# SPRINT_3500 Summary — All Sprints Quick Reference **Epic**: Deeper Moat Beyond Reachability **Total Duration**: 20 weeks (10 sprints) **Status**: PLANNING --- ## Sprint Overview | Sprint ID | Topic | Duration | Status | Key Deliverables | |-----------|-------|----------|--------|------------------| | **3500.0001.0001** | **Master Plan** | — | TODO | Overall planning, prerequisites, risk assessment | | **3500.0002.0001** | Score Proofs Foundations | 2 weeks | TODO | Canonical JSON, DSSE, ProofLedger, DB schema | | **3500.0002.0002** | Unknowns Registry v1 | 2 weeks | TODO | 2-factor ranking, band assignment, escalation API | | **3500.0002.0003** | Proof Replay + API | 2 weeks | TODO | POST /scans, GET /manifest, POST /score/replay | | **3500.0003.0001** | Reachability .NET Foundations | 2 weeks | TODO | Roslyn call-graph, BFS algorithm, entrypoint discovery | | **3500.0003.0002** | Reachability Java Integration | 2 weeks | TODO | Soot/WALA call-graph, Spring Boot entrypoints | | **3500.0003.0003** | Graph Attestations + Rekor | 2 weeks | TODO | DSSE graph signing, Rekor integration, budget policy | | **3500.0004.0001** | CLI Verbs + Offline Bundles | 2 weeks | TODO | `stella score`, `stella graph`, offline kit extensions | | **3500.0004.0002** | UI Components + Visualization | 2 weeks | TODO | Proof ledger view, unknowns queue, explain widgets | | **3500.0004.0003** | Integration Tests + Corpus | 2 weeks | TODO | Golden corpus, end-to-end tests, CI gates | | **3500.0004.0004** | Documentation + Handoff | 2 weeks | TODO | Runbooks, API docs, training materials | --- ## Epic A: Score Proofs (Sprints 3500.0002.0001–0003) ### Sprint 3500.0002.0001: Foundations **Owner**: Scanner Team + Policy Team **Deliverables**: - [ ] Canonical JSON library (`StellaOps.Canonical.Json`) - [ ] Scan Manifest model (`ScanManifest.cs`) - [ ] DSSE envelope implementation (`StellaOps.Attestor.Dsse`) - [ ] ProofLedger with node hashing (`StellaOps.Policy.Scoring`) - [ ] Database schema: `scanner.scan_manifest`, `scanner.proof_bundle` - [ ] Proof Bundle Writer **Tests**: Unit tests ≥85% coverage, integration test for full pipeline **Documentation**: See `SPRINT_3500_0002_0001_score_proofs_foundations.md` (DETAILED) --- ### Sprint 3500.0002.0002: Unknowns Registry **Owner**: Policy Team **Deliverables**: - [ ] `policy.unknowns` table (2-factor ranking model) - [ ] `UnknownRanker.Rank(...)` — Deterministic ranking function - [ ] Band assignment (HOT/WARM/COLD) - [ ] API: `GET /unknowns`, `POST /unknowns/{id}/escalate` - [ ] Scheduler integration: rescan on escalation **Tests**: Ranking determinism tests, band threshold tests **Documentation**: - `docs/db/schemas/policy_schema_specification.md` - `docs/api/scanner-score-proofs-api.md` (Unknowns endpoints) --- ### Sprint 3500.0002.0003: Replay + API **Owner**: Scanner Team **Deliverables**: - [ ] API: `POST /api/v1/scanner/scans` - [ ] API: `GET /api/v1/scanner/scans/{id}/manifest` - [ ] API: `POST /api/v1/scanner/scans/{id}/score/replay` - [ ] API: `GET /api/v1/scanner/scans/{id}/proofs/{rootHash}` - [ ] Idempotency via `Content-Digest` headers - [ ] Rate limiting (100 req/hr per tenant for POST endpoints) **Tests**: API integration tests, idempotency tests, error handling tests **Documentation**: - `docs/api/scanner-score-proofs-api.md` (COMPREHENSIVE) - OpenAPI spec update: `src/Api/StellaOps.Api.OpenApi/scanner/openapi.yaml` --- ## Epic B: Reachability (Sprints 3500.0003.0001–0003) ### Sprint 3500.0003.0001: .NET Reachability **Owner**: Scanner Team **Deliverables**: - [ ] Roslyn-based call-graph extractor (`DotNetCallGraphExtractor.cs`) - [ ] IL-based node ID computation - [ ] ASP.NET Core entrypoint discovery (controllers, minimal APIs, hosted services) - [ ] `CallGraph.v1.json` schema implementation - [ ] BFS reachability algorithm (`ReachabilityAnalyzer.cs`) - [ ] Database schema: `scanner.cg_node`, `scanner.cg_edge`, `scanner.entrypoint` **Tests**: Call-graph extraction tests, BFS tests, entrypoint detection tests **Documentation**: - `src/Scanner/AGENTS_SCORE_PROOFS.md` (Task 3.1, 3.2) (DETAILED) - `docs/db/schemas/scanner_schema_specification.md` - `docs/product-advisories/14-Dec-2025 - Reachability Analysis Technical Reference.md` --- ### Sprint 3500.0003.0002: Java Reachability **Owner**: Scanner Team **Deliverables**: - [ ] Soot/WALA-based call-graph extractor (`JavaCallGraphExtractor.cs`) - [ ] Spring Boot entrypoint discovery (`@RestController`, `@RequestMapping`) - [ ] JAR node ID computation (class file hash + method signature) - [ ] Integration with `CallGraph.v1.json` schema - [ ] Reachability analysis for Java artifacts **Tests**: Java call-graph extraction tests, Spring Boot entrypoint tests **Prerequisite**: Java worker POC with Soot/WALA (must complete before sprint starts) **Documentation**: - `docs/dev/java-call-graph-extractor-spec.md` (to be created) - `src/Scanner/AGENTS_JAVA_REACHABILITY.md` (to be created) --- ### Sprint 3500.0003.0003: Graph Attestations **Owner**: Attestor Team + Scanner Team **Deliverables**: - [ ] Graph-level DSSE attestation (one per scan) - [ ] Rekor integration: `POST /rekor/entries` - [ ] Rekor budget policy: graph-only by default, edge bundles on escalation - [ ] API: `POST /api/v1/scanner/scans/{id}/callgraphs` (upload) - [ ] API: `POST /api/v1/scanner/scans/{id}/reachability/compute` - [ ] API: `GET /api/v1/scanner/scans/{id}/reachability/findings` - [ ] API: `GET /api/v1/scanner/scans/{id}/reachability/explain` **Tests**: DSSE signing tests, Rekor integration tests, API tests **Documentation**: - `docs/operations/rekor-policy.md` (budget policy) - `docs/api/scanner-score-proofs-api.md` (reachability endpoints) --- ## CLI & UI (Sprints 3500.0004.0001–0002) ### Sprint 3500.0004.0001: CLI Verbs **Owner**: CLI Team **Deliverables**: - [ ] `stella score replay --scan ` - [ ] `stella proof verify --bundle ` - [ ] `stella scan graph --lang dotnet|java --sln ` - [ ] `stella reachability explain --scan --cve ` - [ ] `stella unknowns list --band HOT` - [ ] Offline bundle extensions: `/offline/reachability/`, `/offline/corpus/` **Tests**: CLI E2E tests, offline bundle verification tests **Documentation**: - `docs/09_API_CLI_REFERENCE.md` (update with new verbs) - `docs/24_OFFLINE_KIT.md` (reachability bundle format) --- ### Sprint 3500.0004.0002: UI Components **Owner**: UI Team **Deliverables**: - [ ] Proof ledger view (timeline visualization) - [ ] Unknowns queue (filterable, sortable) - [ ] Reachability explain widget (call-path visualization) - [ ] Score delta badges - [ ] "View Proof" button on finding cards **Tests**: UI component tests (Jest/Cypress) **Prerequisite**: UX wireframes delivered by Product team **Documentation**: - `docs/dev/ui-proof-visualization-spec.md` (to be created) --- ## Testing & Handoff (Sprints 3500.0004.0003–0004) ### Sprint 3500.0004.0003: Integration Tests + Corpus **Owner**: QA + Scanner Team **Deliverables**: - [ ] Golden corpus: 10 .NET + 10 Java test cases - [ ] End-to-end tests: SBOM → scan → proof → replay → verify - [ ] CI gates: precision/recall ≥80%, deterministic replay 100% - [ ] Load tests: 10k scans/day without degradation - [ ] Air-gap verification tests **Tests**: All integration tests passing, corpus CI green **Documentation**: - `docs/testing/golden-corpus-spec.md` (to be created) - `docs/testing/integration-test-plan.md` --- ### Sprint 3500.0004.0004: Documentation + Handoff **Owner**: Docs Guild + All Teams **Deliverables**: - [ ] Runbooks: `docs/operations/score-proofs-runbook.md` - [ ] Runbooks: `docs/operations/reachability-troubleshooting.md` - [ ] API documentation published - [ ] Training materials for support team - [ ] Competitive battlecard updated - [ ] Claims index updated: DET-004, REACH-003, PROOF-001, UNKNOWNS-001 **Tests**: Documentation review by 3+ stakeholders **Documentation**: - All docs in `docs/` reviewed and published --- ## Dependencies ```mermaid graph TD A[3500.0001.0001 Master Plan] --> B[3500.0002.0001 Foundations] B --> C[3500.0002.0002 Unknowns] C --> D[3500.0002.0003 Replay API] D --> E[3500.0003.0001 .NET Reachability] E --> F[3500.0003.0002 Java Reachability] F --> G[3500.0003.0003 Attestations] G --> H[3500.0004.0001 CLI] G --> I[3500.0004.0002 UI] H --> J[3500.0004.0003 Tests] I --> J J --> K[3500.0004.0004 Docs] ``` --- ## Success Metrics ### Technical Metrics - **Determinism**: 100% bit-identical replay on golden corpus ✅ - **Performance**: TTFRP <30s for 100k LOC (p95) ✅ - **Accuracy**: Precision/recall ≥80% on ground-truth corpus ✅ - **Scalability**: 10k scans/day without Postgres degradation ✅ - **Air-gap**: 100% offline bundle verification success ✅ ### Business Metrics - **Competitive wins**: ≥3 deals citing deterministic replay (6 months) 🎯 - **Customer adoption**: ≥20% of enterprise customers enable score proofs (12 months) 🎯 - **Support escalations**: <5 Rekor/attestation issues per month 🎯 --- ## Quick Links **Sprint Files**: - [SPRINT_3500_0001_0001 - Master Plan](SPRINT_3500_0001_0001_deeper_moat_master.md) ⭐ START HERE - [SPRINT_3500_0002_0001 - Score Proofs Foundations](SPRINT_3500_0002_0001_score_proofs_foundations.md) ⭐ DETAILED **Documentation**: - [Scanner Schema Specification](../db/schemas/scanner_schema_specification.md) - [Scanner API Specification](../api/scanner-score-proofs-api.md) - [Scanner AGENTS Guide](../../src/Scanner/AGENTS_SCORE_PROOFS.md) ⭐ FOR AGENTS **Source Advisory**: - [16-Dec-2025 - Building a Deeper Moat Beyond Reachability](../product-advisories/unprocessed/16-Dec-2025 - Building a Deeper Moat Beyond Reachability.md) --- **Last Updated**: 2025-12-17 **Next Review**: Weekly during sprint execution