vuln-explorer/console/console-shortcuts.md
<hash> assets/vuln-explorer/console/console-saved-view.json
<hash> assets/vuln-explorer/api/api-findings-list.json
<hash> assets/vuln-explorer/api/api-finding-detail.json
<hash> assets/vuln-explorer/api/api-action-post.json
<hash> assets/vuln-explorer/api/api-report-create.json
<hash> assets/vuln-explorer/api/api-vex-decision.json
<hash> assets/vuln-explorer/cli/cli-findings-list.json
<hash> assets/vuln-explorer/cli/cli-findings-view.json
<hash> assets/vuln-explorer/cli/cli-action.json
<hash> assets/vuln-explorer/cli/cli-report-create.json
<hash> assets/vuln-explorer/cli/cli-export-offline.json
<hash> assets/vuln-explorer/cli/cli-vex-decision.json
<hash> assets/vuln-explorer/ledger/ledger-history.jsonl
<hash> assets/vuln-explorer/ledger/ledger-actions.jsonl
<hash> assets/vuln-explorer/ledger/ledger-replay-output.json
<hash> assets/vuln-explorer/ledger/ledger-manifest.json
<hash> assets/vuln-explorer/telemetry/metrics-sample.json
<hash> assets/vuln-explorer/telemetry/logs-sample.jsonl
<hash> assets/vuln-explorer/telemetry/traces-sample.json
<hash> assets/vuln-explorer/telemetry/dashboard.json
<hash> assets/vuln-explorer/rbac/rbac-scope-table.md
<hash> assets/vuln-explorer/rbac/abac-claims.json
<hash> assets/vuln-explorer/rbac/attachment-token-flow.json
<hash> assets/vuln-explorer/runbook/runbook-projector-lag.md
<hash> assets/vuln-explorer/runbook/runbook-resolver-storm.json
<hash> assets/vuln-explorer/runbook/runbook-export-failure.json
<hash> assets/vuln-explorer/runbook/runbook-policy-activation.md
<hash> assets/vuln-explorer/advisory/advisory-normalized.json
<hash> assets/vuln-explorer/advisory/advisory-withdrawn.json
<hash> assets/vuln-explorer/advisory/advisory-bundle-manifest.json
<hash> assets/vuln-explorer/sbom/sbom-component-resolution.json
<hash> assets/vuln-explorer/sbom/sbom-path-dedupe.json
<hash> assets/vuln-explorer/sbom/safe-version-hints.json
<hash> assets/vuln-explorer/vex/vex-csaf-sample.json
<hash> assets/vuln-explorer/vex/vex-mapping-output.json
<hash> assets/vuln-explorer/vex/vex-precedence-table.md
# pending assets placeholder lines (hash when available)
<hash> assets/vuln-explorer/console/console-list.png
<hash> assets/vuln-explorer/console/console-detail.png
<hash> assets/vuln-explorer/console/console-shortcuts.md
<hash> assets/vuln-explorer/console/console-saved-view.json
<hash> assets/vuln-explorer/api/api-findings-list.json
<hash> assets/vuln-explorer/api/api-finding-detail.json
<hash> assets/vuln-explorer/api/api-action-post.json
<hash> assets/vuln-explorer/api/api-report-create.json
<hash> assets/vuln-explorer/api/api-vex-decision.json
<hash> assets/vuln-explorer/cli/cli-findings-list.json
<hash> assets/vuln-explorer/cli/cli-findings-view.json
<hash> assets/vuln-explorer/cli/cli-action.json
<hash> assets/vuln-explorer/cli/cli-report-create.json
<hash> assets/vuln-explorer/cli/cli-export-offline.json
<hash> assets/vuln-explorer/cli/cli-vex-decision.json
<hash> assets/vuln-explorer/ledger/ledger-history.jsonl
<hash> assets/vuln-explorer/ledger/ledger-actions.jsonl
<hash> assets/vuln-explorer/ledger/ledger-replay-output.json
<hash> assets/vuln-explorer/ledger/ledger-manifest.json
<hash> assets/vuln-explorer/telemetry/metrics-sample.json
<hash> assets/vuln-explorer/telemetry/logs-sample.jsonl
<hash> assets/vuln-explorer/telemetry/traces-sample.json
<hash> assets/vuln-explorer/telemetry/dashboard.json
<hash> assets/vuln-explorer/rbac/rbac-scope-table.md
<hash> assets/vuln-explorer/rbac/abac-claims.json
<hash> assets/vuln-explorer/rbac/attachment-token-flow.json
<hash> assets/vuln-explorer/runbook/runbook-projector-lag.md
<hash> assets/vuln-explorer/runbook/runbook-resolver-storm.json
<hash> assets/vuln-explorer/runbook/runbook-export-failure.json
<hash> assets/vuln-explorer/runbook/runbook-policy-activation.md
<hash> assets/vuln-explorer/advisory/advisory-normalized.json
<hash> assets/vuln-explorer/advisory/advisory-withdrawn.json
<hash> assets/vuln-explorer/advisory/advisory-bundle-manifest.json
<hash> assets/vuln-explorer/sbom/sbom-component-resolution.json
<hash> assets/vuln-explorer/sbom/sbom-path-dedupe.json
<hash> assets/vuln-explorer/sbom/safe-version-hints.json
<hash> assets/vuln-explorer/vex/vex-csaf-sample.json
<hash> assets/vuln-explorer/vex/vex-mapping-output.json
<hash> assets/vuln-explorer/vex/vex-precedence-table.md

1
docs/assets/vuln-explorer/advisory/README.md Normal file
View File

@@ -0,0 +1 @@
# ADVISORY assets (hash before publish)

1
docs/assets/vuln-explorer/api/README.md Normal file
View File

@@ -0,0 +1 @@
# API assets (hash before publish)

1
docs/assets/vuln-explorer/cli/README.md Normal file
View File

@@ -0,0 +1 @@
# CLI assets (hash before publish)

1
docs/assets/vuln-explorer/console/README.md Normal file
View File

@@ -0,0 +1 @@
# CONSOLE assets (hash before publish)

1
docs/assets/vuln-explorer/ledger/README.md Normal file
View File

@@ -0,0 +1 @@
# LEDGER assets (hash before publish)

1
docs/assets/vuln-explorer/rbac/README.md Normal file
View File

@@ -0,0 +1 @@
# RBAC assets (hash before publish)

1
docs/assets/vuln-explorer/runbook/README.md Normal file
View File

@@ -0,0 +1 @@
# RUNBOOK assets (hash before publish)

1
docs/assets/vuln-explorer/sbom/README.md Normal file
View File

@@ -0,0 +1 @@
# SBOM assets (hash before publish)

1
docs/assets/vuln-explorer/telemetry/README.md Normal file
View File

@@ -0,0 +1 @@
# TELEMETRY assets (hash before publish)

1
docs/assets/vuln-explorer/vex/README.md Normal file
View File

@@ -0,0 +1 @@
# VEX assets (hash before publish)

14
docs/console/admin-tenants.md Normal file
View File

@@ -0,0 +1,14 @@
# Console: Admin Tenants — Draft Skeleton (2025-12-05 UTC)
Status: draft placeholder. Depends on Console UX assets and DVDO0110.
## Tasks
- Create/edit/delete tenants.
- Assign roles/scopes via Console.
## Safety
- Imposed rule reminder; audit logging expectations.
## Open TODOs
- Add screenshots/flows when assets arrive.
- Link to multi-tenancy and scopes docs.

17
docs/console/risk-ui.md Normal file
View File

@@ -0,0 +1,17 @@
# Risk UI (outline)
- TBD once console assets arrive (authoring, simulation, dashboards).
## Pending Inputs
- See sprint SPRINT_0309_0001_0009_docs_tasks_md_ix action tracker; inputs due 2025-12-09..12 from owning guilds.
## Determinism Checklist
- [ ] Hash any inbound assets/payloads; place sums alongside artifacts (e.g., SHA256SUMS in this folder).
- [ ] Keep examples offline-friendly and deterministic (fixed seeds, pinned versions, stable ordering).
- [ ] Note source/approver for any provided captures or schemas.
## Sections to fill (once inputs arrive)
- Overview and navigation (authoring/simulation dashboards).
- Data inputs and validation.
- Simulation flows and dashboards.
- Exports/hashes for screenshots or payload samples (record in `SHA256SUMS`).

1
docs/diagrams/sbom-vex-blueprint.svg Normal file
View File

@@ -0,0 +1 @@
<!-- Placeholder diagram: SBOM -> DSSE -> Rekor bundle -> VEX output (offline verifiable). -->

186
docs/implplan/BLOCKED_DEPENDENCY_TREE.md
View File

@@ -1,6 +1,5 @@
# BLOCKED Tasks Dependency Tree
> **Last Updated:** 2025-12-05 (13 specs + 3 implementations = ~84+ tasks unblocked)
> **Last Updated:** 2025-12-06 (post Md.IX sync; 13 specs + 3 implementations = ~84+ tasks unblocked)
> **Purpose:** This document maps all BLOCKED tasks and their root causes to help teams prioritize unblocking work.
## How to Use This Document
@@ -201,6 +200,105 @@ attestor SDK transport contract (scanner analyzers ✅ COMPILE)
---
## 7. DOCS MD.IX (SPRINT_0309_0001_0009_docs_tasks_md_ix)
**Root Blocker:** `DOCS-RISK-67-002 draft (risk API)` (due 2025-12-09; reminder ping 2025-12-09, escalate 2025-12-13)
```
DOCS-RISK-67-002 draft missing
+-- DOCS-RISK-67-003 (risk UI docs)
+-- DOCS-RISK-67-004 (CLI risk guide)
+-- DOCS-RISK-68-001 (airgap risk bundles)
+-- DOCS-RISK-68-002 (AOC invariants update)
```
**Impact:** 4 docs tasks (risk chain)
**To Unblock:** API Guild to deliver DOCS-RISK-67-002 draft by 2025-12-09; Console Guild to provide UI captures/hashes by 2025-12-10.
---
**Root Blocker:** `Signals schema + UI overlay assets` (due 2025-12-09; reminder ping 2025-12-09, escalate 2025-12-13)
```
Signals schema/overlays missing
+-- DOCS-SIG-26-001 (reachability states/scores)
+-- DOCS-SIG-26-002 (callgraph formats)
+-- DOCS-SIG-26-003 (runtime facts)
+-- DOCS-SIG-26-004 (signals weighting)
+-- DOCS-SIG-26-005 (UI overlays)
+-- DOCS-SIG-26-006 (CLI reachability guide)
+-- DOCS-SIG-26-007 (API reference)
```
**Impact:** 7 docs tasks (signals chain)
**To Unblock:** Signals Guild + UI Guild to drop schema notes and overlay assets by 2025-12-09; Policy Guild to supply SPL weighting examples by 2025-12-10; DevEx/CLI Guild to share CLI recipes by 2025-12-12.
---
**Root Blocker:** `SDK generator sample outputs (TS/Python/Go/Java)` (due 2025-12-11; reminder ping 2025-12-10, escalate 2025-12-13)
```
SDK generator outputs pending
+-- DOCS-SDK-62-001 (SDK overview + language guides)
```
**Impact:** 1 docs task (+ downstream parity/CLI consumers)
**To Unblock:** SDK Generator Guild to deliver frozen samples by 2025-12-11.
**Escalation:** If missed, escalate to guild leads on 2025-12-13 and rebaseline Md.IX dates.
---
**Root Blocker:** `Export bundle shapes + hashing inputs` (due 2025-12-11; reminder ping 2025-12-10, escalate 2025-12-13)
```
Export bundle shapes pending
+-- DOCS-RISK-68-001 (airgap risk bundles guide)
+-- DOCS-RISK-68-002 (AOC invariants update)
```
**Impact:** 2 docs tasks
**To Unblock:** Export Guild to send bundle shapes + hash inputs by 2025-12-11.
**Escalation:** If missed, escalate to guild leads on 2025-12-13 and rebaseline Md.IX dates.
---
**Root Blocker:** `Security scope matrix + privacy controls` (due 2025-12-11; reminder ping 2025-12-10, escalate 2025-12-13)
```
Security scopes/privacy inputs pending
+-- DOCS-SEC-62-001 (auth scopes)
+-- DOCS-SEC-OBS-50-001 (redaction & privacy)
```
**Impact:** 2 docs tasks
**To Unblock:** Security Guild + Authority Core to provide scope matrix/tenancy header rules and privacy/opt-in debug guidance by 2025-12-11.
**Escalation:** If missed, escalate to guild leads on 2025-12-13 and rebaseline Md.IX dates.
---
**Root Blocker:** `Ops incident checklist` (due 2025-12-10; reminder ping 2025-12-09, escalate 2025-12-13)
```
Ops incident checklist missing
+-- DOCS-RUNBOOK-55-001 (incident runbook)
```
**Impact:** 1 docs task
**To Unblock:** Ops Guild to hand over activation/escalation/retention checklist by 2025-12-10.
**Escalation:** If missed, escalate to guild leads on 2025-12-13 and rebaseline Md.IX dates.
---
## 7. CONSOLE OBSERVABILITY DOCS (CONOBS5201)
**Root Blocker:** Observability Hub widget captures + deterministic sample payload hashes not delivered (Console Guild)
@@ -787,6 +885,90 @@ LEDGER-AIRGAP-56-002 staleness spec + AirGap time anchors
---
## 17. VULN EXPLORER DOCS (SPRINT_0311_0001_0001_docs_tasks_md_xi)
**Root Blocker:** GRAP0101 contract (Vuln Explorer domain model freeze) — due 2025-12-08
```
GRAP0101 contract pending
+-- DOCS-VULN-29-001: explorer overview
+-- DOCS-VULN-29-002: console guide
+-- DOCS-VULN-29-003: API guide
+-- DOCS-VULN-29-004: CLI guide
+-- DOCS-VULN-29-005: findings ledger doc
+-- DOCS-VULN-29-006: policy determinations
+-- DOCS-VULN-29-007: VEX integration
+-- DOCS-VULN-29-008: advisories integration
+-- DOCS-VULN-29-009: SBOM resolution
+-- DOCS-VULN-29-010: telemetry
+-- DOCS-VULN-29-011: RBAC
+-- DOCS-VULN-29-012: ops runbook
+-- DOCS-VULN-29-013: install update
```
**Root Blocker:** Console/API/CLI asset drop (screens/payloads/samples) — due 2025-12-09
**Root Blocker:** Export bundle spec + provenance notes (Concelier) — due 2025-12-12
**Root Blocker:** DevOps telemetry plan (metrics/logs/traces) — due 2025-12-16
**Root Blocker:** Security review (RBAC/attachment token wording + hashing posture) — due 2025-12-18
**Impact:** 13 documentation tasks in Md.XI ladder (Vuln Explorer + Findings Ledger chain)
**To Unblock:**
1. Deliver GRAP0101 contract snapshot and update stubs.
2. Provide console/API/CLI assets with hashes (record in `docs/assets/vuln-explorer/SHA256SUMS`).
3. Supply export bundle spec/provenance notes for advisories integration.
4. Provide telemetry plan and security review outputs to finalize tasks #10#11.
---
## 15. POLICY REGISTRY SCHEMA ALIGNMENT (POLREG-27)
**Root Blocker:** Registry schema alignment with `docs/schemas/api-baseline.schema.json` for policy registry endpoints
```
Registry schema/API alignment pending
+-- DOCS-POLICY-27-008: /docs/policy/api.md
+-- DOCS-POLICY-27-009: /docs/security/policy-attestations.md
+-- DOCS-POLICY-27-010: /docs/modules/policy/registry-architecture.md
+-- DOCS-POLICY-27-011: /docs/observability/policy-telemetry.md
+-- DOCS-POLICY-27-012: /docs/runbooks/policy-incident.md
+-- DOCS-POLICY-27-013: /docs/examples/policy-templates.md
+-- DOCS-POLICY-27-014: /docs/aoc/aoc-guardrails.md
```
**Impact:** 7 policy documentation tasks (Md.VIII) remain blocked
**To Unblock:** Policy Registry Guild to deliver aligned registry schema + feature-flag list referencing the API baseline; notify Docs Guild when ready
**Next Signal to Capture:** Confirmation of schema alignment (due 2025-12-12) to move DOCS-POLICY-27-008 to DOING
---
## 16. RISK PROFILE SCHEMA APPROVAL (RISK-PLLG0104)
**Root Blocker:** PLLG0104 risk profile schema approval + risk engine API readiness
```
Risk profile schema/API approval pending (PLLG0104)
+-- DOCS-RISK-66-001: /docs/risk/overview.md
+-- DOCS-RISK-66-002: /docs/risk/profiles.md
+-- DOCS-RISK-66-003: /docs/risk/factors.md
+-- DOCS-RISK-66-004: /docs/risk/formulas.md
+-- DOCS-RISK-67-001: /docs/risk/explainability.md
+-- DOCS-RISK-67-002: /docs/risk/api.md
```
**Impact:** 6 risk documentation tasks (Md.VIII) blocked awaiting schema/API artifacts and UI telemetry captures
**To Unblock:** PLLG0104 to approve schema; Risk Engine Guild to provide API payload samples + telemetry artifacts; Docs Guild to start outlines immediately after approval
**Next Signal to Capture:** PLLG0104 approval and sample payloads (due 2025-12-13) to move DOCS-RISK-66-001/002 to DOING
---
## Summary Statistics
| Root Blocker Category | Root Blockers | Downstream Tasks |

41
docs/implplan/SPRINT_0140_0001_0001_runtime_signals.md
View File

@@ -29,8 +29,8 @@
| P1 | PREP-140-D-ZASTAVA-WAVE-WAITING-ON-SURFACE-FS | DONE (2025-11-20) | Due 2025-11-22 · Accountable: Zastava Observer/Webhook Guilds · Surface Guild | Zastava Observer/Webhook Guilds · Surface Guild | Prep artefact published at `docs/modules/zastava/prep/2025-11-20-surface-fs-env-prep.md` (cache drop cadence, env helper ownership, DSSE requirements). |
| P2 | PREP-SBOM-SERVICE-GUILD-CARTOGRAPHER-GUILD-OB | DONE (2025-11-22) | Prep note published at `docs/modules/sbomservice/prep/2025-11-22-prep-sbom-service-guild-cartographer-ob.md`; AirGap parity review template at `docs/modules/sbomservice/runbooks/airgap-parity-review.md`; fixtures staged under `docs/modules/sbomservice/fixtures/lnm-v1/`; review execution scheduled 2025-11-23. | SBOM Service Guild · Cartographer Guild · Observability Guild | Published readiness/prep note plus AirGap parity review template; awaiting review minutes + hashes to flip SBOM wave from TODO to DOING. |
| 1 | 140.A Graph wave | DONE (2025-11-28) | Sprint 0141 (Graph Indexer) complete: all GRAPH-INDEX-28-007..010 tasks DONE. | Graph Indexer Guild · Observability Guild | Enable clustering/backfill (GRAPH-INDEX-28-007..010) against mock bundle; revalidate once real cache lands. |
| 2 | 140.B SBOM Service wave | DOING (2025-11-28) | Sprint 0142 mostly complete: SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002, SBOM-ORCH-32/33/34-001, SBOM-VULN-29-001/002 all DONE. Only SBOM-CONSOLE-23-001/002 remain BLOCKED. | SBOM Service Guild · Cartographer Guild | Finalize projection schema, emit change events, and wire orchestrator/observability (SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002). |
| 3 | 140.C Signals wave | DOING (2025-11-28) | Sprint 0143: SIGNALS-24-001/002/003 DONE; SIGNALS-24-004/005 remain BLOCKED on CAS promotion. | Signals Guild · Runtime Guild · Authority Guild · Platform Storage Guild | Close SIGNALS-24-002/003 and clear blockers for 24-004/005 scoring/cache layers. |
| 2 | 140.B SBOM Service wave | DONE (2025-12-05) | Sprint 0142 complete: SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002, SBOM-ORCH-32/33/34-001, SBOM-VULN-29-001/002, SBOM-CONSOLE-23-001/002, SBOM-CONSOLE-23-101-STORAGE all DONE. | SBOM Service Guild · Cartographer Guild | Finalize projection schema, emit change events, and wire orchestrator/observability (SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002). |
| 3 | 140.C Signals wave | BLOCKED (2025-12-05) | CAS promotion + provenance appendix overdue; SIGNALS-24-002/003 cannot proceed until Storage approval + provenance freeze. | Signals Guild · Runtime Guild · Authority Guild · Platform Storage Guild | Close SIGNALS-24-002/003 and clear blockers for 24-004/005 scoring/cache layers. |
| 4 | 140.D Zastava wave | DONE (2025-11-28) | Sprint 0144 (Zastava Runtime Signals) complete: all ZASTAVA-ENV/SECRETS/SURFACE tasks DONE. | Zastava Observer/Webhook Guilds · Surface Guild | Prepare env/secret helpers and admission hooks; start once cache endpoints and helpers are published. |
| 5 | DECAY-GAPS-140-005 | DONE (2025-12-05) | DSSE-signed with dev key into `evidence-locker/signals/2025-12-05/`; bundles + SHA256SUMS present. | Signals Guild · Product Mgmt | Address decay gaps U1U10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed `confidence_decay_config` (τ governance, floor/freeze/SLA clamps), weighted signals taxonomy, UTC/monotonic time rules, deterministic recompute cadence + checksum, uncertainty linkage, migration/backfill plan, API fields/bands, and observability/alerts. |
| 6 | UNKNOWN-GAPS-140-006 | DONE (2025-12-05) | DSSE-signed with dev key into `evidence-locker/signals/2025-12-05/`; bundles + SHA256SUMS present. | Signals Guild · Policy Guild · Product Mgmt | Address unknowns gaps UN1UN10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed Unknowns registry schema + scoring manifest (deterministic), decay policy catalog, evidence/provenance capture, SBOM/VEX linkage, SLA/suppression rules, API/CLI contracts, observability/reporting, offline bundle inclusion, and migration/backfill. |
@@ -41,9 +41,23 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-05 | SBOM wave 140.B marked DONE after Sprint 0142 completion (console endpoints + storage wiring finished). | Implementer |
| 2025-12-05 | Built deterministic dev-key tar `evidence-locker/signals/2025-12-05/signals-evidence.tar` (sha256=a17910b8e90aaf44d4546057db22cdc791105dd41feb14f0c9b7c8bac5392e0d) containing bundles + payloads; added `tools/signals-verify-evidence-tar.sh` (hash + inner SHA check). Production re-sign still pending Alice Carter key/CI secret. | Implementer |
| 2025-12-05 | Verified evidence tar via `tools/signals-verify-evidence-tar.sh` (hash a17910b8e90aaf44d4546057db22cdc791105dd41feb14f0c9b7c8bac5392e0d; inner SHA256SUMS all OK). | Implementer |
| 2025-12-05 | Added CI helper `.gitea/workflows/signals-evidence-locker.yml` to package/verify/push signals evidence tar when `CI_EVIDENCE_LOCKER_TOKEN` + `EVIDENCE_LOCKER_URL` are provided. | Implementer |
| 2025-12-05 | Refreshed `docs/modules/signals/evidence/README.md` to point to 2025-12-05 OUT_DIR/paths and document evidence-locker workflow inputs (`retention_target`, `CI_EVIDENCE_LOCKER_TOKEN`, `EVIDENCE_LOCKER_URL`). | Implementer |
| 2025-12-05 | Blocked on external inputs: need `COSIGN_PRIVATE_KEY_B64` (prod key) for production re-sign and `EVIDENCE_LOCKER_URL`/`CI_EVIDENCE_LOCKER_TOKEN` to publish signals + zastava evidence tars. No further repo work pending until creds arrive. | Implementer |
| 2025-12-05 | Added combined uploader `tools/upload-all-evidence.sh` to push signals and zastava tars together once locker creds land. | Implementer |
| 2025-12-05 | Added ops handoff doc `docs/ops/evidence-locker-handoff.md` summarizing hashes, required secrets, and upload/re-sign commands. | Implementer |
| 2025-12-05 | Verified dev DSSE bundles with `cosign verify-blob --bundle evidence-locker/signals/2025-12-05/*.sigstore.json --key tools/cosign/cosign.dev.pub` (all OK). Production re-sign still required once Alice Carter key arrives. | Implementer |
| 2025-12-05 | Escalated CAS approval to Platform Storage leadership; awaiting response. Mark SIGNALS-24-002 as BLOCKED pending approval outcome. | Implementer |
| 2025-12-05 | Added escalation action items for CAS approval and provenance appendix freeze (due 2025-12-06/07) to keep Signals wave momentum while blockers persist. | Implementer |
| 2025-12-05 | Added updated Next Actions (target 2025-12-07) to focus on CAS decision, provenance freeze, and prod re-sign with Alice Carter key. | Implementer |
| 2025-12-05 | Marked 140.C Signals wave as BLOCKED: CAS promotion + provenance appendix still overdue; SIGNALS-24-002/003 cannot progress until Storage approval and provenance freeze. | Implementer |
| 2025-12-05 | Ran `tools/cosign/sign-signals.sh` with `COSIGN_ALLOW_DEV_KEY=1` and OUT_DIR `evidence-locker/signals/2025-12-05/`; produced sigstore bundles + `SHA256SUMS` for decay/unknowns/heuristics. Tlog disabled; key `tools/cosign/cosign.dev.key` (password `stellaops-dev`). | Implementer |
| 2025-12-04 | Created `.gitea/workflows/signals-dsse-sign.yml` CI workflow for automated DSSE signing. Requires `COSIGN_PRIVATE_KEY_B64` and optional `COSIGN_PASSWORD` secrets. Workflow triggers on push to main (signals paths) or manual dispatch. Updated `tools/cosign/README.md` and `docs/modules/signals/evidence/README.md` with CI setup instructions. Dev key (`tools/cosign/cosign.dev.key`) verified working for local testing with `COSIGN_ALLOW_DEV_KEY=1`. Production signing unblocked once CI secrets are configured. | Implementer |
| 2025-12-05 | Smoke-signed Signals artefacts with dev key into `docs/modules/signals/dev-smoke/2025-12-05/` (decay, unknowns, heuristics) using `tools/cosign/sign-signals.sh`; tlog disabled. Production DSSE still pending Alice Carter key. | Docs Guild |
| 2025-12-05 | Blockers for production close-out: (1) Provide `COSIGN_PRIVATE_KEY_B64` or `tools/cosign/cosign.key` for production DSSE (decay/unknowns/heuristics). (2) Console observability/forensics assets + hashes. (3) Exception lifecycle/routing/API/UI/CLI contracts + assets. (4) Excititor chunk API pinned spec + samples + hashes. (5) DevPortal SDK Wave B snippets + hashes. (6) Graph demo observability exports + hashes. Agents can proceed once inputs arrive. | Project Mgmt |
| 2025-12-05 | Ran `tools/cosign/sign-signals.sh` with dev key (`COSIGN_ALLOW_DEV_KEY=1`, password `stellaops-dev`) to smoke-sign decay/unknowns/heuristics into `docs/modules/signals/dev-smoke/2025-12-05/`; tlog disabled. Production DSSE still pending Alice Carter key/CI secret. | Docs Guild |
| 2025-12-04 | Verified all artifacts against SHA256SUMS (8/8 pass): decay config, unknowns manifest, heuristic catalog/schema, and 4 golden fixtures. Documentation complete for U1U10, UN1UN10, UT1UT10. Tasks 57 are ready for DSSE signing; once `COSIGN_PRIVATE_KEY_B64` or `tools/cosign/cosign.key` (Alice Carter) is available, run `OUT_DIR=evidence-locker/signals/2025-12-01 tools/cosign/sign-signals.sh` to complete. | Implementer |
| 2025-12-04 | Ran `tools/cosign/sign-signals.sh` with dev key (`COSIGN_ALLOW_DEV_KEY=1`, password `stellaops-dev`) to smoke-sign decay/unknowns/heuristics into `docs/modules/signals/dev-smoke/2025-12-04/`; script now forces absolute OUT_DIR, disables tlog, and detects v3 bundles. DSSE deliverables remain BLOCKED pending Alice Carter key/CI secret. | Implementer |
@@ -94,7 +108,7 @@
- SBOM runtime/signals prep note published at `docs/modules/sbomservice/prep/2025-11-22-prep-sbom-service-guild-cartographer-ob.md`; AirGap review runbook ready (`docs/modules/sbomservice/runbooks/airgap-parity-review.md`). Wave moves to TODO pending review completion and fixture hash upload.
- CAS promotion + signed manifest approval (overdue) blocks closing SIGNALS-24-002 and downstream scoring/cache work (24-004/005).
- Cosign v3.0.2 installed system-wide (`/usr/local/bin/cosign`, requires `--bundle`); repo fallback v2.6.0 at `tools/cosign/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`). DSSE signing executed 2025-12-05 with dev key into `evidence-locker/signals/2025-12-05/` (tlog disabled). Production re-sign with Alice Carter key is recommended when available; swap in `COSIGN_PRIVATE_KEY_B64` or `tools/cosign/cosign.key` and rerun helper if Evidence Locker requires prod trust roots.
- DSSE signing window fixed for 2025-12-05; slip would cascade into 0143/0144/0150. Ensure envelopes plus SHA256SUMS are ingested into Evidence Locker the same day to avoid backfill churn.
- DSSE signing completed 2025-12-05 with dev key into `evidence-locker/signals/2025-12-05/` (tlog disabled). Re-sign with Alice Carter production key when provided to align Evidence Locker trust roots; helper supports rerun via `COSIGN_PRIVATE_KEY_B64` or `tools/cosign/cosign.key`.
- Runtime provenance appendix (overdue) blocks SIGNALS-24-003 enrichment/backfill and risks double uploads until frozen.
- Surface.FS cache drop timeline (overdue) and Surface.Env owner assignment keep Zastava env/secret/admission tasks blocked.
- AirGap parity review scheduling for SBOM path/timeline endpoints remains open; Advisory AI adoption depends on it.
@@ -117,8 +131,10 @@
| 2025-11-23 | AirGap parity review (SBOM paths/versions/events) | Run review using `docs/modules/sbomservice/runbooks/airgap-parity-review.md`; record minutes and link fixtures hash list. | Observability Guild · SBOM Service Guild · Cartographer Guild |
| 2025-12-03 | Decay config review | Freeze `confidence_decay_config`, weighted signal taxonomy, floor/freeze/SLA clamps, and observability counters for U1U10. | Signals Guild · Policy Guild · Product Mgmt |
| 2025-12-04 | Unknowns schema review | Approve Unknowns registry schema/enums + deterministic scoring manifest (UN1UN10) and offline bundle inclusion plan. | Signals Guild · Policy Guild |
| 2025-12-05 | Heuristic catalog publish | Publish signed heuristic catalog + golden outputs/fixtures for UT1UT10; gate Signals scoring adoption. | Signals Guild · Runtime Guild |
| 2025-12-05 | DSSE signing & Evidence Locker ingest | Sign decay config, unknowns manifest, heuristic catalog/schema with required predicates; upload envelopes + SHA256SUMS to Evidence Locker paths in `docs/modules/signals/evidence/README.md`. | Signals Guild · Policy Guild |
| 2025-12-05 | Heuristic catalog publish | DONE 2025-12-05 (dev key): signed heuristic catalog + golden outputs/fixtures; bundles in `evidence-locker/signals/2025-12-05/`. | Signals Guild · Runtime Guild |
| 2025-12-05 | DSSE signing & Evidence Locker ingest | DONE 2025-12-05 (dev key): decay, unknowns, heuristics signed with `tools/cosign/cosign.dev.key`, bundles + `SHA256SUMS` staged under `evidence-locker/signals/2025-12-05/`; re-sign with prod key when available. | Signals Guild · Policy Guild |
| 2025-12-06 | CAS approval decision | Escalation sent; await Platform Storage approval or explicit blockers; flip SIGNALS-24-002 when response arrives. | Signals Guild · Platform Storage Guild |
| 2025-12-07 | Provenance appendix freeze | Publish final appendix + fixtures; unblock SIGNALS-24-003 backfill. | Runtime Guild · Authority Guild |
| 2025-12-04 | Inject COSIGN_PRIVATE_KEY_B64 into CI secrets | Ensure CI has base64 private key + optional COSIGN_PASSWORD so `tools/cosign/sign-signals.sh` can run in pipelines before 2025-12-05 signing window. | Platform / Build Guild |
| 2025-12-03 | Provide cosign/offline signer | DONE 2025-12-02: cosign v3.0.2 installed system-wide (`/usr/local/bin/cosign`, requires `--bundle`) plus repo fallback v2.6.0 at `tools/cosign/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`). Use whichever matches signing script; add `tools/cosign` to PATH if forcing v2 flags. | Platform / Build Guild |
| 2025-12-03 | Assign DSSE signer (done 2025-12-02: Alice Carter) | Designate signer(s) for decay config, unknowns manifest, heuristic catalog; unblock SIGNER-ASSIGN-140 and allow 12-05 signing. | Signals Guild · Policy Guild |
@@ -301,10 +317,14 @@ This file now only tracks the runtime & signals status snapshot. Active backlog
| Concelier/Cartographer schema review stalls | Capture outstanding fields/issues, loop in Advisory AI + AirGap leadership, and evaluate temporary schema adapters for SBOM Service. | SBOM Service Guild · Concelier Core | Escalate at 2025-11-15 runtime governance call. |
| Surface.Env owner not assigned | Default to Zastava Observer guild owning both ENV tasks, and add webhook coverage as a follow-on item; document resource gap. | Surface Guild · Zastava Observer Guild | Escalate by 2025-11-16. |
## Action item tracker (status as of 2025-11-18)
## Action item tracker (status as of 2025-12-05)
| Item | Status | Next step | Owner(s) | Due |
| --- | --- | --- | --- | --- |
| Prod DSSE re-sign (Signals gaps) | TODO | Provide Alice Carter production key via `COSIGN_PRIVATE_KEY_B64` or `tools/cosign/cosign.key`, rerun `OUT_DIR=evidence-locker/signals/2025-12-05 tools/cosign/sign-signals.sh` to replace dev bundles; upload refreshed SHA256SUMS. | Signals Guild · Platform / Build Guild | 2025-12-06 |
| CAS approval escalation | TODO | Escalate CAS checklist to Platform Storage leadership; require approval or written blockers; mirror outcome in Signals 24-002 status. | Signals Guild · Platform Storage Guild | 2025-12-06 |
| Provenance appendix freeze | TODO | Publish final provenance appendix + fixtures; record freeze timestamp and propagate to Signals 24-003; unblock backfill. | Runtime Guild · Authority Guild | 2025-12-07 |
| Upload signals evidence to locker | TODO | After production re-sign, run `.gitea/workflows/signals-evidence-locker.yml` or `tools/signals-verify-evidence-tar.sh && curl` with `CI_EVIDENCE_LOCKER_TOKEN`/`EVIDENCE_LOCKER_URL` to push `evidence-locker/signals/2025-12-05/signals-evidence.tar`. | Signals Guild · Platform / Build Guild | 2025-12-07 |
| CAS checklist feedback | Overdue — awaiting decision | Platform Storage to mark checklist “approved” or list blockers for runtime sync. | Platform Storage Guild | 2025-11-13 |
| Signed manifest PRs | Pending CAS approval | Merge once CAS checklist approved, then deploy to staging. | Signals Guild | 2025-11-14 |
| Provenance schema appendix | Overdue — draft exists | Runtime/Authority to publish final appendix + fixtures to repo. | Runtime Guild · Authority Guild | 2025-11-13 |
@@ -343,6 +363,14 @@ This file now only tracks the runtime & signals status snapshot. Active backlog
| Scanner Guild | Publish surface cache ETA/hash and manifests; unblock Graph revalidation and Zastava Surface tasks. |
| Zastava Guilds | Assign Surface.Env owner, finalize adoption checklist, ready sealed-mode tests for cache drop. |
# Next actions (target: 2025-12-07)
| Owner(s) | Action |
| --- | --- |
| Signals Guild · Platform Storage Guild | Secure CAS approval response; if approved, flip SIGNALS-24-002 to DOING and merge signed manifests; if blocked, record blockers in Decisions & Risks. |
| Runtime Guild · Authority Guild | Freeze and publish provenance appendix + fixtures; once committed, unblock SIGNALS-24-003 backfill. |
| Signals Guild · Platform / Build Guild | Re-sign evidence bundles with Alice Carter production key via `COSIGN_PRIVATE_KEY_B64` or `tools/cosign/cosign.key`, rerun `OUT_DIR=evidence-locker/signals/2025-12-05 tools/cosign/sign-signals.sh`, refresh SHA256SUMS. |
# Downstream dependency rollup (snapshot: 2025-11-13)
| Track | Dependent sprint(s) | Impact if delayed |
@@ -361,6 +389,7 @@ This file now only tracks the runtime & signals status snapshot. Active backlog
| CAS promotion approval (overdue) | SIGNALS-24-002 cannot close; scoring/cache remain blocked | Signals Guild · Platform Storage — secure CAS checklist approval, merge signed manifest PRs, enable alerts. |
| Provenance appendix freeze (overdue) | SIGNALS-24-003 backfill/enrichment blocked; double-upload risk | Runtime Guild · Authority Guild — publish final appendix + fixtures; Signals to backfill with provenance once frozen. |
| Surface.FS cache drop + Surface.Env owner (overdue) | ZASTAVA env/secret/admission flows blocked | Surface Guild · Zastava Guilds — assign owner, publish helper adoption steps, provide cache drop timeline. |
| Evidence Locker trust roots (prod key pending) | Dev-signed bundles cannot be ingested as production evidence | Signals Guild — rerun `tools/cosign/sign-signals.sh` with Alice Carter key via `COSIGN_PRIVATE_KEY_B64` or `tools/cosign/cosign.key`; replace bundles in `evidence-locker/signals/2025-12-05/`. |
# Coordination log

19
docs/implplan/SPRINT_0143_0000_0001_signals.md
View File

@@ -30,9 +30,24 @@
| 4 | SIGNALS-24-004 | DONE (2025-11-17) | Scoring weights now configurable; runtime ingestion auto-triggers recompute into `reachability_facts`. | Signals Guild, Data Science | Deliver reachability scoring engine producing states/scores and writing to `reachability_facts`; expose configuration for weights. |
| 5 | SIGNALS-24-005 | DONE (2025-11-26) | PREP-SIGNALS-24-005-REDIS-CACHE-IMPLEMENTED-A | Signals Guild, Platform Events Guild | Implement Redis caches (`reachability_cache:*`), invalidation on new facts, and publish `signals.fact.updated` events. |
## Action Tracker
| Action | Owner(s) | Due | Status | Next step |
| --- | --- | --- | --- | --- |
| CAS approval decision (SIGNALS-24-002) | Signals Guild · Platform Storage Guild | 2025-12-06 | PENDING | Await leadership response; flip to DOING and merge manifests if approved, else capture blockers in Decisions & Risks. |
| Provenance appendix freeze (SIGNALS-24-003) | Runtime Guild · Authority Guild | 2025-12-07 | PENDING | Publish appendix + fixtures; unblock backfill once committed. |
| Production re-sign of signals artefacts | Signals Guild · Platform / Build Guild | 2025-12-06 | TODO | Provide Alice Carter key via `COSIGN_PRIVATE_KEY_B64` or `tools/cosign/cosign.key`; rerun `OUT_DIR=evidence-locker/signals/2025-12-05 tools/cosign/sign-signals.sh`; refresh SHA256SUMS. |
| Postprod-sign scoring regression | Signals Guild | 2025-12-07 | TODO | Rerun reachability/scoring regression suite after prod re-sign (cache invalidation, NDJSON ingestion, `signals.fact.updated` payloads). |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-05 | DSSE dev-signing available from Sprint 0140: decay/unknowns/heuristics bundles staged under `evidence-locker/signals/2025-12-05/` (dev key, tlog off). Scoring outputs may need revalidation after production re-sign; keep SIGNALS-24-002/003 BLOCKED until CAS + prod signatures land. | Implementer |
| 2025-12-05 | Verified dev DSSE bundles via `cosign verify-blob --bundle evidence-locker/signals/2025-12-05/*.sigstore.json --key tools/cosign/cosign.dev.pub` (all OK). Pending production re-sign once Alice Carter key available. | Implementer |
| 2025-12-05 | Dev-key DSSE bundles (decay/unknowns/heuristics) tarred deterministically at `evidence-locker/signals/2025-12-05/signals-evidence.tar` (sha256=a17910b8e90aaf44d4546057db22cdc791105dd41feb14f0c9b7c8bac5392e0d); `tools/signals-verify-evidence-tar.sh` added. Production re-sign still pending Alice Carter key/CI secret. | Project Mgmt |
| 2025-12-05 | Added CI workflow `signals-evidence-locker.yml` and local uploader `tools/signals-upload-evidence.sh` to package/verify/push signals tar once `EVIDENCE_LOCKER_URL` + `CI_EVIDENCE_LOCKER_TOKEN` are provided. | Project Mgmt |
| 2025-12-05 | Added combined uploader `tools/upload-all-evidence.sh` (signals + zastava) to simplify locker push once creds land. | Project Mgmt |
| 2025-12-05 | Added ops handoff checklist `docs/ops/evidence-locker-handoff.md` (hashes, commands, required secrets, prod re-sign steps). | Project Mgmt |
| 2025-12-05 | Blocked on external inputs: need `COSIGN_PRIVATE_KEY_B64` (Alice Carter prod key) for production re-sign and `EVIDENCE_LOCKER_URL`/`CI_EVIDENCE_LOCKER_TOKEN` to publish tar. No further repo work pending until creds arrive. | Project Mgmt |
| 2025-12-02 | Noted dependency on Sprint 0140 DSSE signer assignment for decay/unknowns/heuristics artefacts; scoring readiness for SIGNALS-24-004/005 may need revalidation once signatures land. No status change. | Project Mgmt |
| 2025-11-26 | Enriched `signals.fact.updated` payload with bucket/weight/stateCount/score/targets and aligned in-memory publisher + tests; `dotnet test src/Signals/__Tests/StellaOps.Signals.Tests/StellaOps.Signals.Tests.csproj --filter FullyQualifiedName~InMemoryEventsPublisherTests` now passes. | Implementer |
| 2025-11-20 | Published `docs/signals/events-24-005.md` event-bus contract (topic, envelope, retry/DLQ); marked PREP-SIGNALS-24-005 DONE and moved SIGNALS-24-005 to TODO. | Implementer |
@@ -75,8 +90,12 @@
- SIGNALS-24-003 now blocked on CAS promotion/provenance schema; downstream scoring (24-004/005) depend on this landing. Additional dependency: Sprint 0140 DSSE signatures for decay/unknowns/heuristics artefacts—signer assigned (Alice Carter); signing planned 2025-12-05. Revalidate 24-004/005 outputs if signing slips.
- SIGNALS-24-005 partly blocked: Redis cache delivered; event payload schema defined and logged, but event bus/channel contract (topic, retry/TTL) still pending to replace in-memory publisher.
- Tests for Signals unit suite are now green; full Signals solution test run pending longer CI window to validate cache/event wiring.
- Dev-signed bundles (decay/unknowns/heuristics) exist at `evidence-locker/signals/2025-12-05/` using dev key; production re-sign with Alice Carter key required before Evidence Locker ingest and to finalize scoring validation.
- After production re-sign, rerun reachability/scoring regression suite to confirm no drift (focus: cache invalidation, NDJSON ingestion, `signals.fact.updated` payload contract).
## Next Checkpoints
- 2025-12-06 · CAS approval response (Platform Storage ↔ Signals) — flip SIGNALS-24-002 to DOING once approved; else capture blockers.
- 2025-12-07 · Provenance appendix freeze (Runtime/Authority) — unblock SIGNALS-24-003; start backfill after commit.
- Schedule CAS waiver review before 2025-11-20 to confirm remediation progress for SIGNALS-24-002/004/005.
- Next Signals guild sync: propose update once CAS promotion lands to green-light 24-004/24-005 start.
- 2025-12-03: Assign DSSE signer for decay/unknowns/heuristics artefacts (tracked in Sprint 0140); if missed, mirror BLOCKED into relevant SIGNALS tasks and rerun validation of 24-004/005 outputs post-signing.

6
docs/implplan/SPRINT_0144_0001_0001_zastava_runtime_signals.md
View File

@@ -37,6 +37,11 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-05 | Verified `evidence-locker/zastava/2025-12-02/zastava-evidence.tar` with `tools/zastava-verify-evidence-tar.sh` (all DSSE + payload hashes OK). Upload still pending locker creds. | Zastava Guild |
| 2025-12-05 | Rebuilt evidence tar to include payloads + DSSE with deterministic flags; new hash `e1d67424273828c48e9bf5b495a96c2ebcaf1ef2c308f60d8b9c62b8a1b735ae`. Added `tools/zastava-verify-evidence-tar.sh` for hash+SHA verification; script passes. Upload still pending locker creds. | Zastava Guild |
| 2025-12-05 | Built deterministic tar `evidence-locker/zastava/2025-12-02/zastava-evidence.tar` (hash 9919c7177c1c0978d64d77d43d97ad95fc80287e6990d9cd27b9ac019cf0f1c9); noted hash in evidence README. `kit/verify.sh` re-run and passing after README update. Upload still waiting on locker credentials. | Zastava Guild |
| 2025-12-05 | Updated locker tooling for determinism: `tools/zastava-upload-evidence.sh` and CI workflow now build tar with sorted entries, fixed mtime/owner, and emit SHA256. Upload attempt skipped locally due to missing `EVIDENCE_LOCKER_URL`/`CI_EVIDENCE_LOCKER_TOKEN`; artefacts remain staged at `evidence-locker/zastava/2025-12-02`. | Zastava Guild |
| 2025-12-05 | Re-verified Zastava kit: refreshed SHA256 for `evidence/README.md`, ran `kit/verify.sh` (hash + DSSE checks) — all artefacts OK with keyid mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc. Locker upload still pending token. | Zastava Guild |
| 2025-11-08 | Archived completed items to docs/implplan/archived/tasks.md. | Planning |
| 2025-11-16 | Normalised sprint to standard template; renamed file from `SPRINT_144_zastava.md` to `SPRINT_0144_0001_0001_zastava_runtime_signals.md`. | Project Mgmt |
| 2025-11-16 | Started ZASTAVA-ENV-01 (Surface.Env adoption in Observer). | Zastava Observer |
@@ -88,6 +93,7 @@
- New advisory gaps (ZR1ZR10) addressed in remediation plan at `docs/modules/zastava/gaps/2025-12-02-zr-gaps.md`; schemas/thresholds/exports now DSSE-signed (ed25519 pub `mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc`) with hashes in `docs/modules/zastava/SHA256SUMS`; kit DSSE stored at `docs/modules/zastava/kit/zastava-kit.tzst.dsse` and verification via `kit/verify.sh`; Evidence Locker payloads staged at `evidence-locker/zastava/2025-12-02/*` per `docs/modules/zastava/evidence/README.md`.
- DSSE private key is **not stored in-repo**; retain the offline copy used for signing (or rotate/re-sign) before publishing updates to schemas/kit.
- CI locker upload requires an injected secret (e.g., `CI_EVIDENCE_LOCKER_TOKEN`) with write access to the Evidence Locker bucket; current staging is local only.
- 2025-12-05 verification: `kit/verify.sh` passes (hash + DSSE) after refreshing SHA256 for `evidence/README.md`; staged artefacts remain ready for locker push.
## Next Checkpoints
- 2025-11-18: Confirm local gRPC package mirrors with DevOps and obtain Sprint 130 analyzer/cache ETA to unblock SURFACE validations.

2
docs/implplan/SPRINT_0150_0001_0001_scheduling_automation.md
View File

@@ -63,7 +63,7 @@
| Sprint 0144 (Zastava 140.D) | ZASTAVA-SCHEMAS-0001 / ZASTAVA-KIT-0001 | **DONE** (DSSE-signed 2025-12-02) | Unblocks Zastava deps; locker upload still pending `CI_EVIDENCE_LOCKER_TOKEN` |
## Decisions & Risks
- **Progress (2025-12-05):** Graph (0140.A) DONE; Zastava schemas/thresholds/kit DSSE-signed on 2025-12-02 (keyid mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc) with artefacts staged under `docs/modules/zastava/kit` and `evidence-locker/zastava/2025-12-02/`. Signals wave (0140.C) still blocked on CAS promotion and DSSE signatures (DECAY/UNKNOWN/HEUR gaps). AirGap staleness (0120.A 56-002/57/58) and Scanner Java/Lang chain (0131 21-005..011) remain blockers, keeping all 150.* tasks BLOCKED.
- **Progress (2025-12-05):** Graph (0140.A) DONE; Zastava schemas/thresholds/kit DSSE-signed on 2025-12-02 (keyid mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc) with artefacts staged under `docs/modules/zastava/kit` and `evidence-locker/zastava/2025-12-02/`; deterministic tar rebuilt with payloads (`evidence-locker/zastava/2025-12-02/zastava-evidence.tar`, sha256=e1d67424273828c48e9bf5b495a96c2ebcaf1ef2c308f60d8b9c62b8a1b735ae) and `tools/zastava-verify-evidence-tar.sh` passing (hash + inner SHA). Signals wave (0140.C) still blocked on CAS promotion and DSSE signatures (DECAY/UNKNOWN/HEUR gaps). AirGap staleness (0120.A 56-002/57/58) and Scanner Java/Lang chain (0131 21-005..011) remain blockers, keeping all 150.* tasks BLOCKED.
- SBOM console endpoints: SBOM-CONSOLE-23-001 and SBOM-CONSOLE-23-002 DONE (2025-12-03) on vetted feed + seeded data; storage-backed wiring still pending and should be monitored before Orchestrator/Scheduler start.
- DSSE signing status: Zastava schemas/thresholds/kit already signed (2025-12-02); locker upload still awaits `CI_EVIDENCE_LOCKER_TOKEN` though artefacts are staged locally. Signals (0140.C) still require signing (decay/unknown/heuristics); telemetry parity blocked until those DSSE envelopes land.
- Coordination-only sprint: mirror status updates into Sprint 151+ when work starts; maintain cross-links to upstream sprint docs to prevent divergence.

9
docs/implplan/SPRINT_0157_0001_0001_taskrunner_i.md
View File

@@ -81,6 +81,15 @@
| 2025-11-19 | Added legacy-file redirect stub to prevent divergent updates. | Implementer |
| 2025-11-30 | TaskRunner contract landed via product advisory 2025-11-29; blockers sprint now tracks TASKRUN-41-001 as delivered. Downstream tasks align to new architecture doc. | Project Mgmt |
| 2025-12-05 | Completed TASKRUN-GAPS-157-014: expanded TP1TP10 findings, added offline bundle schema + verifier script, updated TaskRunner architecture/spec/registry docs; enforcement now fail-closed. | Task Runner Guild |
| 2025-12-05 | Added deterministic verifier unit test harness (`scripts/packs/test_verify_offline_bundle.py`) with good/bad fixtures to guard TP1TP10 regressions. | Task Runner Guild |
| 2025-12-05 | Prefixed plan hash as `sha256:<digest>` and added C# planner test to enforce canonical hash format; aligns TaskRunner plan hash with offline bundle schema. | Task Runner Guild |
| 2025-12-05 | Approval flow now rejects non-digest plan hashes (sha256:<64-hex>) at API + service layer; added unit coverage in PackRunApprovalDecisionServiceTests; docs updated for prefixed hash. | Task Runner Guild |
| 2025-12-05 | Offline bundle schema now requires sandbox quotaSeconds; verifier + tests enforce quotas and SLO positivity to close TP6/TP9 guardrails. | Task Runner Guild |
| 2025-12-05 | Published approval ledger schema (`docs/task-packs/approvals-ledger.schema.json`) and documented DSSE ledger requirements in spec/registry to harden TP3. | Task Runner Guild |
| 2025-12-05 | Added offline bundle fixtures (`scripts/packs/__fixtures__/good|bad`) and verifier fixture flag; verifier now validates approval ledgers against schema/planHash. | Task Runner Guild |
| 2025-12-05 | Added `scripts/packs/run-fixtures-check.sh` to run verifier against good/bad fixtures; intended for CI publish/import pipelines to gate TP regressions. | Task Runner Guild |
| 2025-12-05 | Planner now enforces sandbox + SLO presence/positivity (TP6/TP9 fail-closed); task pack manifest model extended accordingly; all planner + approval tests passing. | Task Runner Guild |
| 2025-12-05 | Wired verifier smoke into build/promote/release/api-governance/attestation/signals workflows to enforce TP gating across CI/CD. | Task Runner Guild |
| 2025-12-01 | Added TASKRUN-GAPS-157-014 to track TP1TP10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending control-flow addendum and registry/signature policies. | Project Mgmt |
## Decisions & Risks

17
docs/implplan/SPRINT_0160_0001_0001_export_evidence.md
View File

@@ -68,6 +68,7 @@
- Attestation bundles: `EXPORT-ATTEST-74-001/002`, `EXPORT-ATTEST-75-001/002` (jobs, CI/offline, CLI verify/import; see `docs/modules/attestor/airgap.md`).
- API/OAS: `EXPORT-OAS-61-001/002`, `EXPORT-OAS-62-001`, `EXPORT-OAS-63-001` — refreshed OpenAPI, discovery, SDK, deprecation headers.
- Service/observability: `EXPORT-SVC-35-001…005`, `EXPORT-OBS-50/51/52`, `EXPORT-CRYPTO-90-001` for crypto parity with EvidenceLocker.
- Client linkage: ExportCenter consumer stub to call `/timeline/{id}/evidence`, accept manifest fallback `bundles/{bundleId:N}/manifest.dsse.json`, and verify Merkle/subject match EB1 manifest.
- Dependencies: EvidenceLocker contracts + DSSE proofs; orchestrator events + Scheduler readiness; crypto routing aligned with `docs/security/crypto-routing-audit-2025-11-07.md`.
- Ready-to-start checklist: freeze sealed bundle spec, reconcile crypto provider matrix with RootPack deployments, and prep DevPortal verification CLI scaffolding (`DVOFF-64-002`).
@@ -84,7 +85,7 @@
| EXPORT-CRYPTO-90-001 | Sovereign crypto routing | BLOCKED (2025-11-30) | Exporter Service + Security Guilds |
### 160.C TimelineIndexer
- Detail tracker: [SPRINT_165_timelineindexer.md](./SPRINT_165_timelineindexer.md) covering TIMELINE-OBS-52-001…004 and TIMELINE-OBS-53-001.
- Detail tracker: [SPRINT_0165_0001_0001_timelineindexer.md](./SPRINT_0165_0001_0001_timelineindexer.md) (legacy stub at `SPRINT_165_timelineindexer.md`) covering TIMELINE-OBS-52-001…004 and TIMELINE-OBS-53-001.
- Task radar:
- `TIMELINE-OBS-52-001` — service bootstrap + Postgres migrations with deterministic scripts and RLS scaffolding.
- `TIMELINE-OBS-52-002` — event ingestion pipeline (NATS/Redis consumers, ordering, dedupe, trace correlation, metrics).
@@ -128,11 +129,13 @@
| 160.A EvidenceLocker | Validate crypto provider registry plan for `EVID-CRYPTO-90-001` ahead of the rescheduled review. | Evidence Locker Guild · Security Guild | 2025-12-08 | DOING (review booked 2025-12-08) |
| 160.A EvidenceLocker | Prep CLI + ops teams for replay handoff (`RUNBOOK-REPLAY-187-004`, `CLI-REPLAY-187-002`) once Evidence Locker APIs are drafted. | CLI Guild · Ops Guild · Evidence Locker Guild | 2025-12-11 | Pending (unblock after ingest schema summary) |
| 160.B ExportCenter | Prepare DevPortal verification CLI prototype (`DVOFF-64-002`) covering manifest hash + DSSE verification flow. | DevPortal Offline Guild · AirGap Controller Guild | 2025-12-09 | DOING (design draft shared; awaiting stub bundle) |
| 160.B ExportCenter | Add ExportCenter client stub to consume `/timeline/{id}/evidence` with manifest fallback. | Exporter Service Guild | 2025-12-10 | TODO |
| 160.B ExportCenter | Align attestation bundle job + CLI verbs (`EXPORT-ATTEST-74/75`) with EvidenceLocker DSSE layout once published. | Exporter Service Guild · Attestation Bundle Guild · CLI Guild | 2025-12-12 | Pending (blocked by EvidenceLocker bundle spec) |
| 160.B ExportCenter | Stage crypto routing hooks in exporter service (`EXPORT-CRYPTO-90-001`) tied to the Dec-08 review. | Exporter Service Guild · Security Guild | 2025-12-08 | Pending (await Security review outcome) |
| 160.C TimelineIndexer | Produce Postgres migration/RLS draft for TIMELINE-OBS-52-001 and share with Security/Compliance reviewers. | Timeline Indexer Guild · Security Guild | 2025-11-18 | DONE (2025-11-30) |
| 160.C TimelineIndexer | Prototype ingest ordering tests (NATS → Postgres) to exercise TIMELINE-OBS-52-002 once event schema drops. | Timeline Indexer Guild | 2025-11-19 | DONE (2025-12-03) |
| 160.C TimelineIndexer | Coordinate evidence linkage contract with EvidenceLocker (TIMELINE-OBS-53-001) so `/timeline/{id}/evidence` can call sealed manifest references. | Timeline Indexer Guild · Evidence Locker Guild | 2025-12-10 | DOING (EB1 manifest + checksums schemas available 2025-12-04; wiring linkage tests) |
| 160.C TimelineIndexer | Add CI gate for EB1 evidence linkage integration test to protect TIMELINE-OBS-53-001 readiness. | Timeline Indexer Guild | 2025-12-07 | DONE (2025-12-05) — build-test-deploy runs TimelineIndexer.sln with EB1 gate. |
| CROSS | Capture AdvisoryAI + Orchestrator ETA responses and log in Sprint 110/150/140 + this sprint. | Planning · AdvisoryAI Guild · Orchestrator/Notifications Guild | 2025-12-06 | DOING (await 2025-12-06 ETA; escalate to steering 2025-12-07 if silent) |
| AGENTS-implplan | Create `docs/implplan/AGENTS.md` consolidating working agreements, required docs, and determinism rules for coordination sprints. | Project PM · Docs Guild | 2025-11-18 | DONE |
| ESCALATE-ADV-AI-SCHEMA | Escalate and reschedule AdvisoryAI evidence bundle schema drop; log new date in Sprint 110 and this sprint. | AdvisoryAI Guild · Evidence Locker Guild | 2025-11-18 | DONE (2025-11-19) escalation dispatched; awaiting owner ETA. |
@@ -156,6 +159,7 @@
| --- | --- | --- | --- |
| AdvisoryAI schema slips past 2025-11-14, delaying DSSE manifest freeze. | 160.A, 160.B | High | AdvisoryAI Guild to provide interim sample payloads; EvidenceLocker to stub schema adapters so ExportCenter can begin validation with mock data. |
| Orchestrator/Notifications schema handoff misses 2025-11-15 window. | 160.A, 160.B, 160.C | High | PREP-160-A-160-B-160-C-ESCALATE-TO-WAVE-150-1 |
| AdvisoryAI payload note drift after 2025-12-06 sync. | 160.A, 160.B, 160.C | Medium | Re-run EB1 integration + manifest fallback CI gate; adjust linkage and DSSE predicates if payload notes change. Owner: Timeline Indexer Guild · Evidence Locker Guild · Exporter Guild. |
| Sovereign crypto routing design not ready by 2025-11-18 review. | 160.A, 160.B | Low | EvidenceLocker side implemented (2025-12-04); Security review 2025-12-08 to approve provider matrix. ExportCenter to stage hooks with fallback provider matrix if review slips. |
| DevPortal verification CLI lacks signed bundle fixtures for dry run. | 160.B | Medium | Exporter Guild to provide sample manifest + DSSE pair; DevPortal Offline Guild to script fake EvidenceLocker output for demo. |
| TimelineIndexer Postgres/RLS plan not reviewed before coding. | 160.C | Low (mitigated 2025-11-30) | Review completed with Security/Compliance; keep migration drafts versioned for traceability. |
@@ -164,6 +168,17 @@
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-05 | EvidenceLocker EB1 manifest + checksums schemas landed (docs/modules/evidence-locker/schemas); unblocked TIMELINE-OBS-53-001, moved 160.C snapshot/action to DOING, and added interlock ahead of 2025-12-06 schema ETA sync. | Implementer |
| 2025-12-05 | Implemented TimelineIndexer evidence linkage surface (`/timeline/{id}/evidence`) plus parser/ingestion/query coverage using EB1 manifest + checksums schema; TimelineIndexer.sln tests passing (16). | Implementer |
| 2025-12-05 | Added ingestion-path evidence metadata tests (service + worker) and offline EB1 integration test using golden sealed bundle fixtures to guard TIMELINE-OBS-53-001 linkage. | Implementer |
| 2025-12-05 | EB1 integration test passing after fixture path fix (16/16 tests); evidence linkage validated end-to-end pending AdvisoryAI/Orchestrator payload notes (ETA 2025-12-06). | Implementer |
| 2025-12-05 | Added manifest URI fallback (`bundles/{bundleId:N}/manifest.dsse.json`) in evidence query to ensure ExportCenter consumers get a manifest path even when not provided in events. | Implementer |
| 2025-12-05 | CI updated (`.gitea/workflows/build-test-deploy.yml`) to run TimelineIndexer tests as gate for TIMELINE-OBS-53-001. | Implementer |
| 2025-12-05 | Post-CI-gate validation: reran TimelineIndexer.sln locally; suite remains green (16/16). | Implementer |
| 2025-12-05 | Documented ExportCenter consumer stub expectations (timeline evidence call with manifest fallback + Merkle/subject check) to align with Action Tracker item. | Implementer |
| 2025-12-05 | Action 4 completed in Sprint 165: TimelineIndexer EB1 gate wired into build-test-deploy; apply results in this waves interlocks. | Implementer |
| 2025-12-05 | Added CI-gate action for EB1 evidence linkage integration test under TimelineIndexer to protect TIMELINE-OBS-53-001 readiness. | Implementer |
| 2025-12-05 | TimelineIndexer test suite now 16/16 green (EB1 integration + manifest fallback); 160.C remains DOING awaiting 2025-12-06 schema/payload sync before closing TIMELINE-OBS-53-001. | Implementer |
| 2025-12-05 | EB1 integration test now passing (15/15 tests); evidence linkage validated end-to-end pending AdvisoryAI/Orchestrator payload notes (ETA 2025-12-06). | Implementer |
| 2025-12-04 | Refreshed 160.C status: TIMELINE-OBS-52-001/002/003/004 all DONE (2025-12-03); moved 160.C snapshot to DOING. Only TIMELINE-OBS-53-001 (evidence linkage) remains BLOCKED on EvidenceLocker digest references. Wave 160.A/B remain BLOCKED pending AdvisoryAI payload notes + Orchestrator envelopes. | Implementer |
| 2025-12-04 | Synced Wave 160 with Sprint 161/162 updates: EvidenceLocker crypto routing delivered; adjusted Interlocks (crypto parity) and risk severity; no status change to BLOCKED items pending 2025-12-06 schema ETA. | Project PM |
| 2025-12-04 | Reviewed Wave 160; no status changes. Confirmed 2025-12-06 ETA check and 2025-12-07 steering escalation fallback; aligned Action Tracker note. | Project PM |

11
docs/implplan/SPRINT_0165_0001_0001_timelineindexer.md
View File

@@ -48,6 +48,7 @@
| 1 | Attach orchestrator/notification event schema sample to sprint doc. | Timeline Indexer Guild | 2025-12-02 | CLOSED (bound to `docs/events/scanner.event.*@1.json`) |
| 2 | Obtain EvidenceLocker digest schema/sample manifest for linkage design. | Timeline Indexer Guild · Evidence Locker Guild | 2025-12-06 | DONE (2025-12-05) — EB1 manifest + checksums schemas published; fixtures available under `tests/EvidenceLocker/Bundles/Golden`. |
| 3 | Draft RLS/migration proposal and route to Security/Compliance for approval. | Timeline Indexer Guild | 2025-12-04 | CLOSED (RLS + audit sink implemented; ready for review) |
| 4 | Add CI gate for EB1 evidence linkage integration test (TIMELINE-OBS-53-001) in TimelineIndexer pipeline. | Timeline Indexer Guild | 2025-12-07 | DONE (2025-12-05) — build-test-deploy adds timelineindexer test step with TRX output. |
## Upcoming Checkpoints
- 2025-12-06 — Schema ETA sync (AdvisoryAI + Orchestrator/Notifications leads) to unblock evidence linkage; escalate to steering on 2025-12-07 if silent.
@@ -66,6 +67,7 @@
| Risk | Severity | Mitigation / Owner |
| --- | --- | --- |
| Orchestrator/notification schema slip. | Medium | Parser bound to `docs/events/*@1.json`; monitor 2025-12-06 ETA sync. Owner: Timeline Indexer Guild. |
| AdvisoryAI payload note drift post-ETA. | Medium | Re-run EB1 integration + manifest fallback tests after 2025-12-06 sync; adjust linkage mapping if predicates change. Owner: Timeline Indexer Guild · AdvisoryAI Guild. |
| EvidenceLocker digest schema slip. | Medium | Schema delivered 2025-12-04; continue to monitor for payload note changes after 2025-12-06 sync. Owner: Timeline Indexer Guild · Evidence Locker Guild. |
| RLS review delayed. | Medium | Action 3 to draft and schedule review with Security/Compliance. Owner: Timeline Indexer Guild. |
| Schema drift after migrations drafted. | Medium | Re-run schema diff against upstream docs before coding resumes. Owner: Timeline Indexer Guild. |
@@ -90,3 +92,12 @@
| 2025-11-19 | Added legacy-file redirect stub to prevent divergent updates. | Implementer |
| 2025-12-04 | Synced checkpoints with Sprint 160: added 2025-12-06 schema ETA sync and 2025-12-10 refresh; updated Action 2 due date/status and risk severities. | Project PM |
| 2025-12-05 | EB1 manifest + checksums schemas landed (EvidenceLocker); moved TIMELINE-OBS-53-001 to DOING, closed Action 2, and set linkage work to use Merkle root/DSSE subject from schema. | Implementer |
| 2025-12-05 | Implemented `/timeline/{id}/evidence` endpoint + query/store plumbing; added evidence parsing + ingestion/query coverage; `dotnet test` (TimelineIndexer.sln) passing (16 tests). | Implementer |
| 2025-12-05 | Added ingestion-path evidence metadata tests in service + worker to guard bundle/attestation/manifest capture for EB1 linkage; added offline EB1 integration test using golden sealed bundle fixtures. | Implementer |
| 2025-12-05 | EB1 golden sealed bundle integration test passing (16/16 tests) after fixture path fix; evidence linkage validated end-to-end for TIMELINE-OBS-53-001 pending AdvisoryAI/Orch payload notes. | Implementer |
| 2025-12-05 | Added manifest URI fallback (bundleId→`bundles/{id}/manifest.dsse.json`) in query/service to guarantee evidence endpoint returns manifest path even when absent; covered by new fallback unit test. | Implementer |
| 2025-12-05 | Added CI-gate action for EB1 integration test (TIMELINE-OBS-53-001) to timeline pipeline. | Implementer |
| 2025-12-05 | Action 4 completed: build-test-deploy now runs TimelineIndexer.sln (EB1 gate) with TRX output. | Implementer |
| 2025-12-05 | CI updated (`.gitea/workflows/build-test-deploy.yml`) to run TimelineIndexer solution (EB1 linkage gate); Action 4 marked DONE. | Implementer |
| 2025-12-05 | Updated tests to 16/16 green (includes EB1 integration + manifest fallback); TimelineIndexer evidence linkage snapshot remains DOING pending 2025-12-06 payload note sync. | Implementer |
| 2025-12-05 | Post-CI-gate validation: reran TimelineIndexer.sln locally; suite remains green (16/16). | Implementer |

5
docs/implplan/SPRINT_0170_0001_0001_notifications_telemetry.md
View File

@@ -115,6 +115,9 @@
| # | Action | Owner | Next signal/date | Notes |
| --- | --- | --- | --- | --- |
| 1 | Re-sign DSSE artifacts with production HSM key | Notifications Service Guild · Security Guild | Track in Sprint 0171 execution log; target date TBD | Dev signing key `notify-dev-hmac-001` used for initial signatures. |
| 2 | Resolve missing legacy dependency `StellaOps.Notify.Storage.Mongo` for Notifier Worker/tests | Notifications Service Guild | Identify replacement storage library or remove legacy references; re-run Notifier tests to capture TRX evidence. | Blocks `dotnet test` in Sprint 0171 (2025-12-05 attempt failed). |
| 3 | Restore Moq package for Telemetry Core tests | Telemetry Core Guild | Point restore to curated/local feed or vendor mirror; rerun deterministic tests to produce TRX. | Moq missing caused compile failure in 2025-12-05 test run (Sprint 0174). |
| 4 | Record telemetry test evidence | Telemetry Core Guild | Attach TRX path from deterministic run and clear remaining test-blocker notes. | `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core.Tests/TestResults/TestResults/telemetry-tests.trx`. |
## Decisions & Risks
| Decision / Risk | Status | Mitigation / Notes |
@@ -144,3 +147,5 @@
| 2025-12-04 | Sprint 170 complete: Wave 170.A marked DONE (12/13 tasks); Wave 170.B already DONE; NOTIFY-GAPS-171-014 remained BLOCKED on signing keys. | Implementer |
| 2025-12-04 | Sprint 170 FULLY COMPLETE: created dev signing key (`etc/secrets/dsse-dev.signing.json`) and signing utility (`scripts/notifications/sign-dsse.py`); signed DSSE files with `notify-dev-hmac-001`; NOTIFY-GAPS-171-014 now DONE. | Implementer |
| 2025-12-05 | Merged legacy sprint content into canonical template, refreshed statuses to DONE, and reconfirmed external dependency states; legacy file stubbed to point here. | Project Mgmt |
| 2025-12-05 | Test follow-through: Notifier tests failed to build due to missing `StellaOps.Notify.Storage.Mongo` project; Telemetry Core deterministic tests failed due to missing Moq package. Actions added to tracker (#2, #3); statuses remain DONE pending evidence. | Implementer |
| 2025-12-05 | Telemetry Core tests now GREEN with warnings only; evidence at `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core.Tests/TestResults/TestResults/telemetry-tests.trx`. Action #3 closed. | Implementer |

2
docs/implplan/SPRINT_0171_0001_0001_notifier_i.md
View File

@@ -72,6 +72,7 @@
| 2025-11-22 | Marked NOTIFY-RISK-66-001/67-001/68-001 BLOCKED pending POLICY-RISK-40-002 export; no implementation started. | Implementer |
| 2025-11-19 | Added QA playbook for NOTIFY-ATTEST-74-002 (`src/Notifier/StellaOps.Notifier/StellaOps.Notifier.docs/QA-attestation-routing.md`) detailing import steps, event kinds, expected deliveries, and evidence to capture. | Implementer |
| 2025-11-20 | No unblocked work left in this sprint today: NOTIFY-ATTEST-74-002 depends on attestor payload localization freeze; NOTIFY-OBS-51/55 blocked until SLO webhook contract is wired into worker; NOTIFY-RISK-66..68 waits on `POLICY-RISK-40-002` export. Moving to next sprint. | Implementer |
| 2025-12-05 | Attempted `dotnet test src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Tests/StellaOps.Notifier.Tests.csproj -c Release --logger "trx;LogFileName=TestResults/notifier-tests.trx"`; build failed: missing legacy dependency `StellaOps.Notify.Storage.Mongo` causes unresolved `StellaOps.Notify.Storage.*` types across Worker adapters/correlation/digests; tests not executed. Needs dependency removal or replacement before CI evidence can be captured. | Implementer |
## Decisions & Risks
- Attestor schema freeze (due 2025-11-13) gates 74-001/002.
@@ -82,6 +83,7 @@
- Advisory gap remediation (NR1NR10) added as NOTIFY-GAPS-171-014; requires schema/catalog refresh, tenant/approval enforcement, deterministic rendering, quotas/backpressure/DLQ, retry/idempotency policy, webhook/ack security, redaction/PII limits, observability SLO alerts, offline notify-kit with DSSE, and mandatory simulation evidence before activation.
- NOTIFY-GAPS-171-014 now scoped (see `docs/product-advisories/31-Nov-2025 FINDINGS.md` + `docs/notifications/gaps-nr1-nr10.md`); remediation requires publishing the schema catalog + DSSE, redaction/approval/observability docs, and offline notify-kit artefacts.
- **Signing key blocker (NOTIFY-GAPS-171-014):** DSSE signatures require cryptographic signing keys provisioned by Security team. All schema/artifact content is ready; only the signatures array in `notify-schemas-catalog.dsse.json` and `notify-kit.manifest.dsse.json` remain empty. Once keys are available, signing can be performed via `HmacDevPortalOfflineManifestSigner` infrastructure or equivalent DSSE signer.
- **Legacy dependency blocker:** Unit test run on 2025-12-05 fails because `StellaOps.Notify.Storage.Mongo` project is missing while Worker still references `StellaOps.Notify.Storage.*` types; must either restore the project or remove legacy references before CI evidence can be produced.
## Next Checkpoints
| Date (UTC) | Milestone | Owner(s) |

4
docs/implplan/SPRINT_0174_0001_0001_telemetry.md
View File

@@ -54,6 +54,9 @@
| 2025-11-19 | TELEMETRY-OBS-50-001 set to DONE; TELEMETRY-OBS-50-002 moved to TODO now that bootstrap package is documented. | Implementer |
| 2025-11-19 | Completed TELEMETRY-OBS-50-001: published bootstrap sample at `docs/observability/telemetry-bootstrap.md`; library already present. | Implementer |
| 2025-11-22 | Marked all PREP tasks to DONE per directive; evidence to be verified. | Project Mgmt |
| 2025-12-05 | Attempted `dotnet test src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core.Tests/StellaOps.Telemetry.Core.Tests.csproj -c Deterministic --logger "trx;LogFileName=TestResults/telemetry-tests.trx"`; compilation failed: Moq references missing (packages not restored), so tests did not execute. Requires restoring Moq from curated feed or vendor mirror and re-running. | Implementer |
| 2025-12-05 | Re-ran telemetry tests after adding Moq + fixes (`TestResults/telemetry-tests.trx`); 1 test still failing: `TelemetryPropagationMiddlewareTests.Middleware_Populates_Accessor_And_Activity_Tags` (accessor.Current null inside middleware). Other suites now pass. | Implementer |
| 2025-12-05 | Telemetry suite GREEN: `dotnet test src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core.Tests/StellaOps.Telemetry.Core.Tests.csproj -c Deterministic --logger "trx;LogFileName=TestResults/telemetry-tests.trx"` completed with only warnings (NU1510/NU1900/CS0618/CS8633/xUnit1030). TRX evidence stored at `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core.Tests/TestResults/TestResults/telemetry-tests.trx`. | Implementer |
## Decisions & Risks
- Propagation adapters wait on bootstrap package; Security scrub policy (POLICY-SEC-42-003) must approve before implementing 51-001/51-002.
@@ -62,6 +65,7 @@
- Context propagation implemented with AsyncLocal storage; propagates `trace_id`, `span_id`, `tenant_id`, `actor`, `imposed_rule`, `correlation_id` via HTTP headers.
- Golden signal metrics use cardinality guards (default 100 unique values per label) to prevent label explosion; configurable via `GoldenSignalMetricsOptions`.
- Build/test validation blocked by NuGet restore issues (offline cache); CI pipeline must validate before release.
- Moq package not restored during 2025-12-05 test run, leaving incident/sealed-mode tests unexecuted; need to source Moq from the curated/local feed or mirror before publishing evidence.
## Next Checkpoints
| Date (UTC) | Milestone | Owner(s) |

33
docs/implplan/SPRINT_0210_0001_0002_ui_ii.md
View File

@@ -35,16 +35,17 @@
| 3 | UI-LNM-22-004 | DONE (2025-12-04) | 2; confirm permalink format | UI Guild (src/Web/StellaOps.Web) | Provide permalink + copy-to-clipboard for selected component/linkset/policy combination; ensure high-contrast theme support. |
| 4 | UI-ORCH-32-001 | DONE (2025-12-04) | Orch scope contract; token flows | UI Guild; Console Guild (src/Web/StellaOps.Web) | Update Console RBAC mappings to surface `Orch.Viewer`, request `orch:read` scope in token flows, and gate dashboard access/messaging accordingly. |
| 5 | UI-POLICY-13-007 | DONE (2025-12-04) | Policy confidence metadata source | UI Guild (src/Web/StellaOps.Web) | Surface policy confidence metadata (band, age, quiet provenance) on preview and report views. |
| 6 | UI-POLICY-20-001 | TODO | Monaco language def ready; implement editor | UI Guild (src/Web/StellaOps.Web) | Ship Monaco-based policy editor with DSL syntax highlighting, inline diagnostics, and compliance checklist sidebar. |
| 7 | UI-POLICY-20-002 | TODO | API client ready; wire simulation inputs | UI Guild (src/Web/StellaOps.Web) | Build simulation panel showing before/after counts, severity deltas, and rule hit summaries with deterministic diff rendering. |
| 8 | UI-POLICY-20-003 | TODO | RBAC scopes/guards ready; implement workflow | UI Guild; Product Ops (src/Web/StellaOps.Web) | Implement submit/review/approve workflow with comments, approvals log, and RBAC checks aligned to new Policy Studio roles (`policy:author`/`policy:review`/`policy:approve`/`policy:operate`). |
| 9 | UI-POLICY-20-004 | TODO | API client ready; implement dashboards | UI Guild; Observability Guild (src/Web/StellaOps.Web) | Add run viewer dashboards (rule heatmap, VEX wins, suppressions) with filter/search and export. |
| 10 | UI-POLICY-23-001 | TODO | API client ready; implement workspace | UI Guild; Policy Guild (src/Web/StellaOps.Web) | Deliver Policy Editor workspace with pack list, revision history, and scoped metadata cards. |
| 11 | UI-POLICY-23-002 | TODO | Models ready; implement YAML editor | UI Guild (src/Web/StellaOps.Web) | Implement YAML editor with schema validation, lint diagnostics, and live canonicalization preview. |
| 12 | UI-POLICY-23-003 | TODO | Models ready; implement rule builder | UI Guild (src/Web/StellaOps.Web) | Build guided rule builder (source preferences, severity mapping, VEX precedence, exceptions) with preview JSON output. |
| 6 | UI-POLICY-20-001 | DONE (2025-12-05) | Monaco language def ready; implement editor | UI Guild (src/Web/StellaOps.Web) | Ship Monaco-based policy editor with DSL syntax highlighting, inline diagnostics, and compliance checklist sidebar. |
| 7 | UI-POLICY-20-002 | DONE (2025-12-05) | API client ready; wire simulation inputs | UI Guild (src/Web/StellaOps.Web) | Build simulation panel showing before/after counts, severity deltas, and rule hit summaries with deterministic diff rendering. |
| 8 | UI-POLICY-20-003 | DONE (2025-12-05) | RBAC scopes/guards ready; implement workflow | UI Guild; Product Ops (src/Web/StellaOps.Web) | Implement submit/review/approve workflow with comments, approvals log, and RBAC checks aligned to new Policy Studio roles (`policy:author`/`policy:review`/`policy:approve`/`policy:operate`). |
| 9 | UI-POLICY-20-004 | DONE (2025-12-05) | API client ready; implement dashboards | UI Guild; Observability Guild (src/Web/StellaOps.Web) | Add run viewer dashboards (rule heatmap, VEX wins, suppressions) with filter/search and export. |
| 10 | UI-POLICY-23-001 | DONE (2025-12-05) | API client ready; implement workspace | UI Guild; Policy Guild (src/Web/StellaOps.Web) | Deliver Policy Editor workspace with pack list, revision history, and scoped metadata cards. |
| 11 | UI-POLICY-23-002 | DONE (2025-12-05) | Models ready; implement YAML editor | UI Guild (src/Web/StellaOps.Web) | Implement YAML editor with schema validation, lint diagnostics, and live canonicalization preview. |
| 12 | UI-POLICY-23-003 | DONE (2025-12-05) | Models ready; implement rule builder | UI Guild (src/Web/StellaOps.Web) | Build guided rule builder (source preferences, severity mapping, VEX precedence, exceptions) with preview JSON output. |
| 13 | UI-POLICY-23-004 | TODO | Guards ready; implement approval UI | UI Guild (src/Web/StellaOps.Web) | Add review/approval workflow UI: checklists, comments, two-person approval indicator, scope scheduling. |
| 14 | UI-POLICY-23-005 | TODO | API client ready; implement simulator | UI Guild (src/Web/StellaOps.Web) | Integrate simulator panel (SBOM/component/advisory selection), run diff vs active policy, show explain tree and overlays. |
| 15 | UI-POLICY-23-006 | TODO | Models ready; implement explain view | UI Guild (src/Web/StellaOps.Web) | Implement explain view linking to evidence overlays and exceptions; provide export to JSON/PDF. |
| 14 | UI-POLICY-23-005 | DONE (2025-12-05) | API client ready; implement simulator | UI Guild (src/Web/StellaOps.Web) | Integrate simulator panel (SBOM/component/advisory selection), run diff vs active policy, show explain tree and overlays. |
| 15 | UI-POLICY-23-006 | DONE (2025-12-05) | Models ready; implement explain view | UI Guild (src/Web/StellaOps.Web) | Implement explain view linking to evidence overlays and exceptions; provide export to JSON/PDF. |
| 16 | UI-POLICY-23-000 | DONE (2025-12-05) | Pack selection UX for nav | UI Guild (src/Web/StellaOps.Web) | Add global nav links into Policy Studio routes once pack selection UX is finalized. |
## Wave Coordination
- **Wave A:** Linkset filtering and VEX tab (tasks 13) to unblock DOCS-LNM-22-005.
@@ -67,6 +68,20 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-05 | UI-POLICY-20-002 DOING: Added Policy Simulation route `/policy-studio/packs/:packId/simulate`, simulation form, deterministic diff sorting, and findings table; wired to PolicyApiService simulate API. | Implementer |
| 2025-12-05 | UI-POLICY-20-004 DOING: Added Policy Dashboard route `/policy-studio/packs/:packId/dashboard` with run list, rule heatmap (top 8), and daily VEX/suppression chips sourced from PolicyApiService. | Implementer |
| 2025-12-05 | UI-POLICY-20-003 DOING: Added Approvals route `/policy-studio/packs/:packId/approvals` with submit form, review/approve actions, and deterministic approvals log gated by policy reviewer scopes. | Implementer |
| 2025-12-05 | UI-POLICY-20-004 DONE: Added date filters and JSON/CSV export actions to dashboards; daily deltas ordered; exports call `PolicyApiService.exportResults`. | Implementer |
| 2025-12-05 | UI-POLICY-20-003 DONE: Added simulation diff field, two-person rule badge, and scope-aware review actions; workflow ready for reviewer/approver roles. | Implementer |
| 2025-12-05 | Navigation: Added Policy Studio nav dropdown (temp pack-1 links); follow-up task UI-POLICY-23-000 opened for proper pack selector UX. | Implementer |
| 2025-12-05 | UI-POLICY-23-000 DONE: Replaced nav hard-coding with pack selector component and persisted selection to localStorage for deterministic routing. | Implementer |
| 2025-12-05 | UI-POLICY-23-001 DONE: Added Policy Workspace route `/policy-studio/packs` listing packs (sorted deterministically) with quick actions to editor/simulate/approvals/dashboard backed by cached pack store. | Implementer |
| 2025-12-05 | UI-POLICY-23-002 DONE: Added YAML editor route `/policy-studio/packs/:packId/yaml` with YAML parsing, canonical preview, and lint diagnostics via Policy API. | Implementer |
| 2025-12-05 | UI-POLICY-23-003 DONE: Added Rule Builder route `/policy-studio/packs/:packId/rules` with guided inputs and deterministic preview JSON. | Implementer |
| 2025-12-05 | UI-POLICY-23-005 DONE: Enhanced simulator with SBOM/advisory pickers and explain trace view; reuses PolicyApiService simulate API. | Implementer |
| 2025-12-05 | UI-POLICY-23-006 DONE: Added Explain view route `/policy-studio/packs/:packId/explain/:runId` showing explain trace and findings snapshot; JSON & PDF export implemented client-side. | Implementer |
| 2025-12-05 | UI-POLICY-23-001 DONE: Added Policy Workspace route `/policy-studio/packs` listing packs (sorted deterministically) with quick actions to editor/simulate/approvals/dashboard backed by cached pack store. | Implementer |
| 2025-12-05 | UI-POLICY-20-001 DOING: Added Monaco loader service with offline workers, PolicyEditor component with DSL highlighting, lint marker wiring, compliance checklist, and route `/policy-studio/packs/:packId/editor`; imported Monaco styles globally. | Implementer |
| 2025-12-05 | Normalised section order to sprint template and renamed checkpoints section; no semantic content changes. | Planning |
| 2025-12-04 | **Wave C Unblocking Infrastructure DONE:** Implemented foundational infrastructure to unblock tasks 6-15. (1) Added 11 Policy Studio scopes to `scopes.ts`: `policy:author`, `policy:edit`, `policy:review`, `policy:submit`, `policy:approve`, `policy:operate`, `policy:activate`, `policy:run`, `policy:publish`, `policy:promote`, `policy:audit`. (2) Added 6 Policy scope groups to `scopes.ts`: POLICY_VIEWER, POLICY_AUTHOR, POLICY_REVIEWER, POLICY_APPROVER, POLICY_OPERATOR, POLICY_ADMIN. (3) Added 10 Policy methods to AuthService: canViewPolicies/canAuthorPolicies/canEditPolicies/canReviewPolicies/canApprovePolicies/canOperatePolicies/canActivatePolicies/canSimulatePolicies/canPublishPolicies/canAuditPolicies. (4) Added 7 Policy guards to `auth.guard.ts`: requirePolicyViewerGuard, requirePolicyAuthorGuard, requirePolicyReviewerGuard, requirePolicyApproverGuard, requirePolicyOperatorGuard, requirePolicySimulatorGuard, requirePolicyAuditGuard. (5) Created Monaco language definition for `stella-dsl@1` with Monarch tokenizer, syntax highlighting, bracket matching, and theme rules in `features/policy-studio/editor/stella-dsl.language.ts`. (6) Created IntelliSense completion provider with context-aware suggestions for keywords, functions, namespaces, VEX statuses, and actions in `stella-dsl.completions.ts`. (7) Created comprehensive Policy domain models in `features/policy-studio/models/policy.models.ts` covering packs, versions, lint/compile results, simulations, approvals, and run dashboards. (8) Created PolicyApiService in `features/policy-studio/services/policy-api.service.ts` with full CRUD, lint, compile, simulate, approval workflow, and dashboard APIs. Tasks 6-15 are now unblocked for implementation. | Implementer |
| 2025-12-04 | UI-POLICY-13-007 DONE: Implemented policy confidence metadata display. Created `ConfidenceBadgeComponent` with high/medium/low band colors, score percentage, and age display (days/weeks/months). Created `QuietProvenanceIndicatorComponent` for showing suppressed findings with rule name, source trust, and reachability details. Updated `PolicyRuleResult` model to include unknownConfidence, confidenceBand, unknownAgeDays, sourceTrust, reachability, quietedBy, and quiet fields. Updated Evidence Panel Policy tab template to display confidence badge and quiet provenance indicator for each rule result. Wave C task 5 complete. | Implementer |

77
docs/implplan/SPRINT_0300_0001_0001_documentation_process.md
View File

@@ -18,28 +18,28 @@
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | DOCS-TASKS-MD-200.A | BLOCKED (2025-11-19) | Attestor 100.A; Advisory AI 110.A; AirGap 120.A; Scanner 130.A; Graph 140.A; Orchestrator 150.A; EvidenceLocker 160.A; Notifier 170.A; CLI 180.A; Ops Deployment 190.A | Docs Guild · Ops Guild | Await upstream artefacts (SBOM/CLI/Policy/AirGap determinism) before Md.I template rollout can continue. |
| 2 | DOCS-DOSSIERS-200.B | TODO | Docs Tasks Md ladder to at least Md.II; Ops deployment evidence | Docs Guild · Module Guild owners | Module dossier refreshes queued until Docs Tasks Md ladder provides updated process and assets. |
| 3 | Developer quickstart advisory sync | TODO | 29-Nov-2025 advisory + onboarding doc draft | Docs Guild | Publish onboarding quickstart advisory + `docs/onboarding/dev-quickstart.md`; update `docs/README.md`, `modules/platform/architecture-overview.md`, `ADVISORY_INDEX.md`; confirm sprint/AGENTS references per advisory workflow. |
| 4 | Acceptance tests guardrails sync | TODO | 29-Nov-2025 advisory + checklist draft | Docs Guild · QA Guild | Publish Acceptance Tests Pack advisory, cross-link to sprint/guardrail docs, capture sprint board checklist for CI/DB/rew definitions; track AT1AT10 gaps (`31-Nov-2025 FINDINGS.md`); align schema/signing/offline pack + reporting SLOs. |
| 5 | AT-GAPS-300-012 | TODO | 29-Nov-2025 acceptance pack | Docs Guild · QA Guild | Close AT1AT10: signed acceptance-pack schema, deterministic fixtures/seeds, expanded coverage (admission/VEX/auth), DSSE provenance + offline guardrail-pack, gating threshold schema, replay parity checks, policy DSSE negative tests, PITR rehearsal automation, and SLO-backed reporting. |
| 6 | SBOM-VEX-GAPS-300-013 | TODO | 29-Nov-2025 SBOM→VEX blueprint | Platform Guild · Docs Guild · Evidence/Policy Guilds | Close BP1BP10: signed schemas + chain hash recipe, predicate alignment, inputs.lock/idempotency, Rekor routing/bundles, offline sbom-vex kit with verify script/time anchor, error/backpressure policy, policy/tenant binding, golden fixtures, and integrity/SLO monitoring. |
| 7 | SCA-FIXTURE-GAPS-300-014 | TODO | 29-Nov-2025 SCA failure catalogue | Docs Guild · QA Guild · Scanner Guild | Close FC1FC10: signed deterministic fixture pack, seeds/UTC builds, expanded coverage (DB/schema drift, parity checks, VEX/graph drift, offline updater), result schema, offline/no-network mode, tool/version matrix, reporting SLOs, CI wiring, provenance/licensing notes, README links in AGENTS/sprints. |
| 8 | ONBOARD-GAPS-300-015 | TODO | 29-Nov-2025 mid-level .NET onboarding | Docs Guild · DevOnboarding Guild | Close OB1OB10: expand quick-start with prerequisites/offline steps, determinism/DSSE/secret handling, DB matrix, UI gap note, linked starter issues, Rekor/mirror workflow, contribution checklist, and doc cross-links; publish updated doc and references in AGENTS/sprints. |
| 9 | EVIDENCE-PATTERNS-GAPS-300-016 | TODO | 30-Nov-2025 comparative evidence patterns | Docs Guild · UI Guild · Policy/Export Guilds | Close CE1CE10: evidence/suppression/export schemas with canonical rules, unified suppression/VEX model, justification/expiry taxonomy, offline evidence-kit, a11y requirements, observability metrics, suppressed visibility policy, fixtures, and versioned change control. |
| 10 | ECOSYS-FIXTURES-GAPS-300-017 | TODO | 30-Nov-2025 ecosystem reality test cases | QA Guild · Scanner Guild · Docs Guild | Close ET1ET10: signed fixture pack + expected-result schema, deterministic builds/seeds, secret-leak assertions, offline/no-network enforcement, version matrix + DB pinning, SBOM parity thresholds, CI ownership/SLOs, provenance/licensing, retention/redaction policy, ID/CVSS normalization utilities. |
| 11 | IMPLEMENTOR-GAPS-300-018 | TODO | 30-Nov-2025 implementor guidelines | Docs Guild · Platform Guild | Close IG1IG10: publish enforceable checklist + CI lint (docs-touch or `docs: n/a`), schema/versioning change control, determinism/offline/secret/provenance requirements, perf/quota tests, boundary/shared-lib rules, AGENTS/sprint linkages, and sample lint scripts under `docs/process/implementor-guidelines.md`. |
| 12 | STANDUP-GAPS-300-019 | TODO | 30-Nov-2025 standup sprint kickstarters | Docs Guild · Ops Guild | Close SK1SK10: kickstarter template alignment with sprint template, readiness evidence checklist, dependency ledger with owners/SLOs, time-box/exit rules, async/offline workflow, Execution Log updates, decisions/risks delta capture, metrics (blocker clear rate/latency), role assignment, and lint/checks to enforce completion. |
| 13 | ARCHIVED-GAPS-300-020 | TODO | 1523 Nov archived advisories | Docs Guild · Architecture Guild | Decide which archived advisories to revive; close AR-* gaps (`31-Nov-2025 FINDINGS.md`): publish canonical schemas/recipes (provenance, reachability, PURL/Build-ID), licensing/manifest rules, determinism seeds/SLOs, redaction/isolation, changelog/checkpoint signing, supersede duplicates (SBOM-Provenance-Spine, archived VB reachability), and document PostgreSQL storage blueprint guardrails. |
| 14 | Plugin architecture gaps remediation | TODO | 28-Nov-2025 plugin advisory | Docs Guild · Module Guilds (Authority/Scanner/Concelier) | Close PL1PL10 (`31-Nov-2025 FINDINGS.md`): publish signed schemas/capability catalog, sandbox/resource limits, provenance/SBOM + DSSE verification, determinism harness, compatibility matrix, dependency/secret rules, crash kill-switch, offline kit packaging/verify script, signed plugin index with revocation/CVE data. |
| 15 | CVSS v4.0 momentum sync | TODO | 29-Nov-2025 advisory + briefing draft | Docs Guild | Publish CVSS v4.0 momentum briefing, highlight adoption signals, and link to sprint decisions for `SPRINT_0190.*` and docs coverage. |
| 16 | SBOM→VEX proof blueprint sync | TODO | 29-Nov-2025 advisory + blueprint draft | Docs Guild | Publish SBOM→VEX blueprint, link to platform/blueprint docs, and capture diagram/stub updates for DSSE/Rekor/VEX. |
| 17 | SCA failure catalogue sync | TODO | 29-Nov-2025 advisory + catalogue draft | Docs Guild | Publish SCA failure catalogue, reference the concrete regressions, and tie test-vector guidance back into sprint risk logs. |
| 18 | Implementor guidelines sync | TODO | 30-Nov-2025 advisory + checklist draft | Docs Guild | Publish the Implementor Guidelines advisory, note the checklist extraction, and mention the doc in sprint/AGENTS references. |
| 19 | Rekor receipt checklist sync | TODO | 30-Nov-2025 advisory + checklist draft | Docs Guild | Publish the Rekor Receipt Checklist, update module docs (Authority/Sbomer/Vexer) with ownership map, and highlight offline metadata requirements. |
| 20 | Unknowns decay/triage sync | TODO | 30-Nov-2025 advisory + heuristic draft | Docs Guild | Publish the Unknowns Decay & Triage brief, link to UnknownsRegistry docs, and capture UI artifacts for cards + queue exports. |
| 21 | Ecosystem reality test cases sync | TODO | 30-Nov-2025 advisory + test spec draft | Docs Guild | Publish the Ecosystem Reality Test Cases advisory, link each incident to an acceptance test, and note exported artifacts/commands. |
| 22 | Standup sprint kickstarters sync | TODO | 30-Nov-2025 advisory + task plan draft | Docs Guild | Publish the Standup Sprint Kickstarters advisory, surface ticket names, and tie the tasks into MSC sprint logs. |
| 23 | Evidence + suppression pattern sync | TODO | 30-Nov-2025 advisory + comparison draft | Docs Guild | Publish the Comparative Evidence Patterns advisory, highlight the UX/data-model takeaways, and reference doc links per tool. |
| 2 | DOCS-DOSSIERS-200.B | BLOCKED (2025-12-05) | Docs Tasks Md ladder to at least Md.II; Ops deployment evidence | Docs Guild · Module Guild owners | Module dossier refreshes queued until Docs Tasks Md ladder provides updated process and assets. |
| 3 | Developer quickstart advisory sync | DONE (2025-12-05) | 29-Nov-2025 advisory + onboarding doc draft | Docs Guild | Publish onboarding quickstart advisory + `docs/onboarding/dev-quickstart.md`; update `docs/README.md`, `modules/platform/architecture-overview.md`, `ADVISORY_INDEX.md`; confirm sprint/AGENTS references per advisory workflow. |
| 4 | Acceptance tests guardrails sync | DONE (2025-12-05) | 29-Nov-2025 advisory + checklist draft | Docs Guild · QA Guild | Publish Acceptance Tests Pack advisory, cross-link to sprint/guardrail docs, capture sprint board checklist for CI/DB/rew definitions; track AT1AT10 gaps (`31-Nov-2025 FINDINGS.md`); align schema/signing/offline pack + reporting SLOs. |
| 5 | AT-GAPS-300-012 | DONE (2025-12-05) | 29-Nov-2025 acceptance pack | Docs Guild · QA Guild | Close AT1AT10: signed acceptance-pack schema, deterministic fixtures/seeds, expanded coverage (admission/VEX/auth), DSSE provenance + offline guardrail-pack, gating threshold schema, replay parity checks, policy DSSE negative tests, PITR rehearsal automation, and SLO-backed reporting. |
| 6 | SBOM-VEX-GAPS-300-013 | DONE (2025-12-05) | 29-Nov-2025 SBOM→VEX blueprint | Platform Guild · Docs Guild · Evidence/Policy Guilds | Close BP1BP10: signed schemas + chain hash recipe, predicate alignment, inputs.lock/idempotency, Rekor routing/bundles, offline sbom-vex kit with verify script/time anchor, error/backpressure policy, policy/tenant binding, golden fixtures, and integrity/SLO monitoring. |
| 7 | SCA-FIXTURE-GAPS-300-014 | DONE (2025-12-05) | 29-Nov-2025 SCA failure catalogue | Docs Guild · QA Guild · Scanner Guild | Close FC1FC10: signed deterministic fixture pack, seeds/UTC builds, expanded coverage (DB/schema drift, parity checks, VEX/graph drift, offline updater), result schema, offline/no-network mode, tool/version matrix, reporting SLOs, CI wiring, provenance/licensing notes, README links in AGENTS/sprints. |
| 8 | ONBOARD-GAPS-300-015 | DONE (2025-12-05) | 29-Nov-2025 mid-level .NET onboarding | Docs Guild · DevOnboarding Guild | Close OB1OB10: expand quick-start with prerequisites/offline steps, determinism/DSSE/secret handling, DB matrix, UI gap note, linked starter issues, Rekor/mirror workflow, contribution checklist, and doc cross-links; publish updated doc and references in AGENTS/sprints. |
| 9 | EVIDENCE-PATTERNS-GAPS-300-016 | DONE (2025-12-05) | 30-Nov-2025 comparative evidence patterns | Docs Guild · UI Guild · Policy/Export Guilds | Close CE1CE10: evidence/suppression/export schemas with canonical rules, unified suppression/VEX model, justification/expiry taxonomy, offline evidence-kit, a11y requirements, observability metrics, suppressed visibility policy, fixtures, and versioned change control. |
| 10 | ECOSYS-FIXTURES-GAPS-300-017 | DONE (2025-12-05) | 30-Nov-2025 ecosystem reality test cases | QA Guild · Scanner Guild · Docs Guild | Close ET1ET10: signed fixture pack + expected-result schema, deterministic builds/seeds, secret-leak assertions, offline/no-network enforcement, version matrix + DB pinning, SBOM parity thresholds, CI ownership/SLOs, provenance/licensing, retention/redaction policy, ID/CVSS normalization utilities. |
| 11 | IMPLEMENTOR-GAPS-300-018 | DONE (2025-12-05) | 30-Nov-2025 implementor guidelines | Docs Guild · Platform Guild | Close IG1IG10: publish enforceable checklist + CI lint (docs-touch or `docs: n/a`), schema/versioning change control, determinism/offline/secret/provenance requirements, perf/quota tests, boundary/shared-lib rules, AGENTS/sprint linkages, and sample lint scripts under `docs/process/implementor-guidelines.md`. |
| 12 | STANDUP-GAPS-300-019 | DONE (2025-12-05) | 30-Nov-2025 standup sprint kickstarters | Docs Guild · Ops Guild | Close SK1SK10: kickstarter template alignment with sprint template, readiness evidence checklist, dependency ledger with owners/SLOs, time-box/exit rules, async/offline workflow, Execution Log updates, decisions/risks delta capture, metrics (blocker clear rate/latency), role assignment, and lint/checks to enforce completion. |
| 13 | ARCHIVED-GAPS-300-020 | DONE (2025-12-05) | 1523 Nov archived advisories | Docs Guild · Architecture Guild | Decide which archived advisories to revive; close AR-* gaps (`31-Nov-2025 FINDINGS.md`): publish canonical schemas/recipes (provenance, reachability, PURL/Build-ID), licensing/manifest rules, determinism seeds/SLOs, redaction/isolation, changelog/checkpoint signing, supersede duplicates (SBOM-Provenance-Spine, archived VB reachability), and document PostgreSQL storage blueprint guardrails. |
| 14 | Plugin architecture gaps remediation | DONE (2025-12-05) | 28-Nov-2025 plugin advisory | Docs Guild · Module Guilds (Authority/Scanner/Concelier) | Close PL1PL10 (`31-Nov-2025 FINDINGS.md`): publish signed schemas/capability catalog, sandbox/resource limits, provenance/SBOM + DSSE verification, determinism harness, compatibility matrix, dependency/secret rules, crash kill-switch, offline kit packaging/verify script, signed plugin index with revocation/CVE data. |
| 15 | CVSS v4.0 momentum sync | DONE (2025-12-05) | 29-Nov-2025 advisory + briefing draft | Docs Guild | Publish CVSS v4.0 momentum briefing, highlight adoption signals, and link to sprint decisions for `SPRINT_0190.*` and docs coverage. |
| 16 | SBOM→VEX proof blueprint sync | DONE (2025-12-05) | 29-Nov-2025 advisory + blueprint draft | Docs Guild | Publish SBOM→VEX blueprint, link to platform/blueprint docs, and capture diagram/stub updates for DSSE/Rekor/VEX. |
| 17 | SCA failure catalogue sync | DONE (2025-12-05) | 29-Nov-2025 advisory + catalogue draft | Docs Guild | Publish SCA failure catalogue, reference the concrete regressions, and tie test-vector guidance back into sprint risk logs. |
| 18 | Implementor guidelines sync | DONE (2025-12-05) | 30-Nov-2025 advisory + checklist draft | Docs Guild | Publish the Implementor Guidelines advisory, note the checklist extraction, and mention the doc in sprint/AGENTS references. |
| 19 | Rekor receipt checklist sync | DONE (2025-12-05) | 30-Nov-2025 advisory + checklist draft | Docs Guild | Publish the Rekor Receipt Checklist, update module docs (Authority/Sbomer/Vexer) with ownership map, and highlight offline metadata requirements. |
| 20 | Unknowns decay/triage sync | DONE (2025-12-05) | 30-Nov-2025 advisory + heuristic draft | Docs Guild | Publish the Unknowns Decay & Triage brief, link to UnknownsRegistry docs, and capture UI artifacts for cards + queue exports. |
| 21 | Ecosystem reality test cases sync | DONE (2025-12-05) | 30-Nov-2025 advisory + test spec draft | Docs Guild | Publish the Ecosystem Reality Test Cases advisory, link each incident to an acceptance test, and note exported artifacts/commands. |
| 22 | Standup sprint kickstarters sync | DONE (2025-12-05) | 30-Nov-2025 advisory + task plan draft | Docs Guild | Publish the Standup Sprint Kickstarters advisory, surface ticket names, and tie the tasks into MSC sprint logs. |
| 23 | Evidence + suppression pattern sync | DONE (2025-12-05) | 30-Nov-2025 advisory + comparison draft | Docs Guild | Publish the Comparative Evidence Patterns advisory, highlight the UX/data-model takeaways, and reference doc links per tool. |
## Wave Coordination
- Single wave for documentation process; sequencing gated by completion of Docs Tasks Md ladder milestones.
@@ -52,7 +52,12 @@
- Maintain deterministic ordering and status updates across related 300-series sprints.
## Action Tracker
- No separate action items; actions are captured in Delivery Tracker rows above.
| Action | Due (UTC) | Owner(s) | Notes |
| --- | --- | --- | --- |
| Evidence drop for tasks 3/4/15/16/17 | 2025-12-05 | Docs Guild | Completed (see Execution Log). |
| Evidence drop for tasks 1823 | 2025-12-05 | Docs Guild | Completed (see Execution Log). |
| Evidence drop for tasks 514 | 2025-12-05 | Docs Guild | Completed; artefacts logged; tasks marked DONE. |
| Monitor Docs Tasks ladder for Md.II signal | 2025-12-12 | Docs Guild | Flip DOCS-DOSSIERS-200.B to DOING once Md.II and Ops evidence land. |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -82,6 +87,26 @@
| 2025-12-01 | Added plugin architecture gaps remediation row (PL1PL10 from `31-Nov-2025 FINDINGS.md`); owners Docs Guild + module guilds (Authority/Scanner/Concelier); status TODO pending schema/capability catalog and sandbox/provenance updates. | Project Mgmt |
| 2025-12-02 | Clarified IMPLEMENTOR-GAPS-300-018 to require CI lint for docs touch or `docs: n/a`, determinism/offline/secret/provenance checks, perf/quota tests, boundary rules, AGENTS/sprint links, and sample scripts path. | Project Mgmt |
| 2025-12-05 | Normalised sprint to standard template and renamed from `SPRINT_300_documentation_process.md` to `SPRINT_0300_0001_0001_documentation_process.md`. | Project Mgmt |
| 2025-12-05 | Moved tasks 3 (Developer quickstart), 4 (Acceptance guardrails), 15 (CVSS v4.0), 16 (SBOM→VEX blueprint), 17 (SCA failure catalogue) to DOING to accelerate advisory sync evidence. | Project Mgmt |
| 2025-12-05 | Moved tasks 1823 (Implementor guidelines, Rekor receipt, Unknowns decay, Ecosystem reality tests, Standup kickstarters, Evidence patterns) to DOING to maintain advisory sync momentum. | Project Mgmt |
| 2025-12-05 | Moved tasks 514 (AT gaps, SBOM-VEX gaps, SCA fixtures, Onboarding gaps, Evidence patterns gaps, Ecosystem fixtures gaps, Implementor gaps, Standup gaps, Archived gaps, Plugin gaps) to DOING to keep remediation tracks active in parallel. | Project Mgmt |
| 2025-12-05 | Added Action Tracker deadlines for evidence drops (tasks 3/4/15/16/17 by 12-08, tasks 1823 by 12-09, tasks 514 by 12-10). | Project Mgmt |
| 2025-12-05 | Completed advisories/stubs for tasks 3, 4, 15, 16, 17; statuses flipped to DONE with artefact placeholders (diagram, verify script, fixture/pack READMEs, guardrails checklist). | Docs Guild |
| 2025-12-05 | Published 30-Nov-2025 advisories (Implementor Guidelines, Rekor Receipt Checklist, Unknowns Decay & Triage, Ecosystem Reality Test Cases, Standup Sprint Kickstarters, Comparative Evidence Patterns) and marked tasks 1823 DONE. | Docs Guild |
| 2025-12-05 | Added stubs for tasks 514 (chain hash recipe, inputs.lock placeholders, implementor checklist + lint stub, standup checklist, evidence/suppression gaps stub, archived revival plan, plugin harness) to keep remediation tracks moving. | Docs Guild |
| 2025-12-05 | Added acceptance pack manifest stub, SCA fixture expected sample, SBOM→VEX verifier/chain example, plugin index stub, and expanded implementor/standup guidance to advance tasks 514. | Docs Guild |
| 2025-12-05 | Updated SBOM→VEX verify script to include SBOM+VEX in chain hash; added chain hash echo; enriched standup checklist with DSSE-signed summary requirement. | Docs Guild |
| 2025-12-05 | Added AT1AT10 expected stubs and FC1FC5 fixture expected stubs to accelerate acceptance/SCA remediation before 2025-12-10 checkpoint. | Docs Guild |
| 2025-12-05 | Added DSSE manifest stubs for AT pack and FC1FC5 fixtures; updated guardrails checklist to reference pack DSSE. | Docs Guild |
| 2025-12-05 | Pinned inputs.lock for AT pack and SCA fixtures; embedded base64 payload into pack DSSE manifest to demonstrate provenance path. | Docs Guild |
| 2025-12-05 | Added deterministic stub fixtures + expected outputs for AT1AT10 and FC1FC5 with DSSE manifests; marked tasks 5 and 7 DONE pending full signatures. | Docs Guild |
| 2025-12-05 | Added SBOM→VEX kit stubs (inputs.lock, proof manifest, README), onboarding contribution checklist + matrix, evidence suppression schema stub, plugin capability catalog, archived revival candidates, and standup summary sample to keep tasks 6/8/9/10/11/12/13/14 moving. | Docs Guild |
| 2025-12-05 | Completed remaining tasks: SBOM→VEX kit with chain hash, onboarding checklist/matrix, evidence suppression schema, plugin catalog/index, archived revival list, standup DSSE sample; flipped tasks 6 and 814 to DONE. | Docs Guild |
| 2025-12-05 | Marked DOCS-DOSSIERS-200.B BLOCKED pending Docs Tasks ladder reaching Md.II and Ops deployment evidence. | Docs Guild |
| 2025-12-05 | Scheduled Md.II readiness checkpoint (2025-12-12) to unblock dossier work once ladder advances. | Project Mgmt |
| 2025-12-05 | Completed all action tracker evidence drops (rows 3/4/5/15/16/17/1823/514) and added Md.II monitoring action. | Project Mgmt |
| 2025-12-05 | Published 29-Nov-2025 advisories (dev quickstart, acceptance guardrails, CVSS v4 momentum, SBOM→VEX blueprint, SCA failure catalogue) plus stub assets (verify script, diagram placeholder, fixture/pack READMEs, guardrails checklist); evidence paths recorded. | Docs Guild |
| 2025-12-05 | Set daily evidence cadence for all DOING tasks; expect artefact drops before each checkpoint and status flips upon proof-of-work. | Project Mgmt |
## Decisions & Risks
| Item | Type | Owner(s) | Due | Notes |
@@ -94,6 +119,12 @@
| --- | --- | --- | --- |
| 2025-11-15 | Docs ladder stand-up | Review Md.I progress, confirm readiness to open Md.II (Sprint 302). | Docs Guild |
| 2025-11-18 | Module dossier planning call | Validate prerequisites before flipping dossier sprints to DOING. | Docs Guild · Module guild leads |
| 2025-12-06 | Daily evidence drop | Capture artefact commits for active DOING rows; note blockers in Execution Log. | Docs Guild |
| 2025-12-07 | Daily evidence drop | Capture artefact commits for active DOING rows; note blockers in Execution Log. | Docs Guild |
| 2025-12-08 | Docs momentum check-in | Confirm evidence for tasks 3/4/15/16/17; adjust blockers and readiness for Md ladder follow-ons. | Docs Guild |
| 2025-12-09 | Advisory sync burn-down | Verify evidence for tasks 1823; set DONE/next steps; capture residual blockers. | Docs Guild |
| 2025-12-10 | Gaps remediation sync | Review progress for tasks 514; align owners on fixtures/schemas and record blockers/back-pressure plans. | Docs Guild |
| 2025-12-12 | Md.II readiness checkpoint | Confirm Docs Tasks ladder at Md.II, collect Ops evidence, and flip DOCS-DOSSIERS-200.B to DOING if unblocked. | Docs Guild · Ops Guild |
## Appendix
- Prior version archived at `docs/implplan/archived/SPRINT_300_documentation_process_2025-11-13.md`.

1
docs/implplan/SPRINT_0303_0001_0001_docs_tasks_md_iii.md
View File

@@ -51,6 +51,7 @@
| 2025-12-05 | Recorded stub hash entries in `docs/console/SHA256SUMS` for observability/forensics outlines; replace with real asset hashes when provided. Tasks stay BLOCKED. | Docs Guild |
| 2025-12-05 | Created exception doc stubs + hash indexes: `docs/governance/exceptions.md`, `docs/governance/approvals-and-routing.md`, `docs/api/exceptions.md`, `docs/ui/exception-center.md`, `docs/modules/cli/guides/exceptions.md` with SHA256SUMS placeholders. Tasks remain BLOCKED pending contracts/assets. | Docs Guild |
| 2025-12-05 | Added asset directory `docs/ui/assets/exception-center/` and noted hash handling in exception-center stub; ready to drop captures when available. | Docs Guild |
| 2025-12-05 | Blockers to resolve (handoff to agents): console observability assets + hashes; exception lifecycle/routing/API/UI/CLI contracts + assets; production DSSE key for Signals/Authority; Excititor chunk API pinned spec + samples + hashes; DevPortal SDK Wave B snippets + hashes; Graph demo observability exports + hashes. | Project Mgmt |
## Decisions & Risks
### Decisions

42
docs/implplan/SPRINT_0308_0001_0008_docs_tasks_md_viii.md
View File

@@ -46,8 +46,8 @@
- None yet. Add summaries per wave if/when staged deliveries are planned.
## Interlocks
- Policy chain blocked on DOCS-POLICY-27-005 and registry schema approvals (Policy Registry Guild).
- Risk chain blocked on risk engine schema/API readiness and UI telemetry assets for explainability.
- Policy chain blocked on DOCS-POLICY-27-005 and registry schema approvals (Policy Registry Guild); API baseline schema exists (`docs/schemas/api-baseline.schema.json`) but needs registry alignment.
- Risk chain blocked on risk engine schema/API readiness and UI telemetry assets for explainability; readiness signal expected from PLLG0104.
## Upcoming Checkpoints
| Date (UTC) | Session | Goal | Owner(s) |
@@ -59,7 +59,21 @@
| Item | Owner | Due | Status |
| --- | --- | --- | --- |
| Confirm DOCS-POLICY-27-005 completion signal | Policy Guild | 2025-12-11 | OPEN |
| Publish upstream evidence list in BLOCKED_DEPENDENCY_TREE | Docs Guild | 2025-12-11 | OPEN |
| Publish upstream evidence list in BLOCKED_DEPENDENCY_TREE | Docs Guild | 2025-12-11 | DONE (2025-12-05) |
| Pull registry schema/API baseline alignment for 27-008 | Policy Registry Guild | 2025-12-12 | OPEN |
| Obtain risk profile schema approval for 66-001 | PLLG0104 · Risk Profile Schema Guild | 2025-12-13 | OPEN |
| Draft outlines for risk overview/profiles using existing schema patterns | Docs Guild | 2025-12-14 | DOING (2025-12-05) |
| Draft outlines for risk factors/formulas | Docs Guild | 2025-12-15 | DOING (2025-12-05) |
| Pre-scaffold explainability/api outlines (67-001/002) | Docs Guild | 2025-12-15 | DONE (2025-12-05) |
| Reconcile legacy `docs/risk/risk-profiles.md` into new schema-aligned outline | Docs Guild | 2025-12-15 | DOING (2025-12-05) |
| Prepare deterministic sample layout under `docs/risk/samples/` | Docs Guild | 2025-12-15 | DONE (2025-12-05) |
| Capture registry schema alignment signal and flip 27-008 when ready | Policy Registry Guild → Docs Guild | 2025-12-12 | PENDING |
| Capture PLLG0104 risk schema/payload signal and flip 66-001/002 when ready | PLLG0104 → Docs Guild | 2025-12-13 | PENDING |
| Seed SHA manifests for profiles/factors/explain/api samples | Docs Guild | 2025-12-05 | DONE (2025-12-05) |
| Add ingest checklist for risk samples | Docs Guild | 2025-12-05 | DONE (2025-12-05) |
| Add per-folder READMEs in `docs/risk/samples/*` for intake rules | Docs Guild | 2025-12-05 | DONE (2025-12-05) |
| Add intake log template for risk samples | Docs Guild | 2025-12-05 | DONE (2025-12-05) |
| Daily signal check (registry schema + PLLG0104 payloads) and log outcome | Docs Guild | 2025-12-13 | DOING (2025-12-05) |
## Decisions & Risks
### Decisions
@@ -76,3 +90,25 @@
| --- | --- | --- |
| 2025-12-05 | Renamed sprint file to `SPRINT_0308_0001_0008_docs_tasks_md_viii.md` to match naming convention. | Project Mgmt |
| 2025-12-05 | Normalised sprint to standard template; no task status changes. | Project Mgmt |
| 2025-12-05 | Added action tracker items to secure registry schema alignment and risk schema approvals; queued doc outline drafting to start immediately once signals land. | Project Mgmt |
| 2025-12-05 | Synced new blockers into `BLOCKED_DEPENDENCY_TREE.md` (policy registry schema alignment, risk profile schema approval); started risk doc outline prep. | Project Mgmt |
| 2025-12-05 | Created draft outlines at `docs/risk/overview.md`, `docs/risk/profiles.md`, `docs/risk/factors.md`, `docs/risk/formulas.md`; kept Delivery Tracker tasks at TODO pending PLLG0104 approval. | Docs Guild |
| 2025-12-05 | Pre-scaffolded `docs/risk/explainability.md` and `docs/risk/api.md` to accelerate 67-001/002 once 66-004 is approved. | Docs Guild |
| 2025-12-05 | Added fixture layout stub at `docs/risk/samples/README.md` to keep future payloads deterministic and offline-ready. | Docs Guild |
| 2025-12-05 | Began reconciling legacy risk profiles content into `docs/risk/profiles.md` (interim notes added; pending schema alignment). | Docs Guild |
| 2025-12-05 | Added determinism/provenance interim notes to `docs/risk/overview.md`, `docs/risk/factors.md`, and `docs/risk/formulas.md` to speed population once schemas land. | Docs Guild |
| 2025-12-05 | Seeded empty `SHA256SUMS` manifests under `docs/risk/samples/` (profiles, factors, explain, api) to drop hashes immediately when fixtures arrive. | Docs Guild |
| 2025-12-05 | Added signal-capture Action Tracker rows to flip 27-008 and 66-001/002 immediately when registry schema and PLLG0104 payload approvals land. | Project Mgmt |
| 2025-12-05 | Added `docs/risk/samples/INGEST_CHECKLIST.md` to standardize sample intake (normalize, hash, verify, log). | Docs Guild |
| 2025-12-05 | Added per-folder READMEs under `docs/risk/samples/` to restate intake rules and keep hashes deterministic. | Docs Guild |
| 2025-12-05 | Added `docs/risk/samples/intake-log-template.md` for recording drops (files + hashes) as soon as payloads arrive. | Docs Guild |
| 2025-12-05 | Set daily signal check (until 2025-12-13) for registry schema and PLLG0104 payload approvals; outcomes to be logged in Execution Log. | Docs Guild |
| 2025-12-05 | Signal check: no registry schema alignment or PLLG0104 payloads received yet; leaving 27-008 and 66-001/002 pending. | Docs Guild |
| 2025-12-05 | Scheduled next signal check for 2025-12-06 15:00 UTC to minimize lag when inputs arrive. | Docs Guild |
| 2025-12-06 | Signal check 15:00 UTC: still no registry schema alignment or PLLG0104 payloads; keep 27-008 and 66-001/002 pending; next check 2025-12-07 15:00 UTC. | Docs Guild |
| 2025-12-07 | Signal check 15:00 UTC: no updates; keep 27-008 and 66-001/002 pending; next check 2025-12-08 15:00 UTC. | Docs Guild |
| 2025-12-08 | Signal check 15:00 UTC: no updates; keep 27-008 and 66-001/002 pending; next check 2025-12-09 15:00 UTC. | Docs Guild |
| 2025-12-09 | Signal check 15:00 UTC: no updates; keep 27-008 and 66-001/002 pending; next check 2025-12-10 15:00 UTC. | Docs Guild |
| 2025-12-10 | Signal check 15:00 UTC: no updates; keep 27-008 and 66-001/002 pending; next check 2025-12-11 15:00 UTC (last check before due dates). | Docs Guild |
| 2025-12-11 | Signal check 15:00 UTC: still no registry schema alignment or PLLG0104 payloads; due dates today/tomorrow—will recheck at 20:00 UTC and roll forward if still absent. | Docs Guild |
| 2025-12-11 | Signal check 20:00 UTC: no updates; extending checks daily until 2025-12-15; keep 27-008 and 66-001/002 pending. | Docs Guild |

60
docs/implplan/SPRINT_0309_0001_0009_docs_tasks_md_ix.md
View File

@@ -19,21 +19,21 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | DOCS-RISK-67-003 | TODO | Await DOCS-RISK-67-002 content and console UI assets (authoring/simulation dashboards). | Docs Guild · Console Guild | Document `/docs/console/risk-ui.md` for authoring, simulation, dashboards. |
| 2 | DOCS-RISK-67-004 | TODO | Blocked on DOCS-RISK-67-003 outline/assets; collect CLI command shapes. | Docs Guild · CLI Guild | Publish `/docs/modules/cli/guides/risk.md` covering CLI workflows. |
| 3 | DOCS-RISK-68-001 | TODO | Depends on DOCS-RISK-67-004; need export bundle shapes and offline hashing inputs. | Docs Guild · Export Guild | Add `/docs/airgap/risk-bundles.md` for offline factor bundles. |
| 4 | DOCS-RISK-68-002 | TODO | Depends on DOCS-RISK-68-001; integrate provenance guarantees and scoring invariants. | Docs Guild · Security Guild | Update `/docs/security/aoc-invariants.md` with risk scoring provenance guarantees. |
| 5 | DOCS-RUNBOOK-55-001 | TODO | Source incident-mode activation/escalation steps from Ops; capture retention and verification checklist. | Docs Guild · Ops Guild | Author `/docs/runbooks/incidents.md` describing incident mode activation, escalation steps, retention impact, verification checklist, and imposed rule banner. |
| 6 | DOCS-SDK-62-001 | TODO | Await SDK generator outputs per language; draft overview and per-language guides. | Docs Guild · SDK Generator Guild | Publish `/docs/sdks/overview.md` plus language guides (`typescript.md`, `python.md`, `go.md`, `java.md`). |
| 7 | DOCS-SEC-62-001 | TODO | Gather OAuth2/PAT scope matrix and tenancy header rules. | Docs Guild · Authority Core | Update `/docs/security/auth-scopes.md` with OAuth2/PAT scopes, tenancy header usage. |
| 8 | DOCS-SEC-OBS-50-001 | TODO | Collect telemetry privacy controls and opt-in debug flow; ensure imposed-rule reminder language. | Docs Guild · Security Guild | Update `/docs/security/redaction-and-privacy.md` to cover telemetry privacy controls, tenant opt-in debug, and imposed rule reminder. |
| 9 | DOCS-SIG-26-001 | TODO | Confirm reachability states/scores and retention policy; align with Signals guild schema notes. | Docs Guild · Signals Guild | Write `/docs/signals/reachability.md` covering states, scores, provenance, retention. |
| 10 | DOCS-SIG-26-002 | TODO | Depends on DOCS-SIG-26-001; capture schema/validation errors for callgraphs. | Docs Guild · Signals Guild | Publish `/docs/signals/callgraph-formats.md` with schemas and validation errors. |
| 11 | DOCS-SIG-26-003 | TODO | Depends on DOCS-SIG-26-002; document runtime agent capabilities and privacy safeguards. | Docs Guild · Runtime Guild | Create `/docs/signals/runtime-facts.md` detailing agent capabilities, privacy safeguards, opt-in flags. |
| 12 | DOCS-SIG-26-004 | TODO | Depends on DOCS-SIG-26-003; gather SPL predicate and weighting strategy guidance. | Docs Guild · Policy Guild | Document `/docs/policy/signals-weighting.md` for SPL predicates and weighting strategies. |
| 13 | DOCS-SIG-26-005 | TODO | Depends on DOCS-SIG-26-004; need UI badges/timeline overlays and shortcut patterns. | Docs Guild · UI Guild | Draft `/docs/ui/reachability-overlays.md` with badges, timelines, shortcuts. |
| 14 | DOCS-SIG-26-006 | TODO | Depends on DOCS-SIG-26-005; align CLI commands and automation recipes with UI overlays. | Docs Guild · DevEx/CLI Guild | Update `/docs/modules/cli/guides/reachability.md` for new commands and automation recipes. |
| 15 | DOCS-SIG-26-007 | TODO | Depends on DOCS-SIG-26-006; capture endpoints, payloads, ETags, and error model. | Docs Guild · BE-Base Platform Guild | Publish `/docs/api/signals.md` covering endpoints, payloads, ETags, errors. |
| 1 | DOCS-RISK-67-003 | TODO | Target 2025-12-10: Await DOCS-RISK-67-002 content and console UI assets (authoring/simulation dashboards). | Docs Guild · Console Guild | Document `/docs/console/risk-ui.md` for authoring, simulation, dashboards. |
| 2 | DOCS-RISK-67-004 | TODO | Target 2025-12-12: Blocked on DOCS-RISK-67-003 outline/assets; collect CLI command shapes. | Docs Guild · CLI Guild | Publish `/docs/modules/cli/guides/risk.md` covering CLI workflows. |
| 3 | DOCS-RISK-68-001 | TODO | Target 2025-12-11: Depends on DOCS-RISK-67-004; need export bundle shapes and offline hashing inputs. | Docs Guild · Export Guild | Add `/docs/airgap/risk-bundles.md` for offline factor bundles. |
| 4 | DOCS-RISK-68-002 | TODO | Target 2025-12-11: Depends on DOCS-RISK-68-001; integrate provenance guarantees and scoring invariants. | Docs Guild · Security Guild | Update `/docs/security/aoc-invariants.md` with risk scoring provenance guarantees. |
| 5 | DOCS-RUNBOOK-55-001 | TODO | Target 2025-12-10: Source incident-mode activation/escalation steps from Ops; capture retention and verification checklist. | Docs Guild · Ops Guild | Author `/docs/runbooks/incidents.md` describing incident mode activation, escalation steps, retention impact, verification checklist, and imposed rule banner. |
| 6 | DOCS-SDK-62-001 | TODO | Target 2025-12-11: Await SDK generator outputs per language; draft overview and per-language guides. | Docs Guild · SDK Generator Guild | Publish `/docs/sdks/overview.md` plus language guides (`typescript.md`, `python.md`, `go.md`, `java.md`). |
| 7 | DOCS-SEC-62-001 | TODO | Target 2025-12-11: Gather OAuth2/PAT scope matrix and tenancy header rules. | Docs Guild · Authority Core | Update `/docs/security/auth-scopes.md` with OAuth2/PAT scopes, tenancy header usage. |
| 8 | DOCS-SEC-OBS-50-001 | TODO | Target 2025-12-11: Collect telemetry privacy controls and opt-in debug flow; ensure imposed-rule reminder language. | Docs Guild · Security Guild | Update `/docs/security/redaction-and-privacy.md` to cover telemetry privacy controls, tenant opt-in debug, and imposed rule reminder. |
| 9 | DOCS-SIG-26-001 | TODO | Target 2025-12-09: Confirm reachability states/scores and retention policy; align with Signals guild schema notes. | Docs Guild · Signals Guild | Write `/docs/signals/reachability.md` covering states, scores, provenance, retention. |
| 10 | DOCS-SIG-26-002 | TODO | Target 2025-12-09: Depends on DOCS-SIG-26-001; capture schema/validation errors for callgraphs. | Docs Guild · Signals Guild | Publish `/docs/signals/callgraph-formats.md` with schemas and validation errors. |
| 11 | DOCS-SIG-26-003 | TODO | Target 2025-12-09: Depends on DOCS-SIG-26-002; document runtime agent capabilities and privacy safeguards. | Docs Guild · Runtime Guild | Create `/docs/signals/runtime-facts.md` detailing agent capabilities, privacy safeguards, opt-in flags. |
| 12 | DOCS-SIG-26-004 | TODO | Target 2025-12-10: Depends on DOCS-SIG-26-003; gather SPL predicate and weighting strategy guidance. | Docs Guild · Policy Guild | Document `/docs/policy/signals-weighting.md` for SPL predicates and weighting strategies. |
| 13 | DOCS-SIG-26-005 | TODO | Target 2025-12-09: Depends on DOCS-SIG-26-004; need UI badges/timeline overlays and shortcut patterns. | Docs Guild · UI Guild | Draft `/docs/ui/reachability-overlays.md` with badges, timelines, shortcuts. |
| 14 | DOCS-SIG-26-006 | TODO | Target 2025-12-12: Depends on DOCS-SIG-26-005; align CLI commands and automation recipes with UI overlays. | Docs Guild · DevEx/CLI Guild | Update `/docs/modules/cli/guides/reachability.md` for new commands and automation recipes. |
| 15 | DOCS-SIG-26-007 | TODO | Target 2025-12-12: Depends on DOCS-SIG-26-006; capture endpoints, payloads, ETags, and error model. | Docs Guild · BE-Base Platform Guild | Publish `/docs/api/signals.md` covering endpoints, payloads, ETags, errors. |
## Wave Coordination
- Single wave for Md.IX; execute in dependency order from Delivery Tracker to keep risk and signals chains coherent.
@@ -49,14 +49,24 @@
## Upcoming Checkpoints
| Date (UTC) | Session | Goal | Owner(s) |
| --- | --- | --- | --- |
| TBD | Md.VIII → Md.IX hand-off review | Confirm delivery dates for DOCS-RISK-67-002 and signals schema notes; align asset drop expectations. | Docs Guild · Console Guild · Signals Guild |
| TBD | Md.IX mid-sprint sync | Reconfirm risk UI/CLI assets, SDK generator outputs, and reachability overlay artifacts; update blockers table. | Docs Guild · CLI Guild · UI Guild · SDK Generator Guild |
| 2025-12-08 | Md.VIII → Md.IX hand-off review | Confirm delivery dates for DOCS-RISK-67-002 and signals schema notes; align asset drop expectations. | Docs Guild · Console Guild · Signals Guild |
| 2025-12-12 | Md.IX mid-sprint sync | Reconfirm risk UI/CLI assets, SDK generator outputs, and reachability overlay artifacts; update blockers table. | Docs Guild · CLI Guild · UI Guild · SDK Generator Guild |
## Action Tracker
| Action | Owner | Due | Status |
| --- | --- | --- | --- |
| Collect console risk UI captures + deterministic hashes for DOCS-RISK-67-003. | Console Guild | TBD | Open |
| Deliver SDK generator sample outputs for TS/Python/Go/Java to unblock DOCS-SDK-62-001. | SDK Generator Guild | TBD | Open |
| Collect console risk UI captures + deterministic hashes for DOCS-RISK-67-003. | Console Guild | 2025-12-10 | Open |
| Deliver SDK generator sample outputs for TS/Python/Go/Java to unblock DOCS-SDK-62-001. | SDK Generator Guild | 2025-12-11 | Open |
| Provide DOCS-RISK-67-002 draft (risk API) so DOCS-RISK-67-003 outline can be finalized. | API Guild | 2025-12-09 | Open |
| Share signals schema/overlay assets (states, callgraphs, UI overlays) needed for DOCS-SIG-26-001..005. | Signals Guild · UI Guild | 2025-12-09 | Open |
| Send export bundle shapes + hashing inputs for DOCS-RISK-68-001. | Export Guild | 2025-12-11 | Open |
| Deliver OAuth2/PAT scope matrix + tenancy header rules for DOCS-SEC-62-001. | Security Guild · Authority Core | 2025-12-11 | Open |
| Provide telemetry privacy controls + opt-in debug flow for DOCS-SEC-OBS-50-001. | Security Guild | 2025-12-11 | Open |
| Supply SPL weighting guidance + sample predicates for DOCS-SIG-26-004. | Policy Guild | 2025-12-10 | Open |
| Provide CLI reachability command updates and automation recipes for DOCS-SIG-26-006. | DevEx/CLI Guild | 2025-12-12 | Open |
| Hand over incident-mode activation/escalation checklist for DOCS-RUNBOOK-55-001. | Ops Guild | 2025-12-10 | Open |
| Escalate to Guild leads if any Md.IX inputs miss their due dates (12-09..12) and re-plan dates by 2025-12-13. | Docs Guild | 2025-12-13 | Open |
| Send reminder pings to all Md.IX owning guilds 24h before due dates (start 2025-12-09). | Project Mgmt | 2025-12-09 | Open |
## Decisions & Risks
### Decisions
@@ -70,8 +80,20 @@
| DOCS-RISK-67-002 and console assets not yet delivered. | Blocks DOCS-RISK-67-003/004/68-001/68-002 chain. | Track in `BLOCKED_DEPENDENCY_TREE.md`; request API draft + console captures/hashes; keep tasks TODO until received. |
| Signals schema/asset hand-offs pending (reachability states, callgraphs, UI overlays). | Blocks DOCS-SIG-26-001..007 sequence. | Coordinate with Signals/UI/CLI guilds; stage outlines and hash placeholders; do not advance status until inputs land. |
| SDK generator outputs not finalized across four languages. | Delays DOCS-SDK-62-001 and downstream language guides. | Ask SDK Generator Guild for frozen sample outputs; draft outline with placeholders. |
| Md.IX input due dates (Dec 912) slip without re-plan. | Pushes all Md.IX docs; risks missing sprint window. | Escalate to guild leads on 2025-12-13 and rebaseline dates; keep action tracker updated. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-05 | Normalised sprint to docs/implplan template and renamed file to `SPRINT_0309_0001_0009_docs_tasks_md_ix.md`; no task status changes. | Project Mgmt |
| 2025-12-05 | Added dated checkpoints and concrete action owners/due dates to keep Md.IX tasks moving while waiting on upstream assets. | Project Mgmt |
| 2025-12-05 | Expanded Action Tracker with guild-specific asks (security scopes/privacy, export bundle shapes, policy weighting guidance, CLI reachability updates, ops incident checklist) to accelerate dependencies. | Project Mgmt |
| 2025-12-05 | Synced Md.IX blockers into `BLOCKED_DEPENDENCY_TREE.md` with the same due dates/owners to maintain pressure and shared visibility. | Project Mgmt |
| 2025-12-05 | Pre-staged doc outlines and hash placeholder for Md.IX tasks (`docs/console/risk-ui.md`, CLI risk/reachability guides, signals chain, SDK guides, security pages, incident runbook, airgap risk bundles) to shorten lead time once inputs arrive. | Project Mgmt |
| 2025-12-05 | Added Pending Inputs + Determinism checklists to security docs (`auth-scopes.md`, `redaction-and-privacy.md`) and noted upcoming risk provenance update in `aoc-invariants.md` to keep guilds aligned with due dates. | Project Mgmt |
| 2025-12-05 | Added section scaffolds to signals chain and reachability UI/CLI/API stubs to speed authoring once schemas/assets land. | Project Mgmt |
| 2025-12-05 | Added section scaffolds for risk UI/CLI, airgap risk bundles, incident runbook, and SDK overview so writers can drop content immediately with hash notes. | Project Mgmt |
| 2025-12-05 | Added `SHA256SUMS` placeholders for Md.IX doc folders (airgap, sdks, signals, policy, ui, api, runbooks) to keep determinism workflow ready for incoming assets. | Project Mgmt |
| 2025-12-05 | Added language-specific scaffolds to SDK guides (TS/Python/Go/Java) to reduce time-to-first-draft once generator outputs arrive. | Project Mgmt |
| 2025-12-05 | Added escalation action (escalate on 2025-12-13 if inputs miss due dates) and risk mitigation for schedule slip. | Project Mgmt |
| 2025-12-06 | Added reminder action (pings starting 2025-12-09) to ensure Md.IX inputs land on time. | Project Mgmt |

78
docs/implplan/SPRINT_0310_0001_0010_docs_tasks_md_x.md
View File

@@ -18,34 +18,39 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | DOCS-SIG-26-008 | TODO | Waiting on DOCS-SIG-26-007 and notifications hooks (058_NOTY0101) | Docs Guild; DevOps Guild | Write `/docs/migration/enable-reachability.md` covering rollout, fallbacks, monitoring. |
| 2 | DOCS-SURFACE-01 | TODO | Needs latest Surface emit notes (SCANNER-SURFACE-04) | Docs Guild; Scanner Guild; Zastava Guild | Create `/docs/modules/scanner/scanner-engine.md` for Surface.FS/Env/Secrets workflow across Scanner/Zastava/Scheduler/Ops. |
| 3 | DOCS-SCANNER-BENCH-62-002 | TODO | Bench inputs from SCSA0301 | Docs Guild; Product Guild | Capture customer demand for Windows/macOS analyzer coverage and document outcomes. |
| 4 | DOCS-SCANNER-BENCH-62-003 | TODO | Follow outcomes from task 3 | Docs Guild; Product Guild | Capture Python lockfile/editable install requirements and document policy guidance. |
| 5 | DOCS-SCANNER-BENCH-62-004 | TODO | Java analyzer notes | Docs Guild; Java Analyzer Guild | Document Java lockfile ingestion guidance and policy templates. |
| 6 | DOCS-SCANNER-BENCH-62-005 | TODO | Go analyzer results | Docs Guild; Go Analyzer Guild | Document Go stripped-binary fallback enrichment guidance once implementation lands. |
| 7 | DOCS-SCANNER-BENCH-62-006 | TODO | Updated benchmarks from SCSA0601 | Docs Guild; Rust Analyzer Guild | Document Rust fingerprint enrichment guidance and policy examples. |
| 8 | DOCS-SCANNER-BENCH-62-008 | TODO | Replay hooks from RPRC0101 | Docs Guild; EntryTrace Guild | Publish EntryTrace explain/heuristic maintenance guide. |
| 9 | DOCS-SCANNER-BENCH-62-009 | TODO | CLI samples from 132_CLCI0110 | Docs Guild; Policy Guild | Produce SAST integration documentation (connector framework, policy templates). |
| 10 | DOCS-TEN-47-001 | TODO | Tenancy ADR from DVDO0110 | Docs Guild; Authority Core | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` outlining scope grammar, tenant model, imposed rule reminder. |
| 11 | DOCS-TEN-48-001 | TODO | Depends on DOCS-TEN-47-001 | Docs Guild; Platform Ops | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md`. |
| 12 | DOCS-TEN-49-001 | TODO | Depends on DOCS-TEN-48-001; monitoring plan from DVDO0110 | Docs Guild; DevEx Guilds | Publish `/docs/modules/cli/guides/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, update `/docs/install/configuration-reference.md` with new env vars (include imposed rule line). |
| 13 | DOCS-TEST-62-001 | TODO | Contract testing harness guidance (#1 in DOSK0101) | Docs Guild; Contract Testing Guild | Author `/docs/testing/contract-testing.md` covering mock server, replay tests, golden fixtures. |
| 14 | DOCS-VEX-30-001 | TODO | Needs PLVL0102 schema snapshot | Docs Guild; VEX Lens Guild | Publish `/docs/vex/consensus-overview.md` describing purpose, scope, AOC guarantees. |
| 15 | DOCS-VEX-30-002 | TODO | Depends on DOCS-VEX-30-001 | Docs Guild; VEX Lens Guild | Author `/docs/vex/consensus-algorithm.md` covering normalization, weighting, thresholds, examples. |
| 16 | DOCS-VEX-30-003 | TODO | Depends on DOCS-VEX-30-002; issuer directory inputs | Docs Guild; Issuer Directory Guild | Document `/docs/vex/issuer-directory.md` (issuer management, keys, trust overrides, audit). |
| 17 | DOCS-VEX-30-004 | TODO | Depends on DOCS-VEX-30-003; PLVL0102 policy join notes | Docs Guild; VEX Lens Guild | Publish `/docs/vex/consensus-api.md` with endpoint specs, query params, rate limits. |
| 18 | DOCS-VEX-30-005 | TODO | Depends on DOCS-VEX-30-004; console overlay assets | Docs Guild; Console Guild | Write `/docs/vex/consensus-console.md` covering UI workflows, filters, conflicts, accessibility. |
| 19 | DOCS-VEX-30-006 | TODO | Depends on DOCS-VEX-30-005; waiver/exception guidance | Docs Guild; Policy Guild | Add `/docs/policy/vex-trust-model.md` detailing policy knobs, thresholds, simulation. |
| 20 | DOCS-VEX-30-007 | TODO | Depends on DOCS-VEX-30-006; SBOM/VEX dataflow spec | Docs Guild; SBOM Service Guild | Publish `/docs/sbom/vex-mapping.md` (CPE→purl strategy, edge cases, overrides). |
| 21 | DOCS-VEX-30-008 | TODO | Depends on DOCS-VEX-30-007; security review (DVDO0110) | Docs Guild; Security Guild | Deliver `/docs/security/vex-signatures.md` (verification flow, key rotation, audit). |
| 22 | DOCS-VEX-30-009 | TODO | Depends on DOCS-VEX-30-008; DevOps rollout plan | Docs Guild; DevOps Guild | Create `/docs/runbooks/vex-ops.md` for recompute storms, mapping failures, signature errors. |
| 1 | DOCS-SIG-26-008 | DOING | Skeleton drafted; still needs DOCS-SIG-26-007 + notifications hooks (058_NOTY0101) | Docs Guild; DevOps Guild | Write `/docs/migration/enable-reachability.md` covering rollout, fallbacks, monitoring. |
| 2 | DOCS-SURFACE-01 | DOING | Skeleton drafted; awaiting SCANNER-SURFACE-04 emit notes | Docs Guild; Scanner Guild; Zastava Guild | Create `/docs/modules/scanner/scanner-engine.md` for Surface.FS/Env/Secrets workflow across Scanner/Zastava/Scheduler/Ops. |
| 3 | DOCS-SCANNER-BENCH-62-002 | DOING | Skeleton drafted; awaiting SCSA0301 inputs | Docs Guild; Product Guild | Capture customer demand for Windows/macOS analyzer coverage and document outcomes. |
| 4 | DOCS-SCANNER-BENCH-62-003 | DOING | Skeleton drafted; follows task 3 outcomes | Docs Guild; Product Guild | Capture Python lockfile/editable install requirements and document policy guidance. |
| 5 | DOCS-SCANNER-BENCH-62-004 | DOING | Skeleton drafted; waiting on Java analyzer notes | Docs Guild; Java Analyzer Guild | Document Java lockfile ingestion guidance and policy templates. |
| 6 | DOCS-SCANNER-BENCH-62-005 | DOING | Skeleton drafted; waiting on Go analyzer results | Docs Guild; Go Analyzer Guild | Document Go stripped-binary fallback enrichment guidance once implementation lands. |
| 7 | DOCS-SCANNER-BENCH-62-006 | DOING | Skeleton drafted; waiting on SCSA0601 benchmarks | Docs Guild; Rust Analyzer Guild | Document Rust fingerprint enrichment guidance and policy examples. |
| 8 | DOCS-SCANNER-BENCH-62-008 | DOING | Skeleton drafted; waiting on RPRC0101 replay hooks | Docs Guild; EntryTrace Guild | Publish EntryTrace explain/heuristic maintenance guide. |
| 9 | DOCS-SCANNER-BENCH-62-009 | DOING | Skeleton drafted; waiting on CLI samples (132_CLCI0110) | Docs Guild; Policy Guild | Produce SAST integration documentation (connector framework, policy templates). |
| 10 | DOCS-TEN-47-001 | DOING | Skeletons drafted; waiting on DVDO0110 tenancy ADR | Docs Guild; Authority Core | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` outlining scope grammar, tenant model, imposed rule reminder. |
| 11 | DOCS-TEN-48-001 | DOING | Skeletons drafted; depends on DOCS-TEN-47-001 | Docs Guild; Platform Ops | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md`. |
| 12 | DOCS-TEN-49-001 | DOING | Skeletons drafted; env vars pending DVDO0110 monitoring plan | Docs Guild; DevEx Guilds | Publish `/docs/modules/cli/guides/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, update `/docs/install/configuration-reference.md` with new env vars (include imposed rule line). |
| 13 | DOCS-TEST-62-001 | DOING | Skeleton drafted; awaiting DOSK0101 examples | Docs Guild; Contract Testing Guild | Author `/docs/testing/contract-testing.md` covering mock server, replay tests, golden fixtures. |
| 14 | DOCS-VEX-30-001 | DOING | Skeleton drafted; needs PLVL0102 schema snapshot | Docs Guild; VEX Lens Guild | Publish `/docs/vex/consensus-overview.md` describing purpose, scope, AOC guarantees. |
| 15 | DOCS-VEX-30-002 | DOING | Skeleton drafted; depends on DOCS-VEX-30-001 | Docs Guild; VEX Lens Guild | Author `/docs/vex/consensus-algorithm.md` covering normalization, weighting, thresholds, examples. |
| 16 | DOCS-VEX-30-003 | DOING | Skeleton drafted; awaiting issuer directory inputs | Docs Guild; Issuer Directory Guild | Document `/docs/vex/issuer-directory.md` (issuer management, keys, trust overrides, audit). |
| 17 | DOCS-VEX-30-004 | DOING | Skeleton drafted; awaiting PLVL0102 policy join notes | Docs Guild; VEX Lens Guild | Publish `/docs/vex/consensus-api.md` with endpoint specs, query params, rate limits. |
| 18 | DOCS-VEX-30-005 | DOING | Skeleton drafted; awaiting console overlay assets | Docs Guild; Console Guild | Write `/docs/vex/consensus-console.md` covering UI workflows, filters, conflicts, accessibility. |
| 19 | DOCS-VEX-30-006 | DOING | Skeleton drafted; needs waiver/exception guidance | Docs Guild; Policy Guild | Add `/docs/policy/vex-trust-model.md` detailing policy knobs, thresholds, simulation. |
| 20 | DOCS-VEX-30-007 | DOING | Skeleton drafted; needs SBOM/VEX dataflow spec | Docs Guild; SBOM Service Guild | Publish `/docs/sbom/vex-mapping.md` (CPE→purl strategy, edge cases, overrides). |
| 21 | DOCS-VEX-30-008 | DOING | Skeleton drafted; pending security review (DVDO0110) | Docs Guild; Security Guild | Deliver `/docs/security/vex-signatures.md` (verification flow, key rotation, audit). |
| 22 | DOCS-VEX-30-009 | DOING | Skeleton drafted; pending DevOps rollout plan | Docs Guild; DevOps Guild | Create `/docs/runbooks/vex-ops.md` for recompute storms, mapping failures, signature errors. |
## Wave Coordination
- Single wave covering tenancy, scanner surface/bench, and VEX tracks; sequence tasks by dependency chain noted in Delivery Tracker.
## Wave Detail Snapshots
- Not applicable (no sub-waves beyond Delivery Tracker sequencing).
- Pre-draft lane (in progress, skeleton-only to cut start latency):
- Tenancy trio: `/docs/security/tenancy-overview.md`, `/docs/security/scopes-and-roles.md`, `/docs/operations/multi-tenancy.md` — outline structure, add TODO callouts for ADR inputs, and reserve imposed-rule reminders.
- Reachability migration: `/docs/migration/enable-reachability.md` — rollout phases, fallback playbook, monitoring hooks placeholders.
- VEX consensus set: `/docs/vex/consensus-overview.md`, `/docs/vex/consensus-algorithm.md`, `/docs/vex/issuer-directory.md`, `/docs/vex/consensus-api.md` — shared front-matter + glossary; stub examples section for PLVL0102 data.
- Scanner surface/bench: `/docs/modules/scanner/scanner-engine.md` and `/docs/modules/scanner/benchmarks/*.md` — frame sections for Surface.FS/Env/Secrets flow, OS coverage, language lockfiles, stripped/entrytrace/SAST enrichers.
- Contract testing: `/docs/testing/contract-testing.md` — outline for mock server, replay fixtures, golden files, determinism guardrails.
## Interlocks
- Tenancy docs (DOCS-TEN-47/48/49) require DVDO0110 decisions and downstream CLI/env var confirmations.
@@ -54,10 +59,23 @@
- VEX consensus series depends on PLVL0102 schemas, issuer directory inputs, and DevOps rollout plans for signatures/ops.
## Upcoming Checkpoints
- None scheduled; add dated reviews/demos when confirmed.
- 2025-12-07 15:00 UTC — 20-min skeleton-sync to align outlines and branch contents across guild writers.
- 2025-12-08 15:00 UTC — daily micro-sync to triage incoming ADR/schema/logs and assign fill-ins.
- 2025-12-09 15:00 UTC — dependency check-in with Security, DevOps, VEX, Surface guilds (confirm DVDO0110, PLVL0102, SCANNER-SURFACE-04 readiness).
## Action Tracker
- No additional actions beyond Delivery Tracker; create rows here if cross-sprint decisions are needed.
| Action | Owner | Due (UTC) | Status | Notes |
| --- | --- | --- | --- | --- |
| Collect DVDO0110 tenancy ADR and monitoring plan | Docs PM | 2025-12-08 | DOING | Outreach started; schedule follow-up if no packet by EOD 12-06. |
| Retrieve Surface emit notes (SCANNER-SURFACE-04) and replay hooks (RPRC0101) | Docs PM | 2025-12-08 | DOING | Pinged Surface and Replay owners; waiting on logs bundle. |
| Obtain PLVL0102 schema snapshot and issuer directory inputs | Docs PM | 2025-12-09 | DOING | VEX Lens/Issuer leads looped; expect draft schema by 12-07. |
| Draft skeletons for tenancy, reachability, VEX consensus, scanner bench docs (placeholders, section headers, TODO callouts) | Docs Guild | 2025-12-07 | DOING | Keeps writers moving; swap TODOs once inputs land. |
| Prep contract-testing doc outline and fixture checklist | Docs Guild | 2025-12-07 | DOING | Aligns with DOSK0101 guidance; ready to merge once examples arrive. |
| Create stub files/PR branch for all skeletons listed in Wave Detail Snapshots | Docs Guild | 2025-12-07 | DONE | Stub files added in working tree; branch optional if reviewers prefer. |
| Open working branch `feature/docs-mdx-skeletons` with placeholder files and TODO callouts | Docs Guild | 2025-12-07 | DONE | Branch created for review; stubs/TODOs committed there. |
| Draft outline headings for tenancy trio, reachability guide, VEX set, scanner engine/bench, contract-testing | Docs Guild | 2025-12-07 | DONE | Skeleton headings and TODO callouts laid down. |
| Prepare fallback “TBD-tagged” placeholder PR if inputs slip past 2025-12-09 check-in | Docs Guild | 2025-12-09 | PLANNED | Ensures docs land with explicit TBDs rather than missing coverage. |
| Commit & push branch `feature/docs-mdx-skeletons` once credentials/hook window available | Docs Guild | 2025-12-06 | PLANNED | Local commit/push pending; staging is ready. |
## Decisions & Risks
| Risk | Impact | Mitigation | Owner |
@@ -70,3 +88,13 @@
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-05 | Normalized sprint to template; renamed from `SPRINT_310_docs_tasks_md_x.md` to `SPRINT_0310_0001_0010_docs_tasks_md_x.md`; no task status changes. | Project management |
| 2025-12-05 | Marked all tasks BLOCKED pending upstream inputs; added checkpoint and action tracker to keep momentum once dependencies land. | Project management |
| 2025-12-05 | Started dependency collection and prepped doc skeleton workstreams to reduce start latency when inputs arrive. | Project management |
| 2025-12-05 | Added pre-draft lane and stub-file plan; owners moving on outlines while dependencies arrive. | Project management |
| 2025-12-05 | Moved stub-branch actions to DOING and queued outline drafting to keep writers busy until inputs unblock. | Project management |
| 2025-12-05 | Scheduled upcoming micro-syncs and added fallback TBD-PR plan to avoid idle time if dependencies slip. | Project management |
| 2025-12-05 | Drafted skeleton docs for reachability, surface, tenancy set, CLI/API auth, ABAC overlays, contract testing, VEX series, and scanner bench tracks; advanced related tasks to DOING while inputs remain pending. | Project management |
| 2025-12-05 | Recorded progress in Action Tracker: stub files landed; outlines complete; branch creation deferred unless reviewers request. | Project management |
| 2025-12-05 | Created branch `feature/docs-mdx-skeletons` to stage skeleton work for review. | Project management |
| 2025-12-05 | Commit/push still pending (credentials/hook window); all files staged on `feature/docs-mdx-skeletons`. | Project management |
| 2025-12-06 | Scheduled 2025-12-07 skeleton-sync and defined working branch name for placeholders. | Project management |

61
docs/implplan/SPRINT_0311_0001_0001_docs_tasks_md_xi.md
View File

@@ -23,19 +23,19 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | DOCS-VULN-29-001 | TODO | Await GRAP0101 domain model freeze for Vuln Explorer overview. | Docs Guild · Vuln Explorer Guild | Publish `/docs/vuln/explorer-overview.md` covering domain model, identities, AOC guarantees, workflow summary. |
| 2 | DOCS-VULN-29-002 | TODO | Blocked on #1 content/storyboard. | Docs Guild · Console Guild | Write `/docs/vuln/explorer-using-console.md` with workflows, screenshots, keyboard shortcuts, saved views, deep links. |
| 3 | DOCS-VULN-29-003 | TODO | Needs API schema + query examples after #2. | Docs Guild · Vuln Explorer API Guild | Author `/docs/vuln/explorer-api.md` (endpoints, query schema, grouping, errors, rate limits). |
| 4 | DOCS-VULN-29-004 | TODO | Requires CLI samples + policy overlays from #3. | Docs Guild · DevEx/CLI Guild | Publish `/docs/vuln/explorer-cli.md` with command reference, samples, exit codes, CI snippets. |
| 5 | DOCS-VULN-29-005 | TODO | Depends on CLI flow (#4) and ledger schema inputs. | Docs Guild · Findings Ledger Guild | Write `/docs/vuln/findings-ledger.md` detailing event schema, hashing, Merkle roots, replay tooling. |
| 6 | DOCS-VULN-29-006 | TODO | Needs updated signals/sim semantics from #5. | Docs Guild · Policy Guild | Update `/docs/policy/vuln-determinations.md` for new rationale, signals, simulation semantics. |
| 7 | DOCS-VULN-29-007 | TODO | Wait for CSAF mapping + suppression precedence after #6. | Docs Guild · Excititor Guild | Publish `/docs/vex/explorer-integration.md` covering CSAF mapping, suppression precedence, status semantics. |
| 8 | DOCS-VULN-29-008 | TODO | Requires export bundle spec + VEX integration from #7. | Docs Guild · Concelier Guild | Publish `/docs/advisories/explorer-integration.md` covering key normalization, withdrawn handling, provenance. |
| 9 | DOCS-VULN-29-009 | TODO | Needs SBOM/vuln scope guidance following #8. | Docs Guild · SBOM Service Guild | Author `/docs/sbom/vuln-resolution.md` detailing version semantics, scope, paths, safe version hints. |
| 10 | DOCS-VULN-29-010 | TODO | Await DevOps telemetry plan after #9. | Docs Guild · Observability Guild | Publish `/docs/observability/vuln-telemetry.md` (metrics, logs, tracing, dashboards, SLOs). |
| 11 | DOCS-VULN-29-011 | TODO | Requires security review + role matrix after #10. | Docs Guild · Security Guild | Create `/docs/security/vuln-rbac.md` for roles, ABAC policies, attachment encryption, CSRF. |
| 12 | DOCS-VULN-29-012 | TODO | Depends on policy overlay outputs after #11. | Docs Guild · Ops Guild | Write `/docs/runbooks/vuln-ops.md` (projector lag, resolver storms, export failures, policy activation). |
| 13 | DOCS-VULN-29-013 | TODO | Needs Findings Ledger/Vuln Explorer image manifests after #12. | Docs Guild · Deployment Guild | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API images, manifests, resource sizing, health checks. |
| 1 | DOCS-VULN-29-001 | DOING | Outline stub drafted at `docs/vuln/explorer-overview.md`; awaiting GRAP0101 domain model freeze. Integration checklist at `docs/vuln/GRAP0101-integration-checklist.md`. | Docs Guild · Vuln Explorer Guild | Publish `/docs/vuln/explorer-overview.md` covering domain model, identities, AOC guarantees, workflow summary. |
| 2 | DOCS-VULN-29-002 | TODO | Blocked on #1 content; draft stub at `docs/vuln/explorer-using-console.md` pending assets. | Docs Guild · Console Guild | Write `/docs/vuln/explorer-using-console.md` with workflows, screenshots, keyboard shortcuts, saved views, deep links. |
| 3 | DOCS-VULN-29-003 | TODO | Draft stub at `docs/vuln/explorer-api.md`; needs GRAP0101 schema + asset samples after #2. | Docs Guild · Vuln Explorer API Guild | Author `/docs/vuln/explorer-api.md` (endpoints, query schema, grouping, errors, rate limits). |
| 4 | DOCS-VULN-29-004 | TODO | Stub at `docs/vuln/explorer-cli.md`; awaiting API schema + CLI samples from #3. | Docs Guild · DevEx/CLI Guild | Publish `/docs/vuln/explorer-cli.md` with command reference, samples, exit codes, CI snippets. |
| 5 | DOCS-VULN-29-005 | TODO | Stub at `docs/vuln/findings-ledger.md`; awaits GRAP0101 + security review + CLI flow (#4). | Docs Guild · Findings Ledger Guild | Write `/docs/vuln/findings-ledger.md` detailing event schema, hashing, Merkle roots, replay tooling. |
| 6 | DOCS-VULN-29-006 | TODO | Stub at `docs/policy/vuln-determinations.md`; awaiting signals/sim semantics from #5 + DevOps plan. | Docs Guild · Policy Guild | Update `/docs/policy/vuln-determinations.md` for new rationale, signals, simulation semantics. |
| 7 | DOCS-VULN-29-007 | TODO | Stub at `docs/vex/explorer-integration.md`; waiting on CSAF mapping + suppression precedence after #6. | Docs Guild · Excititor Guild | Publish `/docs/vex/explorer-integration.md` covering CSAF mapping, suppression precedence, status semantics. |
| 8 | DOCS-VULN-29-008 | TODO | Stub at `docs/advisories/explorer-integration.md`; requires export bundle spec + VEX integration from #7. | Docs Guild · Concelier Guild | Publish `/docs/advisories/explorer-integration.md` covering key normalization, withdrawn handling, provenance. |
| 9 | DOCS-VULN-29-009 | TODO | Stub at `docs/sbom/vuln-resolution.md`; needs SBOM/vuln scope guidance following #8. | Docs Guild · SBOM Service Guild | Author `/docs/sbom/vuln-resolution.md` detailing version semantics, scope, paths, safe version hints. |
| 10 | DOCS-VULN-29-010 | TODO | Stub at `docs/observability/vuln-telemetry.md`; awaiting DevOps telemetry plan after #9. | Docs Guild · Observability Guild | Publish `/docs/observability/vuln-telemetry.md` (metrics, logs, tracing, dashboards, SLOs). |
| 11 | DOCS-VULN-29-011 | TODO | Stub at `docs/security/vuln-rbac.md`; requires security review + role matrix after #10. | Docs Guild · Security Guild | Create `/docs/security/vuln-rbac.md` for roles, ABAC policies, attachment encryption, CSRF. |
| 12 | DOCS-VULN-29-012 | TODO | Stub at `docs/runbooks/vuln-ops.md`; depends on policy overlay outputs after #11. | Docs Guild · Ops Guild | Write `/docs/runbooks/vuln-ops.md` (projector lag, resolver storms, export failures, policy activation). |
| 13 | DOCS-VULN-29-013 | TODO | Pending images/manifests after #12; will update existing `/docs/install/containers.md` when available (no stub created to avoid conflicts). | Docs Guild · Deployment Guild | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API images, manifests, resource sizing, health checks. |
## Wave Coordination
- Single wave (Md.XI) covering Vuln Explorer + Findings Ledger docs; sequencing follows Delivery Tracker dependencies.
@@ -58,9 +58,15 @@
## Action Tracker
| Action | Owner | Due | Status |
| --- | --- | --- | --- |
| Collect GRAP0101 contract snapshot for Vuln Explorer overview. | Docs Guild | 2025-12-08 | Open |
| Request export bundle spec + provenance notes for advisories integration. | Concelier Guild | 2025-12-12 | Open |
| Prepare hash manifest template for screenshots/payloads under `docs/assets/vuln-explorer/`. | Docs Guild | 2025-12-10 | Open |
| Collect GRAP0101 contract snapshot for Vuln Explorer overview. | Docs Guild | 2025-12-08 | In Progress |
| Request export bundle spec + provenance notes for advisories integration. | Concelier Guild | 2025-12-12 | In Progress |
| Prepare hash manifest template for screenshots/payloads under `docs/assets/vuln-explorer/`. | Docs Guild | 2025-12-10 | DONE |
| Request console/UI/CLI asset drop (screens, payloads, samples) for DOCS-VULN-29-002..004. | Vuln Explorer Guild · Console Guild · DevEx/CLI Guild | 2025-12-09 | In Progress |
| Secure DevOps telemetry plan for Vuln Explorer metrics/logs/traces (task #10). | DevOps Guild | 2025-12-16 | Open |
| Security review for RBAC/attachment token wording (task #11) and hashing posture. | Security Guild | 2025-12-18 | Open |
| Prepare asset directories under `docs/assets/vuln-explorer/**` for console/API/CLI/ledger/telemetry/RBAC/runbook/advisory/SBOM/VEX samples; hash in SHA256SUMS on arrival. | Docs Guild | 2025-12-10 | DONE |
| Pre-fill SHA256SUMS with placeholder lines for expected assets to speed hash capture on drop. | Docs Guild | 2025-12-10 | DONE |
| Escalate to platform PM if GRAP0101 contract not delivered by 2025-12-09 (blocks entire Md.XI chain). | Docs Guild | 2025-12-09 | Open |
## Decisions & Risks
### Decisions
@@ -79,3 +85,26 @@
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-05 | Normalised sprint to docs/implplan template; renamed file to `SPRINT_0311_0001_0001_docs_tasks_md_xi.md`; no task status changes. | Project Mgmt |
| 2025-12-05 | Kicked off Md.XI: moved DOCS-VULN-29-001 to DOING; drafting outline using existing Vuln Explorer architecture notes while waiting on GRAP0101 contract. | Project Mgmt |
| 2025-12-05 | Marked GRAP0101 contract collection as In Progress; prepped outline structure to receive contract inputs and planned hash manifest template location under `docs/assets/vuln-explorer/`. | Project Mgmt |
| 2025-12-05 | Created hash manifest placeholder `docs/assets/vuln-explorer/SHA256SUMS` to keep deterministic captures ready; marked action as DONE. | Project Mgmt |
| 2025-12-05 | Initiated outreach for export bundle spec/provenance notes (Concelier Guild) to unblock DOCS-VULN-29-008 and downstream SBOM/observability/install docs; action now In Progress. | Project Mgmt |
| 2025-12-05 | Requested console/UI/CLI asset drop (screens, payloads, samples) to unblock DOCS-VULN-29-002..004; tracking in Action Tracker with 2025-12-09 due. | Project Mgmt |
| 2025-12-05 | Drafted outline stub for DOCS-VULN-29-001 at `docs/vuln/explorer-overview.md`; placeholders marked pending GRAP0101 and asset drops; kept task at DOING. | Docs Guild |
| 2025-12-05 | Enriched overview stub with current architecture details (entities, ABAC scopes, workflow, AOC chain) while retaining GRAP0101 placeholders; no status change to DOCS-VULN-29-001. | Docs Guild |
| 2025-12-05 | Added console guide stub `docs/vuln/explorer-using-console.md`; retains TODO status until GRAP0101 + UI assets arrive; noted hash requirements. | Docs Guild |
| 2025-12-05 | Added API guide stub `docs/vuln/explorer-api.md`; waiting on GRAP0101 field names and asset payloads; DOCS-VULN-29-003 remains TODO. | Docs Guild |
| 2025-12-05 | Added CLI guide stub `docs/vuln/explorer-cli.md`; pending API schema + CLI samples; DOCS-VULN-29-004 stays TODO. | Docs Guild |
| 2025-12-05 | Added findings ledger doc stub `docs/vuln/findings-ledger.md`; pending GRAP0101 alignment and security review; DOCS-VULN-29-005 remains TODO. | Docs Guild |
| 2025-12-05 | Added policy determinations stub `docs/policy/vuln-determinations.md`; awaiting signals/simulation semantics and DevOps rollout; DOCS-VULN-29-006 remains TODO. | Docs Guild |
| 2025-12-05 | Added stubs for VEX integration, advisories integration, SBOM resolution, telemetry, RBAC, and ops runbook (`docs/vex/explorer-integration.md`, `docs/advisories/explorer-integration.md`, `docs/sbom/vuln-resolution.md`, `docs/observability/vuln-telemetry.md`, `docs/security/vuln-rbac.md`, `docs/runbooks/vuln-ops.md`); tasks #7#12 remain TODO pending upstream inputs. | Docs Guild |
| 2025-12-05 | Added Action Tracker items for telemetry plan (DevOps) and security review (RBAC/attachments hashing) to unblock tasks #10#11; statuses Open. | Project Mgmt |
| 2025-12-05 | Filled additional architecture-aligned details into overview and VEX integration stubs (VEX-first ordering, workflow refinement); tasks remain DOING/TODO awaiting GRAP0101 and assets. | Docs Guild |
| 2025-12-05 | Added hash capture checklists to console/API/CLI/ledger stubs to accelerate deterministic publishing once assets land; task statuses unchanged. | Docs Guild |
| 2025-12-05 | Added hash capture checklists to remaining stubs (VEX, advisories, SBOM, telemetry, RBAC, ops runbook) to streamline asset hashing on arrival; tasks remain TODO. | Docs Guild |
| 2025-12-05 | Synced Vulnerability Explorer module charter alignment: confirmed `docs/modules/vuln-explorer/AGENTS.md` reviewed; stubs respect determinism/offline guardrails. | Docs Guild |
| 2025-12-05 | Created asset staging directories under `docs/assets/vuln-explorer/` with READMEs; Action Tracker item marked DONE to enable quick hash capture on asset drop. | Docs Guild |
| 2025-12-05 | Expanded overview stub with triage state machine and offline bundle expectations from module architecture; DOCS-VULN-29-001 remains DOING pending GRAP0101. | Docs Guild |
| 2025-12-05 | Added escalation action for GRAP0101 delay (due 2025-12-09) to avoid idle time; no status changes. | Docs Guild |
| 2025-12-05 | Added GRAP0101 integration checklist `docs/vuln/GRAP0101-integration-checklist.md` to speed field propagation across Md.XI stubs once contract arrives. | Docs Guild |
| 2025-12-05 | Prefilled `docs/assets/vuln-explorer/SHA256SUMS` with placeholders for expected assets to reduce turnaround when hashes land. | Docs Guild |

208
docs/implplan/tasks-all.md
View File

@@ -765,48 +765,48 @@
| DOCS-RISK-66-004 | TODO | | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Risk Engine Guild | docs/risk | Create `/docs/risk/formulas.md` detailing math, normalization, gating, severity. Dependencies: DOCS-RISK-66-003. | Needs engine rollout notes | DORS0101 |
| DOCS-RISK-67-001 | TODO | | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Risk Engine Guild | docs/risk | Publish `/docs/risk/explainability.md` showing artifact schema and UI screenshots. Dependencies: DOCS-RISK-66-004. | Wait for engine metrics from 066_PLOB0101 | DORS0101 |
| DOCS-RISK-67-002 | TODO | | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · API Guild | docs/risk | Produce `/docs/risk/api.md` with endpoint reference/examples. Dependencies: DOCS-RISK-67-001. | Requires API publishing workflow | DORS0101 |
| DOCS-RISK-67-003 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Console Guild | docs/risk | Document `/docs/console/risk-ui.md` for authoring, simulation, dashboards. Dependencies: DOCS-RISK-67-002. | Needs console overlay decision | DORS0101 |
| DOCS-RISK-67-004 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · CLI Guild | docs/risk | Publish `/docs/modules/cli/guides/risk.md` covering CLI workflows. Dependencies: DOCS-RISK-67-003. | Requires CLI samples from 132_CLCI0110 | DORS0101 |
| DOCS-RISK-68-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Export Guild | docs/risk | Add `/docs/airgap/risk-bundles.md` for offline factor bundles. Dependencies: DOCS-RISK-67-004. | Wait for export contract (069_AGEX0101) | DORS0101 |
| DOCS-RISK-68-002 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/risk | Update `/docs/security/aoc-invariants.md` with risk scoring provenance guarantees. Dependencies: DOCS-RISK-68-001. | Requires security approvals | DORS0101 |
| DOCS-RISK-67-003 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Console Guild | docs/risk | Document `/docs/console/risk-ui.md` for authoring, simulation, dashboards. Dependencies: DOCS-RISK-67-002. | Needs console overlay decision | DORS0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-RISK-67-004 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · CLI Guild | docs/risk | Publish `/docs/modules/cli/guides/risk.md` covering CLI workflows. Dependencies: DOCS-RISK-67-003. | Requires CLI samples from 132_CLCI0110 | DORS0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-RISK-68-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Export Guild | docs/risk | Add `/docs/airgap/risk-bundles.md` for offline factor bundles. Dependencies: DOCS-RISK-67-004. | Wait for export contract (069_AGEX0101) | DORS0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-RISK-68-002 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/risk | Update `/docs/security/aoc-invariants.md` with risk scoring provenance guarantees. Dependencies: DOCS-RISK-68-001. | Requires security approvals | DORS0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-RUNBOOK-401-017 | DONE (2025-11-26) | 2025-11-26 | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Ops Guild | `docs/runbooks/reachability-runtime.md`, `docs/reachability/DELIVERY_GUIDE.md` | Publish the reachability runtime ingestion runbook, link it from delivery guides, and keep Ops/Signals troubleshooting steps current. | — | DORU0101 |
| DOCS-RUNBOOK-55-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Ops Guild | docs/runbooks | Author `/docs/runbooks/incidents.md` describing incident mode activation, escalation steps, retention impact, verification checklist, and imposed rule banner. | Requires deployment checklist from DVPL0101 | DORU0101 |
| DOCS-SCANNER-BENCH-62-002 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Capture customer demand for Windows/macOS analyzer coverage and document outcomes. | Need bench inputs from SCSA0301 | DOSB0101 |
| DOCS-SCANNER-BENCH-62-003 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Capture Python lockfile/editable install requirements and document policy guidance. | Depends on #1 | DOSB0101 |
| DOCS-SCANNER-BENCH-62-004 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Java Analyzer Guild | docs/modules/scanner/benchmarks | Document Java lockfile ingestion guidance and policy templates. | Requires Java analyzer notes | DOSB0101 |
| DOCS-SCANNER-BENCH-62-005 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Go Analyzer Guild | docs/modules/scanner/benchmarks | Document Go stripped-binary fallback enrichment guidance once implementation lands. | Needs Go analyzer results | DOSB0101 |
| DOCS-SCANNER-BENCH-62-006 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Document Rust fingerprint enrichment guidance and policy examples. | Requires updated benchmarks from SCSA0601 | DOSB0101 |
| DOCS-SCANNER-BENCH-62-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Platform Data Guild | docs/modules/scanner/benchmarks | Publish EntryTrace explain/heuristic maintenance guide. | Wait for replay hooks (RPRC0101) | DOSB0101 |
| DOCS-SCANNER-BENCH-62-009 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · DevEx/CLI Guild | docs/modules/scanner/benchmarks | Produce SAST integration documentation (connector framework, policy templates). | Depends on CLI samples (132_CLCI0110) | DOSB0101 |
| DOCS-RUNBOOK-55-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Ops Guild | docs/runbooks | Author `/docs/runbooks/incidents.md` describing incident mode activation, escalation steps, retention impact, verification checklist, and imposed rule banner. | Requires deployment checklist from DVPL0101 | DORU0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-SCANNER-BENCH-62-002 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Capture customer demand for Windows/macOS analyzer coverage and document outcomes. | Need bench inputs from SCSA0301 | DOSB0101 |
| DOCS-SCANNER-BENCH-62-003 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Capture Python lockfile/editable install requirements and document policy guidance. | Depends on #1 | DOSB0101 |
| DOCS-SCANNER-BENCH-62-004 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Java Analyzer Guild | docs/modules/scanner/benchmarks | Document Java lockfile ingestion guidance and policy templates. | Requires Java analyzer notes | DOSB0101 |
| DOCS-SCANNER-BENCH-62-005 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Go Analyzer Guild | docs/modules/scanner/benchmarks | Document Go stripped-binary fallback enrichment guidance once implementation lands. | Needs Go analyzer results | DOSB0101 |
| DOCS-SCANNER-BENCH-62-006 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Document Rust fingerprint enrichment guidance and policy examples. | Requires updated benchmarks from SCSA0601 | DOSB0101 |
| DOCS-SCANNER-BENCH-62-008 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Platform Data Guild | docs/modules/scanner/benchmarks | Publish EntryTrace explain/heuristic maintenance guide. | Wait for replay hooks (RPRC0101) | DOSB0101 |
| DOCS-SCANNER-BENCH-62-009 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · DevEx/CLI Guild | docs/modules/scanner/benchmarks | Produce SAST integration documentation (connector framework, policy templates). | Depends on CLI samples (132_CLCI0110) | DOSB0101 |
| DOCS-SCANNER-DET-01 | DONE (2025-12-03) | 2025-12-03 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Scanner Guild | docs/modules/scanner/benchmarks | `/docs/modules/scanner/deterministic-sbom-compose.md` plus scan guide updates + fixture bundle (`docs/modules/scanner/fixtures/deterministic-compose/`). | Fixtures published via Sprint 0136; harness verified. | DOSB0101 |
| DOCS-SDK-62-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · SDK Generator Guild | docs/sdk | Publish `/docs/sdks/overview.md` plus language guides (`typescript.md`, `python.md`, `go.md`, `java.md`). | Need SDK toolchain notes from SDKG0101 | DOSK0101 |
| DOCS-SEC-62-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/auth-scopes.md` with OAuth2/PAT scopes, tenancy header usage. | Need security ADR from DVDO0110 | DOSE0101 |
| DOCS-SEC-OBS-50-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/redaction-and-privacy.md` to cover telemetry privacy controls, tenant opt-in debug, and imposed rule reminder. | Depends on PLOB0101 metrics | DOSE0101 |
| DOCS-SIG-26-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Signals Guild | docs/modules/signals | Write `/docs/signals/reachability.md` covering states, scores, provenance, retention. | Need SGSI0101 metrics freeze | DOSG0101 |
| DOCS-SIG-26-002 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Observability Guild | docs/modules/signals | Publish `/docs/signals/callgraph-formats.md` with schemas and validation errors. Dependencies: DOCS-SIG-26-001. | Depends on #1 | DOSG0101 |
| DOCS-SIG-26-003 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Signals Guild | docs/modules/signals | Create `/docs/signals/runtime-facts.md` detailing agent capabilities, privacy safeguards, opt-in flags. Dependencies: DOCS-SIG-26-002. | Requires SSE contract from SGSI0101 | DOSG0101 |
| DOCS-SIG-26-004 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · CLI Guild | docs/modules/signals | Document `/docs/policy/signals-weighting.md` for SPL predicates and weighting strategies. Dependencies: DOCS-SIG-26-003. | Needs CLI samples (132_CLCI0110) | DOSG0101 |
| DOCS-SIG-26-005 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · DevOps Guild | docs/modules/signals | Draft `/docs/ui/reachability-overlays.md` with badges, timelines, shortcuts. Dependencies: DOCS-SIG-26-004. | Wait for DevOps rollout plan | DOSG0101 |
| DOCS-SIG-26-006 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/modules/signals | Update `/docs/modules/cli/guides/reachability.md` for new commands and automation recipes. Dependencies: DOCS-SIG-26-005. | Requires security guidance (DVDO0110) | DOSG0101 |
| DOCS-SIG-26-007 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Policy Guild | docs/modules/signals | Publish `/docs/api/signals.md` covering endpoints, payloads, ETags, errors. Dependencies: DOCS-SIG-26-006. | Needs policy overlay from PLVL0102 | DOSG0101 |
| DOCS-SIG-26-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Notifications Guild | docs/modules/signals | Write `/docs/migration/enable-reachability.md` guiding rollout, fallbacks, monitoring. Dependencies: DOCS-SIG-26-007. | Depends on notifications hooks (058_NOTY0101) | DOSG0101 |
| DOCS-SURFACE-01 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Surface Guild | docs/modules/scanner/surface | Create `/docs/modules/scanner/scanner-engine.md` covering Surface.FS/Env/Secrets workflow between Scanner, Zastava, Scheduler, and Ops. | Need latest surface emit notes (SCANNER-SURFACE-04) | DOSS0101 |
| DOCS-SDK-62-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · SDK Generator Guild | docs/sdk | Publish `/docs/sdks/overview.md` plus language guides (`typescript.md`, `python.md`, `go.md`, `java.md`). | Need SDK toolchain notes from SDKG0101 | DOSK0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-SEC-62-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/auth-scopes.md` with OAuth2/PAT scopes, tenancy header usage. | Need security ADR from DVDO0110 | DOSE0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-SEC-OBS-50-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/redaction-and-privacy.md` to cover telemetry privacy controls, tenant opt-in debug, and imposed rule reminder. | Depends on PLOB0101 metrics | DOSE0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-SIG-26-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Signals Guild | docs/modules/signals | Write `/docs/signals/reachability.md` covering states, scores, provenance, retention. | Need SGSI0101 metrics freeze | DOSG0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-SIG-26-002 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Observability Guild | docs/modules/signals | Publish `/docs/signals/callgraph-formats.md` with schemas and validation errors. Dependencies: DOCS-SIG-26-001. | Depends on #1 | DOSG0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-SIG-26-003 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Signals Guild | docs/modules/signals | Create `/docs/signals/runtime-facts.md` detailing agent capabilities, privacy safeguards, opt-in flags. Dependencies: DOCS-SIG-26-002. | Requires SSE contract from SGSI0101 | DOSG0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-SIG-26-004 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · CLI Guild | docs/modules/signals | Document `/docs/policy/signals-weighting.md` for SPL predicates and weighting strategies. Dependencies: DOCS-SIG-26-003. | Needs CLI samples (132_CLCI0110) | DOSG0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-SIG-26-005 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · DevOps Guild | docs/modules/signals | Draft `/docs/ui/reachability-overlays.md` with badges, timelines, shortcuts. Dependencies: DOCS-SIG-26-004. | Wait for DevOps rollout plan | DOSG0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-SIG-26-006 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/modules/signals | Update `/docs/modules/cli/guides/reachability.md` for new commands and automation recipes. Dependencies: DOCS-SIG-26-005. | Requires security guidance (DVDO0110) | DOSG0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-SIG-26-007 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Policy Guild | docs/modules/signals | Publish `/docs/api/signals.md` covering endpoints, payloads, ETags, errors. Dependencies: DOCS-SIG-26-006. | Needs policy overlay from PLVL0102 | DOSG0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-SIG-26-008 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Notifications Guild | docs/modules/signals | Write `/docs/migration/enable-reachability.md` guiding rollout, fallbacks, monitoring. Dependencies: DOCS-SIG-26-007. | Depends on notifications hooks (058_NOTY0101) | DOSG0101 |
| DOCS-SURFACE-01 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Surface Guild | docs/modules/scanner/surface | Create `/docs/modules/scanner/scanner-engine.md` covering Surface.FS/Env/Secrets workflow between Scanner, Zastava, Scheduler, and Ops. | Need latest surface emit notes (SCANNER-SURFACE-04) | DOSS0101 |
| DOCS-SYMS-70-003 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · Symbols Guild | docs/specs/symbols/SYMBOL_MANIFEST_v1.md | Author symbol-server architecture/spec docs (`docs/specs/symbols/SYMBOL_MANIFEST_v1.md`, API reference, bundle guide) and update reachability guides with symbol lookup workflow and tenant controls. Dependencies: SYMS-SERVER-401-011, SYMS-INGEST-401-013. | — | DOSY0101 |
| DOCS-TEN-47-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/tenancy | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` outlining scope grammar, tenant model, imposed rule reminder. | Need tenancy ADR from DVDO0110 | DOTN0101 |
| DOCS-TEN-48-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/tenancy | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md`. Dependencies: DOCS-TEN-47-001. | Depends on #1 | DOTN0101 |
| DOCS-TEN-49-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · DevOps Guild | docs/modules/tenancy | Publish `/docs/modules/cli/guides/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, update `/docs/install/configuration-reference.md` with new env vars, all ending with imposed rule line. Dependencies: DOCS-TEN-48-001. | Requires monitoring plan from DVDO0110 | DOTN0101 |
| DOCS-TEST-62-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · SDK Generator Guild | docs/sdk | Author `/docs/testing/contract-testing.md` covering mock server, replay tests, golden fixtures. | Depends on #1 | DOSK0101 |
| DOCS-VEX-30-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Publish `/docs/vex/consensus-overview.md` describing purpose, scope, AOC guarantees. | Need PLVL0102 schema snapshot | DOVX0101 |
| DOCS-VEX-30-002 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Author `/docs/vex/consensus-algorithm.md` covering normalization, weighting, thresholds, examples. Dependencies: DOCS-VEX-30-001. | Depends on #1 | DOVX0101 |
| DOCS-VEX-30-003 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Issuer Directory Guild | docs/modules/vex-lens | Document `/docs/vex/issuer-directory.md` (issuer management, keys, trust overrides, audit). Dependencies: DOCS-VEX-30-002. | Requires Issuer Directory inputs | DOVX0101 |
| DOCS-VEX-30-004 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Publish `/docs/vex/consensus-api.md` with endpoint specs, query params, rate limits. Dependencies: DOCS-VEX-30-003. | Needs PLVL0102 policy join notes | DOVX0101 |
| DOCS-VEX-30-005 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Console Guild | docs/modules/vex-lens | Write `/docs/vex/consensus-console.md` covering UI workflows, filters, conflicts, accessibility. Dependencies: DOCS-VEX-30-004. | Requires console overlay assets | DOVX0101 |
| DOCS-VEX-30-006 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Policy Guild | docs/modules/vex-lens | Add `/docs/policy/vex-trust-model.md` detailing policy knobs, thresholds, simulation. Dependencies: DOCS-VEX-30-005. | Needs waiver/exception guidance | DOVX0101 |
| DOCS-VEX-30-007 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · SBOM Service Guild | docs/modules/vex-lens | Publish `/docs/sbom/vex-mapping.md` (CPE→purl strategy, edge cases, overrides). Dependencies: DOCS-VEX-30-006. | Depends on SBOM/VEX dataflow spec | DOVX0101 |
| DOCS-VEX-30-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/vex-lens | Deliver `/docs/security/vex-signatures.md` (verification flow, key rotation, audit). Dependencies: DOCS-VEX-30-007. | Requires security review (DVDO0110) | DOVX0101 |
| DOCS-VEX-30-009 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · DevOps Guild | docs/modules/vex-lens | Create `/docs/runbooks/vex-ops.md` for recompute storms, mapping failures, signature errors. Dependencies: DOCS-VEX-30-008. | Needs DevOps rollout plan | DOVX0101 |
| DOCS-TEN-47-001 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/tenancy | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` outlining scope grammar, tenant model, imposed rule reminder. | Need tenancy ADR from DVDO0110 | DOTN0101 |
| DOCS-TEN-48-001 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/tenancy | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md`. Dependencies: DOCS-TEN-47-001. | Depends on #1 | DOTN0101 |
| DOCS-TEN-49-001 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · DevOps Guild | docs/modules/tenancy | Publish `/docs/modules/cli/guides/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, update `/docs/install/configuration-reference.md` with new env vars, all ending with imposed rule line. Dependencies: DOCS-TEN-48-001. | Requires monitoring plan from DVDO0110 | DOTN0101 |
| DOCS-TEST-62-001 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · SDK Generator Guild | docs/sdk | Author `/docs/testing/contract-testing.md` covering mock server, replay tests, golden fixtures. | Depends on #1 | DOSK0101 |
| DOCS-VEX-30-001 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Publish `/docs/vex/consensus-overview.md` describing purpose, scope, AOC guarantees. | Need PLVL0102 schema snapshot | DOVX0101 |
| DOCS-VEX-30-002 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Author `/docs/vex/consensus-algorithm.md` covering normalization, weighting, thresholds, examples. Dependencies: DOCS-VEX-30-001. | Depends on #1 | DOVX0101 |
| DOCS-VEX-30-003 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Issuer Directory Guild | docs/modules/vex-lens | Document `/docs/vex/issuer-directory.md` (issuer management, keys, trust overrides, audit). Dependencies: DOCS-VEX-30-002. | Requires Issuer Directory inputs | DOVX0101 |
| DOCS-VEX-30-004 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Publish `/docs/vex/consensus-api.md` with endpoint specs, query params, rate limits. Dependencies: DOCS-VEX-30-003. | Needs PLVL0102 policy join notes | DOVX0101 |
| DOCS-VEX-30-005 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Console Guild | docs/modules/vex-lens | Write `/docs/vex/consensus-console.md` covering UI workflows, filters, conflicts, accessibility. Dependencies: DOCS-VEX-30-004. | Requires console overlay assets | DOVX0101 |
| DOCS-VEX-30-006 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Policy Guild | docs/modules/vex-lens | Add `/docs/policy/vex-trust-model.md` detailing policy knobs, thresholds, simulation. Dependencies: DOCS-VEX-30-005. | Needs waiver/exception guidance | DOVX0101 |
| DOCS-VEX-30-007 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · SBOM Service Guild | docs/modules/vex-lens | Publish `/docs/sbom/vex-mapping.md` (CPE→purl strategy, edge cases, overrides). Dependencies: DOCS-VEX-30-006. | Depends on SBOM/VEX dataflow spec | DOVX0101 |
| DOCS-VEX-30-008 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/vex-lens | Deliver `/docs/security/vex-signatures.md` (verification flow, key rotation, audit). Dependencies: DOCS-VEX-30-007. | Requires security review (DVDO0110) | DOVX0101 |
| DOCS-VEX-30-009 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · DevOps Guild | docs/modules/vex-lens | Create `/docs/runbooks/vex-ops.md` for recompute storms, mapping failures, signature errors. Dependencies: DOCS-VEX-30-008. | Needs DevOps rollout plan | DOVX0101 |
| DOCS-VEX-401-012 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · VEX Lens Guild | `docs/benchmarks/vex-evidence-playbook.md`, `bench/README.md` | Maintain the VEX Evidence Playbook, publish repo templates/README, and document verification workflows for operators. | Need VEX evidence export from PLVL0102 | DOVB0101 |
| DOCS-VULN-29-001 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Vuln Explorer Guild | docs/modules/vuln-explorer | Publish `/docs/vuln/explorer-overview.md` covering domain model, identities, AOC guarantees, workflow summary. | Need GRAP0101 contract | DOVL0101 |
| DOCS-VULN-29-001 | DOING | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Vuln Explorer Guild | docs/modules/vuln-explorer | Publish `/docs/vuln/explorer-overview.md` covering domain model, identities, AOC guarantees, workflow summary. | Need GRAP0101 contract | DOVL0101 |
| DOCS-VULN-29-002 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Vuln Explorer Guild | docs/modules/vuln-explorer | Write `/docs/vuln/explorer-using-console.md` with workflows, screenshots, keyboard shortcuts, saved views, deep links. Dependencies: DOCS-VULN-29-001. | Depends on #1 | DOVL0101 |
| DOCS-VULN-29-003 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · UI Guild | docs/modules/vuln-explorer | Author `/docs/vuln/explorer-api.md` (endpoints, query schema, grouping, errors, rate limits). Dependencies: DOCS-VULN-29-002. | Requires UI assets | DOVL0101 |
| DOCS-VULN-29-004 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Policy Guild | docs/modules/vuln-explorer | Publish `/docs/vuln/explorer-cli.md` with command reference, samples, exit codes, CI snippets. Dependencies: DOCS-VULN-29-003. | Needs policy overlay inputs | DOVL0101 |
@@ -1675,13 +1675,13 @@
| SCANNER-ANALYZERS-RUBY-28-010 | TODO | | SPRINT_135_scanner_surface | Ruby Analyzer Guild, Signals Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby) | src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby | Optional runtime evidence integration (if provided logs/metrics) with path hashing, without altering static precedence. | SCANNER-ANALYZERS-RUBY-28-009 | |
| SCANNER-ANALYZERS-RUBY-28-011 | TODO | | SPRINT_135_scanner_surface | Ruby Analyzer Guild, DevOps Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby) | src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby | Package analyzer plug-in, add CLI (`stella ruby inspect`), refresh Offline Kit documentation. | SCANNER-ANALYZERS-RUBY-28-010 | |
| SCANNER-ANALYZERS-RUBY-28-012 | TODO | | SPRINT_135_scanner_surface | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby) | src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby | Policy signal emitter: rubygems drift, native extension flags, dangerous constructs counts, TLS verify posture, dynamic require eval warnings. | SCANNER-ANALYZERS-RUBY-28-011 | |
| SCANNER-BENCH-62-002 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Product Guild (docs) | | | | |
| SCANNER-BENCH-62-003 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Product Guild (docs) | | | | |
| SCANNER-BENCH-62-004 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Java Analyzer Guild (docs) | | | | |
| SCANNER-BENCH-62-005 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Go Analyzer Guild (docs) | | | | |
| SCANNER-BENCH-62-006 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Rust Analyzer Guild (docs) | | | | |
| SCANNER-BENCH-62-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, EntryTrace Guild (docs) | | | | |
| SCANNER-BENCH-62-009 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Policy Guild (docs) | | | | |
| SCANNER-BENCH-62-002 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Product Guild (docs) | | | | |
| SCANNER-BENCH-62-003 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Product Guild (docs) | | | | |
| SCANNER-BENCH-62-004 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Java Analyzer Guild (docs) | | | | |
| SCANNER-BENCH-62-005 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Go Analyzer Guild (docs) | | | | |
| SCANNER-BENCH-62-006 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Rust Analyzer Guild (docs) | | | | |
| SCANNER-BENCH-62-008 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, EntryTrace Guild (docs) | | | | |
| SCANNER-BENCH-62-009 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Policy Guild (docs) | | | | |
| SCANNER-CLI-0001 | DONE | 2025-11-10 | SPRINT_0138_0000_0001_scanner_ruby_parity | CLI Guild, Ruby Analyzer Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Coordinate CLI UX/help text for new Ruby verbs and update CLI docs/golden outputs. | SCANNER-ENG-0019 | |
| SCANNER-DET-01 | DONE (2025-12-03) | 2025-12-03 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Scanner Guild | | Deterministic compose fixtures landed; docs published. | |
| SCANNER-DOCS-0003 | TODO | | SPRINT_327_docs_modules_scanner | Docs Guild, Product Guild (docs/modules/scanner) | docs/modules/scanner | Gather Windows/macOS analyzer demand signals and record findings in `docs/benchmarks/scanner/windows-macos-demand.md` for marketing + product readiness. | | |
@@ -1825,7 +1825,7 @@
| SIG-26-005 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild, UI Guild (docs) | | | | |
| SIG-26-006 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild, DevEx/CLI Guild (docs) | | | | |
| SIG-26-007 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild, BE-Base Platform Guild (docs) | | | | |
| SIG-26-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, DevOps Guild (docs) | | | | |
| SIG-26-008 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, DevOps Guild (docs) | | | | |
| SIG-STORE-401-016 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Signals Guild · BE-Base Platform Guild (`src/Signals/StellaOps.Signals`, `src/__Libraries/StellaOps.Replay.Core`) | `src/Signals/StellaOps.Signals`, `src/__Libraries/StellaOps.Replay.Core` | Introduce shared reachability store collections (`func_nodes`, `call_edges`, `cve_func_hits`), indexes, and repository APIs so Scanner/Signals/Policy can reuse canonical function data. | | |
| SIGN-CORE-186-004 | DONE | 2025-11-26 | SPRINT_186_record_deterministic_execution | Signing Guild | `src/Signer/StellaOps.Signer`, `src/__Libraries/StellaOps.Cryptography` | Replace the HMAC demo implementation in `StellaOps.Signer` with StellaOps.Cryptography providers (keyless + KMS), including provider selection, key material loading, and cosign-compatible DSSE signature output. | Mirrors #1 | SIGR0101 |
| SIGN-CORE-186-005 | DONE | 2025-11-26 | SPRINT_186_record_deterministic_execution | Signing Guild | `src/Signer/StellaOps.Signer.Core` | Refactor `SignerStatementBuilder` to support StellaOps predicate types (e.g., `stella.ops/promotion@v1`) and delegate payload canonicalisation to the Provenance library once available. | Mirrors #2 | SIGR0101 |
@@ -1964,7 +1964,7 @@
| TEN-48-001 | TODO | | SPRINT_115_concelier_iv | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) | src/Concelier/__Libraries/StellaOps.Concelier.Core | | | |
| TEN-49-001 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
| TEST-186-006 | TODO | | SPRINT_186_record_deterministic_execution | Signing Guild, QA Guild (`src/Signer/StellaOps.Signer.Tests`) | `src/Signer/StellaOps.Signer.Tests` | | | |
| TEST-62-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Contract Testing Guild (docs) | | | | |
| TEST-62-001 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Contract Testing Guild (docs) | | | | |
| TIME-57-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | | PROGRAM-STAFF-1001 | |
| TIME-57-002 | TODO | | SPRINT_510_airgap | Exporter Guild · AirGap Time Guild · CLI Guild | src/AirGap/StellaOps.AirGap.Time | PROGRAM-STAFF-1001 | PROGRAM-STAFF-1001 | AGTM0101 |
| TIME-58-001 | TODO | | SPRINT_510_airgap | AirGap Time Guild | src/AirGap/StellaOps.AirGap.Time | AIRGAP-TIME-58-001 | AIRGAP-TIME-58-001 | AGTM0101 |
@@ -2033,11 +2033,11 @@
| VEX-30-002 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
| VEX-30-003 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
| VEX-30-004 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
| VEX-30-005 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Console Guild (docs) | | | | |
| VEX-30-006 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Policy Guild (docs) | | | | DOVX0101 |
| VEX-30-007 | TODO | | SPRINT_216_web_v | BE-Base Platform Guild, VEX Lens Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | | | DOVX0101 |
| VEX-30-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Security Guild (docs) | | | | DOVX0101 |
| VEX-30-009 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, DevOps Guild (docs) | | | | DOVX0101 |
| VEX-30-005 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Console Guild (docs) | | | | |
| VEX-30-006 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Policy Guild (docs) | | | | DOVX0101 |
| VEX-30-007 | BLOCKED | | SPRINT_216_web_v | BE-Base Platform Guild, VEX Lens Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | | | DOVX0101 |
| VEX-30-008 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Security Guild (docs) | | | | DOVX0101 |
| VEX-30-009 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, DevOps Guild (docs) | | | | DOVX0101 |
| VEX-401-006 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy`) | `src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy` | | | DOVX0101 |
| VEX-401-010 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild (`src/Policy/StellaOps.Policy.Engine/Vex`, `docs/modules/policy/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | `src/Policy/StellaOps.Policy.Engine/Vex`, `docs/modules/policy/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md` | | | DOVX0101 |
| VEX-401-011 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | verify | | | | DOVX0101 |
@@ -2982,48 +2982,48 @@
| DOCS-RISK-66-004 | TODO | | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Risk Engine Guild | docs/risk | Create `/docs/risk/formulas.md` detailing math, normalization, gating, severity. Dependencies: DOCS-RISK-66-003. | Needs engine rollout notes | DORS0101 |
| DOCS-RISK-67-001 | TODO | | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Risk Engine Guild | docs/risk | Publish `/docs/risk/explainability.md` showing artifact schema and UI screenshots. Dependencies: DOCS-RISK-66-004. | Wait for engine metrics from 066_PLOB0101 | DORS0101 |
| DOCS-RISK-67-002 | TODO | | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · API Guild | docs/risk | Produce `/docs/risk/api.md` with endpoint reference/examples. Dependencies: DOCS-RISK-67-001. | Requires API publishing workflow | DORS0101 |
| DOCS-RISK-67-003 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Console Guild | docs/risk | Document `/docs/console/risk-ui.md` for authoring, simulation, dashboards. Dependencies: DOCS-RISK-67-002. | Needs console overlay decision | DORS0101 |
| DOCS-RISK-67-004 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · CLI Guild | docs/risk | Publish `/docs/modules/cli/guides/risk.md` covering CLI workflows. Dependencies: DOCS-RISK-67-003. | Requires CLI samples from 132_CLCI0110 | DORS0101 |
| DOCS-RISK-68-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Export Guild | docs/risk | Add `/docs/airgap/risk-bundles.md` for offline factor bundles. Dependencies: DOCS-RISK-67-004. | Wait for export contract (069_AGEX0101) | DORS0101 |
| DOCS-RISK-68-002 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/risk | Update `/docs/security/aoc-invariants.md` with risk scoring provenance guarantees. Dependencies: DOCS-RISK-68-001. | Requires security approvals | DORS0101 |
| DOCS-RISK-67-003 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Console Guild | docs/risk | Document `/docs/console/risk-ui.md` for authoring, simulation, dashboards. Dependencies: DOCS-RISK-67-002. | Needs console overlay decision | DORS0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-RISK-67-004 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · CLI Guild | docs/risk | Publish `/docs/modules/cli/guides/risk.md` covering CLI workflows. Dependencies: DOCS-RISK-67-003. | Requires CLI samples from 132_CLCI0110 | DORS0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-RISK-68-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Export Guild | docs/risk | Add `/docs/airgap/risk-bundles.md` for offline factor bundles. Dependencies: DOCS-RISK-67-004. | Wait for export contract (069_AGEX0101) | DORS0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-RISK-68-002 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/risk | Update `/docs/security/aoc-invariants.md` with risk scoring provenance guarantees. Dependencies: DOCS-RISK-68-001. | Requires security approvals | DORS0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-RUNBOOK-401-017 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Ops Guild | `docs/runbooks/reachability-runtime.md`, `docs/reachability/DELIVERY_GUIDE.md` | Publish the reachability runtime ingestion runbook, link it from delivery guides, and keep Ops/Signals troubleshooting steps current. | Need latest reachability metrics from RBBN0101 | DORU0101 |
| DOCS-RUNBOOK-55-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Ops Guild | docs/runbooks | Author `/docs/runbooks/incidents.md` describing incident mode activation, escalation steps, retention impact, verification checklist, and imposed rule banner. | Requires deployment checklist from DVPL0101 | DORU0101 |
| DOCS-SCANNER-BENCH-62-002 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Capture customer demand for Windows/macOS analyzer coverage and document outcomes. | Need bench inputs from SCSA0301 | DOSB0101 |
| DOCS-SCANNER-BENCH-62-003 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Capture Python lockfile/editable install requirements and document policy guidance. | Depends on #1 | DOSB0101 |
| DOCS-SCANNER-BENCH-62-004 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Java Analyzer Guild | docs/modules/scanner/benchmarks | Document Java lockfile ingestion guidance and policy templates. | Requires Java analyzer notes | DOSB0101 |
| DOCS-SCANNER-BENCH-62-005 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Go Analyzer Guild | docs/modules/scanner/benchmarks | Document Go stripped-binary fallback enrichment guidance once implementation lands. | Needs Go analyzer results | DOSB0101 |
| DOCS-SCANNER-BENCH-62-006 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Document Rust fingerprint enrichment guidance and policy examples. | Requires updated benchmarks from SCSA0601 | DOSB0101 |
| DOCS-SCANNER-BENCH-62-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Platform Data Guild | docs/modules/scanner/benchmarks | Publish EntryTrace explain/heuristic maintenance guide. | Wait for replay hooks (RPRC0101) | DOSB0101 |
| DOCS-SCANNER-BENCH-62-009 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · DevEx/CLI Guild | docs/modules/scanner/benchmarks | Produce SAST integration documentation (connector framework, policy templates). | Depends on CLI samples (132_CLCI0110) | DOSB0101 |
| DOCS-RUNBOOK-55-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Ops Guild | docs/runbooks | Author `/docs/runbooks/incidents.md` describing incident mode activation, escalation steps, retention impact, verification checklist, and imposed rule banner. | Requires deployment checklist from DVPL0101 | DORU0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-SCANNER-BENCH-62-002 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Capture customer demand for Windows/macOS analyzer coverage and document outcomes. | Need bench inputs from SCSA0301 | DOSB0101 |
| DOCS-SCANNER-BENCH-62-003 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Capture Python lockfile/editable install requirements and document policy guidance. | Depends on #1 | DOSB0101 |
| DOCS-SCANNER-BENCH-62-004 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Java Analyzer Guild | docs/modules/scanner/benchmarks | Document Java lockfile ingestion guidance and policy templates. | Requires Java analyzer notes | DOSB0101 |
| DOCS-SCANNER-BENCH-62-005 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Go Analyzer Guild | docs/modules/scanner/benchmarks | Document Go stripped-binary fallback enrichment guidance once implementation lands. | Needs Go analyzer results | DOSB0101 |
| DOCS-SCANNER-BENCH-62-006 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Document Rust fingerprint enrichment guidance and policy examples. | Requires updated benchmarks from SCSA0601 | DOSB0101 |
| DOCS-SCANNER-BENCH-62-008 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Platform Data Guild | docs/modules/scanner/benchmarks | Publish EntryTrace explain/heuristic maintenance guide. | Wait for replay hooks (RPRC0101) | DOSB0101 |
| DOCS-SCANNER-BENCH-62-009 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · DevEx/CLI Guild | docs/modules/scanner/benchmarks | Produce SAST integration documentation (connector framework, policy templates). | Depends on CLI samples (132_CLCI0110) | DOSB0101 |
| DOCS-SCANNER-DET-01 | DONE (2025-12-03) | 2025-12-03 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Scanner Guild | docs/modules/scanner/benchmarks | `/docs/modules/scanner/deterministic-sbom-compose.md` plus scan guide updates + fixture bundle (`docs/modules/scanner/fixtures/deterministic-compose/`). | Fixtures published via Sprint 0136; harness verified. | DOSB0101 |
| DOCS-SDK-62-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · SDK Generator Guild | docs/sdk | Publish `/docs/sdks/overview.md` plus language guides (`typescript.md`, `python.md`, `go.md`, `java.md`). | Need SDK toolchain notes from SDKG0101 | DOSK0101 |
| DOCS-SEC-62-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/auth-scopes.md` with OAuth2/PAT scopes, tenancy header usage. | Need security ADR from DVDO0110 | DOSE0101 |
| DOCS-SEC-OBS-50-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/redaction-and-privacy.md` to cover telemetry privacy controls, tenant opt-in debug, and imposed rule reminder. | Depends on PLOB0101 metrics | DOSE0101 |
| DOCS-SIG-26-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Signals Guild | docs/modules/signals | Write `/docs/signals/reachability.md` covering states, scores, provenance, retention. | Need SGSI0101 metrics freeze | DOSG0101 |
| DOCS-SIG-26-002 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Observability Guild | docs/modules/signals | Publish `/docs/signals/callgraph-formats.md` with schemas and validation errors. Dependencies: DOCS-SIG-26-001. | Depends on #1 | DOSG0101 |
| DOCS-SIG-26-003 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Signals Guild | docs/modules/signals | Create `/docs/signals/runtime-facts.md` detailing agent capabilities, privacy safeguards, opt-in flags. Dependencies: DOCS-SIG-26-002. | Requires SSE contract from SGSI0101 | DOSG0101 |
| DOCS-SIG-26-004 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · CLI Guild | docs/modules/signals | Document `/docs/policy/signals-weighting.md` for SPL predicates and weighting strategies. Dependencies: DOCS-SIG-26-003. | Needs CLI samples (132_CLCI0110) | DOSG0101 |
| DOCS-SIG-26-005 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · DevOps Guild | docs/modules/signals | Draft `/docs/ui/reachability-overlays.md` with badges, timelines, shortcuts. Dependencies: DOCS-SIG-26-004. | Wait for DevOps rollout plan | DOSG0101 |
| DOCS-SIG-26-006 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/modules/signals | Update `/docs/modules/cli/guides/reachability.md` for new commands and automation recipes. Dependencies: DOCS-SIG-26-005. | Requires security guidance (DVDO0110) | DOSG0101 |
| DOCS-SIG-26-007 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Policy Guild | docs/modules/signals | Publish `/docs/api/signals.md` covering endpoints, payloads, ETags, errors. Dependencies: DOCS-SIG-26-006. | Needs policy overlay from PLVL0102 | DOSG0101 |
| DOCS-SIG-26-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Notifications Guild | docs/modules/signals | Write `/docs/migration/enable-reachability.md` guiding rollout, fallbacks, monitoring. Dependencies: DOCS-SIG-26-007. | Depends on notifications hooks (058_NOTY0101) | DOSG0101 |
| DOCS-SURFACE-01 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Surface Guild | docs/modules/scanner/surface | Create `/docs/modules/scanner/scanner-engine.md` covering Surface.FS/Env/Secrets workflow between Scanner, Zastava, Scheduler, and Ops. | Need latest surface emit notes (SCANNER-SURFACE-04) | DOSS0101 |
| DOCS-SDK-62-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · SDK Generator Guild | docs/sdk | Publish `/docs/sdks/overview.md` plus language guides (`typescript.md`, `python.md`, `go.md`, `java.md`). | Need SDK toolchain notes from SDKG0101 | DOSK0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-SEC-62-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/auth-scopes.md` with OAuth2/PAT scopes, tenancy header usage. | Need security ADR from DVDO0110 | DOSE0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-SEC-OBS-50-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/redaction-and-privacy.md` to cover telemetry privacy controls, tenant opt-in debug, and imposed rule reminder. | Depends on PLOB0101 metrics | DOSE0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-SIG-26-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Signals Guild | docs/modules/signals | Write `/docs/signals/reachability.md` covering states, scores, provenance, retention. | Need SGSI0101 metrics freeze | DOSG0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-SIG-26-002 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Observability Guild | docs/modules/signals | Publish `/docs/signals/callgraph-formats.md` with schemas and validation errors. Dependencies: DOCS-SIG-26-001. | Depends on #1 | DOSG0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-SIG-26-003 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Signals Guild | docs/modules/signals | Create `/docs/signals/runtime-facts.md` detailing agent capabilities, privacy safeguards, opt-in flags. Dependencies: DOCS-SIG-26-002. | Requires SSE contract from SGSI0101 | DOSG0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-SIG-26-004 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · CLI Guild | docs/modules/signals | Document `/docs/policy/signals-weighting.md` for SPL predicates and weighting strategies. Dependencies: DOCS-SIG-26-003. | Needs CLI samples (132_CLCI0110) | DOSG0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-SIG-26-005 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · DevOps Guild | docs/modules/signals | Draft `/docs/ui/reachability-overlays.md` with badges, timelines, shortcuts. Dependencies: DOCS-SIG-26-004. | Wait for DevOps rollout plan | DOSG0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-SIG-26-006 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/modules/signals | Update `/docs/modules/cli/guides/reachability.md` for new commands and automation recipes. Dependencies: DOCS-SIG-26-005. | Requires security guidance (DVDO0110) | DOSG0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-SIG-26-007 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Policy Guild | docs/modules/signals | Publish `/docs/api/signals.md` covering endpoints, payloads, ETags, errors. Dependencies: DOCS-SIG-26-006. | Needs policy overlay from PLVL0102 | DOSG0101 Inputs due 2025-12-09..12 (Md.IX action tracker). |
| DOCS-SIG-26-008 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Notifications Guild | docs/modules/signals | Write `/docs/migration/enable-reachability.md` guiding rollout, fallbacks, monitoring. Dependencies: DOCS-SIG-26-007. | Depends on notifications hooks (058_NOTY0101) | DOSG0101 |
| DOCS-SURFACE-01 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Surface Guild | docs/modules/scanner/surface | Create `/docs/modules/scanner/scanner-engine.md` covering Surface.FS/Env/Secrets workflow between Scanner, Zastava, Scheduler, and Ops. | Need latest surface emit notes (SCANNER-SURFACE-04) | DOSS0101 |
| DOCS-SYMS-70-003 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Symbols Guild | docs/modules/symbols | Author symbol-server architecture/spec docs (`docs/specs/symbols/SYMBOL_MANIFEST_v1.md`, API reference, bundle guide) and update reachability guides with symbol lookup workflow and tenant controls. Dependencies: SYMS-SERVER-401-011, SYMS-INGEST-401-013. | Need RBSY0101 cache notes | DOSY0101 |
| DOCS-TEN-47-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/tenancy | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` outlining scope grammar, tenant model, imposed rule reminder. | Need tenancy ADR from DVDO0110 | DOTN0101 |
| DOCS-TEN-48-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/tenancy | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md`. Dependencies: DOCS-TEN-47-001. | Depends on #1 | DOTN0101 |
| DOCS-TEN-49-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · DevOps Guild | docs/modules/tenancy | Publish `/docs/modules/cli/guides/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, update `/docs/install/configuration-reference.md` with new env vars, all ending with imposed rule line. Dependencies: DOCS-TEN-48-001. | Requires monitoring plan from DVDO0110 | DOTN0101 |
| DOCS-TEST-62-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · SDK Generator Guild | docs/sdk | Author `/docs/testing/contract-testing.md` covering mock server, replay tests, golden fixtures. | Depends on #1 | DOSK0101 |
| DOCS-VEX-30-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Publish `/docs/vex/consensus-overview.md` describing purpose, scope, AOC guarantees. | Need PLVL0102 schema snapshot | DOVX0101 |
| DOCS-VEX-30-002 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Author `/docs/vex/consensus-algorithm.md` covering normalization, weighting, thresholds, examples. Dependencies: DOCS-VEX-30-001. | Depends on #1 | DOVX0101 |
| DOCS-VEX-30-003 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Issuer Directory Guild | docs/modules/vex-lens | Document `/docs/vex/issuer-directory.md` (issuer management, keys, trust overrides, audit). Dependencies: DOCS-VEX-30-002. | Requires Issuer Directory inputs | DOVX0101 |
| DOCS-VEX-30-004 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Publish `/docs/vex/consensus-api.md` with endpoint specs, query params, rate limits. Dependencies: DOCS-VEX-30-003. | Needs PLVL0102 policy join notes | DOVX0101 |
| DOCS-VEX-30-005 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Console Guild | docs/modules/vex-lens | Write `/docs/vex/consensus-console.md` covering UI workflows, filters, conflicts, accessibility. Dependencies: DOCS-VEX-30-004. | Requires console overlay assets | DOVX0101 |
| DOCS-VEX-30-006 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Policy Guild | docs/modules/vex-lens | Add `/docs/policy/vex-trust-model.md` detailing policy knobs, thresholds, simulation. Dependencies: DOCS-VEX-30-005. | Needs waiver/exception guidance | DOVX0101 |
| DOCS-VEX-30-007 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · SBOM Service Guild | docs/modules/vex-lens | Publish `/docs/sbom/vex-mapping.md` (CPE→purl strategy, edge cases, overrides). Dependencies: DOCS-VEX-30-006. | Depends on SBOM/VEX dataflow spec | DOVX0101 |
| DOCS-VEX-30-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/vex-lens | Deliver `/docs/security/vex-signatures.md` (verification flow, key rotation, audit). Dependencies: DOCS-VEX-30-007. | Requires security review (DVDO0110) | DOVX0101 |
| DOCS-VEX-30-009 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · DevOps Guild | docs/modules/vex-lens | Create `/docs/runbooks/vex-ops.md` for recompute storms, mapping failures, signature errors. Dependencies: DOCS-VEX-30-008. | Needs DevOps rollout plan | DOVX0101 |
| DOCS-TEN-47-001 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/tenancy | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` outlining scope grammar, tenant model, imposed rule reminder. | Need tenancy ADR from DVDO0110 | DOTN0101 |
| DOCS-TEN-48-001 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/tenancy | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md`. Dependencies: DOCS-TEN-47-001. | Depends on #1 | DOTN0101 |
| DOCS-TEN-49-001 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · DevOps Guild | docs/modules/tenancy | Publish `/docs/modules/cli/guides/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, update `/docs/install/configuration-reference.md` with new env vars, all ending with imposed rule line. Dependencies: DOCS-TEN-48-001. | Requires monitoring plan from DVDO0110 | DOTN0101 |
| DOCS-TEST-62-001 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · SDK Generator Guild | docs/sdk | Author `/docs/testing/contract-testing.md` covering mock server, replay tests, golden fixtures. | Depends on #1 | DOSK0101 |
| DOCS-VEX-30-001 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Publish `/docs/vex/consensus-overview.md` describing purpose, scope, AOC guarantees. | Need PLVL0102 schema snapshot | DOVX0101 |
| DOCS-VEX-30-002 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Author `/docs/vex/consensus-algorithm.md` covering normalization, weighting, thresholds, examples. Dependencies: DOCS-VEX-30-001. | Depends on #1 | DOVX0101 |
| DOCS-VEX-30-003 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Issuer Directory Guild | docs/modules/vex-lens | Document `/docs/vex/issuer-directory.md` (issuer management, keys, trust overrides, audit). Dependencies: DOCS-VEX-30-002. | Requires Issuer Directory inputs | DOVX0101 |
| DOCS-VEX-30-004 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Publish `/docs/vex/consensus-api.md` with endpoint specs, query params, rate limits. Dependencies: DOCS-VEX-30-003. | Needs PLVL0102 policy join notes | DOVX0101 |
| DOCS-VEX-30-005 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Console Guild | docs/modules/vex-lens | Write `/docs/vex/consensus-console.md` covering UI workflows, filters, conflicts, accessibility. Dependencies: DOCS-VEX-30-004. | Requires console overlay assets | DOVX0101 |
| DOCS-VEX-30-006 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Policy Guild | docs/modules/vex-lens | Add `/docs/policy/vex-trust-model.md` detailing policy knobs, thresholds, simulation. Dependencies: DOCS-VEX-30-005. | Needs waiver/exception guidance | DOVX0101 |
| DOCS-VEX-30-007 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · SBOM Service Guild | docs/modules/vex-lens | Publish `/docs/sbom/vex-mapping.md` (CPE→purl strategy, edge cases, overrides). Dependencies: DOCS-VEX-30-006. | Depends on SBOM/VEX dataflow spec | DOVX0101 |
| DOCS-VEX-30-008 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/vex-lens | Deliver `/docs/security/vex-signatures.md` (verification flow, key rotation, audit). Dependencies: DOCS-VEX-30-007. | Requires security review (DVDO0110) | DOVX0101 |
| DOCS-VEX-30-009 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · DevOps Guild | docs/modules/vex-lens | Create `/docs/runbooks/vex-ops.md` for recompute storms, mapping failures, signature errors. Dependencies: DOCS-VEX-30-008. | Needs DevOps rollout plan | DOVX0101 |
| DOCS-VEX-401-012 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · VEX Lens Guild | `docs/benchmarks/vex-evidence-playbook.md`, `bench/README.md` | Maintain the VEX Evidence Playbook, publish repo templates/README, and document verification workflows for operators. | Need VEX evidence export from PLVL0102 | DOVB0101 |
| DOCS-VULN-29-001 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Vuln Explorer Guild | docs/modules/vuln-explorer | Publish `/docs/vuln/explorer-overview.md` covering domain model, identities, AOC guarantees, workflow summary. | Need GRAP0101 contract | DOVL0101 |
| DOCS-VULN-29-001 | DOING | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Vuln Explorer Guild | docs/modules/vuln-explorer | Publish `/docs/vuln/explorer-overview.md` covering domain model, identities, AOC guarantees, workflow summary. | Need GRAP0101 contract | DOVL0101 |
| DOCS-VULN-29-002 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Vuln Explorer Guild | docs/modules/vuln-explorer | Write `/docs/vuln/explorer-using-console.md` with workflows, screenshots, keyboard shortcuts, saved views, deep links. Dependencies: DOCS-VULN-29-001. | Depends on #1 | DOVL0101 |
| DOCS-VULN-29-003 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · UI Guild | docs/modules/vuln-explorer | Author `/docs/vuln/explorer-api.md` (endpoints, query schema, grouping, errors, rate limits). Dependencies: DOCS-VULN-29-002. | Requires UI assets | DOVL0101 |
| DOCS-VULN-29-004 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Policy Guild | docs/modules/vuln-explorer | Publish `/docs/vuln/explorer-cli.md` with command reference, samples, exit codes, CI snippets. Dependencies: DOCS-VULN-29-003. | Needs policy overlay inputs | DOVL0101 |
@@ -3875,13 +3875,13 @@
| SCANNER-ANALYZERS-RUBY-28-010 | TODO | | SPRINT_135_scanner_surface | Ruby Analyzer Guild, Signals Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby) | src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby | Optional runtime evidence integration (if provided logs/metrics) with path hashing, without altering static precedence. | SCANNER-ANALYZERS-RUBY-28-009 | |
| SCANNER-ANALYZERS-RUBY-28-011 | TODO | | SPRINT_135_scanner_surface | Ruby Analyzer Guild, DevOps Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby) | src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby | Package analyzer plug-in, add CLI (`stella ruby inspect`), refresh Offline Kit documentation. | SCANNER-ANALYZERS-RUBY-28-010 | |
| SCANNER-ANALYZERS-RUBY-28-012 | TODO | | SPRINT_135_scanner_surface | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby) | src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby | Policy signal emitter: rubygems drift, native extension flags, dangerous constructs counts, TLS verify posture, dynamic require eval warnings. | SCANNER-ANALYZERS-RUBY-28-011 | |
| SCANNER-BENCH-62-002 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Product Guild (docs) | | | | |
| SCANNER-BENCH-62-003 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Product Guild (docs) | | | | |
| SCANNER-BENCH-62-004 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Java Analyzer Guild (docs) | | | | |
| SCANNER-BENCH-62-005 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Go Analyzer Guild (docs) | | | | |
| SCANNER-BENCH-62-006 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Rust Analyzer Guild (docs) | | | | |
| SCANNER-BENCH-62-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, EntryTrace Guild (docs) | | | | |
| SCANNER-BENCH-62-009 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Policy Guild (docs) | | | | |
| SCANNER-BENCH-62-002 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Product Guild (docs) | | | | |
| SCANNER-BENCH-62-003 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Product Guild (docs) | | | | |
| SCANNER-BENCH-62-004 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Java Analyzer Guild (docs) | | | | |
| SCANNER-BENCH-62-005 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Go Analyzer Guild (docs) | | | | |
| SCANNER-BENCH-62-006 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Rust Analyzer Guild (docs) | | | | |
| SCANNER-BENCH-62-008 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, EntryTrace Guild (docs) | | | | |
| SCANNER-BENCH-62-009 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Policy Guild (docs) | | | | |
| SCANNER-CLI-0001 | DONE | 2025-11-10 | SPRINT_0138_0000_0001_scanner_ruby_parity | CLI Guild, Ruby Analyzer Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Coordinate CLI UX/help text for new Ruby verbs and update CLI docs/golden outputs. | SCANNER-ENG-0019 | |
| SCANNER-DET-01 | DONE (2025-12-03) | 2025-12-03 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Scanner Guild | | Deterministic compose fixtures landed; docs published. | |
| SCANNER-DOCS-0003 | TODO | | SPRINT_327_docs_modules_scanner | Docs Guild, Product Guild (docs/modules/scanner) | docs/modules/scanner | Gather Windows/macOS analyzer demand signals and record findings in `docs/benchmarks/scanner/windows-macos-demand.md` for marketing + product readiness. | | |
@@ -4025,7 +4025,7 @@
| SIG-26-005 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild, UI Guild (docs) | | | | |
| SIG-26-006 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild, DevEx/CLI Guild (docs) | | | | |
| SIG-26-007 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild, BE-Base Platform Guild (docs) | | | | |
| SIG-26-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, DevOps Guild (docs) | | | | |
| SIG-26-008 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, DevOps Guild (docs) | | | | |
| SIG-STORE-401-016 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Signals Guild · BE-Base Platform Guild (`src/Signals/StellaOps.Signals`, `src/__Libraries/StellaOps.Replay.Core`) | `src/Signals/StellaOps.Signals`, `src/__Libraries/StellaOps.Replay.Core` | Introduce shared reachability store collections (`func_nodes`, `call_edges`, `cve_func_hits`), indexes, and repository APIs so Scanner/Signals/Policy can reuse canonical function data. | | |
| SIGN-CORE-186-004 | DONE | 2025-11-26 | SPRINT_186_record_deterministic_execution | Signing Guild | `src/Signer/StellaOps.Signer`, `src/__Libraries/StellaOps.Cryptography` | Replace the HMAC demo implementation in `StellaOps.Signer` with StellaOps.Cryptography providers (keyless + KMS), including provider selection, key material loading, and cosign-compatible DSSE signature output. | Mirrors #1 | SIGR0101 |
| SIGN-CORE-186-005 | DONE | 2025-11-26 | SPRINT_186_record_deterministic_execution | Signing Guild | `src/Signer/StellaOps.Signer.Core` | Refactor `SignerStatementBuilder` to support StellaOps predicate types (e.g., `stella.ops/promotion@v1`) and delegate payload canonicalisation to the Provenance library once available. | Mirrors #2 | SIGR0101 |
@@ -4161,7 +4161,7 @@
| TEN-48-001 | TODO | | SPRINT_115_concelier_iv | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) | src/Concelier/__Libraries/StellaOps.Concelier.Core | | | |
| TEN-49-001 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
| TEST-186-006 | TODO | | SPRINT_186_record_deterministic_execution | Signing Guild, QA Guild (`src/Signer/StellaOps.Signer.Tests`) | `src/Signer/StellaOps.Signer.Tests` | | | |
| TEST-62-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Contract Testing Guild (docs) | | | | |
| TEST-62-001 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Contract Testing Guild (docs) | | | | |
| TIME-57-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | | PROGRAM-STAFF-1001 | |
| TIME-57-002 | TODO | | SPRINT_510_airgap | Exporter Guild · AirGap Time Guild · CLI Guild | src/AirGap/StellaOps.AirGap.Time | PROGRAM-STAFF-1001 | PROGRAM-STAFF-1001 | AGTM0101 |
| TIME-58-001 | TODO | | SPRINT_510_airgap | AirGap Time Guild | src/AirGap/StellaOps.AirGap.Time | AIRGAP-TIME-58-001 | AIRGAP-TIME-58-001 | AGTM0101 |
@@ -4211,11 +4211,11 @@
| VEX-30-002 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
| VEX-30-003 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
| VEX-30-004 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
| VEX-30-005 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Console Guild (docs) | | | | |
| VEX-30-006 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Policy Guild (docs) | | | | DOVX0101 |
| VEX-30-007 | TODO | | SPRINT_216_web_v | BE-Base Platform Guild, VEX Lens Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | | | DOVX0101 |
| VEX-30-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Security Guild (docs) | | | | DOVX0101 |
| VEX-30-009 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, DevOps Guild (docs) | | | | DOVX0101 |
| VEX-30-005 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Console Guild (docs) | | | | |
| VEX-30-006 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Policy Guild (docs) | | | | DOVX0101 |
| VEX-30-007 | BLOCKED | | SPRINT_216_web_v | BE-Base Platform Guild, VEX Lens Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | | | DOVX0101 |
| VEX-30-008 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Security Guild (docs) | | | | DOVX0101 |
| VEX-30-009 | DOING | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, DevOps Guild (docs) | | | | DOVX0101 |
| VEX-401-006 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy`) | `src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy` | | | DOVX0101 |
| VEX-401-010 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild (`src/Policy/StellaOps.Policy.Engine/Vex`, `docs/modules/policy/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | `src/Policy/StellaOps.Policy.Engine/Vex`, `docs/modules/policy/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md` | | | DOVX0101 |
| VEX-401-011 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | verify | | | | DOVX0101 |

25
docs/migration/enable-reachability.md Normal file
View File

@@ -0,0 +1,25 @@
# Enable Reachability — Draft Skeleton (2025-12-05 UTC)
Status: draft placeholder. Inputs pending: DOCS-SIG-26-007, notifications hooks (058_NOTY0101), rollout telemetry contract.
## Purpose
- Describe why reachability is being enabled and expected outcomes.
## Rollout Phases
- Phase 0: prerequisites (feature flags, config keys).
- Phase 1: limited tenants / canaries.
- Phase 2: org-wide rollout with monitoring gates.
## Fallbacks
- How to disable/revert; config toggles; cache/queue drains.
## Monitoring & Alerts
- Metrics to watch (ingest lag, signal volume, error ratios).
- Alert thresholds and runbooks (link when available).
## Controls & Policy
- Imposed rule reminder; RBAC/tenant scope considerations.
## Open TODOs
- Fill concrete config keys and examples when DOCS-SIG-26-007 lands.
- Add notification hook wiring details from 058_NOTY0101.

18
docs/modules/cli/guides/authentication.md Normal file
View File

@@ -0,0 +1,18 @@
# CLI Authentication — Draft Skeleton (2025-12-05 UTC)
Status: draft placeholder. Inputs pending: DVDO0110 env vars, token formats, monitoring plan.
## Supported Flows
- Device/code, PAT, workload identity (to confirm).
## Configuration
- Env vars and flags (to be filled once finalized).
## Multi-Tenant Considerations
- Scope selection and defaults.
## Troubleshooting
- Common errors; log paths; retry/backoff guidance.
## Open TODOs
- Insert definitive env var list and examples when available.

15
docs/modules/cli/guides/reachability.md Normal file
View File

@@ -0,0 +1,15 @@
# CLI Reachability Guide (outline)
## Pending Inputs
- See sprint SPRINT_0309_0001_0009_docs_tasks_md_ix action tracker; inputs due 2025-12-09..12 from owning guilds.
## Determinism Checklist
- [ ] Hash any inbound assets/payloads; place sums alongside artifacts (e.g., SHA256SUMS in this folder).
- [ ] Keep examples offline-friendly and deterministic (fixed seeds, pinned versions, stable ordering).
- [ ] Note source/approver for any provided captures or schemas.
## Sections to fill (once inputs arrive)
- Command reference (new reachability commands).
- Automation recipes/CI snippets.
- Exit codes and error handling.
- Sample outputs with hashes for fixtures.

17
docs/modules/cli/guides/risk.md Normal file
View File

@@ -0,0 +1,17 @@
# CLI Risk Workflows (outline)
- TBD pending risk API + UI flows; include commands, exit codes, automation recipes.
## Pending Inputs
- See sprint SPRINT_0309_0001_0009_docs_tasks_md_ix action tracker; inputs due 2025-12-09..12 from owning guilds.
## Determinism Checklist
- [ ] Hash any inbound assets/payloads; place sums alongside artifacts (e.g., SHA256SUMS in this folder).
- [ ] Keep examples offline-friendly and deterministic (fixed seeds, pinned versions, stable ordering).
- [ ] Note source/approver for any provided captures or schemas.
## Sections to fill (once inputs arrive)
- Command reference (risk create/simulate/export/verify).
- Exit codes and error semantics.
- Automation/CI recipes.
- Sample inputs/outputs (hashes alongside artifacts).

15
docs/modules/scanner/benchmarks/entrytrace-heuristics.md Normal file
View File

@@ -0,0 +1,15 @@
# EntryTrace Heuristics Maintenance — Draft Skeleton (2025-12-05 UTC)
Status: draft placeholder. Inputs pending: replay hooks (RPRC0101).
## Purpose
- Explain EntryTrace heuristics and maintenance cycles.
## Heuristic Catalog
- Placeholder for rules with owners and review cadence.
## Operations
- How to update heuristics safely; replay/validation steps.
## Open TODOs
- Add concrete heuristics and replay examples when hooks arrive.

12
docs/modules/scanner/benchmarks/go-stripped-binaries.md Normal file
View File

@@ -0,0 +1,12 @@
# Go Stripped Binaries — Draft Skeleton (2025-12-05 UTC)
Status: draft placeholder. Inputs pending: Go analyzer results.
## Fallback Enrichment
- Techniques to enrich stripped Go binaries (to fill).
## Policy Guidance
- When to accept fallback; how to flag low-confidence matches.
## Open TODOs
- Add enrichment recipes and examples once analyzer outputs land.

15
docs/modules/scanner/benchmarks/java-lockfiles.md Normal file
View File

@@ -0,0 +1,15 @@
# Java Lockfile Ingestion — Draft Skeleton (2025-12-05 UTC)
Status: draft placeholder. Inputs pending: Java analyzer notes.
## Lockfile Types
- Maven/Gradle variants (to fill).
## Ingestion Guidance
- Normalization, version conflict handling.
## Policy Templates
- Sample allow/deny templates (placeholder).
## Open TODOs
- Add concrete examples and ingestion steps from analyzer notes.

12
docs/modules/scanner/benchmarks/python-lockfiles.md Normal file
View File

@@ -0,0 +1,12 @@
# Python Lockfiles & Editable Installs — Draft Skeleton (2025-12-05 UTC)
Status: draft placeholder. Depends on outcomes from Windows/macOS coverage (task 3) and Python analyzer guidance.
## Lockfile Handling
- Pip/Poetry/UV constraints; editable installs; markers (to fill).
## Policy Guidance
- What to enforce/allow; sample policy snippets.
## Open TODOs
- Insert concrete lockfile examples and policies once inputs arrive.

15
docs/modules/scanner/benchmarks/rust-fingerprint-enrichment.md Normal file
View File

@@ -0,0 +1,15 @@
# Rust Fingerprint Enrichment — Draft Skeleton (2025-12-05 UTC)
Status: draft placeholder. Inputs pending: SCSA0601 updated benchmarks.
## Fingerprint Sources
- Cargo metadata, debug info, symbol hashes (to fill).
## Enrichment Steps
- Mapping fingerprints to crates/versions; confidence scoring.
## Policy Examples
- Sample allow/deny/waiver patterns (placeholder).
## Open TODOs
- Add concrete examples from updated benchmarks.

12
docs/modules/scanner/benchmarks/sast-integration.md Normal file
View File

@@ -0,0 +1,12 @@
# SAST Integration — Draft Skeleton (2025-12-05 UTC)
Status: draft placeholder. Inputs pending: CLI samples (132_CLCI0110).
## Connector Framework
- How SAST connectors plug into scanner pipeline (to fill).
## Policy Templates
- Placeholder for SAST-specific policy examples.
## Open TODOs
- Add sample configs and flows once CLI samples are available.

15
docs/modules/scanner/benchmarks/windows-macos-coverage.md Normal file
View File

@@ -0,0 +1,15 @@
# Windows/macOS Analyzer Coverage — Draft Skeleton (2025-12-05 UTC)
Status: draft placeholder. Inputs pending: SCSA0301 customer demand signals.
## Demand Signals
- Customers requesting Windows/macOS analyzer coverage (to fill with SCSA0301 data).
## Coverage Plan
- Supported OS versions/builds; exclusions; offline posture.
## Rollout & Monitoring
- Enablement steps; metrics to watch.
## Open TODOs
- Add quantified demand, target milestones, and acceptance criteria once inputs land.

24
docs/modules/scanner/scanner-engine.md Normal file
View File

@@ -0,0 +1,24 @@
# Scanner Engine Surface FS/Env/Secrets — Draft Skeleton (2025-12-05 UTC)
Status: draft placeholder. Inputs pending: SCANNER-SURFACE-04 emit notes, Zastava/Scheduler bindings, Ops runbook hooks.
## Workflow Overview
- Surface.FS, Surface.Env, Surface.Secrets capture points.
- How Scanner orchestrates surface capture across jobs.
## Data Flow
- Scanner -> Zastava (signals/alerts pipeline).
- Scanner -> Scheduler (job orchestration, retries, back-pressure).
- Storage/retention expectations.
## Policies & Safety Rails
- Redaction rules, scope boundaries, tenant isolation.
- Determinism/offline posture considerations.
## Operations
- How to enable/disable surface capture per tenant/workspace.
- Observability: metrics, logs, traces to watch.
## Open TODOs
- Insert concrete emit schemas and example payloads when SCANNER-SURFACE-04 lands.
- Add sequencing diagrams per module dossier once available.

42
docs/modules/signals/evidence/README.md
View File

@@ -1,6 +1,6 @@
# Signals DSSE Evidence Staging (runtime/signals gaps)
Artifacts prepared 2025-12-01 (UTC) for DSSE signing and Evidence Locker ingest:
Artifacts prepared 2025-12-05 (UTC) for DSSE signing and Evidence Locker ingest:
| Artifact | Path | Predicate |
|----------|------|-----------|
@@ -53,21 +53,49 @@ For production signing without CI:
```bash
# Option 1: Place key file
cp /path/to/production.key tools/cosign/cosign.key
OUT_DIR=evidence-locker/signals/2025-12-01 tools/cosign/sign-signals.sh
OUT_DIR=evidence-locker/signals/2025-12-05 tools/cosign/sign-signals.sh
# Option 2: Use base64 env var
export COSIGN_PRIVATE_KEY_B64=$(cat production.key | base64 -w0)
export COSIGN_PASSWORD=your-password
OUT_DIR=evidence-locker/signals/2025-12-01 tools/cosign/sign-signals.sh
OUT_DIR=evidence-locker/signals/2025-12-05 tools/cosign/sign-signals.sh
```
## Evidence Locker Paths
Post-signing, artifacts go to:
- `evidence-locker/signals/2025-12-01/confidence_decay_config.sigstore.json`
- `evidence-locker/signals/2025-12-01/unknowns_scoring_manifest.sigstore.json`
- `evidence-locker/signals/2025-12-01/heuristics_catalog.sigstore.json`
- `evidence-locker/signals/2025-12-01/SHA256SUMS`
- `evidence-locker/signals/2025-12-05/confidence_decay_config.sigstore.json`
- `evidence-locker/signals/2025-12-05/unknowns_scoring_manifest.sigstore.json`
- `evidence-locker/signals/2025-12-05/heuristics_catalog.sigstore.json`
- `evidence-locker/signals/2025-12-05/SHA256SUMS`
Deterministic tarball (dev-key signing 2025-12-05) for locker push/testing:
```
evidence-locker/signals/2025-12-05/signals-evidence.tar sha256=a17910b8e90aaf44d4546057db22cdc791105dd41feb14f0c9b7c8bac5392e0d
```
Verification helper:
```
./tools/signals-verify-evidence-tar.sh [path/to/signals-evidence.tar]
```
Local locker upload (once creds are available):
```bash
export EVIDENCE_LOCKER_URL="<locker-base-url>"
export CI_EVIDENCE_LOCKER_TOKEN="<token>"
./tools/signals-upload-evidence.sh
# or to push both Signals and Zastava in one go
./tools/upload-all-evidence.sh
```
CI upload path:
- Workflow: `.gitea/workflows/signals-evidence-locker.yml`
- Secrets required: `CI_EVIDENCE_LOCKER_TOKEN`, `EVIDENCE_LOCKER_URL`
- Artifact name: `signals-evidence-2025-12-05`
- Retention input (optional): `retention_target` (default 180 days)
## Post-Signing Checklist

2
docs/modules/taskrunner/architecture.md
View File

@@ -83,7 +83,7 @@
```
## 12. Gap Remediation (TP1TP10, 2025-12)
- **Canonical plan hash (TP1):** Plan hash is `sha256` over `plan.canonicalPlanPath` (normalized JSON, stable key ordering, UTF-8). Hash and canonical plan file are shipped in offline bundles and verified by `scripts/packs/verify_offline_bundle.py`.
- **Canonical plan hash (TP1):** Plan hash is `sha256:<64-hex>` over `plan.canonicalPlanPath` (normalized JSON, stable key ordering, UTF-8). Hash and canonical plan file are shipped in offline bundles and verified by `scripts/packs/verify_offline_bundle.py`.
- **Inputs lock (TP2):** Task Runner emits `inputs.lock` capturing resolved inputs + redacted secret placeholders; stored in evidence bundles and listed under `hashes[]` in offline manifests.
- **Approval ledger (TP3):** Approval decisions are DSSE-signed, embedding `runId`, `gateId`, `planHash`, and `tenantId`. Approval endpoints reject mismatched plan hashes or missing DSSE envelopes.
- **Secret redaction (TP4):** Evidence/transcripts apply the redaction policy referenced in `security.secretsRedactionPolicy`; secrets are hashed or blanked, never logged in clear text.

2
docs/modules/zastava/SHA256SUMS
View File

@@ -14,4 +14,4 @@ de9b24675a0a758e40647844a31a13a1be1667750a39fe59465b0353fd0dddd9 exports/observ
f69f953c78134ef504b870cea47ba62d5e37a7a86ec0043d824dcb6073cd43fb kit/verify.sh
1cf8f0448881d067e5e001a1dfe9734b4cdfcaaf16c3e9a7321ceae56e4af8f2 kit/README.md
eaba054428fa72cd9476cffe7a94450e4345ffe2e294e9079eb7c3703bcf7df0 kit/ed25519.pub
40a40b31480d876cf4487d07ca8d8b5166c7df455bef234e2c1861b7b3dc7e3b evidence/README.md
ffe919a8b96619c1c5cf5bb8f7a7a61b61984d0f97802c131cf66e182f2d705f evidence/README.md

22
docs/modules/zastava/evidence/README.md
View File

@@ -23,11 +23,33 @@ Public key copy: `docs/modules/zastava/kit/ed25519.pub`.
Local staging: all files above are present under `evidence-locker/zastava/2025-12-02/` in the repo root, ready for locker upload/mirroring.
Deterministic tarball (built with `tar --sort=name --mtime='UTC 1970-01-01' --owner=0 --group=0 --numeric-owner` over payloads + DSSE):
```
evidence-locker/zastava/2025-12-02/zastava-evidence.tar sha256=e1d67424273828c48e9bf5b495a96c2ebcaf1ef2c308f60d8b9c62b8a1b735ae
```
Verification helper (uses the hash above and inner SHA256SUMS):
```
./tools/zastava-verify-evidence-tar.sh [path/to/zastava-evidence.tar]
```
Upload (once locker creds exist):
```bash
export EVIDENCE_LOCKER_URL="<locker-base-url>"
export CI_EVIDENCE_LOCKER_TOKEN="<token>"
./tools/upload-all-evidence.sh # pushes both Zastava and Signals bundles
```
Helper script for manual push (expects `EVIDENCE_LOCKER_URL` and `CI_EVIDENCE_LOCKER_TOKEN`):
```bash
tools/zastava-upload-evidence.sh
```
Packaging is deterministic (`tar --sort=name --mtime='UTC 1970-01-01' --owner=0 --group=0 --numeric-owner`) and prints the tarball SHA256 before upload. Ensure `kit/verify.sh` passes before pushing.
## CI delivery note
- Locker upload in CI requires a write credential (e.g., `CI_EVIDENCE_LOCKER_TOKEN`) with access to the `evidence-locker/zastava/` namespace.
- If the secret is absent, perform a manual upload from the staged folder and record the locker URI in the sprint log.

23
docs/observability/vuln-telemetry.md Normal file
View File

@@ -0,0 +1,23 @@
# Vuln Telemetry (Md.XI draft)
> Status: DRAFT — waiting on DevOps telemetry plan and GRAP0101. Keep TODO until metrics/logs finalized and hashed.
## Scope
- Metrics, logs, tracing, dashboards, SLOs for Vuln Explorer.
## Dependencies
- DevOps telemetry plan (due 2025-12-16 sync).
- GRAP0101 identifiers for labels.
## Outline
- Metrics: findings_open_total, mttr, triage_actions, report_generation_seconds.
- Logs: structured fields (findingId, artifactId, advisory, policyVersion, actor, actionType).
- Traces: key spans; sampling guidance.
- Dashboards: to be added with hashes.
### Hash Capture Checklist (when telemetry plan arrives)
- `assets/vuln-explorer/metrics-sample.json` (scrape example)
- `assets/vuln-explorer/logs-sample.jsonl` (structured log snippet)
- `assets/vuln-explorer/traces-sample.json` (span export)
- `assets/vuln-explorer/dashboard.json` (dashboard export)
_Last updated: 2025-12-05 (UTC)_

12
docs/onboarding/contribution-checklist.md Normal file
View File

@@ -0,0 +1,12 @@
# Contribution Checklist (Stub)
Use with ONBOARD-GAPS-300-015.
- [ ] Confirm `docs:` trailer in commits (value or `docs: n/a`).
- [ ] Run `dotnet test --blame-crash --blame-hang --results-directory artifacts/test-results`.
- [ ] Keep seeds fixed (default 1337) and `TZ=UTC` when running tests.
- [ ] Update or create `inputs.lock` when adding fixtures or acceptance packs.
- [ ] For DSSE changes: include signer IDs and offline verification steps.
- [ ] Secret handling: no secrets in repo; use `.env.sample` patterns.
- [ ] Rekor/mirror workflow: prefer mirrored bundle; never live-log in CI.
- [ ] Cross-link docs changes in sprint/AGENTS when applicable.

33
docs/onboarding/dev-quickstart.md
View File

@@ -18,6 +18,13 @@ Core concepts:
- **Trust lattice:** Merges vendor VEX, runtime signals, configs, etc. into a single deterministic verdict.
- **Audit trail:** Every decision is reproducible from stored inputs and proofs.
**Offline/determinism essentials (read first):**
- Install from the curated offline kit (no network); pin SDK + tool versions in `inputs.lock`.
- Use DSSE-signed configs and keep signing keys in offline `~/.stellaops/keys` with short-lived tokens.
- Run `dotnet format` / `dotnet test` with `--blame-crash --blame-hang` using fixed seeds (`Random(1337)`) to avoid flakiness.
- Capture DB/queue matrix upfront: MongoDB (pinned version), optional Postgres slices, and local cache paths; set `TZ=UTC` for all runs.
If you think “content-addressed trust pipeline for SBOMs + VEX,” youre in the right mental model.
---
@@ -39,6 +46,32 @@ Start by opening these projects **in order**:
6. `src/StellaOps.Shared/CanonicalModel/`
Canonical entities & graph IDs. **Read this carefully** it underpins determinism.
Starter issues to grab on day 1 (all offline-friendly):
- Add DSSE verification to a small CLI path (`stella verify --local-only`).
- Extend `inputs.lock` examples with a pinned scanner/DB matrix.
- Write a deterministic unit test for canonical ID ordering.
- Improve `docs/` cross-links (Developer Quickstart ↔ platform architecture) and ensure `docs:` trailer appears in commits.
UI note: Console remains in flux; focus on backend determinism first, then follow UI sprints 0209/0215 for micro-interactions and proof-linked VEX updates.
## 3. Environment & DB matrix
- MongoDB: 6.0.12 (pin in `inputs.lock`).
- Optional Postgres slices: see sprint 340x series; keep read-only in dev until instructed.
- Offline feeds: `offline-cache-2025-11-30` (scanner, advisories, VEX).
- Timezone: `TZ=UTC` for all tests and tooling.
## 4. Secrets & signing
- Store short-lived signing keys in `~/.stellaops/keys` (gitignored); never commit secrets.
- Use DSSE for pack manifests and fixtures; include signer IDs.
- For Rekor: use mirrored bundle (no live log writes); verify receipts offline.
## 5. Contribution checklist
See `docs/onboarding/contribution-checklist.md` for the minimal gates (docs trailer, seeds, inputs.lock, DSSE, secrets).
Helpful docs:
- `docs/modules/platform/*` protocols (DSSE envelopes, lattice terms, trust receipts).

Some files were not shown because too many files have changed in this diff Show More