# Product Advisory Index

This index consolidates the November 2025 product advisories, identifying canonical documents and duplicates.

## Canonical Advisories (Active)

These are the authoritative advisories to reference for implementation:

### CVSS v4.0

- **Canonical:** `25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md`
- **Sprint:** SPRINT_0190_0001_0001_cvss_v4_receipts.md
- **Gaps:** `31-Nov-2025 FINDINGS.md` (CV1–CV10 remediation task CVSS-GAPS-190-013)
- **Timing/UI:** `01-Dec-2025 - Time-to-Evidence (TTE) Metric.md` (archived)
- **Status:** New sprint created

### CVSS v4.0 Momentum Briefing

- **Canonical:** `29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md`
- **Sprint:** SPRINT_0190_0001_0001_cvss_v4_receipts.md (context)
- **Related Docs:**
  - `docs/product-advisories/25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md` (implementation focus)
  - `docs/product-advisories/29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md` (this briefing)
- **Gaps:** `31-Nov-2025 FINDINGS.md` (CVM1–CVM10 remediation task CVSS-GAPS-190-014)
- **Status:** Summarises the industry adoption signals (NVD/GitHub/Microsoft/Snyk) and why Stella Ops should treat CVSS v4.0 as first-class now.

### SCA Failure Catalogue

- **Canonical:** `29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md`
- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker)
- **Related Docs:**
  - `docs/product-advisories/29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md` (this catalogue)
  - `docs/implplan/SPRINT_0300_0001_0001_documentation_process.md` (tracking sync)
- **Gaps:** `31-Nov-2025 FINDINGS.md` (FC1–FC10 remediation task SCA-FIXTURE-GAPS-300-014)
- **Status:** Captures five real-world regressions/SBOM gaps for Trivy/Syft/Grype/Snyk and frames test vectors + alarm scenarios for StellaOps acceptance suites.
### Acceptance Tests Pack & Guardrails

- **Canonical:** `29-Nov-2025 - Acceptance Tests Pack and Guardrails.md`
- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker)
- **Related Docs:**
  - `docs/product-advisories/29-Nov-2025 - Acceptance Tests Pack and Guardrails.md` (this briefing)
  - `docs/process/acceptance-guardrails-checklist.md`
- **Gaps:** `31-Nov-2025 FINDINGS.md` (AT1–AT10 remediation task AT-GAPS-300-012)
- **Status:** Defines deterministic, signed acceptance packs with replay parity checks and CI gating thresholds for admission/VEX/auth flows.

### Mid-Level .NET Onboarding (Quick Start)

- **Canonical:** `29-Nov-2025 - StellaOps – Mid-Level .NET Onboarding (Quick Start).md`
- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker)
- **Related Docs:**
  - `docs/onboarding/dev-quickstart.md` (to be updated)
  - `docs/modules/platform/architecture-overview.md`
- **Gaps:** `31-Nov-2025 FINDINGS.md` (OB1–OB10 remediation task ONBOARD-GAPS-300-015)
- **Status:** Onboarding brief for mid-level .NET devs; needs deterministic/offline/DSSE/secret-handling expansions and cross-links.

### Implementor Guidelines

- **Canonical:** `30-Nov-2025 - Implementor Guidelines for Stella Ops.md`
- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker)
- **Related Docs:**
  - `docs/product-advisories/30-Nov-2025 - Implementor Guidelines for Stella Ops.md` (this briefing)
  - `docs/05_SYSTEM_REQUIREMENTS_SPEC.md` / `docs/13_RELEASE_ENGINEERING_PLAYBOOK.md` (reference requirements)
- **Gaps:** `31-Nov-2025 FINDINGS.md` (IG1–IG10 remediation task IMPLEMENTOR-GAPS-300-018)
- **Status:** Operational checklist for contributors, plug-in authors, and implementors linking SRS/architecture to practical practices.
### Rekor Receipt Checklist

- **Canonical:** `30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md`
- **Sprint:** SPRINT_0314_0001_0001_docs_modules_authority.md
- **Related Docs:** Authority/Sbomer module docs; Rekor v2 / DSSE receipt schemas (to be published)
- **Gaps:** `31-Nov-2025 FINDINGS.md` (RR1–RR10 remediation task REKOR-RECEIPT-GAPS-314-005)
- **Status:** Needs signed/validated receipt schema/catalog, inclusion proof freshness policy, subject/policy binding, client provenance, TSA/time integrity, offline verifier, mirror snapshot rules, retention/observability, and tenant isolation.

### Standup Sprint Kickstarters

- **Canonical:** `30-Nov-2025 - Standup Sprint Kickstarters.md`
- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker)
- **Related Docs:** `docs/implplan/README.md` (sprint template)
- **Gaps:** `31-Nov-2025 FINDINGS.md` (SK1–SK10 remediation task STANDUP-GAPS-300-019)
- **Status:** Introduces ceremony primer but lacks template alignment, readiness evidence, dependency ledger, offline/async guidance, metrics/SLOs, and role/decision capture rules.

### UI Micro-Interactions

- **Canonical:** `30-Nov-2025 - UI Micro-Interactions for StellaOps.md`
- **Sprint:** SPRINT_0209_0001_0001_ui_i.md (UI I; share with UI II/III as needed)
- **Related Docs:** `docs/modules/ui/architecture.md`, Storybook token catalog (planned)
- **Gaps:** `31-Nov-2025 FINDINGS.md` (MI1–MI10 remediation task UI-MICRO-GAPS-0209-011)
- **Status:** Needs motion tokens, reduced-motion/a11y rules, perf budgets, offline/latency states, error/cancel patterns, component mapping, telemetry schema, deterministic tests/snapshots, micro-copy localisation, and theme/contrast guidance.
### Proof-Linked VEX UI (Not-Affected Proof Drawer)

- **Canonical:** Proof-linked VEX UI spec (chat-provided; to land as `docs/ui/proof-linked-vex.md`)
- **Sprint:** SPRINT_0215_0001_0001_vuln_triage_ux.md
- **Related Docs:** `docs/product-advisories/27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md`, `docs/product-advisories/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`, VexLens/Policy module docs
- **Gaps:** `31-Nov-2025 FINDINGS.md` (PVX1–PVX10 remediation task UI-PROOF-VEX-0215-010)
- **Status:** Drawer/badge pattern defined but missing scoped auth, cache/staleness policy, stronger integrity verification, failure/offline UX, evidence precedence rules, telemetry privacy schema, signed permalinks, revision reconciliation, and fixtures/tests.

### Time-to-Evidence (TTE) Metric

- **Canonical:** `01-Dec-2025 - Time-to-Evidence (TTE) Metric.md`
- **Sprint:** SPRINT_0215_0001_0001_vuln_triage_ux.md (UI) with telemetry alignment to SPRINT_0180_0001_0001_telemetry_core.md
- **Related Docs:** UI sprints 0209/0215, telemetry architecture docs
- **Gaps:** `31-Nov-2025 FINDINGS.md` (TTE1–TTE10 remediation task TTE-GAPS-0215-011)
- **Status:** Metric defined but needs event schema/versioning, proof eligibility rules, sampling/bot filters, per-surface SLO/error budgets, index/streaming requirements, offline-kit handling, alert/runbook, release gate, and a11y tests.

### Archived Advisories (15–23 Nov 2025)

- **Canonical:** `docs/product-advisories/archived/*.md` (embedded provenance events, function-level VEX explainability, binary reachability branches, SBOM-provenance spine, etc.)
- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (triage/decision)
- **Related Docs:** None current (need revival + canonicalization)
- **Gaps:** `31-Nov-2025 FINDINGS.md` (AR-EP1 … AR-VB1 remediation task ARCHIVED-GAPS-300-020)
- **Status:** Archived set lacks schemas, determinism rules, redaction/licensing, changelog/signing, and duplication resolution; needs triage on which to revive into active advisories.

### SBOM → VEX Proof Blueprint

- **Canonical:** `29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md`
- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker)
- **Related Docs:**
  - `docs/product-advisories/29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md` (itself)
  - `docs/modules/platform/architecture-overview.md` (platform dossier link)
- **Gaps:** `31-Nov-2025 FINDINGS.md` (BP1–BP10 remediation task SBOM-VEX-GAPS-300-013)
- **Status:** Diagram-first guide showing DSSE → Rekor v2 tiles → VEX linkage plus online/offline verification notes for StellaOps proofs.

### UI Micro-Interactions

- **Canonical:** `30-Nov-2025 - UI Micro-Interactions for StellaOps.md`
- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker)
- **Related Docs:**
  - `apps/console/src/app/shared/micro/`
  - `docs/product-advisories/30-Nov-2025 - UI Micro-Interactions for StellaOps.md`
- **Status:** Three Angular tasks covering audit trail reasons, low-noise VEX gating, and evidence provenance chips for air-gapped + online UX.
### Rekor Receipt Checklist

- **Canonical:** `30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md`
- **Sprint:** SPRINT_0314_0001_0001_docs_modules_authority.md (PRIMARY)
- **Related Docs:**
  - `docs/product-advisories/30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md`
  - `docs/modules/platform/architecture-overview.md`
- **Gaps:** `31-Nov-2025 FINDINGS.md` (RR1–RR10 remediation task REKOR-RECEIPT-GAPS-314-005)
- **Status:** Field-level ownership map for receipts, bundles, and offline metadata so Authority/Sbomer/Vexer keep deterministic proofs.

### Air-Gap Deployment Playbook

- **Canonical:** `25-Nov-2025 - Air-gap deployment playbook for StellaOps.md`
- **Sprint:** SPRINT_0510_0001_0001_airgap.md (Ops & Offline)
- **Gaps:** `31-Nov-2025 FINDINGS.md` (AG1–AG12 remediation task AIRGAP-GAPS-510-009)
- **Status:** Implementation guided by Ops/Offline sprint; gaps cover trust roots, Rekor mirrors, feed freezing, tooling hashes, AV scans, policy/graph hash verification, tenant scoping, ingress receipts, replay depth, and offline observability.

### Ecosystem Reality Tests

- **Canonical:** `30-Nov-2025 - Ecosystem Reality Test Cases for StellaOps.md`
- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker)
- **Related Docs:**
  - `docs/product-advisories/30-Nov-2025 - Ecosystem Reality Test Cases for StellaOps.md`
- **Status:** Evidence-backed acceptance tests covering credential leaks, offline DB quirks, SBOM parity, and scanner instability.

### Unknowns Decay & Triage Heuristics

- **Canonical:** `30-Nov-2025 - Unknowns Decay & Triage Heuristics.md`
- **Sprint:** SPRINT_0140_0001_0001_runtime_signals.md (Signals/Unknowns)
- **Related Docs:**
  - `docs/product-advisories/30-Nov-2025 - Unknowns Decay & Triage Heuristics.md`
- **Gaps:** `31-Nov-2025 FINDINGS.md` (UT1–UT10 remediation task UNKNOWN-HEUR-GAPS-140-007)
- **Status:** Confidence decay card + triage queue artifacts that feed UI + ops exports for stale unknowns.
### Standup Sprint Kickstarters

- **Canonical:** `30-Nov-2025 - Standup Sprint Kickstarters.md`
- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker)
- **Related Docs:**
  - `docs/product-advisories/30-Nov-2025 - Standup Sprint Kickstarters.md`
- **Status:** Three day-0 tasks (scanner regressions, Postgres slice, DSSE/Rekor sweep) with ticket names and assignments.

### Evidence + Suppression Patterns

- **Canonical:** `30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md`
- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker)
- **Related Docs:**
  - `docs/product-advisories/30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md`
- **Gaps:** `31-Nov-2025 FINDINGS.md` (CE1–CE10 remediation task EVIDENCE-PATTERNS-GAPS-300-016)
- **Status:** Snapshot of how Snyk, GitHub, Aqua, Anchore/Grype, and Prisma Cloud handle evidence, suppression, and audit/export primitives.

### Ecosystem Reality Test Cases

- **Canonical:** `30-Nov-2025 - Ecosystem Reality Test Cases.md`
- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker)
- **Related Docs:**
  - `docs/product-advisories/30-Nov-2025 - Ecosystem Reality Test Cases.md`
- **Gaps:** `31-Nov-2025 FINDINGS.md` (ET1–ET10 remediation task ECOSYS-FIXTURES-GAPS-300-017)
- **Status:** Five public incidents mapped to acceptance tests (credential leak, Trivy offline schema error, SBOM parity, Grype version drift, inconsistent detection); informs SCA acceptance packs.
### Reachability Benchmark Fixtures

- **Canonical:** `30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md`
- **Sprint:** SPRINT_0513_0001_0001_public_reachability_benchmark.md (PRIMARY)
- **Related Docs:**
  - `docs/product-advisories/30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md`
- **Gaps:** `31-Nov-2025 FINDINGS.md` (RB1–RB10 remediation task REACH-FIXTURE-GAPS-513-020)
- **Status:** SV-COMP + OSS-Fuzz grounded fixture plan plus Tier-2 guidance for Java/Python, packages, containers, call-graph corpora.

### SBOM/VEX Pipeline

- **Canonical:** `27-Nov-2025 - Deep Architecture Brief - SBOM‑First, VEX‑Ready Spine.md`
- **Sprint:** SPRINT_0186_0001_0001_record_deterministic_execution.md (tasks 15a-15f)
- **Supersedes:**
  - `24-Nov-2025 - Bridging OpenVEX and CycloneDX for .NET.md` → archive
  - `25-Nov-2025 - Revisiting Determinism in SBOM→VEX Pipeline.md` → archive
  - `26-Nov-2025 - From SBOM to VEX - Building a Transparent Chain.md` → archive

### Rekor/DSSE Batch Sizing

- **Canonical:** `26-Nov-2025 - Handling Rekor v2 and DSSE Air‑Gap Limits.md`
- **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (DSSE tasks)
- **Supersedes:**
  - `27-Nov-2025 - Rekor Envelope Size Heuristic.md` → archive (duplicate)
  - `27-Nov-2025 - DSSE and Rekor Envelope Size Heuristic.md` → archive (duplicate)
  - `27-Nov-2025 - Optimizing DSSE Batch Sizes for Reliable Logging.md` → archive (duplicate)

### Graph Revision IDs

- **Canonical:** `26-Nov-2025 - Use Graph Revision IDs as Public Trust Anchors.md`
- **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (existing tasks)
- **Gaps:** `31-Nov-2025 FINDINGS.md` (GR1–GR10 remediation task GRAPHREV-GAPS-401-063)
- **Supersedes:**
  - `25-Nov-2025 - Hash‑Stable Graph Revisions Across Systems.md` → archive (earlier version)

### Reachability Benchmark (Public)

- **Canonical:** `24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md`
- **Sprint:** SPRINT_0513_0001_0001_public_reachability_benchmark.md
- **Related:**
  - `26-Nov-2025 - Opening Up a Reachability Dataset.md` → complementary (dataset focus)
  - `31-Nov-2025 FINDINGS.md` → gap analysis (G1–G12) with remediation task BENCH-GAPS-513-018
- **Gaps (dataset):** `31-Nov-2025 FINDINGS.md` (RD1–RD10 remediation task DATASET-GAPS-513-019)

### Unknowns Registry

- **Canonical:** `27-Nov-2025 - Managing Ambiguity Through an Unknowns Registry.md`
- **Sprint:** SPRINT_0140_0001_0001_runtime_signals.md (existing implementation)
- **Extends:** `archived/18-Nov-2025 - Unknowns-Registry.md`
- **Gaps:** `31-Nov-2025 FINDINGS.md` (UN1–UN10 remediation task UNKNOWN-GAPS-140-006)
- **Status:** Already implemented in Signals module; advisory validates design

### Confidence Decay for Prioritization

- **Canonical:** `25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md`
- **Sprint:** SPRINT_0140_0001_0001_runtime_signals.md (integration point)
- **Gaps:** `31-Nov-2025 FINDINGS.md` (U1–U10 remediation task DECAY-GAPS-140-005)
- **Related:** Unknowns Registry (time-based decay complements ambiguity tracking)
- **Status:** Design advisory - provides exponential decay formula for priority freshness

### Explainability

- **Canonical (Graphs):** `27-Nov-2025 - Making Graphs Understandable to Humans.md`
- **Canonical (Verdicts):** `27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md`
- **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (UI-CLI tasks)
- **Gaps:** `31-Nov-2025 FINDINGS.md` (EX1–EX10 remediation task EXPLAIN-GAPS-401-064)
- **Status:** Complementary advisories - graphs cover edge reasons, verdicts cover audit trails

### VEX Proofs

- **Canonical:** `25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md`
- **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (POLICY-VEX tasks)
- **Gaps:** `31-Nov-2025 FINDINGS.md` (VEX1–VEX10 remediation task VEX-GAPS-401-062)

### Binary Reachability

- **Canonical:** `27-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md`
- **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (GRAPH-HYBRID tasks)
- **Gaps:** `31-Nov-2025 FINDINGS.md` (BR1–BR10 remediation task BINARY-GAPS-401-066)

### Scanner Roadmap

- **Canonical:** `27-Nov-2025 - Blueprint for a 2026‑Ready Scanner.md`
- **Sprint:** Multiple sprints (0186, 0401, 0512)
- **Gaps:** `31-Nov-2025 FINDINGS.md` (SC1–SC10 remediation task SCANNER-GAPS-186-018)
- **Status:** High-level roadmap document

### SBOM-First, VEX-Ready Spine

- **Canonical:** `27-Nov-2025 - Deep Architecture Brief - SBOM-First, VEX-Ready Spine.md`
- **Sprint:** SPRINT_0186_0001_0001_record_deterministic_execution.md (spine contracts) and related VEX/graph tasks in SPRINT_0401_0001_0001
- **Gaps:** `31-Nov-2025 FINDINGS.md` (SP1–SP10 remediation task SPINE-GAPS-186-019)
- **Status:** Architecture brief; needs formalized schemas/contracts and DSSE/bundle enforcement.

### SBOM & VEX Competitor Snapshot

- **Canonical:** `27-Nov-2025 - Late‑November SBOM & VEX competitor.md`
- **Sprint:** SPRINT_0186_0001_0001_record_deterministic_execution.md (ingest/normalization)
- **Gaps:** `31-Nov-2025 FINDINGS.md` (CM1–CM10 remediation task COMPETITOR-GAPS-186-020)
- **Status:** Competitive intelligence; requires hardened external ingest, signatures, and offline kit parity.
### Vulnerability Triage UX & VEX-First Decisioning

- **Canonical:** `28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`
- **Sprint:** SPRINT_0215_0001_0001_vuln_triage_ux.md (NEW)
- **Related Sprints:**
  - SPRINT_0210_0001_0002_ui_ii.md (UI-LNM-22-003 VEX tab)
  - SPRINT_0334_docs_modules_vuln_explorer.md (docs)
- **Related Advisories:**
  - `27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md` (evidence chain)
  - `27-Nov-2025 - Making Graphs Understandable to Humans.md` (graph UX)
  - `25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md` (VEX proofs)
- **Gaps:** `31-Nov-2025 FINDINGS.md` (VT1–VT10 remediation task TRIAGE-GAPS-215-042)
- **Status:** New - defines converged triage UX across Snyk/GitLab/Harbor/Anchore patterns
- **Schemas:**
  - `docs/schemas/vex-decision.schema.json`
  - `docs/schemas/attestation-vuln-scan.schema.json`
  - `docs/schemas/audit-bundle-index.schema.json`

### Sovereign Crypto for Regional Compliance

- **Canonical:** `28-Nov-2025 - Sovereign Crypto for Regional Compliance.md`
- **Sprint:** SPRINT_0514_0001_0001_sovereign_crypto_enablement.md (EXISTING)
- **Related Docs:**
  - `docs/security/rootpack_ru_*.md` - RootPack RU documentation
  - `docs/security/crypto-registry-decision-2025-11-18.md` - Registry design
  - `docs/security/pq-provider-options.md` - Post-quantum options
- **Gaps:** `31-Nov-2025 FINDINGS.md` (SC1–SC10 remediation task SC-GAPS-514-010)
- **Status:** Fills HIGH-priority gap - covers eIDAS, FIPS, GOST, SM algorithm support
- **Compliance:** EU (eIDAS), US (FIPS 140-2/3), Russia (GOST), China (SM2/3/4)

### Plugin Architecture & Extensibility

- **Canonical:** `28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md`
- **Sprint:** Foundational - appears in module-specific sprints
- **Related Docs:**
  - `docs/dev/plugins/README.md` - General plugin guide
  - `docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md` - Concelier connectors
  - `docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md` - Authority plugins
  - `docs/modules/scanner/guides/surface-validation-extensibility.md` - Scanner extensibility
- **Gaps:** `31-Nov-2025 FINDINGS.md` (PL1–PL10 remediation task Plugin architecture gaps remediation — Sprint 300)
- **Status:** Fills MEDIUM-priority gap - consolidates extensibility patterns across modules

### Evidence Bundle & Replay Contracts

- **Canonical:** `28-Nov-2025 - Evidence Bundle and Replay Contracts.md`
- **Sprint:** SPRINT_0161_0001_0001_evidencelocker.md (PRIMARY)
- **Related Sprints:**
  - SPRINT_0187_0001_0001_evidence_locker_cli_integration.md (CLI)
  - SPRINT_0160_0001_0001_export_evidence.md (Coordination)
- **Related Docs:**
  - `docs/modules/evidence-locker/bundle-packaging.md` - Bundle spec
  - `docs/modules/evidence-locker/attestation-contract.md` - DSSE contract
  - `docs/modules/evidence-locker/replay-payload-contract.md` - Replay schema
- **Gaps:** `31-Nov-2025 FINDINGS.md` (EB1–EB10 remediation task EVID-GAPS-161-007)
- **Status:** Fills HIGH-priority gap - covers deterministic bundles, attestations, replay, incident mode

### Export Center & Reporting

- **Canonical:** `28-Nov-2025 - Export Center and Reporting Strategy.md`
- **Sprint:** SPRINT_0162_0001_0001_exportcenter_i.md (ExportCenter I)
- **Related Sprints:** SPRINT_0163_0001_0001_exportcenter_ii.md, SPRINT_0164_0001_0001_exportcenter_iii.md
- **Gaps:** `31-Nov-2025 FINDINGS.md` (EC1–EC10 remediation task EXPORT-GAPS-162-013)
- **Status:** Export profiles/adapters; determinism, provenance, and offline kit parity need gap remediation.
### Acceptance Tests Pack for Guardrails

- **Canonical:** `29-Nov-2025 - Acceptance Tests Pack for StellaOps Guardrails.md`
- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (Docs Governance)
- **Related Docs:**
  - `docs/product-advisories/29-Nov-2025 - Acceptance Tests Pack for StellaOps Guardrails.md` (itself)
  - `docs/implplan/SPRINT_0300_0001_0001_documentation_process.md` (tracking the sync)
- **Gaps:** `31-Nov-2025 FINDINGS.md` (AT1–AT10 remediation task AT-GAPS-300-012)
- **Status:** Captures feed resiliency, SBOM validation, snapshot/replay rehearsals, reachability fallbacks, and pipeline swap guardrails for acceptance tests.

### Mirror & Offline Kit Strategy

- **Canonical:** `28-Nov-2025 - Mirror and Offline Kit Strategy.md`
- **Sprint:** SPRINT_0125_0001_0001 (Mirror Bundles)
- **Related Sprints:**
  - SPRINT_0150_0001_0001 (DSSE/Time Anchors)
  - SPRINT_0150_0001_0002 (Time Anchors)
  - SPRINT_0150_0001_0003 (Orchestrator Hooks)
- **Related Docs:**
  - `docs/modules/mirror/dsse-tuf-profile.md` - DSSE/TUF spec
  - `docs/modules/mirror/thin-bundle-assembler.md` - Thin bundle spec
  - `docs/airgap/time-anchor-schema.json` - Time anchor schema
- **Gaps:** `31-Nov-2025 FINDINGS.md` (OK1–OK10 remediation task OFFKIT-GAPS-125-011; RK1–RK10 task REKOR-GAPS-125-012; MS1–MS10 task MIRROR-GAPS-125-013)
- **Status:** Fills HIGH-priority gap - covers thin bundles, DSSE/TUF signing, time anchoring

### Rekor v2 / DSSE Limits

- **Canonical:** `26-Nov-2025 - Handling Rekor v2 and DSSE Air-Gap Limits.md`
- **Sprint:** SPRINT_0125_0001_0001_mirror.md (mirror/offline log handling) and linked to reachability evidence chain where DSSE predicates are used.
- **Gaps:** `31-Nov-2025 FINDINGS.md` (RK1–RK10 remediation task REKOR-GAPS-125-012)
- **Status:** Guides policy for public/private Rekor use, payload limits, chunking, and shard-aware checkpoints.
### Task Pack Orchestration & Automation

- **Canonical:** `28-Nov-2025 - Task Pack Orchestration and Automation.md`
- **Sprint:** SPRINT_0157_0001_0001_taskrunner_i.md (PRIMARY)
- **Related Sprints:**
  - SPRINT_0158_0001_0002_taskrunner_ii.md (Phase II)
  - SPRINT_0157_0001_0002_taskrunner_blockers.md (Blockers)
- **Related Docs:**
  - `docs/task-packs/spec.md` - Pack manifest specification
  - `docs/task-packs/authoring-guide.md` - Authoring workflow
  - `docs/task-packs/registry.md` - Registry architecture
- **Gaps:** `31-Nov-2025 FINDINGS.md` (TP1–TP10 remediation task TASKRUN-GAPS-157-014)
- **Status:** Fills HIGH-priority gap - covers pack DSL, approvals, evidence capture

### Authentication & Authorization Architecture

- **Canonical:** `28-Nov-2025 - Authentication and Authorization Architecture.md`
- **Sprint:** Multiple (see below)
- **Related Sprints:**
  - SPRINT_100_identity_signing.md (CLOSED - historical)
  - SPRINT_0314_0001_0001_docs_modules_authority.md (Docs)
  - SPRINT_0514_0001_0001_sovereign_crypto_enablement.md (Crypto)
- **Gaps:** `31-Nov-2025 FINDINGS.md` (AU1–AU10 remediation task AUTH-GAPS-314-004)
- **Related Docs:**
  - `docs/modules/authority/architecture.md` - Module architecture
  - `docs/11_AUTHORITY.md` - Overview
  - `docs/security/authority-scopes.md` - Scope reference
  - `docs/security/dpop-mtls-rollout.md` - Sender constraints
- **Status:** Fills HIGH-priority gap - consolidates token model, scopes, multi-tenant isolation

### CLI Developer Experience & Command UX

- **Canonical:** `28-Nov-2025 - CLI Developer Experience and Command UX.md`
- **Sprint:** SPRINT_0201_0001_0001_cli_i.md (PRIMARY)
- **Related Sprints:**
  - SPRINT_203_cli_iii.md
  - SPRINT_205_cli_v.md
- **Related Docs:**
  - `docs/modules/cli/architecture.md` - Module architecture
  - `docs/09_API_CLI_REFERENCE.md` - Command reference
- **Gaps:** `31-Nov-2025 FINDINGS.md` (CL1–CL10 remediation task CLI-GAPS-201-003)
- **Status:** Fills HIGH-priority gap - covers command surface, auth model, Buildx integration

### Orchestrator Event Model & Job Lifecycle

- **Canonical:** `28-Nov-2025 - Orchestrator Event Model and Job Lifecycle.md`
- **Sprint:** SPRINT_0151_0001_0001_orchestrator_i.md (PRIMARY)
- **Related Sprints:**
  - SPRINT_152_orchestrator_ii.md
  - SPRINT_0152_0001_0002_orchestrator_ii.md
- **Related Docs:**
  - `docs/modules/orchestrator/architecture.md` - Module architecture
- **Gaps:** `31-Nov-2025 FINDINGS.md` (OR1–OR10 remediation task ORCH-GAPS-151-016)
- **Status:** Fills HIGH-priority gap - covers job lifecycle, quota governance, replay semantics

### Export Center & Reporting Strategy

- **Canonical:** `28-Nov-2025 - Export Center and Reporting Strategy.md`
- **Sprint:** SPRINT_0160_0001_0001_export_evidence.md (PRIMARY)
- **Related Sprints:**
  - SPRINT_0161_0001_0001_evidencelocker.md
- **Related Docs:**
  - `docs/modules/export-center/architecture.md` - Module architecture
- **Status:** Fills MEDIUM-priority gap - covers profile system, adapters, distribution channels

### Runtime Posture & Observation (Zastava)

- **Canonical:** `28-Nov-2025 - Runtime Posture and Observation with Zastava.md`
- **Sprint:** SPRINT_0144_0001_0001_zastava_runtime_signals.md (PRIMARY)
- **Related Sprints:**
  - SPRINT_0140_0001_0001_runtime_signals.md
  - SPRINT_0143_0001_0001_signals.md
- **Related Docs:**
  - `docs/modules/zastava/architecture.md` - Module architecture
- **Gaps:** `31-Nov-2025 FINDINGS.md` (ZR1–ZR10 remediation task ZASTAVA-GAPS-144-007)
- **Status:** Fills MEDIUM-priority gap - covers runtime events, admission control, drift detection

### Notification Rules & Alerting Engine

- **Canonical:** `28-Nov-2025 - Notification Rules and Alerting Engine.md`
- **Sprint:** SPRINT_0170_0001_0001_notify_engine.md (NEW)
- **Related Sprints:**
  - SPRINT_0171_0001_0002_notify_connectors.md
  - SPRINT_0172_0001_0003_notify_ack_tokens.md
- **Related Docs:**
  - `docs/modules/notify/architecture.md` - Module architecture
- **Gaps:** `31-Nov-2025 FINDINGS.md` (NR1–NR10 remediation task NOTIFY-GAPS-171-014; blueprint `docs/notifications/gaps-nr1-nr10.md`)
- **Status:** Fills MEDIUM-priority gap - covers rules engine, channels, noise control, ack tokens

### Graph Analytics & Dependency Insights

- **Canonical:** `28-Nov-2025 - Graph Analytics and Dependency Insights.md`
- **Sprint:** SPRINT_0141_0001_0001_graph_indexer.md (PRIMARY)
- **Related Sprints:**
  - SPRINT_0401_0001_0001_reachability_evidence_chain.md
  - SPRINT_0140_0001_0001_runtime_signals.md
- **Related Docs:**
  - `docs/modules/graph/architecture.md` - Module architecture
- **Gaps:** `31-Nov-2025 FINDINGS.md` (GA1–GA10 remediation task GRAPH-ANALYTICS-GAPS-207-013)
- **Status:** Fills MEDIUM-priority gap - covers graph model, overlays, analytics, visualization

### Telemetry & Observability Patterns

- **Canonical:** `28-Nov-2025 - Telemetry and Observability Patterns.md`
- **Sprint:** SPRINT_0180_0001_0001_telemetry_core.md (NEW)
- **Related Sprints:**
  - SPRINT_0181_0001_0002_telemetry_forensic.md
  - SPRINT_0182_0001_0003_telemetry_offline.md
- **Related Docs:**
  - `docs/modules/telemetry/architecture.md` - Module architecture
- **Gaps:** `31-Nov-2025 FINDINGS.md` (TO1–TO10 remediation task TELEM-GAPS-180-001)
- **Status:** Fills MEDIUM-priority gap - covers collector topology, forensic mode, offline bundles

### Policy Simulation & Shadow Gates

- **Canonical:** `28-Nov-2025 - Policy Simulation and Shadow Gates.md`
- **Sprint:** SPRINT_0185_0001_0001_policy_simulation.md (NEW)
- **Related Sprints:**
  - SPRINT_0120_0001_0001_policy_reasoning.md
  - SPRINT_0121_0001_0001_policy_reasoning.md
- **Related Docs:**
  - `docs/modules/policy/architecture.md` - Module architecture
- **Gaps:** `31-Nov-2025 FINDINGS.md` (PS1–PS10 remediation task POLICY-GAPS-185-006)
- **Status:** Fills MEDIUM-priority gap - covers shadow runs, coverage fixtures, promotion gates

### Findings Ledger & Immutable Audit Trail

- **Canonical:** `28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md`
- **Sprint:** SPRINT_0186_0001_0001_record_deterministic_execution.md (PRIMARY)
- **Related Sprints:**
  - SPRINT_0120_0001_0001_policy_reasoning.md
  - SPRINT_0311_0001_0001_docs_tasks_md_xi.md
- **Related Docs:**
  - `docs/modules/findings-ledger/openapi/findings-ledger.v1.yaml` - OpenAPI spec
- **Gaps:** `31-Nov-2025 FINDINGS.md` (FL1–FL10 remediation task LEDGER-GAPS-121-009)
- **Status:** Fills MEDIUM-priority gap - covers append-only events, Merkle anchoring, projections

### Concelier Advisory Ingestion Model

- **Canonical:** `28-Nov-2025 - Concelier Advisory Ingestion Model.md`
- **Sprint:** SPRINT_0115_0001_0004_concelier_iv.md (PRIMARY)
- **Related Sprints:**
  - SPRINT_0113_0001_0002_concelier_ii.md
  - SPRINT_0114_0001_0003_concelier_iii.md
- **Related Docs:**
  - `docs/modules/concelier/architecture.md` - Module architecture
  - `docs/modules/concelier/link-not-merge-schema.md` - LNM schema
- **Gaps:** `31-Nov-2025 FINDINGS.md` (CI1–CI10 remediation task CONCELIER-GAPS-115-014)
- **Status:** Fills MEDIUM-priority gap - covers AOC, Link-Not-Merge, connectors, deterministic exports

## Files Archived

The following files have been moved to `archived/27-Nov-2025-superseded/`:

```
# Superseded by canonical advisories
24-Nov-2025 - Bridging OpenVEX and CycloneDX for .NET.md
25-Nov-2025 - Revisiting Determinism in SBOM→VEX Pipeline.md
25-Nov-2025 - Hash‑Stable Graph Revisions Across Systems.md
26-Nov-2025 - From SBOM to VEX - Building a Transparent Chain.md
27-Nov-2025 - Rekor Envelope Size Heuristic.md
27-Nov-2025 - DSSE and Rekor Envelope Size Heuristic.md
27-Nov-2025 - Optimizing DSSE Batch Sizes for Reliable Logging.md
```

## Cleanup Completed (2025-11-28)

The following issues were fixed:

- Deleted junk file: `24-Nov-2025 - 1 copy 2.md`
- Deleted malformed duplicate: `24-Nov-2025 - Designing a Deterministic Reachability Benchmarkmd`
- Fixed filename: `25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md` (was missing .md extension)

## Sprint Cross-Reference

| Advisory Topic | Sprint ID | Status |
|---------------|-----------|--------|
| CVSS v4.0 | SPRINT_0190_0001_0001 | NEW |
| SPDX 3.0.1 / SBOM | SPRINT_0186_0001_0001 | AUGMENTED |
| Reachability Benchmark | SPRINT_0513_0001_0001 | NEW |
| Reachability Evidence | SPRINT_0401_0001_0001 | EXISTING |
| Unknowns Registry | SPRINT_0140_0001_0001 | IMPLEMENTED |
| Confidence Decay | SPRINT_0140_0001_0001 | DESIGN |
| Graph Revision IDs | SPRINT_0401_0001_0001 | EXISTING |
| DSSE/Rekor Batching | SPRINT_0401_0001_0001 | EXISTING |
| Vuln Triage UX / VEX | SPRINT_0215_0001_0001 | NEW |
| Sovereign Crypto | SPRINT_0514_0001_0001 | EXISTING |
| Plugin Architecture | Multiple (module-specific) | FOUNDATIONAL |
| Evidence Bundle & Replay | SPRINT_0161_0001_0001 | EXISTING |
| Mirror & Offline Kit | SPRINT_0125_0001_0001 | EXISTING |
| Task Pack Orchestration | SPRINT_0157_0001_0001 | EXISTING |
| Auth/AuthZ Architecture | Multiple (100, 314, 0514) | EXISTING |
| CLI Developer Experience | SPRINT_0201_0001_0001 | NEW |
| Orchestrator Event Model | SPRINT_0151_0001_0001 | NEW |
| Export Center Strategy | SPRINT_0160_0001_0001 | NEW |
| Zastava Runtime Posture | SPRINT_0144_0001_0001 | NEW |
| Notification Rules Engine | SPRINT_0170_0001_0001 | NEW |
| Graph Analytics | SPRINT_0141_0001_0001 | NEW |
| Telemetry & Observability | SPRINT_0180_0001_0001 | NEW |
| Policy Simulation | SPRINT_0185_0001_0001 | NEW |
| Findings Ledger | SPRINT_0186_0001_0001 | NEW |
| Concelier Ingestion | SPRINT_0115_0001_0004 | NEW |

## Implementation Priority

Based on gap analysis:

1. **P0 - CVSS v4.0** (Sprint 0190) - Industry moving to v4.0, genuine gap
2. **P1 - SPDX 3.0.1** (Sprint 0186 tasks 15a-15f) - Standards compliance
3. **P1 - Public Benchmark** (Sprint 0513) - Differentiation/marketing value
4. **P1 - Vuln Triage UX** (Sprint 0215) - Industry-aligned UX for competitive parity
5. **P1 - Sovereign Crypto** (Sprint 0514) - Regional compliance enablement
6. **P1 - Evidence Bundle & Replay** (Sprint 0161, 0187) - Audit/compliance critical
7. **P1 - Mirror & Offline Kit** (Sprint 0125, 0150) - Air-gap deployment critical
8. **P1 - CLI Developer Experience** (Sprint 0201) - Developer UX critical
9. **P1 - Orchestrator Event Model** (Sprint 0151) - Job lifecycle foundation
10. **P2 - Task Pack Orchestration** (Sprint 0157, 0158) - Automation foundation
11. **P2 - Explainability** (Sprint 0401) - UX enhancement, existing tasks
12. **P2 - Plugin Architecture** (Multiple) - Foundational extensibility patterns
13. **P2 - Auth/AuthZ Architecture** (Multiple) - Security consolidation
14. **P2 - Export Center** (Sprint 0160) - Reporting flexibility
15. **P2 - Zastava Runtime** (Sprint 0144) - Runtime observability
16. **P2 - Notification Rules** (Sprint 0170) - Alert management
17. **P2 - Graph Analytics** (Sprint 0141) - Dependency insights
18. **P2 - Telemetry** (Sprint 0180) - Observability infrastructure
19. **P2 - Policy Simulation** (Sprint 0185) - Safe policy testing
20. **P2 - Findings Ledger** (Sprint 0186) - Audit immutability
21. **P2 - Concelier Ingestion** (Sprint 0115) - Advisory pipeline
22. **P3 - Already Implemented** - Unknowns, Graph IDs, DSSE batching

## Implementer Quick Reference

For each topic, the implementer should read:

1. **Sprint file** - Contains task definitions, dependencies, working directories
2. **Documentation Prerequisites** - Listed in each sprint file
3. **Canonical advisory** - Full product context and rationale
4. **Module AGENTS.md** - If it exists, contains module-specific coding guidance

### Key Module Docs to Read Before Implementation

| Module | Architecture Doc | AGENTS.md |
|--------|-----------------|-----------|
| Policy | `docs/modules/policy/architecture.md` | `src/Policy/*/AGENTS.md` |
| Scanner | `docs/modules/scanner/architecture.md` | `src/Scanner/*/AGENTS.md` |
| Sbomer | `docs/modules/sbomer/architecture.md` | `src/Sbomer/*/AGENTS.md` |
| Signals | `docs/modules/signals/architecture.md` | `src/Signals/*/AGENTS.md` |
| Attestor | `docs/modules/attestor/architecture.md` | `src/Attestor/*/AGENTS.md` |
| Vuln Explorer | `docs/modules/vuln-explorer/architecture.md` | `src/VulnExplorer/*/AGENTS.md` |
| VEX-Lens | `docs/modules/vex-lens/architecture.md` | `src/Excititor/*/AGENTS.md` |
| UI | `docs/modules/ui/architecture.md` | `src/UI/*/AGENTS.md` |
| Authority | `docs/modules/authority/architecture.md` | `src/Authority/*/AGENTS.md` |
| Evidence Locker | `docs/modules/evidence-locker/*.md` | `src/EvidenceLocker/*/AGENTS.md` |
| Mirror | `docs/modules/mirror/*.md` | `src/Mirror/*/AGENTS.md` |
| TaskRunner | `docs/modules/taskrunner/*.md` | `src/TaskRunner/*/AGENTS.md` |
| CLI | `docs/modules/cli/architecture.md` | `src/Cli/*/AGENTS.md` |
| Orchestrator | `docs/modules/orchestrator/architecture.md` | `src/Orchestrator/*/AGENTS.md` |
| Export Center | `docs/modules/export-center/architecture.md` | `src/ExportCenter/*/AGENTS.md` |
| Zastava | `docs/modules/zastava/architecture.md` | `src/Zastava/*/AGENTS.md` |
| Notify | `docs/modules/notify/architecture.md` | `src/Notify/*/AGENTS.md` |
| Graph | `docs/modules/graph/architecture.md` | `src/Graph/*/AGENTS.md` |
| Telemetry | `docs/modules/telemetry/architecture.md` | `src/Telemetry/*/AGENTS.md` |
| Findings Ledger | `docs/modules/findings-ledger/openapi/` | `src/Findings/*/AGENTS.md` |
| Concelier | `docs/modules/concelier/architecture.md` | `src/Concelier/*/AGENTS.md` |

### Developer Onboarding Quick Start

-
**Canonical:** `29-Nov-2025 - StellaOps – Mid-Level .NET Onboarding (Quick Start).md` - **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (Docs Governance) - **Related Docs:** - `docs/onboarding/dev-quickstart.md` (derived from this advisory) - `docs/README.md` (new quickstart reference) - `docs/modules/platform/architecture-overview.md` (platform dossier mention) - **Status:** Documents deterministic onboarding for mid-level .NET engineers covering repos, determinism tests, DSSE/attestation patterns, and starter issues. ## Topical Gaps (Advisory Needed) The following topics are mentioned in CLAUDE.md or module docs but lack dedicated product advisories: | Gap | Severity | Status | Notes | |-----|----------|--------|-------| | ~~Regional Crypto (eIDAS/FIPS/GOST/SM)~~ | HIGH | **FILLED** | `28-Nov-2025 - Sovereign Crypto for Regional Compliance.md` | | ~~Plugin Architecture Patterns~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md` | | ~~Evidence Bundle Packaging~~ | HIGH | **FILLED** | `28-Nov-2025 - Evidence Bundle and Replay Contracts.md` | | ~~Mirror/Offline Kit Strategy~~ | HIGH | **FILLED** | `28-Nov-2025 - Mirror and Offline Kit Strategy.md` | | ~~Task Pack Orchestration~~ | HIGH | **FILLED** | `28-Nov-2025 - Task Pack Orchestration and Automation.md` | | ~~Auth/AuthZ Architecture~~ | HIGH | **FILLED** | `28-Nov-2025 - Authentication and Authorization Architecture.md` | | ~~CLI Developer Experience~~ | HIGH | **FILLED** | `28-Nov-2025 - CLI Developer Experience and Command UX.md` | | ~~Orchestrator Event Model~~ | HIGH | **FILLED** | `28-Nov-2025 - Orchestrator Event Model and Job Lifecycle.md` | | ~~Export Center Strategy~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Export Center and Reporting Strategy.md` | | ~~Runtime Posture & Observation~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Runtime Posture and Observation with Zastava.md` | | ~~Notification Rules Engine~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Notification 
Rules and Alerting Engine.md` | | ~~Graph Analytics & Clustering~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Graph Analytics and Dependency Insights.md` | | ~~Telemetry & Observability~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Telemetry and Observability Patterns.md` | | ~~Policy Simulation & Shadow Gates~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Policy Simulation and Shadow Gates.md` | | ~~Findings Ledger & Audit Trail~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md` | | ~~Concelier Advisory Ingestion~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Concelier Advisory Ingestion Model.md` | | **CycloneDX 1.6 .NET Integration** | LOW | Open | Deep Architecture covers generically; expand with .NET-specific guidance | ## Known Issues (Non-Blocking) **Unicode Encoding Inconsistency:** Several filenames use en-dash (U+2011) instead of regular hyphen (-). This may cause cross-platform issues but does not affect content discovery. Files affected: - `26-Nov-2025 - Handling Rekor v2 and DSSE Air‑Gap Limits.md` - `27-Nov-2025 - Blueprint for a 2026‑Ready Scanner.md` - `27-Nov-2025 - Deep Architecture Brief - SBOM‑First, VEX‑Ready Spine.md` **Archived Duplicate:** `archived/17-Nov-2025 - SBOM-Provenance-Spine.md` and `archived/18-Nov-2025 - SBOM-Provenance-Spine.md` are potential duplicates. The 18-Nov version is likely canonical. --- *Index created: 2025-11-27* *Last updated: 2025-12-01 (added Rekor Receipt, Standup Kickstarters, UI Micro-Interactions, Proof-Linked VEX UI entries, plus new gap task IDs)*