# Stella Ops - Feature Catalog

> Unified feature inventory for marketing, stabilization, and E2E verification.
> Generated: 2026-02-08
> Total unique features: 1185

## Summary

| Status | Count |
|--------|-------|
| Implemented | 1057 |
| Partially Implemented | 99 |
| Not Found in Source | 29 |
| **Total** | **1185** |

---

### AdvisoryAI (17 features)

- [x] **AdvisoryAI Orchestrator (Chat + Workbench + Runs)**
  - Status: IMPLEMENTED
  - The AdvisoryAI module provides a chat orchestrator with session management, run tracking (with artifacts and events), and tool routing. The backend web service with chat and run endpoints is operational.
  - Modules: `src/AdvisoryAI`
- [x] **AdvisoryAI Pipeline with Guardrails**
  - Status: IMPLEMENTED
  - Full advisory AI pipeline with guardrails, chat interface, action execution, and idempotency handling. Includes retrieval, structured/vector retrievers, and SBOM context retrieval.
  - Modules: `src/AdvisoryAI`
- [ ] **AI Codex / Zastava Companion**
  - Status: NOT_FOUND
  - The advisory AI module exists with policy studio and LatticeRuleGenerator, but the specific "AI Codex" or "Zastava Companion" branding/feature set described in the advisory is not found.
  - Modules: `src/AdvisoryAI`
- [x] **Chat Gateway with Quotas and Scrubbing**
  - Status: IMPLEMENTED
  - Chat gateway with configurable options (quotas, budgets) and service-layer chat orchestration is implemented.
  - Modules: `src/AdvisoryAI`
- [x] **Deterministic AI Artifact Replay**
  - Status: IMPLEMENTED
  - Deterministic replay infrastructure for AI artifacts, including replay manifests, prompt template versioning, and input artifact hashing for reproducible AI outputs.
  - Modules: `src/AdvisoryAI, src/Attestor`
- [x] **Evidence-First AI Outputs (Citations, Evidence Packs)**
  - Status: IMPLEMENTED
  - Evidence bundle assembly with schema-validated JSON, data providers for citations, and evidence pack integration in chat responses is implemented.
  - Modules: `src/AdvisoryAI`
- [x] **Evidence-First Citations in Chat Responses**
  - Status: IMPLEMENTED
  - Evidence bundle assembly with citations in chat responses and UI evidence drilldown is implemented.
  - Modules: `src/AdvisoryAI, src/Web`
- [x] **Immutable Audit Log for AI Interactions**
  - Status: IMPLEMENTED
  - DSSE-signed audit envelope builder for chat interactions with prompts, tool calls, and model fingerprints is implemented.
  - Modules: `src/AdvisoryAI`
- [-] **Playbook Learning (Run-to-Patch Pipeline)**
  - Status: PARTIALLY_IMPLEMENTED
  - Run artifacts and evidence bundles support playbook-related data, but dedicated playbook learning, patch proposal generation, and versioned playbook management are not yet distinct modules.
  - Modules: `src/AdvisoryAI`
- [x] **Sanctioned Tool Registry (Policy-Gated Tool Execution)**
  - Status: IMPLEMENTED
  - Tool policy system with a sanctioned tool registry controlling which AI tools can be invoked, with read-only defaults and confirmation-gated action tools.
  - Modules: `src/AdvisoryAI`
- [x] **AI Action Policy Gate (K4 Lattice Governance for AI-Proposed Actions)**
  - Status: IMPLEMENTED
  - Connects AI-proposed actions to the Policy Engine's K4 lattice for governance-aware automation. Moves beyond simple role checks to VEX-aware policy gates with approval workflows, idempotency tracking, and an action audit ledger. Enables "AI that acts" with governance guardrails.
  - Modules: `src/AdvisoryAI/StellaOps.AdvisoryAI/Actions/`
  - Sprint: SPRINT_20260109_011_004_BE_policy_action_integration.md
- [x] **AI Remedy Autopilot with Multi-SCM Pull Request Generation**
  - Status: IMPLEMENTED
  - AI-powered remediation service that generates fix plans (dependency bumps, base image upgrades, config changes, backport guidance), then creates PRs automatically across GitHub, GitLab, Azure DevOps, and Gitea via a unified SCM connector plugin architecture. Includes build verification, SBOM delta computation, signed delta verdicts, and fallback to "suggestion-only" when build/tests fail.
  - Modules: `src/AdvisoryAI/`, `src/Policy/`, `src/Attestor/`
  - Sprint: SPRINT_20251226_016_AI_remedy_autopilot.md
- [x] **LLM Inference Response Caching**
  - Status: IMPLEMENTED
  - In-memory LLM inference cache that deduplicates identical prompt+model combinations. Reduces API costs and latency by caching deterministic responses keyed by content hash.
  - Modules: `src/AdvisoryAI/`
  - Sprint: SPRINT_20251226_019_AI_offline_inference.md
- [x] **LLM Provider Plugin Architecture (Multi-Provider Inference)**
  - Status: IMPLEMENTED
  - Pluggable LLM provider architecture with an ILlmProvider interface supporting OpenAI, Claude, Gemini, llama.cpp (LlamaServer), and Ollama backends. Includes LlmProviderFactory for runtime selection and configuration validation. Enables sovereign/offline inference by switching to local providers.
  - Modules: `src/AdvisoryAI/`
  - Sprint: SPRINT_20251226_019_AI_offline_inference.md
- [x] **Natural Language to Policy Rule Compiler (Policy Studio Copilot)**
  - Status: IMPLEMENTED
  - AI-powered natural language to lattice rule translation engine, including PolicyIntentType parsing, LatticeRuleGenerator, a property-based test synthesizer for generated rules, and PolicyBundleCompiler. Transforms plain-English policy descriptions into formal stella-dsl@1 rules with live preview and conflict visualization.
  - Modules: `src/AdvisoryAI/`, `src/Policy/`
  - Sprint: SPRINT_20251226_017_AI_policy_copilot.md
- [x] **OpsMemory-Chat Integration (Decision Memory in AI Conversations)**
  - Status: IMPLEMENTED
  - Connects OpsMemory institutional decision memory to AdvisoryAI Chat, enabling the AI to surface relevant past decisions during conversations and automatically record new decisions with outcomes for feedback-loop learning.
  - Modules: `src/AdvisoryAI/StellaOps.AdvisoryAI/Chat/`
  - Sprint: SPRINT_20260109_011_002_BE_opsmemory_chat_integration.md
- [x] **Sovereign/Offline AI Inference with Signed Model Bundles**
  - Status: IMPLEMENTED
  - Local LLM inference for air-gapped environments via a pluggable provider architecture supporting llama.cpp server, Ollama, OpenAI, Claude, and Gemini. DSSE-signed model bundle management with regional crypto support (eIDAS/FIPS/GOST/SM), digest verification at load time, deterministic output config (temperature=0, fixed seed), inference caching, a benchmarking harness, and offline replay verification.
  - Modules: `src/AdvisoryAI/`, `src/Cryptography/`
  - Sprint: SPRINT_20251226_019_AI_offline_inference.md

### AirGap (12 features)

- [x] **Air-Gap Bundle System (DSSE-Signed Bundle Format with Import/Export)**
  - Status: IMPLEMENTED
  - Comprehensive air-gap bundle system with DSSE signing and verification, a bundle format with schemas/validation/trust snapshots, a controller for state management, an importer with quarantine-on-failure, atomic feed activation with rollback, file-based and router-based delivery transport, and offline kit validation (monotonicity checking, telemetry metrics). Covers offline update kits (OUK), replay packs, and audit pack export/import.
  - Modules: `src/AirGap, src/Attestor, src/ExportCenter, src/__Libraries/StellaOps.AuditPack`
- [x] **Air-Gap Epistemic Mode with Sealed Startup and Feed Snapshots**
  - Status: IMPLEMENTED
  - Full epistemic completeness for air-gapped environments: sealed startup validation, feed snapshot repositories, signed mirror connectors, cryptographic binding of knowledge state to scan results, snapshot management, and sealed install enforcement.
  - Modules: `src/AirGap, src/Concelier, src/TaskRunner`
- [x] **Deterministic Rekor Receipts with Offline Verification**
  - Status: IMPLEMENTED
  - Offline Rekor receipt verifier validates checkpoint signatures (ECDSA/Ed25519), Merkle inclusion proofs per RFC 6962, and root hash consistency without live transparency log access. Includes TileProxy, a local tile-based transparency log proxy, and mirror snapshot resolution for air-gapped deployments.
  - Modules: `src/AirGap, src/Attestor, src/Cli, src/Signer`
- [x] **Deterministic Replay and Verification in Air-Gap Mode**
  - Status: IMPLEMENTED
  - Replay manifests capture input artifacts, verification results, and media types for deterministic reproducibility, backed by a replay verification service for air-gapped environments. Covers offline cryptography plugins and importer validation.
  - Modules: `src/AirGap, src/Attestor, src/ReachGraph, src/Cryptography`
- [x] **Deterministic Test Harness (Frozen Time, Seeded RNG, Network Isolation)**
  - Status: IMPLEMENTED
  - Deterministic testing infrastructure with frozen time providers, deterministic fixtures, and Testcontainers for PostgreSQL isolation across backend and frontend.
  - Modules: `src/AirGap, src/Scanner, src/Web`
- [x] **Offline Kit Metrics and Diagnostics**
  - Status: IMPLEMENTED
  - Offline kit metrics, telemetry, and startup diagnostics for monitoring air-gap bundle health.
  - Modules: `src/AirGap`
- [x] **Time Anchoring for Offline Environments**
  - Status: IMPLEMENTED
  - Time anchoring module with anchor loader, token parser, staleness calculator, and sealed startup validation for air-gapped environments. Includes HLC (Hybrid Logical Clock) merge services for multi-node sync.
  - Modules: `src/AirGap, src/Attestor`
- [x] **DSSE/Receipt Schema for Authority/Sbomer/Vexer Flows**
  - Status: IMPLEMENTED
  - DSSE envelope signing/verification across multiple modules with schema types, SPDX3 integration, and air-gap bundle signing. The receipt schema supports Authority, Sbomer, and Vexer flows.
  - Modules: `src/AirGap, src/Attestor, src/Cli, src/ExportCenter, src/Provenance`
- [x] **Trust Profile Management (CLI and Bundle)**
  - Status: IMPLEMENTED
  - Named trust profiles (global, eu-eidas, us-fips, bg-gov) for configuring TSA chains, signing algorithms, and verification policies per deployment context. Includes CLI commands (`stella trust-profile list/apply/show`) and bundle-level profile loading. Distinct from "Trust Anchor Management" and "Regional Crypto Profiles", which concern crypto algorithms rather than deployment-context trust configuration profiles.
  - Modules: `src/AirGap/__Libraries/StellaOps.AirGap.Bundle/`, `src/Cli/StellaOps.Cli/Commands/`
  - Sprint: SPRINT_20260120_029_AirGap_offline_bundle_contract.md
- [-] **Mirror DSSE Revision Contract**
  - Status: PARTIALLY_IMPLEMENTED
  - Defines the DSSE signing contract revision for mirror bundles, specifying envelope format, digest algorithm choices, and manifest inclusion rules for air-gapped import verification. Implementation is coordination-level (docs + scripts).
  - Sprint: SPRINT_0150_0001_0001_mirror_dsse.md
- [-] **Mirror Orchestrator Hook Event (mirror.ready)**
  - Status: PARTIALLY_IMPLEMENTED
  - Defines the `mirror.ready` event payload `{bundleId, generation, generatedAt, dsseDigest, manifestDigest, location}` with optional `rekorUUID`, enabling CLI and export automation to consume mirror bundle readiness notifications.
  - Sprint: SPRINT_0150_0001_0003_mirror_orch.md
- [-] **Mirror Time Anchor Contract**
  - Status: PARTIALLY_IMPLEMENTED
  - Defines canonical time-anchor fields (`generatedAt` as UTC ISO-8601, optional `sourceClock` hint) and the staleness computation (`now - generatedAt`, with a +/-5s tolerance) for mirror bundles in air-gapped environments.
  - Sprint: SPRINT_0150_0001_0002_mirror_time.md

### Aoc (1 feature)

- [x] **AOC Roslyn Source Analyzer (Compile-Time Contract Enforcement)**
  - Status: IMPLEMENTED
  - Roslyn source analyzer that enforces ingestion contracts at compile time via diagnostic rules (AOC0001, AOC0002, AOC0003), preventing forbidden field access patterns in AOC-related code.
  - Modules: `src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/`
  - Sprint: SPRINT_0503_0001_0001_ops_devops_i.md

### Api (2 features)

- [x] **Policy trace panel ("why blocked" / "what would make it pass")**
  - Status: IMPLEMENTED
  - Block explanation API controller, CLI explain commands, and a verdict rationale renderer provide policy trace functionality explaining why artifacts are blocked and what would unblock them.
  - Modules: `src/Api, src/Cli, src/Policy`
- [ ] **Score API Endpoints (/api/v1/score/evaluate, /score/weights)**
  - Status: NOT_FOUND
  - The advisory proposed dedicated REST endpoints for score evaluation, weight management, and replay. These were tracked as TODO items (TSF-005, TSF-011) and have not been implemented.
  - Modules: `src/Api, src/Policy`

### Attestor (182 features)

- [x] **AI Authority Classification Engine**
  - Status: IMPLEMENTED
  - Authority classification engine that determines whether AI outputs are evidence-backed (authoritative) or suggestion-only, with configurable thresholds and scoring across multiple artifact types.
  - Modules: `src/Attestor`
- [x] **AI Explanation Attestation Types (Zastava Companion Predicates)**
  - Status: IMPLEMENTED
  - AI explanation attestation predicates with model identifiers, decoding parameters, and citation support for evidence-grounded AI explanations. Supports deterministic replay.
  - Modules: `src/Attestor`
- [x] **AI Remediation Plan Attestation**
  - Status: IMPLEMENTED
  - Predicate types for AI-generated remediation plans, including steps, risk assessments, and action types, as signed attestation artifacts.
  - Modules: `src/Attestor`
- [x] **AI-Assisted Explanation and Classification**
  - Status: IMPLEMENTED
  - AI authority classifier with explanation scoring, citation references, explanation types, and model identifiers. An AI artifact verification step integrates into the verification pipeline.
  - Modules: `src/Attestor`
- [x] **Attestable Exception Objects with Expiries and Audit Trails**
  - Status: IMPLEMENTED
  - Exceptions are modeled as auditable objects with IDs, owners, expiry dates, and audit trails. The exception ledger UI shows active/pending/expiring counts. Signed override badges indicate cryptographic attestation of exceptions.
  - Modules: `src/Attestor, src/Web`
- [x] **Attestable reachability slices (DSSE/in-toto signed evidence)**
  - Status: IMPLEMENTED
  - Reachability witness payloads wrapped in DSSE-signed attestations provide verifiable evidence slices for triage decisions.
  - Modules: `src/Attestor, src/Cli`
- [x] **Attestation Bundle Verification**
  - Status: IMPLEMENTED
  - Sigstore bundle verification with dedicated verifier and bundler services for validating attestation integrity.
  - Modules: `src/Attestor`
- [x] **Attestation Determinism Testing**
  - Status: IMPLEMENTED
  - Golden test vectors and determinism verification tests ensure byte-for-byte reproducibility of attestations, DSSE envelopes, and policy engine evaluations.
  - Modules: `src/Attestor, src/Policy`
- [x] **Auditor Evidence Extraction (Audit Pack / Evidence Pack)**
  - Status: IMPLEMENTED
  - Exportable evidence packs (audit bundles) containing the RVA attestation, policy bundle, knowledge snapshot manifest, referenced evidence artifacts, and verification replay logs for auditor consumption.
  - Modules: `src/Attestor`
- [x] **Auditor-Ready Evidence Export Packs (SBOM + VEX + Attestation + Provenance)**
  - Status: IMPLEMENTED
  - Full audit pack export system with verdict replay attestation, evidence bundling, and an export center with timeline integration and scheduling.
  - Modules: `src/Attestor, src/ExportCenter, src/__Libraries/StellaOps.AuditPack`
- [x] **Auto-VEX Drafting Attestation**
  - Status: IMPLEMENTED
  - VEX draft generation attestation types for AI-generated VEX statements with justifications, enabling lattice-aware merge preview.
  - Modules: `src/Attestor`
- [x] **Backport Proof Service**
  - Status: IMPLEMENTED
  - BackportProof library in Concelier and a multi-tier BackportProofGenerator in Attestor with confidence scoring, evidence combining, and tier-based proof generation (Tier 1 through 4 plus signature variants).
  - Modules: `src/Attestor, src/Concelier`
- [x] **Binary Diff Predicate / DSSE Attestation for Patch Detection**
  - Status: IMPLEMENTED
  - Complete BinaryDiff predicate implementation with DSSE signing/verification, schema validation, normalization, and serialization for patch detection attestations.
  - Modules: `src/Attestor`
- [x] **Binary Diff with Deterministic Signatures**
  - Status: IMPLEMENTED
  - Binary diff analysis with DSSE-signed evidence output is implemented. The system compares binaries, produces deterministic diff signatures, serializes predicates, and integrates with VEX evidence linking. While the advisory specifically mentions B2R2 IR lifting, the implemented approach uses binary section-level diffing with DSSE attestation.
  - Modules: `src/Attestor, src/Cli, src/Excititor, src/Scanner`
- [x] **Binary Fingerprint Evidence for Reachability Proofs**
  - Status: IMPLEMENTED
  - Binary fingerprint evidence generation with identity info, vulnerability match info, and micro-witness binary references provides cryptographic evidence for binary reachability claims.
  - Modules: `src/Attestor`
- [x] **Binary Fingerprint Evidence Generation**
  - Status: IMPLEMENTED
  - Extensive binary fingerprinting with disassembly, delta signatures, fingerprint indexing, and attestable proof generation covering ELF/PE analysis.
  - Modules: `src/Attestor, src/BinaryIndex`
- [-] **Binary Fingerprint Store and Trust Scoring**
  - Status: PARTIALLY_IMPLEMENTED
  - Binary analysis commands exist in the CLI with score gating, confidence calculation is implemented in the Policy engine, and a Doctor plugin for binary analysis health checks exists. The full binary fingerprint database with ELF/PE section hashing, trust scores, and golden set described in the advisory is only partially realized through the existing binary analysis infrastructure.
  - Modules: `src/Attestor, src/Cli, src/Doctor, src/Policy`
- [x] **Binary Fingerprinting (TLSH + Instruction Hashing)**
  - Status: IMPLEMENTED
  - Binary fingerprinting infrastructure with two methods: Simplified TLSH (locality-sensitive hashing) and Instruction Hash (normalized instruction sequence hashing). Both are proof-of-concept implementations noted as needing production-grade library integration. BinaryFingerprintEvidenceGenerator creates attestable proof segments from binary vulnerability findings.
  - Modules: `src/Attestor, src/BinaryIndex, src/Feedser`
- [x] **Binary Reachability Proofs / Binary Diff Analysis**
  - Status: IMPLEMENTED
  - Full binary diff analysis pipeline with schema validation, DSSE-verified predicates, normalization, and fingerprint evidence generation.
  - Modules: `src/Attestor`
- [x] **Binary-Level SCA and Provenance**
  - Status: IMPLEMENTED
  - Binary fingerprint evidence generation, binary identity and vulnerability matching info, and native binary hardening analysis for PE, ELF, and Mach-O formats.
  - Modules: `src/Attestor, src/Scanner`
- [x] **BinaryDiff/Binary SCA Attestation**
  - Status: IMPLEMENTED
  - Binary diff predicate builder with DSSE signing/verification, section-level diff models, schema validation, and integration with the evidence bundle exporter.
  - Modules: `src/Attestor, src/Scanner`
- [x] **Build Attestation Mapping (SPDX 3.0.1 Build Profile)**
  - Status: IMPLEMENTED
  - Build attestation mapping to/from SPDX 3.0.1 is implemented with bidirectional mappers and build material, metadata, and invocation models.
  - Modules: `src/Attestor`
- [x] **Call-Stack Reachability Analysis**
  - Status: IMPLEMENTED
  - Multi-language call-stack reachability analysis with symbol matching and canonicalization supporting .NET, Java, native (ELF), and scripting languages, plus benchmarking infrastructure with ground-truth validation.
  - Modules: `src/Attestor, src/Cartographer, src/ReachGraph, src/Scanner, src/Web`
- [x] **Canonical Graph Signature (CGS) / Deterministic Verdicts**
  - Status: IMPLEMENTED
  - Deterministic Merkle tree builder, content-addressed IDs, and canonical JSON serialization produce same-inputs-same-output verdicts with verifiable digests.
  - Modules: `src/Attestor, src/__Libraries/StellaOps.Canonical.Json, src/__Libraries/StellaOps.Resolver`
- [x] **Canonicalization and Content Addressing**
  - Status: IMPLEMENTED
  - RFC 8785 JSON canonicalization, deterministic Merkle tree building, and content-addressed ID generation for all proof chain artifacts, ensuring stable hashing.
  - Modules: `src/Attestor`
- [-] **CAS for SBOM/VEX/Attestation Artifacts**
  - Status: PARTIALLY_IMPLEMENTED
  - Content-addressed identifiers are implemented for proof chain artifacts. EvidenceLocker provides bundle building. A full OCI/MinIO CAS for SBOM/VEX blobs is not clearly visible.
  - Modules: `src/Attestor, src/EvidenceLocker`
- [x] **Checkpoint Signature Verification**
  - Status: IMPLEMENTED
  - Checkpoint divergence detection and alert publishing for Rekor transparency log verification.
  - Modules: `src/Attestor`
- [-] **Comparative Evidence/Suppression Pattern Analysis**
  - Status: PARTIALLY_IMPLEMENTED
  - Evidence and suppression patterns are implemented in the scanning and VEX override subsystems. The advisory was primarily a research/comparison document; its findings appear to have influenced the VEX override and evidence panel designs rather than producing a standalone feature.
  - Modules: `src/Attestor, src/Scanner`
- [x] **Confidence Scoring for Backport Detection**
  - Status: IMPLEMENTED
  - Quantifiable confidence scoring (0.0-0.98) for backport detection. Uses the highest individual tier confidence as the base, adds a multi-source bonus (0.05 for 2 sources, 0.08 for 3, 0.10 for 4+), and caps the result at 0.98. Per-tier confidence values: DistroAdvisory=0.98, VersionComparison=0.95, BuildCatalog=0.90, PatchHeader=0.85, ChangelogMention=0.80, BinaryFingerprint=0.70.
  - Modules: `src/Attestor`
- [x] **Content-Addressed Identifiers (ArtifactId, EvidenceId, ProofBundleId)**
  - Status: IMPLEMENTED
  - Full content-addressed ID system with types for ArtifactId, EvidenceId, ReasoningId, VexVerdictId, and ProofBundleId, plus a content-addressed ID generator and SHA256 parser.
  - Modules: `src/Attestor, src/Attestor/__Libraries/StellaOps.Attestor.ProofChain`
- [x] **Content-Addressed IDs for SBOM Components (bom-ref)**
  - Status: IMPLEMENTED
  - Content-addressed ID generator with SBOM entry IDs and CycloneDX subject extraction for deterministic component referencing.
  - Modules: `src/Attestor`
- [x] **Content-Addressed Node and Edge Identifiers**
  - Status: IMPLEMENTED
  - Content-addressed NodeId and EdgeId records with graph-aware ID generation, addressing the advisory's EdgeId gap.
  - Modules: `src/Attestor, src/__Libraries/StellaOps.Resolver`
- [-] **Crypto-Sovereign Design (eIDAS/FIPS/GOST/SM/PQC)**
  - Status: PARTIALLY_IMPLEMENTED
  - SigningKeyProfile supports crypto-sovereign configurations. SM2 tests exist for Chinese crypto support. The signing key registry supports multiple profiles. Full eIDAS/GOST/PQC implementations appear to be partially supported through the profile system, but not all crypto backends are fully implemented.
  - Modules: `src/Attestor`
- [x] **Cryptographic Proof Generation (SHA-256 hashing)**
  - Status: IMPLEMENTED
  - Cryptographic proof generation using canonical JSON serialization and SHA-256 hashing. ProofBlobs are tamper-evident, with computed hashes that can be verified. Note: the codebase hashes with SHA-256 through the CanonJson utilities. The advisory also mentioned BLAKE3-256, and the DB schema references BLAKE3-256 in comments, but the actual code uses SHA-256 via CanonJson.
  - Modules: `src/Attestor`
- [x] **CVSS v4.0 + CycloneDX 1.7 + SLSA v1.2 Scanner Convergence**
  - Status: IMPLEMENTED
  - The scanner stack supports CVSS v4.0 scoring, CycloneDX output (with crypto metadata), and SLSA provenance predicate types. The Signer module includes a statement builder for SLSA provenance and integration tests.
  - Modules: `src/Attestor, src/Policy, src/Signer`
- [x] **CycloneDX 1.6 and SPDX 3.0.1 Full SBOM Support (Parsers, Writers, Attestation)**
  - Status: IMPLEMENTED
  - Comprehensive CycloneDX 1.6 and SPDX 3.0.1 parsers and writers supporting all major SBOM elements: components, services, vulnerabilities, crypto, attestation maps, declarations, evidence, formulation, and more. Includes predicate parsers with metadata extraction and validation, SPDX 3.0 build attestation mappers, and a CycloneDX VEX normalizer. 40+ partial class files for CycloneDX alone.
  - Modules: `src/Attestor, src/__Libraries/StellaOps.Spdx3, src/VexLens`
- [x] **Delta Verdict and Change Trace System**
  - Status: IMPLEMENTED
  - Full delta computation engine with verdict predicates, change trace entries, budget tracking, VEX delta computation, an attestation service, and smart diff with trust indicators. The frontend delta-verdict service and models consume the API. Delta-first comparison shows what changed since the last trusted point.
  - Modules: `src/Attestor, src/Policy, src/Scanner, src/VexLens, src/Web`
- [x] **Deterministic Evidence Graph with Hash-Addressed Nodes**
  - Status: IMPLEMENTED
  - Content-addressed proof graph with typed nodes/edges, subgraph extraction, mutation operations, and content-addressed ID generation for all identifiers (ArtifactId, EvidenceId, ProofBundleId, VexVerdictId, etc.).
  - Modules: `src/Attestor`
- [x] **Deterministic SBOM Canonicalization (RFC 8785 JCS)**
  - Status: IMPLEMENTED
  - Deterministic SBOM canonicalization using the full RFC 8785 JSON Canonicalization Scheme, with decimal point handling, number serialization, string normalization, and reproducible transforms between SPDX and CycloneDX. Verified by property-based determinism tests.
  - Modules: `src/Attestor, src/__Tests/__Libraries/StellaOps.Testing.Determinism.Properties`
- [-] **Deterministic Score from Reachability + Evidence + Provenance**
  - Status: PARTIALLY_IMPLEMENTED
  - Scoring exists in the TrustVerdict service and the SmartDiff scoring config with gate multiplier calculations. The specific basis-point fixed-point arithmetic and Score.v1 format described in the advisory are not found as distinct implementations.
  - Modules: `src/Attestor, src/Scanner`
- [x] **Deterministic verdict serialization (canonical JSON / JCS)**
  - Status: IMPLEMENTED
  - RFC 8785 (JCS) canonical JSON serializer ensures deterministic, byte-stable verdict serialization for reproducible signing.
  - Modules: `src/Attestor`
- [-] **Deterministic Vulnerability Scoring (Score-as-Evidence)**
  - Status: PARTIALLY_IMPLEMENTED
  - A trust verdict scoring service exists with scoring logic, and policy determinism tests validate deterministic outputs. However, the specific "ScoreGraph" concept with basis-point fixed-point arithmetic and Score.v1 policy format described in the advisory is not found as a standalone module; scoring is integrated into the TrustVerdict service.
  - Modules: `src/Attestor, src/Policy, src/Scanner`
- [x] **DSSE (Dead Simple Signing Envelope) for Every Artifact**
  - Status: IMPLEMENTED
  - Comprehensive DSSE signing implementation across the ProofChain, Envelope, and Spdx3 libraries with verification, pre-authentication encoding, and determinism tests.
  - Modules: `src/Attestor`
- [x] **DSSE + in-toto Event Spine (Attestation Pipeline)**
  - Status: IMPLEMENTED
  - DSSE envelope signing and verification across the pipeline. Scanner emits policy decision and human approval attestations; Attestor ProofChain provides DSSE envelope/signature models and verification.
  - Modules: `src/Attestor, src/Scanner`
- [x] **DSSE Attestation Bundling and Batch Publishing to Rekor**
  - Status: IMPLEMENTED
  - Attestation bundling with configurable options, an aggregation abstraction, and a Rekor submission queue with a retry worker and sync background service.
  - Modules: `src/Attestor`
- [x] **DSSE Envelope Signing for Attestations**
  - Status: IMPLEMENTED
  - DSSE envelope creation, signing, verification, and serialization are fully implemented across multiple Attestor libraries. The advisory proposed DSSE signing as part of a batch sweep experiment; the signing infrastructure is production-ready.
  - Modules: `src/Attestor`
- [-] **DSSE Envelope Size Awareness (70-80KB Heuristic)**
  - Status: PARTIALLY_IMPLEMENTED
  - The Rekor proof builder handles envelope construction and validation, but no explicit 70-80KB size heuristic check or automatic payload splitting logic was found. The architecture relies on storing full attestations internally and using Rekor for hash-based inclusion proofs only.
  - Modules: `src/Attestor`
- [-] **DSSE-Signed Exception Objects with Recheck Policy**
  - Status: PARTIALLY_IMPLEMENTED
  - A policy exceptions framework with models, repositories, and services exists, and DSSE signing infrastructure is available. The full UI exception modal with recheck policy enforcement is partially complete.
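The canonicalization, content-addressing and DSSE entries above describe one pipeline: canonicalize the statement with RFC 8785, hash the canonical bytes for a content-addressed ID, and sign the DSSE pre-authentication encoding (PAE) rather than the raw payload. The following is an added example and not StellaOps code: a small JCS serializer, a content-ID helper and the PAE builder, applied to a constructed in-toto statement. The `predicateType` URL, the `statement:sha256:` ID prefix and the sample values are assumptions made for the example, and ES6 exponent spelling for extreme float magnitudes is not reproduced.

```python
"""Added example, not StellaOps code: RFC 8785 (JCS) canonicalization, a SHA-256
content-addressed ID over the canonical bytes, and DSSE pre-authentication
encoding (PAE), i.e. the bytes a DSSE signer actually signs.
The sample statement, predicateType URL and ID prefix are constructed for this example."""
import hashlib
import json
import math


def jcs(value) -> bytes:
    """Canonical JSON per RFC 8785: no whitespace, keys sorted by UTF-16 code
    units, ES6 number formatting, non-ASCII characters emitted literally."""
    return _canon(value).encode("utf-8")


def _canon(value) -> str:
    if value is None:
        return "null"
    if value is True:
        return "true"
    if value is False:
        return "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, float):
        if math.isnan(value) or math.isinf(value):
            raise ValueError("NaN and Infinity are not representable in JSON")
        if value == int(value) and abs(value) < 1e21:
            return str(int(value))  # ES6 prints 1.0 as "1"
        # Assumption: repr() matches ES6 shortest round-trip output for the
        # magnitudes found in SBOM/VEX data; exponent spelling (1e-07 vs 1e-7)
        # for extreme values is not reproduced here.
        return repr(value)
    if isinstance(value, str):
        # json.dumps applies exactly the escapes JCS requires (\", \\, \n, \t,
        # \uXXXX for other controls) and leaves '/' and non-ASCII untouched.
        return json.dumps(value, ensure_ascii=False)
    if isinstance(value, (list, tuple)):
        return "[" + ",".join(_canon(v) for v in value) + "]"
    if isinstance(value, dict):
        # Sorting keys by their UTF-16BE encoding gives RFC 8785's code-unit order.
        items = sorted(value.items(), key=lambda kv: kv[0].encode("utf-16-be"))
        return "{" + ",".join(
            json.dumps(k, ensure_ascii=False) + ":" + _canon(v) for k, v in items
        ) + "}"
    raise TypeError(f"cannot canonicalize {type(value).__name__}")


def content_id(kind: str, value) -> str:
    """Content-addressed identifier: the same logical object always yields the
    same ID because the hash is taken over canonical bytes, not raw input."""
    return f"{kind}:sha256:{hashlib.sha256(jcs(value)).hexdigest()}"


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """PAE(type, payload) = "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload.
    Lengths are byte counts, so a signature over PAE binds both type and payload."""
    t = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


# Constructed sample in-toto statement (field values are illustrative only).
SAMPLE_STATEMENT = {
    "predicate": {"tier": 1, "confidence": 0.98, "sources": ["DistroAdvisory"]},
    "predicateType": "https://example.invalid/backport-proof/v1",  # hypothetical
    "subject": [{"name": "pkg:deb/debian/openssl@3.0.11-1", "digest": {"sha256": "ab" * 32}}],
    "_type": "https://in-toto.io/Statement/v1",
}


def sign_ready(statement) -> dict:
    """Return the canonical payload, its content ID and the PAE bytes for signing."""
    payload = jcs(statement)
    return {
        "payload": payload,
        "id": content_id("statement", statement),
        "pae": dsse_pae("application/vnd.in-toto+json", payload),
    }
```

The point of keying the ID on `jcs(statement)` rather than on whatever bytes arrived is that two producers emitting the same statement with different key order or whitespace get the same ID; the PAE length prefixes are what stop a signature made over one payload type from being replayed as another.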
  - Modules: `src/Attestor, src/Policy`
- [x] **DSSE-Signed Path Witnesses**
  - Status: IMPLEMENTED
  - Reachability witness payloads with path information and witness statements, plus path witness predicate type definitions.
  - Modules: `src/Attestor`
- [-] **DSSE-Wrapped Reach-Maps**
  - Status: PARTIALLY_IMPLEMENTED
  - Rich graphs and suppression witnesses exist with signing infrastructure available, but a specific "signed reach-map artifact" as a standalone DSSE-wrapped output is not distinctly implemented as described.
  - Modules: `src/Attestor, src/Scanner`
- [x] **DSSE/In-Toto Attestation Signing and Verification**
  - Status: IMPLEMENTED
  - Full DSSE envelope signing service supporting ECDSA P-256, Ed25519, and RSA-PSS. Includes in-toto predicate types for proof chains, SPDX3 build attestations, and verification workflows.
  - Modules: `src/Attestor`
- [x] **Durable Submission Queue**
  - Status: IMPLEMENTED
  - Durable Rekor submission queue with backend support, submission responses, and entry event tracking.
  - Modules: `src/Attestor`
- [x] **Edge-Level Attestations (DSSE-signed per dependency edge)**
  - Status: IMPLEMENTED
  - Proof graph edge models with typed edges and a rich graph attestation service in Scanner for emitting per-edge attestation data.
  - Modules: `src/Attestor, src/Scanner`
- [x] **Enhanced Rekor Proof Building with Inclusion Proofs**
  - Status: IMPLEMENTED
  - Full Rekor proof builder with build, validate, and inclusion proof types for transparency log verification.
  - Modules: `src/Attestor`
- [x] **Evidence Chain / Proof Trail for Scores**
  - Status: IMPLEMENTED
  - Score receipts and the determinization system provide evidence trails with canonical input hashes, transform IDs, and policy digests. The ProofChain library supports full evidence chain construction.
  - Modules: `src/Attestor, src/Policy`
- [-] **Evidence Coverage Score for AI Gating**
  - Status: PARTIALLY_IMPLEMENTED
  - The concept of gating AI output behind evidence quality exists via the AIAuthorityClassifier, which scores explanation, remediation, VEX draft, and policy draft quality. The specific UX badge component and coverage scoring service described in the advisory are not implemented as standalone features.
  - Modules: `src/Attestor`
- [x] **Evidence Provenance Chip (DSSE/Receipt with Export)**
  - Status: IMPLEMENTED
  - The advisory proposed a ProvenanceChipComponent showing Signed/Verified/Logged states with DSSE envelope viewing and export. The LineageProvenanceChipsComponent implements this concept as a standalone Angular component displaying attestation status, signature verification status, and Rekor transparency log links with expandable details. The backend DSSE and Rekor infrastructure is fully built in the Attestor module.
  - Modules: `src/Attestor, src/Web`
- [-] **Evidence Subgraph UI Visualization**
  - Status: PARTIALLY_IMPLEMENTED
  - The backend proof graph model is implemented (nodes, edges, subgraphs, paths) and evidence panel e2e tests exist. The status of the full frontend visualization component is unclear from source search alone.
  - Modules: `src/Attestor, src/Web (implied)`
- [x] **Evidence types (SBOM_SLICE, VEX_DOC, CALLSTACK_SLICE, REACHABILITY_PROOF, etc.)**
  - Status: IMPLEMENTED
  - Comprehensive evidence type system in the ProofChain library and UI evidence panel components covering all listed evidence types.
  - Modules: `src/Attestor, src/Web`
- [x] **Evidence-First Security with DSSE Envelopes**
  - Status: IMPLEMENTED
  - All security findings are wrapped in DSSE envelopes; SmartDiff results are attested as delta verdicts and published to OCI registries.
  - Modules: `src/Attestor, src/Scanner`
- [-] **Field-Level Ownership Map for Receipts and Bundles**
  - Status: PARTIALLY_IMPLEMENTED
  - Rekor entry and receipt models exist with structured fields, but a formal field-level ownership map document (checklist page) linking fields to specific module responsibilities was not found as a standalone artifact.
  - Modules: `src/Attestor, src/Cli, src/Platform`
- [x] **FixChain Attestation (Backport Proof)**
  - Status: IMPLEMENTED
  - FixChain provides attestation-based proof that a backport or fix has been applied, with validation and policy gate integration.
  - Modules: `src/Attestor, src/Policy`
- [x] **Four-Layer Architecture (Edge, Control Plane, Evidence Plane, Data Plane)**
  - Status: IMPLEMENTED
  - The described four-layer architecture is realized with distinct modules for edge routing, the control plane (policy/authority/attestor/scheduler), the evidence plane (scanner/excititor/concelier), and the data plane (workers/task runners).
  - Modules: `src/Attestor, src/Authority, src/Concelier, src/Excititor, src/Policy, src/Router, src/Scanner, src/Scheduler, src/TaskRunner`
- [x] **Four-Tier Backport Detection System**
  - Status: IMPLEMENTED
  - A four-tier evidence collection system for backport detection: Tier 1 (Distro Advisories, 0.98 confidence), Tier 2 (Changelog Mentions, 0.80), Tier 3 (Patch Headers + HunkSig, 0.85-0.90), Tier 4 (Binary Fingerprints, 0.55-0.85). BackportProofService orchestrates queries across all tiers and combines evidence into cryptographic ProofBlobs.
  - Modules: `src/Attestor, src/Concelier`
- [x] **Function-Level Reachability for VEX Decisions**
  - Status: IMPLEMENTED
  - Multi-language call graph extraction (binary, Java, Python, Node, PHP, Ruby, JavaScript) is implemented with function-level evidence models (MicroWitness predicates, call path nodes, reachability witness payloads).
- Modules: `src/Attestor, src/Scanner` - [x] **Graph Node/Edge Model with Overlays** - Status: IMPLEMENTED - Graph module has core node/edge model with overlay services, query APIs, and analytics. ProofChain library in Attestor also maintains its own graph node/edge/subgraph types. - Modules: `src/Attestor, src/Graph` - [x] **Graph Revision ID (Merkle root over SBOM + edges + policies + tool versions)** - Status: IMPLEMENTED - Content-addressed graph revision IDs and Merkle root computation are implemented via the GraphRoot library with dedicated attestor, models, and SHA-256-based Merkle root computation. - Modules: `src/Attestor` - [x] **Hash-stable proofs (deterministic attestation outputs)** - Status: IMPLEMENTED - Determinism is enforced and tested at multiple levels: attestation type determinism, DSSE envelope determinism, canonical payload determinism, with dedicated benchmark harness. - Modules: `src/Attestor, src/Bench, src/Signer` - [x] **High-Fidelity SBOM Support (CycloneDX/SPDX)** - Status: IMPLEMENTED - Comprehensive SBOM support with dedicated service, full CycloneDX and SPDX 2.x/3.x parsers and writers, plus UI for SBOM browsing. Extensive coverage of components, vulnerabilities, licensing, relationships, and more. - Modules: `src/Attestor, src/SbomService, src/Web` - [-] **Idempotent SBOM/Attestation APIs** - Status: PARTIALLY_IMPLEMENTED - Content-addressed identification for artifacts is implemented. Full idempotent REST API endpoints (POST /sbom/ingest, POST /attest/verify) are not clearly visible as standalone web service endpoints. - Modules: `src/Attestor` - [-] **Immutable Evidence Storage and Regulatory Alignment (NIS2/DORA/ISO-27001)** - Status: PARTIALLY_IMPLEMENTED - The underlying evidence storage and proof chain infrastructure exists. Specific regulatory compliance mapping (NIS2, DORA, ISO-27001 report templates) not found as distinct modules. 
- Modules: `src/Attestor, src/__Libraries/StellaOps.AuditPack` - [x] **In-toto DSSE Attestations with Multiple Predicate Types** - Status: IMPLEMENTED - Complete DSSE/in-toto attestation framework with build provenance, SBOM, scan results, policy evaluation, VEX, risk profile, AI predicates, and more. - Modules: `src/Attestor` - [-] **In-toto Link Attestation Capture** - Status: PARTIALLY_IMPLEMENTED - The attestation pipeline supports DSSE-wrapped statements and proof chains, which follow in-toto patterns. However, the specific per-step in-toto link capture with `in-toto-run` wrappers as described is not directly implemented. - Modules: `src/Attestor` - [x] **In-toto Statement and Provenance System (SBOM, Evidence, Reasoning, VEX, SLSA)** - Status: IMPLEMENTED - Full in-toto statement builder framework generating Evidence, Reasoning, VexVerdict, ProofSpine, and SbomLinkage statements with snapshot-based golden testing. In-toto/DSSE provenance attestation with SLSA provenance parsing, schema validation, layout verification, and SPDX3 build attestation mapping. - Modules: `src/Attestor, src/Provenance` - [x] **Knowledge Snapshots with Merkle-Root Sealing** - Status: IMPLEMENTED - Replay manifests with feed snapshots, Merkle tree sealing, and policy snapshot storage provide sealed knowledge snapshots. - Modules: `src/Attestor, src/Policy, src/__Libraries/StellaOps.Replay.Core` - [x] **Local Rekor-style Merkle Transparency Log** - Status: IMPLEMENTED - Merkle tree construction with inclusion and consistency proofs is implemented, along with Rekor integration and local transparency log support for offline verification. - Modules: `src/Attestor, src/Provenance, src/Signer` - [x] **Machine-Verifiable DSSE Verdict Receipts** - Status: IMPLEMENTED - Verification receipts with checks, context, and verdict receipt payloads are fully modeled and implemented. 
- Modules: `src/Attestor` - [x] **Merkle Tree Proof System (Root Aggregation, ProofSpine Bundles, Evidence Chain Verification)** - Status: IMPLEMENTED - Deterministic Merkle tree builder with proof generation, step-by-step inclusion proofs, tree-with-proofs assembly, and attestation Merkle root aggregation. ProofSpine bundles aggregate multiple proofs into a single verifiable root. Both generic ProofChain and TrustVerdict-specific Merkle builders exist. - Modules: `src/Attestor, src/Attestor/__Libraries/StellaOps.Attestor.ProofChain` - [x] **Micro-Witness Evidence (Function-Level)** - Status: IMPLEMENTED - Complete micro-witness system with binary refs, CVE refs, function-level evidence, verdict models, and tooling metadata for fine-grained reachability proof. - Modules: `src/Attestor` - [x] **Minimal Reachability Subgraph Attestation** - Status: IMPLEMENTED - Stores minimal call/data/control edge subgraphs connecting entrypoints to vulnerable sinks as attested evidence. - Modules: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain` - [-] **Monthly Bundle Rotation and Re-Signing** - Status: PARTIALLY_IMPLEMENTED - The attestation and signing infrastructure exists but the specific monthly bundle re-signing workflow is a planned sprint task. - Modules: `src/Attestor` - [x] **Multi-tenant PostgreSQL with RLS and Schema Isolation** - Status: IMPLEMENTED - Module-scoped PostgreSQL schemas with RLS policies, tenant-scoped tables with required columns (id, tenant_id, created_at, updated_at), JSONB-first patterns, and queue patterns (SKIP LOCKED). - Modules: `src/Attestor, src/Excititor, src/Policy, src/Scanner` - [x] **Native VEX Ingestion and Decisioning** - Status: IMPLEMENTED - Full VEX pipeline with ingestion (Excititor), hub for VEX document management, lens for analysis, override system with DSSE-signed decisions, merge trace for conflict resolution, and multiple UI views (studio, hub, timeline). 
- Modules: `src/Attestor, src/Excititor, src/VexHub, src/VexLens, src/Web` - [-] **Noise Ledger (Audit Log of Suppressions)** - Status: PARTIALLY_IMPLEMENTED - Suppression witnesses and audit hash logging exist in the backend. CLI audit commands exist. A dedicated "Noise Ledger" UX component is not present, though the underlying audit/suppression infrastructure is in place. - Modules: `src/Attestor, src/Cli, src/Scanner` - [x] **OCI Attestation Attachment (Referrers API, ORAS, Cosign Compatible)** - Status: IMPLEMENTED - OCI Distribution Spec 1.1 compliant attestation attacher using ORAS with referrers API support. Attaches verdict attestations, delta verdicts, evidence bundles, and SBOMs to container image digests. Supports cosign compatibility, attach/fetch/list operations, and OCI registry client for discovery. - Modules: `src/Attestor, src/Attestor/__Libraries/StellaOps.Attestor.Oci, src/Cli, src/__Libraries/StellaOps.DeltaVerdict` - [x] **Offline Verification System (Rekor Mirror, Local Log, Sigstore Bundle)** - Status: IMPLEMENTED - Offline Rekor receipt verification using local Merkle proof verification without network dependency. TileProxy provides local tile-based transparency log proxy with content-addressed storage. Sigstore bundle offline verifier with integration tests for air-gapped scenarios. - Modules: `src/Attestor` - [x] **Patch Oracle (Binary Diff for CVE Function Identification)** - Status: IMPLEMENTED - Patch verification orchestration with patch signature storage and binary diff predicate building is implemented, enabling CVE function identification through patch comparison. - Modules: `src/Attestor, src/Scanner` - [x] **Patch-Aware Backport Detection with Proof-Carrying VEX (Tier1-4)** - Status: IMPLEMENTED - Full backport proof pipeline from extractors through tiered proof generation (Tier1: advisory match, Tier2: source proof, Tier3: binary proof, Tier4: signature match) with VEX integration. 
Patch verification orchestrator handles distro backports correctly. - Modules: `src/Attestor, src/BinaryIndex, src/Concelier, src/Findings, src/Scanner` - [x] **Per-Finding Explainability (SBOM Node, Match Rule, VEX Gate, Reachability Trace)** - Status: IMPLEMENTED - Finding summaries, verdict decisions with inputs/outputs, and policy decisions are modeled for per-finding explainability. - Modules: `src/Attestor` - [x] **Policy Studio Copilot Attestation** - Status: IMPLEMENTED - Policy draft attestation types for AI-generated lattice rules with test case generation and signed snapshots. - Modules: `src/Attestor` - [-] **PostgreSQL Persistence Layer (Per-Module Schemas, Migrations, RLS)** - Status: PARTIALLY_IMPLEMENTED - PostgreSQL persistence is implemented for Attestor, Scanner, Policy, and TrustVerdict modules with Npgsql, migrations, and repository patterns. Full blueprint (RLS scaffolds, temporal tables for Unknowns, materialized views for triage) is partially realized; not all modules have dedicated schemas. - Modules: `src/Attestor, src/Policy, src/Scanner` - [x] **Predicate Schema Validation (including Delta Validators)** - Status: IMPLEMENTED - Schema validation for all predicate types including SBOM deltas, VEX deltas, reachability witnesses, and delta verdicts. - Modules: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain` - [x] **Private/Self-Hosted Rekor Support** - Status: IMPLEMENTED - Enhanced Rekor proof builder supports configurable endpoints, enabling private/self-hosted Rekor instances for air-gap deployments. - Modules: `src/Attestor` - [x] **Proof Audit Trail / Transparency Log** - Status: IMPLEMENTED - Generated proofs are stored in attestor.proof_blobs with tamper-evident hashing (proof_hash UNIQUE constraint). Each proof includes snapshot_id, evidence_count, confidence, and full payload JSONB. The ProofHashing.VerifyHash method allows verification that proof content has not been tampered with. 
- Modules: `src/Attestor, src/Concelier` - [x] **Proof Chain REST API (Backend Services)** - Status: IMPLEMENTED - REST API endpoints for querying proof chains by subject digest, retrieving evidence chain graphs, and verifying proof integrity with DSSE signature and Rekor inclusion checks. - Modules: `src/Attestor` - [x] **Proof Graph (Node/Edge Types for Evidence Lineage and Integrity)** - Status: IMPLEMENTED - In-memory proof graph service with typed nodes (Artifact, SbomDocument, DsseEnvelope, RekorEntry, VexStatement, Subject) and edges (DESCRIBED_BY, ATTESTED_BY, WRAPPED_BY, etc.) supporting mutation, queries, paths, and subgraph extraction. - Modules: `src/Attestor, src/Attestor/__Libraries/StellaOps.Attestor.ProofChain` - [x] **Proof Spine System (Assembly, Segment Construction, Explainable Quiet Alerts)** - Status: IMPLEMENTED - Proof spine builder producing chained segments (SBOM_SLICE, MATCH, REACHABILITY, GUARD_ANALYSIS, RUNTIME_OBSERVATION, POLICY_EVAL), each DSSE-signed with hash-linked predecessors. Chains evidence IDs, reasoning IDs, VEX verdict IDs into signed proof bundles with Merkle root computation. VexProofSpineService in Policy engine enables explainable quiet alerts. - Modules: `src/Attestor, src/Policy, src/Scanner` - [x] **Proof-Carrying Reachability Evidence** - Status: IMPLEMENTED - Reachability evidence as portable, signed attestation bundles containing witness paths (call-path subgraphs from entrypoint to vulnerable node), gate conditions, and assumptions. - Modules: `src/Attestor` - [x] **Proof-Carrying Security Decisions (Proof Chain)** - Status: IMPLEMENTED - The ProofChain library is the core of the system with graph, signing, verification, merkle proofs, content-addressed IDs, DSSE, Rekor integration, predicates, statements, and a web service for querying. Every security decision carries linked proof. 
- Modules: `src/Attestor` - [x] **Provenance/Attestation Pipelines (End-to-End)** - Status: IMPLEMENTED - End-to-end attestation pipeline covering build provenance (SLSA), SBOM attestation, VEX attestation, verdict attestation, OCI referrer attachment, and sealed audit pack export/import. - Modules: `src/Attestor, src/ExportCenter, src/Provenance, src/Signer` - [x] **Reachability Drift Detection and Delta Evidence** - Status: IMPLEMENTED - Reachability drift predicates tracking new/removed call paths to vulnerable functions with drift analysis metadata, delta summaries between baselines, and reachability status flip tracking between scans. - Modules: `src/Attestor, src/Attestor/__Libraries/StellaOps.Attestor.ProofChain, src/Scanner` - [x] **Reachability Graph Service (Slice and Replay)** - Status: IMPLEMENTED - Full reachability graph service with slice extraction, deterministic replay, storage, and REST API. - Modules: `src/Attestor, src/Cartographer, src/ReachGraph` - [x] **Reachability Witness Proofs (Attestation Predicates, Call-Graph Evidence, UI Panels)** - Status: IMPLEMENTED - Full attestation predicates for reachability witness payloads including call paths, drift detection, and gate metadata. Entrypoint-to-vulnerable-symbol evidence trails as proof chain statements. UI evidence panels with E2E tests showing visual proof of reachability. - Modules: `src/Attestor, src/Web` - [x] **Reachability-Aware Vulnerability Prioritization (Competitive Differentiator)** - Status: IMPLEMENTED - Reachability witness payload with path information, micro-witness function evidence and verdicts, DSSE-signed reachability witnesses, and ground-truth reachability datasets for validation. 
- Modules: `src/Attestor, src/Scanner, src/__Tests` - [x] **Rekor Integration System (Client, Persistence, Retry, Sync, v2 Tiles, Checkpoint Store)** - Status: IMPLEMENTED - Comprehensive Rekor integration: IRekorClient with production/resilient/stub implementations for DSSE submission and inclusion proof verification. Checkpoint persistence with Postgres storage and divergence detection. DB schema with entity mapping, structured entry model (UUID, log index, integrated time, inclusion proof). Background retry worker for failed submissions, sync background service for continuous verification, and v2 tile-backed architecture with HTTP client and tile cache interface. - Modules: `src/Attestor` - [-] **Rekor Envelope Size Guardrails (100KB limit)** - Status: PARTIALLY_IMPLEMENTED - Bundling and queue options exist with configurable size limits, and TileProxy has size-related options. However, no explicit 100KB size heuristic guard was found. - Modules: `src/Attestor` - [x] **Release Evidence Pack (Audit Pack)** - Status: IMPLEMENTED - Portable, verifiable audit bundles with manifest (digests of every included file), SBOM inputs, VEX docs, policy bundles, exceptions, findings, verdict, and explanation. Supports offline verification and tamper detection. - Modules: `src/Attestor` - [x] **Remediation Planner** - Status: IMPLEMENTED - Frontend has remediation plan preview, remediation panel, and AI-assisted remediation. Backend has structured remediation step models with risk assessment and verification status. - Modules: `src/Attestor, src/Web` - [x] **Replay Fidelity Verification** - Status: IMPLEMENTED - Replay result and verification models, AI artifact replayer interface, SBOM replay verification service, and CLI replay commands for deterministic replay verification. 
- Modules: `src/Attestor, src/Cli, src/SbomService` - [x] **RFC 8785 Canonical JSON Serialization** - Status: IMPLEMENTED - Full RFC 8785 JSON canonicalizer with decimal point, number serialization, string normalization, and write method implementations. Verified by determinism property-based tests and canonical JSON test suite. - Modules: `src/Attestor, src/Provenance, src/__Tests` - [x] **Risk Budget / Unknowns Gate** - Status: IMPLEMENTED - Risk budget enforcement with unknowns gate checker, budget violation predicates, and unknowns aggregation across evidence chains. - Modules: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain, src/Policy, src/__Libraries/StellaOps.DeltaVerdict` - [ ] **S3/MinIO/GCS Object Storage for Tiles** - Status: NOT_FOUND - Advisory proposed object storage (S3/MinIO/GCS) for large tile blobs as an alternative to filesystem cache. This was explicitly deferred as a low-priority future enhancement. - Modules: `src/Attestor` - [x] **SBOM Delta System (Component Diffing, Predicates, Signed Evidence)** - Status: IMPLEMENTED - Complete SBOM delta system: component-level diff tracking (added/removed/version changes), formal JSON schema for delta predicates, structured taxonomy, DSSE-signed delta evidence objects, and dedicated UI visualization. SBOM diffs are first-class signed evidence objects with attestation service producing DSSE-signed delta predicates. - Modules: `src/Attestor, src/Attestor/__Libraries/StellaOps.Attestor.ProofChain, src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates, src/Web` - [x] **SBOM Interop Round-Trip Testing** - Status: IMPLEMENTED - SBOM round-trip testing with canonical verification ensuring CycloneDX and SPDX outputs can be parsed, re-serialized, and verified for format compliance. 
- Modules: `src/Attestor, src/Cli, src/__Tests` - [x] **SBOM Ledger + Lineage (Moat Score 3)** - Status: IMPLEMENTED - Versioned SBOM storage with advisory and feed snapshot repositories, plus comprehensive SBOM parsing and writing for multiple formats. - Modules: `src/Attestor, src/Concelier` - [x] **SBOM Linkage Statement (in-toto predicate)** - Status: IMPLEMENTED - SBOM linkage statement model with SBOM descriptor (format, spec version, digest), generator info, incomplete subjects tracking, and tags for tenant/project/pipeline. - Modules: `src/Attestor` - [x] **SBOM Linkage to VEX** - Status: IMPLEMENTED - SBOM-to-VEX linkage with component reference extraction from both CycloneDX and SPDX SBOMs. - Modules: `src/Attestor` - [x] **SBOM Schema Validation/Gating** - Status: IMPLEMENTED - Schema validation for SBOM predicates (both CycloneDX and SPDX) with structured validation results for gating decisions. - Modules: `src/Attestor` - [x] **SBOM Spine (Image to SBOM to DSSE to Transparency Log)** - Status: IMPLEMENTED - The full SBOM spine (SBOM generation in CycloneDX/SPDX, DSSE signing, Rekor transparency log integration) is implemented. - Modules: `src/Attestor` - [x] **SBOM-First Pipeline (Scanner -> Sbomer -> Authority -> Graphs)** - Status: IMPLEMENTED - End-to-end SBOM-first pipeline with scanner producing SBOMs, Attestor parsing CycloneDX/SPDX predicates, and Graph module ingesting SBOMs for indexing. - Modules: `src/Attestor, src/Graph, src/Scanner` - [x] **SBOM-to-VEX Proof Pipeline** - Status: IMPLEMENTED - Full SBOM-to-VEX proof pipeline with pipeline request/result models, SBOM component extraction, VEX proof integration, and Rekor transparency log entries. - Modules: `src/Attestor` - [x] **Score Proofs (Deterministic Scoring with Cryptographic Proofs)** - Status: IMPLEMENTED - Deterministic scoring with cryptographic proofs using content-addressed IDs, Merkle trees, DSSE-signed attestations, and a ProofLedger. 
The Attestor.ProofChain library contains extensive implementation for proof bundles, spine assembly, and verification pipelines. - Modules: `src/Attestor, src/Policy` - [-] **Score Replay and Verification** - Status: PARTIALLY_IMPLEMENTED - Replay subsystem exists with a dedicated module, ProofChain replay models, and CLI commands. However, the specific `/score/{id}/replay` REST endpoint and DSSE-signed replay attestation with payload type `application/vnd.stella.score+json` are likely not yet wired up (sprint tasks TSF-011, TSF-007). - Modules: `src/Attestor, src/Cli, src/Replay` - [x] **Security State Snapshot (Content-Addressed Release Bundle)** - Status: IMPLEMENTED - Versioned, content-addressed snapshot bundles that capture SBOM graph, reachability graph, VEX claim set, policies, data-feed identifiers, and toolchain versions as digests for a release evaluation. - Modules: `src/Attestor, src/Policy` - [x] **Signal Normalization Pipeline** - Status: IMPLEMENTED - Signal normalization exists through the existing scoring engine and determinization evidence system, handling CVSS, KEV, EPSS, and other signal providers. - Modules: `src/Attestor, src/Policy` - [x] **Signed delta-verdicts (cryptographically bound verdicts per policy evaluation)** - Status: IMPLEMENTED - Delta verdict model and predicate types implement signed, cryptographically bound verdicts tracking changes between policy evaluations. - Modules: `src/Attestor, src/Policy, src/__Libraries/StellaOps.DeltaVerdict, src/__Libraries/StellaOps.Verdict` - [x] **Signed Risk Verdicts (DSSE/in-toto Envelope)** - Status: IMPLEMENTED - Verdicts signed as DSSE/in-toto attestations bound to immutable artifact digests, containing policy binding, knowledge snapshot binding, evaluator version, rationale, findings references, and unknowns state. 
- Modules: `src/Attestor, src/Policy` - [x] **Sigstore Bundle Support** - Status: IMPLEMENTED - Full Sigstore bundle support with builder, verifier, serializer, and models for Sigstore-compatible attestation bundles. - Modules: `src/Attestor` - [x] **Single Canonical Verdict Attestation per Subject** - Status: IMPLEMENTED - VerdictBuilder service produces signed verdict attestations with DSSE envelopes, enabling single canonical verdict per artifact. - Modules: `src/Attestor, src/__Libraries/StellaOps.Verdict` - [x] **SLSA v1 Provenance Predicate with Validation and Build Material Tracking** - Status: IMPLEMENTED - Full SLSA v1 provenance predicates with parsing, schema validation (build definition, run details, level checks), and build material/metadata/invocation models. - Modules: `src/Attestor` - [x] **Smart-Diff System (Semantic Security Delta, Binary Diff Predicates)** - Status: IMPLEMENTED - Smart-diff computing semantic security deltas between SBOM versions with material risk change detection, reachability-aware gating, delta verdict generation, SARIF output, and CLI commands. Binary diff as signed predicates with schema validation, DSSE verification, normalization, and finding extraction. - Modules: `src/Attestor, src/Cli, src/Policy, src/Scanner, src/Web` - [-] **Snapshot Export/Import for Air-Gap** - Status: PARTIALLY_IMPLEMENTED - Offline verification and evidence pack serialization exists. Full standalone snapshot export/import bundle format (Level B/C portable snapshots) may still be evolving based on evidence pack infrastructure. - Modules: `src/Attestor, src/Policy` - [x] **SPDX 3.0.1 Writer with Build Attestation and Canonical Persistence** - Status: IMPLEMENTED - SPDX 3.0 writer with build profile support, dedicated SPDX3 library for bidirectional build attestation mapping, combined document building with attestation/profile support, and canonical persistence. 
- Modules: `src/Attestor, src/__Libraries/StellaOps.Spdx3` - [x] **Tile Caching (Filesystem)** - Status: IMPLEMENTED - Filesystem-based immutable tile cache for Rekor v2 tiles, SHA-256 indexed, suitable for offline/air-gap scenarios. - Modules: `src/Attestor` - [x] **Trust Anchor Management** - Status: IMPLEMENTED - Trust anchor system with per-dependency anchors (public key + policy), PURL pattern matching, allowed key IDs, revoked keys tracking, and verification step integration. - Modules: `src/Attestor` - [x] **Trust Verdict Evidence Chain (Merkle Proof)** - Status: IMPLEMENTED - Trust verdict evidence chain built as a Merkle tree for tamper-evident evidence binding, with proofs and evidence ordering for verifiable trust scoring. - Modules: `src/Attestor` - [x] **Uncertainty Budget System (Schema, Predicates, Violation Tracking)** - Status: IMPLEMENTED - Full backend schema for uncertainty budgets: budget payloads, violation predicates, check results, exception references, and JSON schema validation with test coverage. - Modules: `src/Attestor` - [x] **Unknowns System (First-Class State, Budget Enforcement, Registry, Attestation Binding)** - Status: IMPLEMENTED - Full unknowns tracking as first-class state: dedicated module with budget enforcement, ranking, taxonomy, budget-exceeded event publishing, IUnknownsAggregator interface, and UnknownItem records. Registry with trust-decay scoring, repository persistence, and ProofChain aggregation. Unknowns cryptographically bound to attestations via uncertainty statements, budget predicates, and JSON schemas. UI components for unknowns queue and budget widgets. - Modules: `src/Attestor, src/Policy, src/Unknowns, src/Web` - [-] **Unknowns Five-Dimensional Triage Scoring (P/E/U/C/S with Hot/Warm/Cold Bands)** - Status: PARTIALLY_IMPLEMENTED - Unknowns aggregation with item model and aggregator service exist. 
The full five-dimensional weighted scoring formula (P/E/U/C/S) with Hot/Warm/Cold banding and Scheduler-driven triage automation is partially implemented. - Modules: `src/Attestor, src/Scanner` - [x] **Verdic Replay (Deterministic Replay)** - Status: IMPLEMENTED - Verdict replay service for deterministic re-execution of security decisions with input manifest resolution and verification. - Modules: `src/Attestor, src/Replay` - [x] **Verdict Delta Taxonomy** - Status: IMPLEMENTED - Decision delta taxonomy tracking policy outcome changes (PASS to FAIL) and explanation drivers between baselines. - Modules: `src/Attestor` - [x] **Verdict Ledger (Append-Only Store)** - Status: IMPLEMENTED - Append-only verdict ledger for tamper-evident storage of all verdict decisions with hash chain integrity. - Modules: `src/Attestor` - [x] **Verdict Rekor Publisher (Transparency Log Publishing)** - Status: IMPLEMENTED - Publishes verdict attestations to Rekor transparency log, linking verdict decisions to tamper-evident public record. - Modules: `src/Attestor` - [x] **Verifiable SBOM-to-VEX Chain** - Status: IMPLEMENTED - VEX proof integrator links VEX statements to SBOM components with component ref extraction, SBOM linkage statements, and VEX attestation predicates for chain verification. - Modules: `src/Attestor` - [x] **Verification Pipeline (Multi-step Proof Verification)** - Status: IMPLEMENTED - Multi-step verification pipeline with pluggable steps: DSSE signature check, ID recomputation, Rekor inclusion proof, trust anchor verification. Each step produces structured results. - Modules: `src/Attestor` - [x] **VEX Attestation Predicate Pipeline** - Status: IMPLEMENTED - Complete VEX attestation pipeline from predicate creation through proof integration to verdict statements. 
- Modules: `src/Attestor` - [x] **VEX Decisioning as First-Class Policy Objects** - Status: IMPLEMENTED - VEX decisions are modeled as first-class policy objects with dedicated UI modal, decision service, history tracking, merge explanations, and backend attestable VEX override predicates with builder/parser infrastructure. - Modules: `src/Attestor, src/Web` - [x] **VEX Delta Evidence and Tracking (Claim Transitions)** - Status: IMPLEMENTED - VEX delta predicates capturing per-CVE claim transitions (affected/not_affected/fixed) with merge traces and reason codes. Tracks changes in VEX statements between scans. - Modules: `src/Attestor, src/Attestor/__Libraries/StellaOps.Attestor.ProofChain` - [-] **VEX Findings API with Proof Artifacts** - Status: PARTIALLY_IMPLEMENTED - VEX verdict models, VEX delta predicates, and a VexProofSpineService exist in the backend, but the full API contract (GET /vex/findings/:id with proof artifacts) is not visible as a standalone endpoint. - Modules: `src/Attestor, src/Policy` - [x] **VEX Integration with Proof-Carrying Verdicts** - Status: IMPLEMENTED - VEX verdicts carry cryptographic proof references (proof_ref, proof_method, proof_confidence, evidence_summary). ProofAwareVexGenerator in Scanner orchestrates end-to-end flow: scanner detects CVE, BackportProofService generates proof, VexProofIntegrator embeds proof metadata in VEX verdict. - Modules: `src/Attestor, src/Scanner` - [x] **VEX Integration with Reachability** - Status: IMPLEMENTED - VEX candidates emitted from SmartDiff are bridged to reachability gates, VEX proof gate in policy engine, and VEX proof integrator in attestation for evidence-backed VEX statements. - Modules: `src/Attestor, src/Policy, src/Scanner` - [x] **VEX Override Predicate System (Signed Justifications with Proofs)** - Status: IMPLEMENTED - Full VEX override predicate system with builder, parser, serialization, validation, decision models, evidence references, and tool info. 
Supports "not_affected" claims with structured proof bundles and signed justifications. - Modules: `src/Attestor` - [-] **VEX Receipt Sidebar** - Status: PARTIALLY_IMPLEMENTED - Backend VEX receipt model and verdict receipt statement exist. VEX hub feature exists in frontend but a dedicated "sidebar" UX for individual VEX receipts is not a standalone component. - Modules: `src/Attestor, src/Web` - [x] **VEX Trust Scoring (Source Trust + Statement Quality)** - Status: IMPLEMENTED - Comprehensive trust verdict service with scoring that combines origin verification, freshness evaluation, reputation scores, and trust composites into a deterministic trust verdict predicate. - Modules: `src/Attestor, src/Policy, src/VexLens` - [x] **VEX-First Decisioning Pipeline** - Status: IMPLEMENTED - VEX-first decision pipeline with override predicates, proof integration, and attestation-backed VEX statements. - Modules: `src/Attestor` - [x] **Enhanced Rekor Proof Persistence** - Status: IMPLEMENTED - Enhanced Rekor proof persistence storing checkpoint signatures, checkpoint notes, entry body hashes, and verification timestamps for complete offline verification without Rekor connectivity. - Modules: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/` - Sprint: SPRINT_20260118_016_Attestor_dsse_rekor_completion.md - [x] **Graph Root DSSE Attestation Service** - Status: IMPLEMENTED - Service for creating and verifying DSSE-wrapped in-toto attestations of Merkle graph roots. Supports multiple graph types (ResolvedExecutionGraph, ReachabilityGraph, DependencyGraph, ProofSpine, EvidenceGraph) with optional Rekor publication. Enables offline verification by comparing recomputed roots against attested values. Distinct from "Merkle Root Aggregation" and "Graph Revision IDs" which compute roots; this attests them as first-class DSSE-signed entities. 
  - Modules: `src/Attestor/`
  - Sprint: SPRINT_8100_0012_0003_graph_root_attestation.md
- [x] **Periodic Rekor Verification Job**
  - Status: IMPLEMENTED
  - Scheduled background job that periodically re-verifies Rekor transparency log entries to detect post-compromise tampering, with metrics emission, health check integration, and a dedicated Doctor plugin for verification status monitoring.
  - Modules: `src/Attestor/`, `src/Doctor/`
  - Sprint: SPRINT_20260117_001_ATTESTOR
- [x] **Proof Chain CLI Commands with Structured Exit Codes**
  - Status: IMPLEMENTED
  - CLI commands for proof chain operations (`stellaops proof verify`, `stellaops proof spine`, `stellaops anchor`, `stellaops receipt`) with structured exit codes (0=success, 1=policy violation, 2=system error) enabling CI/CD integration.
  - Modules: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/`
  - Sprint: SPRINT_0501_0007_0001_proof_chain_cli_integration.md
- [x] **Proof Chain Database Schema (PostgreSQL Persistence)**
  - Status: IMPLEMENTED
  - PostgreSQL-backed persistence layer for proof chain data with 5 core tables (sbom_entries, dsse_envelopes, spines, trust_anchors, rekor_entries), EF Core entity mappings, and IProofChainRepository abstraction.
  - Modules: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/`
  - Sprint: SPRINT_0501_0006_0001_proof_chain_database_schema.md
- [x] **RichGraph Attestation Service (stella.ops/richgraph@v1 predicate)**
  - Status: IMPLEMENTED
  - Generates DSSE-signed attestations capturing the full evidence graph (nodes, edges, paths) for a scan result. Uses the stella.ops/richgraph@v1 in-toto predicate type to attest the complete dependency and evidence graph topology.
  - Modules: `src/Attestor/`
  - Sprint: batch_01/file_15.md
- [x] **SBOM-VEX bom-ref Cross-Linking (ComponentRefExtractor)**
  - Status: IMPLEMENTED
  - Bidirectional linking between VEX statements and SBOM components via CycloneDX bom-ref and SPDX SPDXID extraction, with PURL-to-bom-ref resolution service.
  - Modules: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Linking/`
  - Sprint: SPRINT_20260118_016_Attestor_dsse_rekor_completion.md
- [-] **DSSE Envelope Size Management and Gateway Traversal**
  - Status: PARTIALLY_IMPLEMENTED
  - Envelope size awareness exists in EPSS fetcher and delta-sig CLI commands. Bundling and queue options exist with configurable size limits. HMAC-based DSSE envelope signing exists in the scanner worker. No explicit size heuristic check (70-80KB) or automatic payload splitting/chunking logic found. NGINX/WAF gateway configuration is infrastructure-level.
  - Modules: `src/Attestor, src/Cli, src/RiskEngine, src/Scanner`
- [-] **Deterministic Trust Score and Vulnerability Scoring**
  - Status: PARTIALLY_IMPLEMENTED
  - EWS engine, Determinization system, UnifiedScoreService, and 6-dimension normalizers (RCH/RTS/BKP/XPL/SRC/MIT) provide the scoring foundation. TrustVerdict service and SmartDiff scoring exist. The unified facade combining EWS + Determinization exists as UnifiedScoreService. Specific basis-point fixed-point arithmetic and Score.v1 format are not built as distinct implementations.
  - Modules: `src/Attestor, src/Policy, src/RiskEngine, src/Scanner, src/Signals`
- [-] **Vulnerability-First Triage UX with Exploit Path Grouping and Proof Bundles**
  - Status: PARTIALLY_IMPLEMENTED
  - Backend triage service with DB context, reachability subgraph extraction, and proof generation exist. UI triage inbox and queue components are partially complete. Exploit path grouping tests exist.
  - Modules: `src/Attestor, src/Scanner, src/Web`
- [x] **Explanation Graph (Verdict -> Reasoning -> Evidence)**
  - Status: IMPLEMENTED
  - Proof graph provides the structural backbone linking verdicts to reasoning paths to evidence nodes. Edge explanations in ReachGraph and explainability KPIs in Metrics provide additional layers.
  - Modules: `src/Attestor, src/__Libraries/StellaOps.ReachGraph`
- [ ] **DSSE+Rekor Batch Size Benchmarking Tool (stella-attest-bench)**
  - Status: NOT_FOUND
  - The advisory proposed a dedicated CLI benchmarking tool (stella-attest-bench) to sweep DSSE envelope batch sizes against Rekor and determine optimal defaults. While the underlying DSSE and Rekor infrastructure exists, no dedicated benchmarking/experiment tool was implemented.
- [x] **Scoring Rules Snapshot with Digest**
  - Status: IMPLEMENTED
  - Captures scoring rules at evaluation time as a content-addressed snapshot with digest, enabling deterministic replay of scoring decisions and audit of which rules were in effect.
  - Modules: `src/`
  - Sprint: SPRINT_3850_0001_0001_competitive_gap_closure.md
- [x] **Adaptive Noise Gating for Vulnerability Graphs**
  - Status: IMPLEMENTED
  - Four-part noise reduction system: (1) Semantic edge deduplication collapsing redundant edges with provenance sets, (2) Proof Strength hierarchy (Authoritative=100 > BinaryProof=80 > StaticAnalysis=60 > Heuristic=40), (3) Stability damping gate preventing flip-flopping verdicts with hysteresis thresholds, (4) Delta sections categorizing changes as New/Resolved/ConfidenceUp/ConfidenceDown/PolicyImpact.
  - Sprint: SPRINT_20260104_001_BE_adaptive_noise_gating.md
- [x] **ASN.1-Native RFC 3161 Timestamp Token Parsing**
  - Status: IMPLEMENTED
  - Native ASN.1 parsing of RFC 3161 timestamp tokens using System.Formats.Asn1 (no BouncyCastle dependency). Includes request encoding, response decoding, TstInfo extraction, certificate chain parsing, and signature verification. This is the low-level implementation detail behind the known "RFC-3161 TSA Client" entry.
  - Sprint: batch_37/file_18.md
- [x] **Attestation Timestamp Pipeline with Time Correlation Validation**
  - Status: IMPLEMENTED
  - Integration of RFC 3161 timestamps into the attestation pipeline with TST-Rekor time correlation validation that detects backdating attempts by cross-referencing TST genTime against Rekor integratedTime. Includes CycloneDX/SPDX timestamp extensions and policy-gated timestamping. No direct match in known features list.
  - Sprint: batch_37/file_21.md
- [x] **Attestor Conformance Test Suite**
  - Status: IMPLEMENTED
  - Conformance test suite verifying Sigstore/Rekor verification parity against reference implementations. Tests inclusion proof verification, checkpoint parsing, and signature validation against known-good test vectors.
  - Sprint: batch_38/file_14.md
- [x] **Cross-Attestation Chain Linking (SBOM->VEX->Policy)**
  - Status: IMPLEMENTED
  - Cross-attestation linking via in-toto layout references with link types (DependsOn/Supersedes/Aggregates), DAG validation with cycle detection, chain query API (GET /attestations?chain=true, upstream/downstream traversal with depth limit), and chain visualization endpoint supporting Mermaid/DOT/JSON formats.
  - Sprint: SPRINT_20260106_003_004_ATTESTOR_chain_linking.md
- [x] **OCI Delta Attestation Service**
  - Status: IMPLEMENTED
  - OCI-native delta attestation pipeline that computes security state deltas between image versions and attaches signed delta attestations as OCI referrers. Enables incremental security validation without full re-scan.
  - Sprint: batch_38/file_05.md
- [x] **Per-Layer DSSE Attestations**
  - Status: IMPLEMENTED
  - Layer-specific DSSE attestations with batch signing for efficiency, generating individual attestations per container image layer linked to layer-specific SBOM subjects.
  - Sprint: SPRINT_20260106_003_004_ATTESTOR_chain_linking.md
- [x] **Rekor Entry Events with Reanalysis Hints**
  - Status: IMPLEMENTED
  - Deterministic Rekor entry events (EntryLogged, EntryQueued, InclusionVerified, EntryFailed) with reanalysis hints (CVE IDs, product keys, artifact digests, scope) for policy reanalysis triggers.
  - Sprint: SPRINT_20260112_007_ATTESTOR_rekor_entry_events.md
- [x] **SBOM OCI Deterministic Publisher**
  - Status: IMPLEMENTED
  - Deterministic SBOM publication to OCI registries with volatile field stripping (timestamps, tool versions, UUIDs) to ensure content-addressable reproducibility. Attaches SBOMs as OCI referrers with deterministic digests.
  - Sprint: batch_38/file_07.md
- [x] **Scoring Manifest DSSE Signing and Rekor Anchoring**
  - Status: IMPLEMENTED
  - DSSE signing of scoring weight manifests with JCS canonicalization and Rekor transparency log anchoring, plus automatic version bump workflow with semantic versioning for weight changes. Distinct from "Versioned Weight Manifests" in known list by adding cryptographic signing and transparency log integration.
  - Sprint: batch_37/file_03.md
- [x] **Scoring Manifest Semantic Version Bump Workflow**
  - Status: IMPLEMENTED
  - Automatic semantic versioning for scoring manifest changes (major for formula changes, minor for weight adjustments, patch for metadata) with comparison logic and integration tests.
  - Sprint: batch_37/file_03.md
- [x] **Tile Proxy Service for Sigstore Caching**
  - Status: IMPLEMENTED
  - Centralized Sigstore tile proxy that caches and serves Rekor v2 transparency log tiles locally, enabling air-gapped verification and reducing external dependencies. Includes content-addressed tile store, sync job, and HTTP endpoints. Distinct from known "Tile Caching (Filesystem)" which is just the storage layer.
  - Sprint: batch_38/file_12.md
- [x] **TSA Multi-Provider Fallback Chain with CLI**
  - Status: IMPLEMENTED
  - Multi-provider TSA configuration with automatic fallback chain (primary/secondary/tertiary), retry policies with jitter, and CLI commands (`stella timestamp request/verify/providers`). Extends beyond the known "RFC-3161 TSA Client for CI/CD Timestamping" with multi-provider orchestration and CLI surface.
  - Sprint: batch_37/file_02.md
- [x] **Timestamp Evidence Storage with Re-Timestamping Service**
  - Status: IMPLEMENTED
  - PostgreSQL-backed storage for timestamp evidence (TSTs, OCSP responses, CRLs) with a re-timestamping service for algorithm migration. Includes air-gap bundle export/import for offline timestamp evidence. No direct match in known features list.
  - Sprint: batch_37/file_20.md

### Authority (13 features)

- [x] **Authority Module with OIDC/OAuth2, DPoP, mTLS**
  - Status: IMPLEMENTED
  - Full Authority module with OIDC/OAuth2 flows, DPoP (Demonstration of Proof-of-Possession) handlers, mTLS support, and plugin-based identity provider architecture.
  - Modules: `src/Authority`
- [x] **Authority Plugin System (LDAP, SAML, Custom Providers)**
  - Status: IMPLEMENTED
  - Extensible authentication with pluggable identity providers loaded at startup, supporting multiple authentication methods.
  - Modules: `src/Authority`
- [x] **CLI DPoP-Bound Authentication**
  - Status: IMPLEMENTED
  - CLI supports DPoP-bound token authentication for secure API communication.
  - Modules: `src/Authority, src/Cli`
- [x] **Multi-Tenant Scope-Based Authorization**
  - Status: IMPLEMENTED
  - Multi-tenant authorization with scope-based access control integrated across modules.
  - Modules: `src/Authority, src/Concelier`
- [x] **Plugin SDK / Plugin architecture (CLI, Authority, Crypto)**
  - Status: IMPLEMENTED
  - Plugin architecture is implemented across CLI (manifest loader, module loader), Authority (identity provider plugins with OIDC/SAML/Standard), and Cryptography (HSM, SM crypto plugins).
  - Modules: `src/Authority, src/Cli, src/Cryptography`
- [x] **Postgres Backend Store Prototype for Authority.Tokens**
  - Status: IMPLEMENTED
  - A PostgresTokenStore implementing IAuthorityTokenStore and IAuthorityRefreshTokenStore exists, is registered in DI, and has tests. The Authority module also has InMemory store implementations behind interfaces (IAuthorityStores). This matches the advisory's proposal for a Postgres-friendly facade behind a store interface.
  - Modules: `src/Authority`
- [-] **RFC-3161 TSA Client for CI/CD Timestamping**
  - Status: PARTIALLY_IMPLEMENTED
  - eIDAS plugin with TSP client exists. Full RFC-3161 TSA client infrastructure was planned in Sprint 007 but evidence shows partial implementation via the eIDAS plugin.
  - Modules: `src/Authority, src/__Libraries/StellaOps.Cryptography.Plugin.EIDAS`
- [x] **Trust Root and Certificate Chain Verification**
  - Status: IMPLEMENTED
  - Certificate chain validation checks, TSA certificate expiry monitoring, and timestamp token verification with configurable trust anchors and verification options.
  - Modules: `src/Authority, src/Doctor`
- [x] **Authority Sealed-Mode Evidence Validator**
  - Status: IMPLEMENTED
  - Evidence validator for Authority module in sealed/air-gap mode that verifies DSSE attestations without external connectivity, enabling offline identity verification for CI gating scenarios. Not in the known list as a distinct feature.
  - Modules: `src/Authority/StellaOps.Authority/StellaOps.Authority/Airgap/`
  - Sprint: Sprint 100 (batch_14/file_09.md)
- [x] **LDAP Plugin with Claims Enrichment and Client Provisioning**
  - Status: IMPLEMENTED
  - Full LDAP identity provider plugin with claims enrichment (mapping LDAP attributes to OAuth claims), client provisioning (auto-creating OAuth clients from LDAP entries), capability probing, credential store, and messaging-backed claims cache. The known list has "Authority Plugin System (LDAP, SAML, Custom Providers)" as a general entry but not the specific LDAP claims enrichment, client provisioning, and capability probing features.
  - Modules: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/`
  - Sprint: Sprint 100 (batch_14/file_09.md)
- [x] **Authority Identity Provider Registry (Plugin Resolution)**
  - Status: IMPLEMENTED
  - Runtime metadata/handle pattern for resolving identity providers through a registry. Handlers use `IAuthorityIdentityProviderRegistry.AcquireAsync` with metadata (`AuthorityIdentityProviderMetadata`) for capability checks, enabling deterministic and capability-gated provider resolution.
  - Sprint: 2025-10-20-authority-identity-registry.md
- [x] **Local RBAC Policy Fallback with Break-Glass Access**
  - Status: IMPLEMENTED
  - File-based RBAC policy store providing authorization fallback when the database is unavailable, with break-glass session management enabling emergency admin access with auditable time-limited sessions.
  - Sprint: SPRINT_20260112_018_AUTH_local_rbac_fallback.md
- [x] **Pack RBAC Roles and CLI Profiles**
  - Status: IMPLEMENTED
  - Five Task Pack RBAC roles (pack-viewer, pack-operator, pack-publisher, pack-approver, pack-admin) with deterministic scope bundles, authorization policy helper (`AddPacksResourcePolicies`), and CLI profiles for role-based token acquisition.
  - Sprint: 2025-11-02-pack-scope-profiles.md

### Bench (4 features)

- [x] **Benchmark harness (reachability, scanner analyzers, policy engine, determinism)**
  - Status: IMPLEMENTED
  - Comprehensive benchmark harness exists covering reachability, scanner analyzers, policy engine, determinism, graph, and link-not-merge benchmarks with Prometheus metric export.
  - Modules: `src/Bench`
- [x] **Reachability benchmarks with ground-truth datasets**
  - Status: IMPLEMENTED
  - Reachability benchmark suite with ground-truth datasets (Java Log4j, C# reachable/dead-code, native ELF), schema validation, and signal-level ground-truth validators.
  - Modules: `src/Bench, src/Signals, src/__Tests/__Datasets`
- [-] **Vendor comparison / scanner parity tracking**
  - Status: PARTIALLY_IMPLEMENTED
  - Scanner analyzer benchmarks and golden-set diff comparisons exist, but a dedicated vendor-comparison dashboard or automated parity scoring system as described in the advisory is not visible.
  - Modules: `src/Bench, src/__Tests/__Benchmarks`
- [ ] **Multi-scanner Comparative Benchmarking**
  - Status: NOT_FOUND
  - Advisory describes a benchmarking protocol comparing StellaOps scan results against Trivy/Grype/Snyk with precision/recall metrics. No CLI comparison tool or benchmark harness found.

### BinaryIndex (43 features)

- [-] **ELF Normalization and Delta Hashing**
  - Status: PARTIALLY_IMPLEMENTED
  - Low-entropy delta signatures over ELF segments with normalization (relocation zeroing, NOP canonicalization, jump table rewriting). Not yet implemented.
  - Modules: `(proposed for src/Scanner or src/BinaryIndex)`
- [x] **Binary Call-Graph Extraction and Reachability Analysis**
  - Status: IMPLEMENTED
  - Binary call-graph extraction with BinaryCallGraphExtractor, reachability lifting via BinaryReachabilityLifter, dedicated BinaryIndex analysis module, and CLI binary commands.
  - Modules: `src/BinaryIndex, src/Cli, src/Scanner`
- [x] **Binary Identity Extraction (Build-ID Based)**
  - Status: IMPLEMENTED
  - Binary identity extraction using Build-IDs and symbol observations for ELF binary identification, with ground-truth validation and SBOM stability verification.
  - Modules: `src/BinaryIndex, src/Scanner`
- [x] **Binary Intelligence Graph / Binary Identity Indexing**
  - Status: IMPLEMENTED
  - Complete BinaryIndex module with binary identity indexing, ELF feature extraction, vulnerability fingerprint matching, and reachability status tracking. Advisory marked as SUPERSEDED by this implementation.
  - Modules: `src/BinaryIndex`
- [x] **Binary Proof Verification Pipeline**
  - Status: IMPLEMENTED
  - Full binary proof verification with ground truth sources (buildinfo, debuginfod, reproducible builds), validation, and golden set testing.
  - Modules: `src/BinaryIndex`
- [x] **Binary Reachability Analysis**
  - Status: IMPLEMENTED
  - Binary-level reachability analysis integrating with the ReachGraph and taint gate extraction for function-level exploitability assessment.
  - Modules: `src/BinaryIndex`
- [x] **Corpus Ingestion and Query Services**
  - Status: IMPLEMENTED
  - Corpus ingestion and query services with distro-specific connectors for Alpine, Debian, and RPM package ecosystems.
  - Modules: `src/BinaryIndex`
- [-] **Cross-Distro Golden Set for Backport Validation**
  - Status: PARTIALLY_IMPLEMENTED
  - Golden set infrastructure exists in BinaryIndex with analysis pipeline and API. The advisory's detailed curated test cases (OpenSSL Heartbleed, sudo Baron Samedit, etc.) and specific database schema may not be fully populated yet.
  - Modules: `src/BinaryIndex`
- [x] **Delta signature matching and patch coverage analysis**
  - Status: IMPLEMENTED
  - Delta signature matching traces symbol-level changes between vulnerable and fixed builds. PatchCoverageController exposes an API for patch coverage assessment.
  - Modules: `src/BinaryIndex`
- [x] **Delta-Signature Predicates (Function-Level Binary Diffs)**
  - Status: IMPLEMENTED
  - Function-level delta signature predicates (v1 and v2) with signature generation, matching, and symbol change tracing. V2 adds symbol provenance and IR diffs, which is architecturally superior to the byte-level hunks proposed in the advisory.
  - Modules: `src/BinaryIndex`
- [x] **Disassembly and binary analysis pipeline**
  - Status: IMPLEMENTED
  - Pluggable disassembly framework with Ghidra integration (BSim + version tracking) for binary analysis capabilities.
  - Modules: `src/BinaryIndex`
- [x] **Ensemble decision engine for multi-tier matching**
  - Status: IMPLEMENTED
  - Ensemble decision engine combines multiple matching tiers (range match, Build-ID, fingerprint) with configurable weight tuning for vulnerability classification.
  - Modules: `src/BinaryIndex`
- [x] **Function-Range Hashing and Symbol Mapping**
  - Status: IMPLEMENTED
  - Multi-backend disassembly (Iced, B2R2) with function-range normalization for symbol-level binary proof.
  - Modules: `src/BinaryIndex`
- [x] **Golden Set for Patch Validation (in BinaryIndex)**
  - Status: IMPLEMENTED
  - Golden set analysis pipeline and API controller for curated binary patch validation test cases.
  - Modules: `src/BinaryIndex`
- [x] **Golden Set Schema and Management**
  - Status: IMPLEMENTED
  - Full golden set management library with authoring, configuration, serialization, storage, validation, and migration support.
  - Modules: `src/BinaryIndex`
- [x] **Ground-Truth Corpus Infrastructure (Symbol Source Abstractions)**
  - Status: IMPLEMENTED
  - Abstraction layer for symbol source connectors, validation harness, KPI computation, and security pair tracking for the ground-truth corpus infrastructure.
  - Modules: `src/BinaryIndex`
- [x] **Known-build binary catalog (Build-ID + hash-based binary identity)**
  - Status: IMPLEMENTED
  - BinaryIdentity model and vulnerability assertion repository implement the binary-key-based catalog using Build-ID and file SHA256 as primary keys.
  - Modules: `src/BinaryIndex`
- [x] **Local Mirror Layer for Corpus Sources**
  - Status: IMPLEMENTED
  - Local mirror service for caching and serving corpus data from remote sources, supporting offline operation.
  - Modules: `src/BinaryIndex`
- [x] **Patch Coverage Tracking**
  - Status: IMPLEMENTED
  - Dedicated patch coverage API endpoint for tracking which CVE patches are covered in binary analysis.
  - Modules: `src/BinaryIndex`
- [x] **Reproducible build verification**
  - Status: IMPLEMENTED
  - Reproducible build backend supports local rebuilds with air-gap bundle support for verifying binary provenance.
  - Modules: `src/BinaryIndex`
- [x] **Scanner Integration for Binary Analysis**
  - Status: IMPLEMENTED
  - Binary vulnerability analysis integrated into the scanner worker pipeline with patch verification and build provenance reproducibility verification.
  - Modules: `src/BinaryIndex, src/Scanner`
- [x] **Semantic Analysis Library (IR Lifting and Function Fingerprinting)**
  - Status: IMPLEMENTED
  - Semantic binary analysis with IR lifting, function fingerprint generation, semantic matching, graph extraction, and call n-gram generation for function-level binary comparison.
  - Modules: `src/BinaryIndex`
- [x] **Static-to-Binary Braid (Build-Time Function Proof)**
  - Status: IMPLEMENTED
  - Full binary analysis pipeline with function fingerprinting, delta signatures, multi-backend disassembly (Iced, B2R2), normalization, and semantic analysis for build-time function proof.
  - Modules: `src/BinaryIndex`
- [x] **Symbol Source Connectors (Debuginfod, Buildinfo, Ddeb, SecDb)**
  - Status: IMPLEMENTED
  - Four symbol source connector implementations (Debuginfod, Debian Buildinfo, Ubuntu Ddeb, Alpine SecDb), each with plugin registration and configuration support.
  - Modules: `src/BinaryIndex`
- [x] **Validation Harness and Reproducibility Verification**
  - Status: IMPLEMENTED
  - Validation harness with determinism validation, SBOM stability checking, and reproducible build verification. Includes local rebuild backend and bundle export/import.
  - Modules: `src/BinaryIndex`
- [x] **Vulnerable Binaries Database (BinaryIndex Module)**
  - Status: IMPLEMENTED
  - Dedicated BinaryIndex module with web service, worker, and library structure for binary vulnerability detection independent of package metadata.
  - Modules: `src/BinaryIndex, src/Scanner`
- [x] **Binary Resolution API with Cache Layer**
  - Status: IMPLEMENTED
  - REST API endpoints (`POST /api/v1/resolve/vuln` and `/vuln/batch`) for querying whether a CVE is resolved through binary-level backport detection. Includes Valkey-backed response caching, rate limiting middleware, and telemetry instrumentation.
  - Modules: `src/BinaryIndex/StellaOps.BinaryIndex.WebService/`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/`
  - Sprint: SPRINT_1227_0001_0002_BE_resolution_api.md
- [x] **Binary-to-VEX Claim Auto-Generation (VexBridge Library)**
  - Status: IMPLEMENTED
  - Automated generation of VEX claims from binary fingerprint match results. The VexBridge library translates binary match evidence into DSSE-signed VEX statements with confidence scores, enabling automated VEX claim production from binary analysis without manual triage.
  - Modules: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.VexBridge/`
  - Sprint: SPRINT_1227_0001_0001_LB_binary_vex_generator.md
- [x] **Call-Ngram Fingerprinting for Binary Similarity Analysis**
  - Status: IMPLEMENTED
  - Call-sequence n-gram extraction from lifted IR for improved cross-compiler binary similarity matching. Generates n-grams (n=2,3,4) from function call sequences and integrates into the semantic fingerprint pipeline with configurable dimension weights (instruction 0.4, CFG 0.3, call-ngram 0.2, semantic 0.1).
  - Modules: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Semantic/`
  - Sprint: SPRINT_20260118_026_BinaryIndex_deltasig_enhancements.md
- [x] **Golden Corpus Bundle Export/Import Service**
  - Status: IMPLEMENTED
  - Import/export services for golden corpus bundles with standalone verification support, enabling offline corpus distribution and validation. The known list has "Offline Corpus Bundle Export/Import" but this provides reproducible bundle management with trust-profile-aware verification specific to the golden corpus.
  - Modules: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.GroundTruth.Reproducible/`
  - Sprint: SPRINT_20260121_035_BinaryIndex_golden_corpus_connectors_cli.md
- [x] **Golden Corpus KPI Regression Service**
  - Status: IMPLEMENTED
  - KPI regression tracking service for golden corpus validation, including SBOM hash stability validation, regression detection across corpus runs, and automated KPI reporting. The known list has "Golden Corpus" and "Golden Set" entries but not a dedicated KPI regression service for tracking validation quality over time.
  - Modules: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.GroundTruth.Reproducible/`
  - Sprint: SPRINT_20260121_034_BinaryIndex_golden_corpus_foundation.md
- [x] **Golden Corpus Validation Harness**
  - Status: IMPLEMENTED
  - Validation harness infrastructure for running golden corpus tests against binary index results, comparing expected vs actual outcomes. While "Validation Harness and Reproducibility Verification" is in the known list, this is a distinct BinaryIndex-specific validation harness with its own abstraction layer.
  - Modules: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Validation/`
  - Sprint: SPRINT_20260121_034_BinaryIndex_golden_corpus_foundation.md
- [x] **PatchDiffEngine (Binary Pre/Post Patch Comparison for Fix Verification)**
  - Status: IMPLEMENTED
  - Compares pre-patch and post-patch binaries at multiple levels (BasicBlock, CFG, StringRefs, Semantic/KSG fingerprints) to determine if a vulnerability has been remediated. Produces structured verification results with confidence scores based on match depth. Core verification logic for the Golden Set Diff Layer.
  - Modules: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Diff/`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/`
  - Sprint: SPRINT_20260110_012_004_BINDEX_golden_set_diff_verify.md
- [x] **Reproducible Distro Build Pipeline (Container-Based Builders)**
  - Status: IMPLEMENTED
  - Container-based reproducible build pipeline for Alpine, Debian, and RHEL packages. Rebuilds upstream source packages in isolated containers to produce reference binaries for function-level fingerprint comparison, enabling backport detection by comparing distro-patched binaries against unpatched originals.
  - Modules: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/`, `src/BinaryIndex/StellaOps.BinaryIndex.Worker/`
  - Sprint: SPRINT_1227_0002_0001_LB_reproducible_builders.md
- [x] **SBOM Bom-Ref Linkage in Binary Function Identity**
  - Status: IMPLEMENTED
  - Extended function identity model (SymbolSignatureV2) with SBOM bom-ref linkage following the format `module:bom-ref:offset:canonical-IR-hash`. Includes IBomRefResolver interface for resolving binary artifacts to SBOM component references with graceful fallback.
  - Modules: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/`
  - Sprint: SPRINT_20260118_026_BinaryIndex_deltasig_enhancements.md
- [x] **Vulnerable Code Fingerprint Matching (CFG + Basic Block + String Refs Ensemble)**
  - Status: IMPLEMENTED
  - Function-level vulnerability detection independent of package metadata using an ensemble of fingerprint algorithms: basic block hashing, control flow graph fingerprinting, and string reference fingerprinting. Combined generator provides multi-algorithm similarity matching with configurable thresholds. Includes pre-seeded fingerprints for high-impact CVEs in OpenSSL, glibc, zlib, and curl.
  - Modules: `src/BinaryIndex/`
  - Sprint: SPRINT_20251226_013_BINIDX_fingerprint_factory.md
- [x] **Binary Symbol Table Diff Engine**
  - Status: IMPLEMENTED
  - Symbol table comparison between binary versions tracking exported/imported symbol changes, version map diffs, GOT/PLT table modifications, and ABI compatibility assessment. Produces content-addressed diff IDs for deterministic reporting.
  - Sprint: SPRINT_20260106_001_003_BINDEX_symbol_table_diff.md
- [x] **BinaryIndex Ops CLI Commands (stella binary ops)**
  - Status: IMPLEMENTED
  - CLI commands for BinaryIndex ops: health, bench, cache, config subcommands with JSON/table output and BinaryIndex base URL configuration. Also adds `--semantic` flag to deltasig extract/author/match commands.
  - Sprint: SPRINT_20260112_006_CLI_binaryindex_ops_cli.md
- [x] **BinaryIndex Ops Endpoints (Health, Bench, Cache Stats, Config)**
  - Status: IMPLEMENTED
  - Ops endpoints for BinaryIndex: health (lifter warmness), bench/run (latency measurement), cache stats (Valkey hit/miss), and effective config with deterministic JSON responses.
  - Sprint: SPRINT_20260112_004_BINIDX_b2r2_lowuir_perf_cache.md
- [x] **BinaryIndex User Configuration System**
  - Status: IMPLEMENTED
  - Comprehensive user configuration for B2R2 lifter pooling, LowUIR enablement, Valkey function cache behavior, PostgreSQL persistence, with ops endpoints for health/bench/cache/config and redaction rules for operator visibility.
  - Sprint: SPRINT_20260112_007_BINIDX_binaryindex_user_config.md
- [x] **Byte-Level Binary Diffing with Rolling Hash Windows**
  - Status: IMPLEMENTED
  - Byte-level binary comparison using rolling hash windows that identifies exactly which byte ranges changed between binary versions. Produces binary proof snippets with section analysis and privacy controls to strip raw bytes. Supports stream and file-based comparison.
  - Sprint: SPRINT_20260112_200_004_CHGTRC_byte_diffing.md
- [x] **ML Function Embedding Service (CodeBERT/ONNX Inference)**
  - Status: IMPLEMENTED
  - ONNX-based function embedding inference service for binary function matching using CodeBERT-derived models. Includes training corpus schema, embedding generation pipeline, and ensemble integration with existing matchers. No direct match in known features list.
  - Sprint: batch_37/file_17.md
- [x] **Symbol Change Tracking in Binary Diffs (SymbolChangeTracer)**
  - Status: IMPLEMENTED
  - Extends BinaryIndex DeltaSignature module to track which specific symbols changed between binary versions (not just whether they match). Adds change metadata to SymbolMatchResult and provides detailed CFG hash and instruction hash comparison for symbol-level binary change forensics.
  - Sprint: SPRINT_20260112_200_003_BINDEX_symbol_tracking.md

### Cli (104 features)

- [x] **Backward-Compatible Command Aliases**
  - Status: IMPLEMENTED
  - Old command paths preserved as aliases with deprecation warnings, allowing smooth migration without breaking existing CI pipelines.
  - Modules: `src/Cli`
- [-] **Baseline Selection Logic (Last Green / Previous Release)**
  - Status: PARTIALLY_IMPLEMENTED
  - Compare feature infrastructure exists with services and CLI builder. The specific baseline selection logic (last green verdict, previous release tag) and its visibility to users may be partially implemented.
  - Modules: `src/Cli, src/Web`
- [x] **CLI and Automation UX**
  - Status: IMPLEMENTED
  - Full CLI with command groups for replay, verdict, air-gap, prove, audit, and feeds operations.
  - Modules: `src/Cli`
- [x] **CLI Commands for Ground-Truth and Golden Set Management**
  - Status: IMPLEMENTED
  - CLI command groups for ground-truth management (`stella groundtruth`) and golden set operations including fix verification commands.
  - Modules: `src/Cli`
- [x] **CLI Deprecation Warning System**
  - Status: IMPLEMENTED
  - Deprecation warnings displayed when users invoke old command paths, guiding them to the new consolidated equivalents.
  - Modules: `src/Cli`
- [x] **CLI Help Text and Discoverability**
  - Status: IMPLEMENTED
  - Improved help text generation showing the new command hierarchy with clear categories for better discoverability.
  - Modules: `src/Cli`
- [x] **CLI Offline/Offline-POE Verification**
  - Status: IMPLEMENTED
  - CLI has offline proof-of-existence verification capability documented and implemented through evidence commands.
  - Modules: `src/Cli`
- [-] **CLI Parity (stella advise)**
  - Status: PARTIALLY_IMPLEMENTED
  - The CLI infrastructure is extensive but a dedicated `stella advise` command with `--evidence --no-action` flags as described is not explicitly found.
  - Modules: `src/Cli`
- [x] **CLI Plugin/Module Loading Architecture**
  - Status: IMPLEMENTED
  - Plugin-based module loading for CLI commands, enabling extensible command registration and routing.
  - Modules: `src/Cli`
- [x] **CLI Tools (stella-extract, stella-sbomer, stella-sign, stella-provenance)**
  - Status: IMPLEMENTED
  - CLI tooling exists for verdict attestation verification and provenance attestation tooling.
  - Modules: `src/Cli, src/Provenance`
- [x] **CLI verify command for attestation chain validation**
  - Status: IMPLEMENTED
  - CLI verify commands validate attestation chains for images with determinism testing and golden output verification.
  - Modules: `src/Cli`
- [x] **CLI with Plugin-Based Command Modules**
  - Status: IMPLEMENTED
  - Modular CLI with ICliCommandModule interface, dynamic module loader, and multiple plugin command modules covering VEX, verdict, timestamp, symbols, AOC, and delta signatures.
  - Modules: `src/Cli`
- [-] **Determinism Hash / Signature Verification in UI**
  - Status: PARTIALLY_IMPLEMENTED
  - Proofs and proof-studio UI features exist for browsing proof artifacts. Bundle verification exists in CLI. Full inline determinism hash and signature verification status display in the compare view may be partially wired up.
  - Modules: `src/Cli, src/Web`
- [x] **Deterministic Replayability for Tests**
  - Status: IMPLEMENTED
  - Test infrastructure includes determinism manifests, run manifest validation, test run attestation generation, and golden output replay verification, supporting the advisory's call for deterministic replayability.
  - Modules: `src/Cli, src/Replay, src/__Tests`
- [-] **DSSE Envelope Size Management**
  - Status: PARTIALLY_IMPLEMENTED
  - Envelope size awareness exists in EPSS fetcher and delta-sig CLI commands, but no dedicated chunking/sharding service for splitting large attestations into Rekor-friendly sizes was found. The architecture stores full attestations internally and uses Rekor for lightweight proofs.
  - Modules: `src/Cli, src/RiskEngine`
- [x] **Evidence Pack Download and Verification**
  - Status: IMPLEMENTED
  - Full evidence pack system with UI for browsing, exporting, and ribbon/thread views. CLI for bundle export and verification. Dedicated Evidence Locker module for evidence storage.
  - Modules: `src/Cli, src/EvidenceLocker, src/Web`
- [x] **Feed Snapshotting for Deterministic Replay**
  - Status: IMPLEMENTED
  - Feed snapshot repository with persistence, a fixture harvester command for feed snapshots, and CLI feed commands for managing snapshots.
  - Modules: `src/Cli, src/Concelier`
- [x] **OCI Referrer-Based Artifact Association**
  - Status: IMPLEMENTED
  - OCI referrer-based attachment of SBOMs, attestations, and verdicts to image digests using the OCI referrers API, with discovery, publishing, and fallback mechanisms.
  - Modules: `src/Cli, src/ExportCenter`
- [-] **OCI Referrers for Evidence Storage (StellaBundle)**
  - Status: PARTIALLY_IMPLEMENTED
  - Bundle export, verification, and CLI commands exist. The pattern for storing evidence as OCI referrers is partially implemented through the bundle system and verifier module.
  - Modules: `src/Cli, src/Verifier`
- [x] **Reachability query API and triage flow**
  - Status: IMPLEMENTED
  - CLI commands and policy engine services consume reachability facts to drive triage decisions (reachable/unreachable/unknown).
  - Modules: `src/Cli, src/Policy, src/Signals`
- [x] **Reachability-Aware Security as Gate**
  - Status: IMPLEMENTED
  - Reachability-aware vulnerability triage with score gating for release decisions is implemented across Scanner, ReachGraph, and CLI modules.
  - Modules: `src/Cli, src/ReachGraph, src/Scanner`
- [x] **Rekor CLI Commands**
  - Status: IMPLEMENTED
  - CLI commands for attestation and checkpoint operations related to Rekor transparency log.
  - Modules: `src/Cli`
- [x] **Replay button / determinism as UX**
  - Status: IMPLEMENTED
  - Replay executor with drift tracking, dedicated Replay web service, and determinism golden tests implement the "replay this verdict" capability.
  - Modules: `src/Cli, src/Replay, src/__Libraries/StellaOps.AuditPack`
- [x] **Resource-Oriented CLI Hierarchy (18 top-level commands)**
  - Status: IMPLEMENTED
  - Reduction of 81+ top-level CLI commands to a resource-oriented hierarchy with ~18 top-level groups (scan, release, verify, attest, evidence, policy, vex, reachability, sbom, crypto, config, auth, admin, ci, setup, explain, tools). A FullConsolidationTests test suite validates the entire consolidation.
  - Modules: `src/Cli`
- [x] **Settings Consolidation under `stella config`**
  - Status: IMPLEMENTED
  - Unification of scattered settings commands (notify, feeds, integrations, registry) under a single `stella config` umbrella for improved discoverability.
  - Modules: `src/Cli`
- [-] **Unknowns Export Artifacts**
  - Status: PARTIALLY_IMPLEMENTED
  - Backend unknowns ranking and proof emission services exist along with CLI command group. However, explicit export schema artifacts for reproducible offline export of unknowns data were not located as standalone schema documents.
  - Modules: `src/Cli, src/Unknowns`
- [-] **Verdict ladder UI (8-step verdict explainability)**
  - Status: PARTIALLY_IMPLEMENTED
  - CLI compare command and verdict rationale renderer address verdict explainability. The full 8-step ladder as a UI component has limited direct evidence in the Angular codebase, though the backend support exists.
  - Modules: `src/Cli, src/Policy, src/Web`
- [x] **Verification Command Consolidation (verify umbrella)**
  - Status: IMPLEMENTED
  - Consolidation of `attest verify`, `vex verify`, `patchverify` etc. under a unified `stella verify` umbrella command with sub-commands for attestation, vex, patch, image, bundle, and offline verification.
  - Modules: `src/Cli`
- [x] **VEX-gated policy decisions (gate decision with decision hash)**
  - Status: IMPLEMENTED
  - VEX gate service and policy evaluator for blocking/allowing based on VEX status, with CLI command support and UI gate summary panel.
  - Modules: `src/Cli, src/Scanner, src/Web`
- [x] **Witness CLI Commands**
  - Status: IMPLEMENTED
  - CLI command group for managing witnesses with core witness operations and handler implementations.
  - Modules: `src/Cli`
- [x] **Zastava CLI Commands**
  - Status: IMPLEMENTED
  - Zastava CLI commands backed by dedicated Zastava module with agent, observer, and webhook components for offline replay verification.
  - Modules: `src/Cli, src/Zastava`
- [x] **Advisory Database Status and Connector CLI Commands**
  - Status: IMPLEMENTED
  - CLI commands `stella db status` and `stella db connectors` for checking advisory database health, connector status, sync timestamps, and reason codes for connector failures.
  - Modules: `src/Cli/`
  - Sprint: SPRINT_20260117_008_CLI
- [x] **Audit Bundle Generation and Verification CLI**
  - Status: IMPLEMENTED
  - CLI command `stella audit bundle` that generates self-contained, auditor-ready evidence packages containing verdict, evidence, policy snapshot, and replay instructions in directory/tar.gz/zip formats, plus `stella audit verify` for bundle integrity verification with manifest hash checking and optional DSSE signature verification.
  - Modules: `src/Cli/`
  - Sprint: SPRINT_20260117_027_CLI
- [x] **CI Template Generator CLI Command (stella ci init)**
  - Status: IMPLEMENTED
  - CLI command `stella ci init` generating ready-to-run CI pipeline templates for GitHub Actions, GitLab CI, and Gitea. Supports gate/scan/verify/full template types, offline-friendly bundles with pinned scanner image digests, and template validation via `stella ci validate`.
  - Modules: `src/Cli/StellaOps.Cli/Commands/`
  - Sprint: SPRINT_20251229_015_CLI_ci_template_generator.md
- [x] **CLI API Spec Download Command**
  - Status: IMPLEMENTED
  - `stella api spec download` command for retrieving the aggregate OpenAPI specification with checksum/ETag verification, enabling offline API reference consumption.
- Modules: `src/Cli/` - Sprint: SPRINT_0204_0001_0004_cli_iv.md - [x] **CLI Command Router Infrastructure** - Status: IMPLEMENTED - Foundation infrastructure for CLI command consolidation including a route-based command router, JSON-driven route mapping (60+ mappings), command group builder for hierarchical command trees, and deprecation warning system. - Modules: `src/Cli/StellaOps.Cli/Infrastructure/` - Sprint: SPRINT_20260118_010_CLI_consolidation_foundation.md - [x] **CLI Config Command Hub (list/show/set/export/import)** - Status: IMPLEMENTED - Extended `stella config` command with list/show/set/export/import subcommands, consolidating notify/feeds/integrations/registry/sources/signals under the config umbrella. - Modules: `src/Cli/StellaOps.Cli/Commands/` - Sprint: SPRINT_20260118_011_CLI_settings_consolidation.md - [x] **CLI Determinism Score Report Generator** - Status: IMPLEMENTED - `stella detscore report` command that aggregates determinism.json results into table, markdown, CSV, and JSON formats for CI/CD determinism compliance reporting. - Modules: `src/Cli/` - Sprint: SPRINT_0203_0001_0003_cli_iii.md - [x] **CLI Export Profile and Run Management** - Status: IMPLEMENTED - CLI commands for managing export profiles, triggering export runs, downloading artifacts with hash verification, and scheduling evidence/attestation exports with selectors and callbacks. - Modules: `src/Cli/` - Sprint: SPRINT_0202_0001_0001_cli_ii.md - [x] **CLI Forensic Snapshot Commands** - Status: IMPLEMENTED - CLI commands for creating, listing, and showing forensic snapshots with DSSE verification and timeline validation, enabling incident response workflows from the command line. 
- Modules: `src/Cli/` - Sprint: SPRINT_0201_0001_0001_cli_i.md - [x] **CLI IR Commands (stella ir)** - Status: IMPLEMENTED - Standalone CLI command group for intermediate representation (IR) operations including `stella ir lift` (binary to IR lifting), `stella ir canon` (IR canonicalization), `stella ir fp` (fingerprint generation from IR), and `stella ir pipeline` (full lift-canon-fingerprint pipeline). While "Semantic Analysis Library" exists in known features, these CLI commands providing direct access to IR operations are a distinct user-facing capability. - Modules: `src/Cli/StellaOps.Cli/Commands/Ir/` - Sprint: SPRINT_20260118_025_CLI_stella_ir_commands.md - [x] **CLI Notification Simulation and Acknowledgment** - Status: IMPLEMENTED - CLI commands for simulating notification rules against events (`stella notify simulate`) and acknowledging incidents (`stella notify ack`) with tenant-scoped operation support. - Modules: `src/Cli/` - Sprint: SPRINT_0202_0001_0001_cli_ii.md - [x] **CLI Observability Dashboard Commands (stella obs top/trace/logs)** - Status: IMPLEMENTED - Real-time observability commands providing health/SLO/burn-rate dashboards with TUI rendering, distributed trace inspection, and log querying with pagination and evidence links. - Modules: `src/Cli/` - Sprint: SPRINT_0203_0001_0003_cli_iii.md - [x] **CLI Policy Lifecycle Commands** - Status: IMPLEMENTED - Full policy lifecycle management from CLI including version bumping, submission, review, approval, simulation, publish/promote/rollback with DSSE signing and canary deployment support. - Modules: `src/Cli/` - Sprint: SPRINT_0204_0001_0004_cli_iv.md - [x] **CLI Reachability Upload and Explain Commands** - Status: IMPLEMENTED - Commands for uploading call graphs (`stella reachability upload-callgraph`) and querying reachability status with explanation (`stella reachability list/explain`), with streaming upload and pagination support. 
- Modules: `src/Cli/` - Sprint: SPRINT_0204_0001_0004_cli_iv.md - [x] **CLI Scan Command Consolidation (run/download/workers/graph/secrets/image)** - Status: IMPLEMENTED - Unified `stella scan` command hub with run/download/workers/graph/secrets/image subcommands, consolidating previously separate scanning commands. - Modules: `src/Cli/StellaOps.Cli/Commands/` - Sprint: SPRINT_20260118_013_CLI_scanning_consolidation.md - [x] **CLI Slice Management Commands (stella slice query/verify/export/import)** - Status: IMPLEMENTED - CLI commands for reachability slice lifecycle: query by CVE/symbol, verify DSSE signature with replay, export to offline bundle (OCI layout tar.gz), and import from bundle with integrity verification. - Modules: `src/Cli/` - Sprint: SPRINT_3850_0001_0001_oci_storage_cli.md - [x] **CLI VEX Consensus Commands** - Status: IMPLEMENTED - VEX consensus workflow commands (`stella vex consensus list/show/simulate/export`) for querying quorum status, trust/threshold overrides, and exporting NDJSON bundles with signature verification. - Modules: `src/Cli/` - Sprint: SPRINT_0205_0001_0005_cli_v.md - [x] **CLI Vulnerability Workflow Commands** - Status: IMPLEMENTED - Complete vulnerability triage CLI commands (`stella vuln list/show/assign/comment/accept-risk/verify-fix/target-fix/reopen/simulate/export/bundle verify`) enabling full vulnerability lifecycle management from the command line. - Modules: `src/Cli/` - Sprint: SPRINT_0205_0001_0005_cli_v.md - [x] **Delta Scan CLI Command (stella scan delta)** - Status: IMPLEMENTED - CLI command `stella scan delta --old --new ` for delta scanning between container image versions. Supports JSON/text/summary output formats, exit codes for CVE status (0=clean, 1=new CVEs, 2=error), and flags for policy, platform, SBOM format, signing, Rekor submission, and timeout configuration. 
- Modules: `src/Cli/StellaOps.Cli/Commands/Scan/` - Sprint: SPRINT_20260118_026_Scanner_delta_scanning_engine.md - [x] **Doctor CLI Command Group** - Status: IMPLEMENTED - Top-level `stella doctor` CLI command group providing CLI parity with Doctor web UI, including watch mode for continuous monitoring, per-environment health filtering, export capabilities for health reports, fix execution from CLI, and historical trend reporting. The known features list mentions "Doctor Diagnostics Runner" and "Doctor Health Check Plugins" generically, but the full CLI command group with watch mode, export, and fix execution is a distinct capability. - Modules: `src/Cli/StellaOps.Cli/Commands/` - Sprint: SPRINT_20260118_021_Doctor_cli_ui_parity.md - [x] **Explain Block CLI Command** - Status: IMPLEMENTED - CLI command `stella explain block ` that provides a complete "why is this blocked?" explanation with evidence linking, policy rule identification, and deterministic output formatting for audit trails. - Modules: `src/Cli/` - Sprint: SPRINT_20260117_026_CLI - [x] **GitOps Controller** - Status: IMPLEMENTED - GitOps controller for Git event handling that triggers automated releases from Git events, enabling Git-native release workflows. - Modules: `src/Cli/` - Sprint: SPRINT_20260117_037 - [x] **HLC Status and Timeline Query CLI Commands** - Status: IMPLEMENTED - CLI commands `stella hlc status` for Hybrid Logical Clock status inspection and `stella timeline query` for querying the immutable event timeline with temporal filtering and deterministic output ordering. - Modules: `src/Cli/` - Sprint: SPRINT_20260117_014_CLI - [x] **Local Validator for Offline Config Checking** - Status: IMPLEMENTED - Offline local validator that checks stella.yaml configuration files without requiring server connectivity, enabling developers to validate configs before committing. 
- Modules: `src/Cli/` - Sprint: SPRINT_20260117_037 - [x] **Notification Channel Management CLI Commands** - Status: IMPLEMENTED - CLI commands for notification channel management including `stella notify channels list/test`, `stella notify templates list/render`, and `stella notify preferences export/import` for managing notification channels, testing connectivity, previewing templates, and bulk-configuring user notification preferences. - Modules: `src/Cli/` - Sprint: SPRINT_20260117_017_CLI - [x] **SBOM Analytics CLI Commands** - Status: IMPLEMENTED - CLI command group for SBOM analytics queries (stella analytics suppliers, licenses, vulnerabilities, backlog, attestation-coverage, trends) with tabular and CSV output formats. Not present in the known features list. - Modules: `src/Cli/StellaOps.Cli/Commands/` - Sprint: SPRINT_20260120_032_Cli_sbom_analytics_cli.md - [x] **SBOM Format Conversion CLI** - Status: IMPLEMENTED - CLI command `stella sbom convert` to convert between SPDX and CycloneDX SBOM formats with deterministic output, plus `stella sbom export --type cbom` for Cryptographic BOM export. - Modules: `src/Cli/` - Sprint: SPRINT_20260117_004_CLI - [x] **stella admin CLI Command Group (Policy/Users/Feeds/System)** - Status: IMPLEMENTED - Consolidated `stella admin` CLI command group providing administrative operations for policy management, user administration, feed management, and system diagnostics. Replaces previously scattered admin operations. - Modules: `src/Cli/` - Sprint: batch_02/file_13.md - [x] **Advisory Source Management CLI (stella sources list/check/enable/disable/status)** - Status: IMPLEMENTED - Manage advisory data sources: list by category (primary/distro/ecosystem/scoring), check connectivity, enable/disable sources, and view detailed source status. 
- Modules: `src/Cli/` - [x] **AdvisoryAI Chat CLI (stella advise ask)** - Status: IMPLEMENTED - Interactive AI chat queries from the terminal scoped to specific container images, digests, or environments for security advisory assistance. - Modules: `src/Cli/` - [x] **AI Code Guard CLI (stella guard run/status)** - Status: IMPLEMENTED - CLI commands for analyzing AI-generated code for security issues including secrets scanning, attribution checking, and license hygiene. Provides `stella guard run` to analyze directories/files and `stella guard status` to check guard configuration. - Modules: `src/Cli/` - [x] **Auth Revocation Bundle Export/Verify CLI (stella auth revoke export/verify)** - Status: IMPLEMENTED - Export revocation bundles with JWS signatures to disk and verify bundles against detached JWS signatures using PEM public keys for offline revocation verification. - Modules: `src/Cli/` - [x] **Concelier Database Operations CLI (stella db fetch/merge/export)** - Status: IMPLEMENTED - Trigger Concelier advisory database operations: connector fetch/parse/map stages with mode selection (init/resume/cursor), canonical merge reconciliation, and export jobs with ORAS publishing and offline bundle toggles. - Modules: `src/Cli/` - [x] **Evidence Legal Holds CLI (stella evidence holds create/list/show/release)** - Status: IMPLEMENTED - CLI commands for managing legal holds on evidence artifacts. Users can create holds scoped by digest, component, time-range, or all artifacts; list active/released holds; show hold details with affected artifact counts; and release holds with confirmation and audit reasons. Held artifacts are protected from retention policy deletion. - Modules: `src/Cli/` - [x] **Excititor VEX Ingest Management CLI (stella excititor init/pull/export)** - Status: IMPLEMENTED - Manage Excititor VEX ingest workflows: initialize state with checkpoint resume, pull from providers with time windows and force mode, and run exports. 
- Modules: `src/Cli/` - [x] **Function Map CLI (stella functionmap generate/verify)** - Status: IMPLEMENTED - Runtime linkage verification workflow: generate function_map predicates from SBOMs defining expected runtime call paths and hot functions, then verify actual runtime observations against the map with DSSE signing and Rekor attestation. - Modules: `src/Cli/` - [x] **Incident Response CLI (stella findings incident start/status/end/list)** - Status: IMPLEMENTED - CLI commands for incident response lifecycle management. Users can start incident mode with severity/scope/description (auto-creates evidence holds and sends notifications), view incident status with timeline, end incidents with resolution notes and optional evidence hold release/report generation, and list all incidents filtered by status. - Modules: `src/Cli/` - [x] **Key Rotation CLI (stella key list/add/revoke/rotate/status/history/verify)** - Status: IMPLEMENTED - Comprehensive key rotation lifecycle: list keys (with include-revoked filtering), add, revoke, rotate, check status, view history, and verify validity. - Modules: `src/Cli/` - [x] **KMS Key Export/Import CLI (stella kms export/import)** - Status: IMPLEMENTED - File-backed signing key management via export/import with passphrase protection, version selection, and force-overwrite options for portable key bundles. - Modules: `src/Cli/` - [x] **Offline Verdict Verification CLI Plugin (stella verify --verdict)** - Status: IMPLEMENTED - Offline and online verdict verification via CLI plugin: verify verdict signatures, replay bundles for deterministic verification, and validate input hashes using knowledge snapshots without server connectivity. - Modules: `src/Cli/` - [x] **Policy DSL Compiler CLI (stella policy compile)** - Status: IMPLEMENTED - Compile policy DSL files to intermediate representation (IR) with optimization passes, strict mode (warnings as errors), SHA-256 digest output, and validation-only mode. 
- Modules: `src/Cli/` - [x] **Policy DSL Testing CLI (stella policy test)** - Status: IMPLEMENTED - Run coverage test fixtures against policy DSL files with fixture directory selection, pattern filtering, fail-fast mode, and multi-format output. - Modules: `src/Cli/` - [x] **Policy History CLI (stella policy history)** - Status: IMPLEMENTED - View policy run history with filtering by tenant, time range (from/to ISO-8601), status (completed/failed/running), pagination, and table/JSON output. - Modules: `src/Cli/` - [x] **Policy Publish and Sign CLI (stella policy publish)** - Status: IMPLEMENTED - Publish approved policy revisions with optional cryptographic signing using configurable algorithm (ecdsa-sha256, ed25519) and key ID selection. - Modules: `src/Cli/` - [x] **Policy Review Workflow CLI (stella policy submit/review status/comment/approve/reject)** - Status: IMPLEMENTED - Full policy review workflow from CLI: submit policies for review with reviewer assignment and urgency marking, check review status, add blocking/non-blocking comments with line/rule references, approve reviews, and reject reviews with reasons. - Modules: `src/Cli/` - [x] **Policy Rollback CLI (stella policy rollback)** - Status: IMPLEMENTED - Rollback a policy to a previous version with environment scoping, incident association, and reason documentation for audit trail. - Modules: `src/Cli/` - [x] **Policy Scaffolding CLI (stella policy new)** - Status: IMPLEMENTED - Create new policy files from templates (minimal, baseline, vex-precedence, reachability, secret-leak, full) with metadata tagging, shadow mode configuration, and optional Git repository/fixtures initialization. 
- Modules: `src/Cli/` - [x] **Policy Simulation Batch Mode with SBOM Selectors (stella policy simulate --mode batch --sbom-selector)** - Status: IMPLEMENTED - Batch mode policy simulation with SBOM selector patterns (e.g., registry:docker.io/*, tag:production), severity heatmap summaries, and manifest download for offline analysis. - Modules: `src/Cli/` - [x] **Policy Simulation Reachability Overrides (stella policy simulate --reachability-state/--reachability-score)** - Status: IMPLEMENTED - What-if reachability overrides in policy simulation: override reachability states (reachable/unreachable) and scores for specific vulnerabilities or packages to model hypothetical scenarios. - Modules: `src/Cli/` - [x] **Policy Version Bump CLI (stella policy version bump)** - Status: IMPLEMENTED - Bump policy versions using semantic versioning (patch/minor/major) with changelog messages and DSL file upload. - Modules: `src/Cli/` - [x] **Policy Workspace Initialization CLI (stella policy init)** - Status: IMPLEMENTED - Initialize a policy workspace directory with template support (minimal, baseline, vex-precedence, reachability, secret-leak, full). Creates policy files, optional Git repository, README, and test fixtures directory. - Modules: `src/Cli/` - [x] **Proof of Exposure Export/Verify CLI (stella poe export/verify)** - Status: IMPLEMENTED - CLI commands for exporting and verifying Proof of Exposure artifacts for offline verification. Exports include Rekor inclusion proofs, richgraph subgraphs, and SBOM artifacts in tar.gz format. Verification validates bundle integrity independently. - Modules: `src/Cli/` - [x] **Python Workspace Analyzer CLI (stella python inspect)** - Status: IMPLEMENTED - Language-specific CLI for inspecting Python workspaces and virtual environments with site-packages scanning, framework detection, and capability signal analysis. 
- Modules: `src/Cli/` - [x] **Runtime Observations Query CLI (stella observations query)** - Status: IMPLEMENTED - CLI commands for querying historical runtime observations filtered by symbol name (glob pattern), node hash, container, pod, or namespace with time window filtering. Complements function-map verification for runtime linkage analysis. - Modules: `src/Cli/` - [x] **SBOM Deterministic Generation CLI (stella sbom generate/hash/verify)** - Status: IMPLEMENTED - Deterministic SBOM generation from container images or directories in CycloneDX, SPDX, or both formats. Includes hash computation and verification for SBOM determinism validation. - Modules: `src/Cli/` - [x] **Scan Entry Trace Analysis CLI (stella scan entrytrace)** - Status: IMPLEMENTED - Show entry trace summary for a scan with optional raw NDJSON output and semantic entrypoint analysis covering intent, capabilities, and threat vectors. - Modules: `src/Cli/` - [x] **Scan Reproducibility Verification Flag (stella scan run --verify-reproducibility)** - Status: IMPLEMENTED - CLI flag to trigger reproducibility verification (rebuild) during scans, verifying whether builds are reproducible as part of the build provenance verification pipeline. - Modules: `src/Cli/` - [x] **Scan Snapshot Compare CLI (stella compare)** - Status: IMPLEMENTED - Compare two scan snapshots by digest producing structured security state diffs with severity filtering and multiple output formats (table, JSON, SARIF). - Modules: `src/Cli/` - [x] **Setup Wizard CLI (stella setup run/resume/status/reset/validate)** - Status: IMPLEMENTED - Interactive setup wizard with checkpoint-based state management: run full or specific steps, resume from interruption, check status, reset state, and validate configuration. Supports YAML config files and non-interactive mode. 
- Modules: `src/Cli/` - [x] **Symbol Ingestion CLI (stella symbols ingest/upload/verify/health)** - Status: IMPLEMENTED - Symbol table operations: ingest symbols from binary files, upload manifests to backend, verify symbol integrity, and check service health. Supports dry-run mode. - Modules: `src/Cli/` - [x] **System Database Migrations CLI (stella system migrations-run)** - Status: IMPLEMENTED - PostgreSQL database migration management across modules (Authority, Scheduler, Concelier, Policy, Notify, Excititor) with category selection (startup/release/seed/data), dry-run mode, connection string overrides, and timeout configuration. - Modules: `src/Cli/` - [x] **Tenant Context Management CLI (stella tenants list/use/current/clear)** - Status: IMPLEMENTED - Multi-tenant context switching: list available tenants, set/use a default tenant context, show current tenant, and clear the active context. - Modules: `src/Cli/` - [x] **Token Minting and Delegation CLI (stella auth token mint/delegate)** - Status: IMPLEMENTED - Service account token minting with scope/expiry/tenant control, and token delegation to other principals with scope restriction and audit reasons. - Modules: `src/Cli/` - [x] **Trust Anchor Management CLI (stella proof anchor list/show/create/revoke-key)** - Status: IMPLEMENTED - Manage root trust anchors used in proof chain verification: list, show details, create new anchors, and revoke individual keys within anchors. - Modules: `src/Cli/` - [x] **Verification Receipt CLI (stella proof receipt get/verify)** - Status: IMPLEMENTED - Retrieve and verify verification receipts by proof bundle ID in text, JSON, or CBOR format for audit trail cryptographic proof. 
- Modules: `src/Cli/` - [x] **VEX Observation and Webhooks CLI (stella vex evidence/webhooks/observation)** - Status: IMPLEMENTED - Extended VEX CLI plugin providing evidence linking, webhook management for VEX events, and VEX observation commands with Rekor attestation support for transparency log integration. - Modules: `src/Cli/` - [x] **DeltaSig CLI Module (stella deltasig)** - Status: IMPLEMENTED - Proposed CLI module for creating, signing, verifying, and packing ELF delta signatures. The advisory provides complete code samples but these have not been implemented. The BinaryDiff attestation predicates exist as the backend foundation. - Modules: `src/Cli, src/BinaryIndex` - [x] **CLI Reachability Trace Export (stella reachability trace)** - Status: IMPLEMENTED - New stella reachability trace command with flags for scan ID, output format (GraphSON/JSON), runtime-confirmed filtering, minimum score threshold, and deterministic output. - Sprint: SPRINT_20260112_004_CLI_reachability_trace_export.md - [x] **Evidence Card and Remediation PR CLI Commands** - Status: IMPLEMENTED - CLI commands for viewing evidence cards per finding and opening remediation pull requests (`stella remediate open-pr`) directly from CLI output, enabling automated PR creation for AI-generated fix suggestions. - Sprint: SPRINT_20260112_011_CLI_evidence_card_remediate_cli.md - [x] **Image Inspect CLI Command (`stella image inspect`)** - Status: IMPLEMENTED - CLI command `stella image inspect` for querying OCI image metadata including manifest type, architecture platforms, layer digests, annotations, and SBOM/attestation referrers in table or JSON output. 
- Sprint: SPRINT_20260113_002_002_CLI_image_inspect_command.md - [x] **Offline SBOM Verification CLI (`stella sbom verify`)** - Status: IMPLEMENTED - CLI command `stella sbom verify` for offline SBOM verification including signature validation, canonical hash recomputation, and format compliance checks for CycloneDX/SPDX documents without network connectivity. - Sprint: SPRINT_20260112_016_CLI_sbom_verify_offline.md - [x] **Replay Command Generator Service** - Status: IMPLEMENTED - Backend service that generates copy-ready replay commands for deterministic verdict reproduction. Builds command strings with all necessary hashes (artifact, manifest, feeds, policy) and provides downloadable evidence bundles as ZIP for one-click replay from the UI. - Sprint: SPRINT_9200_0001_0003_CLI_replay_command_generator.md - [x] **VEX Generation with Evidence Links (`--link-evidence` CLI Flag)** - Status: IMPLEMENTED - Extension to `stella vex gen` command with `--link-evidence` flag that includes binary-diff evidence links in VEX output, showing evidence type, confidence score, and URI in both table and JSON formats. - Sprint: SPRINT_20260113_003_002_CLI_vex_evidence_integration.md ### Concelier (36 features) - [x] **4-Tier Backport Evidence Resolver** - Status: IMPLEMENTED - Multi-tier backport evidence resolution with tier precedence, distro mappings, cross-distro OVAL integration, and deterministic backport verdicts. - Modules: `src/Concelier` - [x] **Advisory Connector Architecture (NVD, OSV, GHSA, Vendor Feeds)** - Status: IMPLEMENTED - Extensive advisory connector ecosystem with vendor-specific connectors for VMware, Oracle, MSRC, Cisco, Chromium, Apple, plus NVD, OSV, GHSA, RedHat, SUSE, Debian, Alpine, Ubuntu, KEV, EPSS, CERT-FR, CERT-CC, CERT-Bund feeds. 
- Modules: `src/Concelier` - [x] **Advisory Ingestion with Canonical Deduplication** - Status: IMPLEMENTED - Advisory ingestion pipeline with canonical deduplication, linkset observation factory, and raw advisory processing. - Modules: `src/Concelier` - [x] **Distro Connectors (Alpine, Debian, RedHat, SUSE, Ubuntu)** - Status: IMPLEMENTED - All major distro connectors for vulnerability feed ingestion (Alpine secdb, Debian security tracker, RHEL errata, SUSE advisories, Ubuntu USN). - Modules: `src/Concelier` - [x] **Distro Fix Database with Multi-Provider Ingestion** - Status: IMPLEMENTED - Comprehensive vulnerability feed ingestion from distro (Alpine, Debian, RHEL, SUSE, Ubuntu) and vendor sources with normalization and merge. - Modules: `src/Concelier` - [-] **Feed Snapshot Coordinator** - Status: PARTIALLY_IMPLEMENTED - Feed snapshot persistence and retrieval exists (repository, entity model). However, the advisory notes this as TODO (Feed Snapshot Coordinator for cross-platform pinning/coordination is still in progress). - Modules: `src/Concelier` - [x] **Ingestion Telemetry and Orchestration** - Status: IMPLEMENTED - Telemetry instrumentation for ingestion pipeline with OpenTelemetry metrics and orchestration registry for connector management. - Modules: `src/Concelier` - [x] **Link-Not-Merge Advisory Architecture** - Status: IMPLEMENTED - Advisory confirmed that existing Link-Not-Merge model is architecturally superior to proposed Unified Advisory Schema (UAS). Preserves conflict evidence and 3-component trust vector. - Modules: `src/Concelier` - [x] **Linkset Correlation V2 Algorithm** - Status: IMPLEMENTED - V2 linkset correlation algorithm with graph connectivity scoring, pairwise PURL coverage scoring, typed conflict severities, and reference conflict logic fixes. Has dedicated tests. 
- Modules: `src/Concelier` - [x] **Plugin System with DI, Signing, and Version Attributes** - Status: IMPLEMENTED - Plugin architecture using IDependencyInjectionRoutine and ServiceBinding attributes for dependency injection, with isolated AssemblyLoadContext loading. Cosign signature verification and StellaPluginVersion attributes are defined. - Modules: `src/Concelier, src/Cryptography, src/Notify` - [x] **PostgreSQL as System of Record (with JSONB)** - Status: IMPLEMENTED - PostgreSQL is universally adopted as the system of record across all persistence-bearing modules via Npgsql/NpgsqlDataSource. - Modules: `src/Concelier, src/IssuerDirectory, src/OpsMemory, src/Orchestrator, src/Platform, src/Scanner, src/Scheduler, src/Signals, src/Signer, src/VexHub` - [x] **PostgreSQL Storage Layer (Proof Evidence Repositories)** - Status: IMPLEMENTED - Three PostgreSQL repository implementations backed by Dapper/Npgsql. Database schema defines 6 tables across 3 schemas (vuln: distro_advisories, changelog_evidence, patch_evidence, patch_signatures; feedser: binary_fingerprints; attestor: proof_blobs) with 18 indices including GIN indices for CVE array queries and composite indices for CVE+package lookups. - Modules: `src/Concelier` - [x] **Source Intelligence Parsing (Changelog + Patch Header)** - Status: IMPLEMENTED - Source intelligence parsing for Tier 2 and Tier 3 evidence collection. Includes changelog parsing (debian/changelog, RPM changelog), patch header parsing, and integration with upstream advisory sources (Debian Security Tracker, Red Hat Errata). - Modules: `src/Concelier` - [x] **VEX conflict resolution (side-by-side merge with provenance)** - Status: IMPLEMENTED - VEX conflict resolver and consensus engine merge statements from multiple sources with rationale models explaining merge outcomes. 
- Modules: `src/Concelier, src/VexLens` - [x] **VEX Distribution Network (Moat Score 3-4)** - Status: IMPLEMENTED - 32 advisory connectors covering national CERTs, distro security trackers, vendor advisories, ICS sources, and general vulnerability databases. - Modules: `src/Concelier` - [-] **Astra Linux OVAL Feed Connector** - Status: PARTIALLY_IMPLEMENTED - Advisory feed connector for Astra Linux (Russian certified distro) implementing IFeedConnector interface. Includes OVAL XML feed research, plugin scaffold, AstraOptions configuration, and trust defaults. Reuses DebianVersionComparer for version comparison. OVAL XML parser is partially implemented. - Modules: `src/Concelier/__Connectors/StellaOps.Concelier.Connector.Astra/` - Sprint: SPRINT_20251229_005_CONCEL_astra_connector.md - [x] **Backport FixIndex Service with O(1) Distro Patch Lookups** - Status: IMPLEMENTED - FixIndex service providing O(1) constant-time lookups for backport patch status across distributions. FixRule type system (Boundary, Range, BuildDigest, Status rules) with BackportStatusService.EvalPatchedStatus for deterministic patch-status evaluation. - Modules: `src/Concelier/__Libraries/StellaOps.Concelier.BackportProof/` - Sprint: SPRINT_20251229_004_002_BE_backport_status_service.md - [x] **CCCS Advisory Connector** - Status: IMPLEMENTED - Canadian Centre for Cyber Security (CCCS) advisory connector with HTML parsing, raw document mapping, and scheduled job ingestion. The known list has "Cross-Distro Advisory Connectors" and "Advisory Connector Architecture (NVD, OSV, GHSA, Vendor Feeds)" but not CCCS specifically. - Modules: `src/Concelier/__Connectors/` - Sprint: Sprint 0117 (batch_14/file_18.md) - [x] **Cisco Vendor Advisory Connector** - Status: IMPLEMENTED - Cisco vendor advisory connector for ingesting Cisco security advisories with provenance-tracked mapping. Not individually listed in the known features. 
  - Modules: `src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco/`
  - Sprint: Sprint 0117 (batch_14/file_18.md)
- [x] **Concelier Deprecation Headers Middleware**
  - Status: IMPLEMENTED - HTTP deprecation headers middleware for Concelier API endpoints, signaling API version lifecycle to consumers. Not in the known list.
  - Modules: `src/Concelier/StellaOps.Concelier.WebService/`
  - Sprint: Sprint 0116 (batch_14/file_17.md)
- [x] **Concelier LNM Linkset Cache with Telemetry**
  - Status: IMPLEMENTED - PostgreSQL-backed deterministic cache for Link-Not-Merge advisory linksets with telemetry instrumentation, OpenAPI spec, and deprecation headers. While "Link-Not-Merge Advisory Architecture" is in the known list, this specific linkset caching with persistence and telemetry is a distinct implementation detail.
  - Modules: `src/Concelier/__Libraries/StellaOps.Concelier.Persistence/`, `src/Concelier/StellaOps.Concelier.WebService/`
  - Sprint: Sprint 0112 (batch_14/file_13.md)
- [x] **Concelier Policy Studio Signal Picker**
  - Status: IMPLEMENTED - Policy Studio integration that selects and filters risk signals from advisory data for policy evaluation, including vendor risk signal extraction and fix availability emission. Not in the known list.
  - Modules: `src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/PolicyStudio/`
  - Sprint: Sprint 0114-0115 (batch_14/file_15-16.md)
- [x] **Concelier Tenant Scoping**
  - Status: IMPLEMENTED - Tenant-scoped advisory data isolation with scope normalization and capabilities endpoint for multi-tenant Concelier deployments. Not in the known list as a Concelier-specific feature.
  - Modules: `src/Concelier/__Libraries/StellaOps.Concelier.Core/Tenancy/`
  - Sprint: Sprint 0115 (batch_14/file_16.md)
- [x] **Concelier Vendor Risk Signal Provider**
  - Status: IMPLEMENTED - Extracts vendor-specific risk signals from advisory data, emits fix availability events, and tracks advisory field changes for risk scoring. Not in the known list.
  - Modules: `src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/`
  - Sprint: Sprint 0115 (batch_14/file_16.md)
- [x] **Deterministic Semantic Merge Hash for Advisory Deduplication**
  - Status: IMPLEMENTED - Computes identity-based semantic hash from (CVE + PURL/CPE + version-range + CWE + patch_lineage) for cross-distro advisory deduplication. Includes normalizers (PURL, CPE, version range, CWE, patch lineage), golden corpus validation (Debian/RHEL/SUSE/Alpine), fuzzing tests (1000 random inputs), shadow-write migration mode, and backfill service. Distinct from "Advisory Ingestion with Canonical Deduplication" which is the overall dedup concept; this is the specific merge_hash identity algorithm.
  - Modules: `src/Concelier/`
  - Sprint: SPRINT_8200_0012_0001_CONCEL_merge_hash_library.md
- [x] **EPSS Feed Connector (Concelier Three-Stage Pattern)**
  - Status: IMPLEMENTED - Concelier connector for EPSS (Exploit Prediction Scoring System) feed ingestion following three-stage Fetch/Parse/Map pattern. Reuses Scanner's EpssCsvStreamParser for CSV parsing, supports ETag conditional requests, air-gap bundle fallback, priority band classification (Critical/High/Medium/Low at 0.70/0.40/0.10 thresholds), and daily scheduled ingestion (10:00 UTC).
  - Modules: `src/Concelier/`
  - Sprint: SPRINT_4000_0002_0001_epss_feed_connector.md
- [x] **VEX Consumption from SBOM Documents (Embedded VEX Extraction)**
  - Status: IMPLEMENTED - Extracts embedded VEX statements from CycloneDX and SPDX SBOMs, evaluates per-statement trust based on source provenance and evidence quality, resolves conflicts when multiple VEX sources disagree, and generates consumption reports. This is distinct from the known "VEX Multi-Source Consensus Engine" which merges standalone VEX documents; this feature specifically processes VEX embedded within SBOM documents.
  - Modules: `src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/`
  - Sprint: SPRINT_20260119_020_Concelier_vex_consumption.md
- [x] **Advisory Federation with Delta Bundle Export/Import**
  - Status: IMPLEMENTED - Cursor-based federation system for synchronizing canonical advisories across sites (including air-gapped). Exports ZST-compressed NDJSON delta bundles with DSSE signatures, imports with verification (hash, signature, site policy), merge with conflict detection, and sync ledger for cursor tracking. Supports CLI commands (feedser bundle export/import) and REST API endpoints.
  - Sprint: SPRINT_8200_0014_0001 + 0002 + 0003
- [x] **Advisory Interest Scoring Service**
  - Status: IMPLEMENTED - Learns which advisories matter to an organization by computing interest scores from SBOM intersection, reachability, deployment, VEX status, and age decay signals. Includes background recalculation jobs and stub degradation for low-interest advisories.
  - Sprint: SPRINT_8200_0013_0002_CONCEL_interest_scoring.md
- [x] **Advisory-Mode Formula for Evidence-Weighted Scoring**
  - Status: IMPLEMENTED - New FormulaMode enum (Advisory vs Legacy) for the EWS scoring engine that adds CVSS base score, exploit maturity level, and patch proof confidence as first-class scoring dimensions. Includes VEX override logic where authoritative not_affected status forces score to zero. Extends beyond the known "Evidence-Weighted Score (EWS) Model" with new dimensions and formula modes.
  - Sprint: batch_37/file_05.md
- [x] **Backport-Aware Advisory Deduplication with Provenance Scope**
  - Status: IMPLEMENTED - Enhances canonical advisory deduplication to be backport-aware. Same CVE with different backport status produces correctly differentiated canonicals. Includes provenance_scope tracking, configurable vendor vs. distro precedence lattice, and patch lineage normalization for merge_hash computation.
  - Sprint: SPRINT_8200_0015_0001_CONCEL_backport_integration.md
- [x] **Canonical Advisory Source Edge Schema (Database Layer)**
  - Status: IMPLEMENTED - Database schema for provenance-scoped canonical advisory deduplication. Stores deduplicated advisories with merge_hash identity and links each to source documents via DSSE-signed source edges. Enables multi-source advisory merge with full provenance tracking.
  - Sprint: SPRINT_8200_0012_0002_DB_canonical_source_edge_schema.md
- [x] **Concelier Advisory Chunks API (Paragraph-Anchored)**
  - Status: IMPLEMENTED - REST API endpoint serving paragraph-anchored advisory chunks with tenant enforcement, AdvisoryRead scopes, and filters for sections/formats/limits/minLength. Designed for Advisory AI to pull deterministic paragraph anchors plus source metadata.
  - Sprint: 2025-11-07-concelier-advisory-chunks.md
- [x] **Full SBOM Extraction with Enriched ParsedSbom Model**
  - Status: IMPLEMENTED - Upgraded SBOM parser that extracts ALL fields from CycloneDX 1.7 and SPDX 3.0.1 (not just PURL/CPE). The enriched ParsedSbom model carries full SBOM data including services, crypto properties, ML model metadata, build/formulation info, compositions, vulnerabilities, and dependencies for downstream consumers (Scanner, Policy, etc.).
  - Sprint: SPRINT_20260119_015_Concelier_sbom_full_extraction.md
- [x] **SBOM-Advisory Intersection Matching and Learning**
  - Status: IMPLEMENTED - SBOM registration and learning system that finds which canonical advisories affect an organization's components. Matches by PURL and CPE, triggers interest score updates, and supports incremental delta SBOM matching. Provides POST /api/v1/learn/sbom endpoint and auto-learning from scan events.
  - Sprint: SPRINT_8200_0013_0003_SCAN_sbom_intersection_scoring.md
- [x] **Valkey Advisory Cache Service**
  - Status: IMPLEMENTED - Valkey (Redis-compatible) caching layer for canonical advisories with TTL policies based on interest score, PURL index lookups, hot set ranking, and p99 < 20ms read target. Includes cache warmup, metrics, and fallback mode.
  - Sprint: SPRINT_8200_0013_0001_GW_valkey_advisory_cache.md

### Cryptography (6 features)

- [x] **Crypto Provider Plugin Architecture (GOST, SM, FIPS, eIDAS)**
  - Status: IMPLEMENTED - Full plugin-based crypto architecture with dedicated plugins for GOST, SM (Chinese), FIPS, and eIDAS regional crypto profiles. MultiProfileSigner supports runtime profile selection.
  - Modules: `src/Cryptography`
- [x] **eIDAS Qualified Timestamping**
  - Status: IMPLEMENTED - EU-qualified timestamp verification with TSA configuration, EU Trust List integration, and CAdES signature building for eIDAS compliance.
  - Modules: `src/Cryptography`
- [x] **Hardware-Backed Org Key / KMS Signing**
  - Status: IMPLEMENTED - HSM and KMS key support via pluggable cryptography module with dedicated plugins for hardware-backed signing.
  - Modules: `src/Cryptography, src/Signer`
- [x] **HSM Integration (PKCS#11)**
  - Status: IMPLEMENTED - PKCS#11 HSM client implementation for hardware security module integration, with integration tests.
  - Modules: `src/Cryptography`
- [x] **Regional Crypto Profiles (FIPS, GOST, eIDAS, SM)**
  - Status: IMPLEMENTED - Full crypto profile system with plugins for FIPS, GOST, eIDAS (with qualified timestamping), SM (Chinese standards), and HSM (PKCS#11). Supports multi-profile signing and EdDSA/ECDSA-P256 profiles.
  - Modules: `src/Cryptography, src/__Libraries/StellaOps.Cryptography.*`
- [ ] **Additional Crypto Profiles (GOST, SM2, eIDAS, PQC)**
  - Status: NOT_FOUND - The advisory explicitly deferred GOST R 34.10-2012, SM2, eIDAS, and post-quantum crypto profiles to future work.
    Note: the broader repo does have crypto modules under src/Cryptography and src/SmRemote, but those are part of separate efforts.

### DevPortal (1 features)

- [x] **Developer Portal (Astro/Starlight)**
  - Status: IMPLEMENTED - Static developer portal built with Astro/Starlight framework providing interactive schema viewer, try-it API console, SDK quickstart guides, and offline bundle for air-gapped environments.
  - Modules: `src/DevPortal/`
  - Sprint: SPRINT_0206_0001_0001_devportal.md

### Doctor (8 features)

- [x] **Doctor Diagnostics Runner**
  - Status: IMPLEMENTED - Doctor plugin infrastructure with multiple plugins (Vex, BinaryAnalysis, Notify, Observability, Timestamping) providing health checks, diagnostics, and remediation commands is implemented.
  - Modules: `src/Doctor`
- [x] **Doctor Health Checks for Integrations**
  - Status: IMPLEMENTED - Individual health checks for webhooks, Slack, Teams, email, OTLP endpoints, debuginfod, corpus mirrors, and more are implemented as pluggable Doctor checks.
  - Modules: `src/Doctor`
- [x] **Doctor AdvisoryAI Integration**
  - Status: IMPLEMENTED - Integration between Doctor diagnostics and AdvisoryAI system to provide AI-powered health diagnosis explanations, with an evidence schema registry for Doctor health results, prompt templates for health context, and a diagnosis API endpoint. While "AdvisoryAI Pipeline with Guardrails" and "AdvisoryAI Orchestrator" exist in known features, the Doctor-specific AI integration for health diagnostics is a distinct feature.
  - Modules: `src/Doctor/__Libraries/StellaOps.Doctor/`, `src/Web/StellaOps.Web/src/app/features/doctor/`
  - Sprint: SPRINT_20260118_022_Doctor_advisoryai_integration.md
- [x] **Doctor Check Quality Improvements (Real Diagnostics Replacing Mocks)**
  - Status: IMPLEMENTED - Replaced mock implementations in PolicyEngineHealthCheck, OidcProviderConnectivityCheck, and FipsComplianceCheck with real diagnostic logic.
    Added discriminating evidence fields for AI reasoning and safety annotations (IsDestructive/DryRunVariant) for destructive remediation commands.
  - Modules: `src/Doctor/__Plugins/`
  - Sprint: SPRINT_20260118_015_Doctor_check_quality_improvements.md
- [x] **Doctor Runbook URL Integration**
  - Status: IMPLEMENTED - Extended Doctor diagnostic framework to support runbook URL links in remediation output, making operational runbooks discoverable directly from `stella doctor` CLI and UI results.
  - Modules: `src/Doctor/`
  - Sprint: SPRINT_20260117_029_DOCS
- [x] **Doctor Scheduled Runs with Alerting and Trend Analysis**
  - Status: IMPLEMENTED - Cron-based scheduled execution of Doctor health checks with configurable schedules, trend data storage for historical analysis, anomaly detection for health metric degradation, and alerting service integration for notifications on health regressions.
  - Modules: `src/Doctor/StellaOps.Doctor.Scheduler/`
  - Sprint: SPRINT_20260118_020_Doctor_scheduled_runs_trending.md
- [x] **Doctor YAML Pack Loader and First-Party Packs**
  - Status: IMPLEMENTED - YAML-based diagnostic pack loader allowing first-party and user-defined diagnostic packs, with a self-service Doctor UI page for running health checks interactively.
  - Modules: `src/Doctor/`
  - Sprint: SPRINT_20260113_005_DOCTOR
- [x] **Doctor Diagnostic Bundle Export for Support Tickets**
  - Status: IMPLEMENTED - Generates comprehensive shareable diagnostic bundles (.zip) for support tickets containing doctor check results, system configuration, evidence, and remediation suggestions. Enables self-service troubleshooting without support escalation.
  - Sprint: SPRINT_20260112_001_009_DOCTOR_self_service.md

### EvidenceLocker (17 features)

- [x] **Evidence Locker with Deterministic Bundles**
  - Status: IMPLEMENTED - Full Evidence Locker module with snapshot services, timeline publishing, and infrastructure for deterministic evidence bundle management.
  - Modules: `src/EvidenceLocker`
- [x] **Evidence Packets for Every Decision**
  - Status: IMPLEMENTED - Evidence bundles with manifests, attestations, and export capabilities are implemented for audit-grade decision records.
  - Modules: `src/EvidenceLocker, src/ExportCenter`
- [x] **Incident Mode**
  - Status: IMPLEMENTED - Incident mode management with state tracking, manager service, and incident notifier for evidence integrity violations.
  - Modules: `src/EvidenceLocker`
- [x] **Offline Kit with SBOM + DSSE + Rekor Receipt**
  - Status: IMPLEMENTED - Offline kit import with SBOM, DSSE attestation verification, offline timestamp verification, and bundled test fixtures for offline scenarios.
  - Modules: `src/EvidenceLocker, src/Scanner, src/__Tests`
- [x] **Provenance Bundle Export and Independent Verification**
  - Status: IMPLEMENTED - Provenance attestation with build models, signers, and verification is implemented. EvidenceLocker supports tar.gz bundle export with Merkle tree integrity.
  - Modules: `src/EvidenceLocker, src/Provenance`
- [x] **Verifiable Evidence for Every Release Decision**
  - Status: IMPLEMENTED - Timestamped evidence with attestation assembly and export services supports verifiable, audit-grade release decision records.
  - Modules: `src/EvidenceLocker, src/ExportCenter`
- [x] **Sovereign Crypto Routing for Evidence Locker**
  - Status: IMPLEMENTED - Regional crypto profile routing within the Evidence Locker, directing signing and verification operations to the appropriate crypto provider (FIPS, eIDAS, GOST, SM) based on tenant configuration.
  - Modules: `src/EvidenceLocker/`
  - Sprint: SPRINT_0161_0001_0001_evidencelocker.md
- [x] **Verdict Ledger bom-ref Extraction and Indexing**
  - Status: IMPLEMENTED - Added bom-ref extraction and component-level indexing to the verdict ledger, enabling queries by SBOM component reference for auditing which components were evaluated in each verdict.
  - Modules: `src/EvidenceLocker/`, `src/Zastava/`
  - Sprint: SPRINT_20260118_015_Attestor_verdict_ledger_foundation.md
- [x] **Doctor Evidence Integrity Check (DSSE + Rekor + Hash Verification)**
  - Status: IMPLEMENTED - Doctor health check that validates DSSE signature validity, Rekor inclusion (or offline ledger), and evidence hash consistency using canonical JSON, with deterministic and offline-friendly output.
  - Sprint: SPRINT_20260112_004_LB_doctor_evidence_integrity_checks.md
- [x] **Evidence Bundle Export with Embedded Verify Scripts**
  - Status: IMPLEMENTED - Standardized evidence-bundle tar.gz export format with embedded verify.sh (POSIX) and verify.ps1 (PowerShell) scripts, bundled public keys for offline verification, Merkle root verification (RFC 6962), BSD-format SHA256 checksums, and async export worker for large bundles with status tracking (pending/processing/ready/failed).
  - Sprint: SPRINT_20260106_003_003_EVIDENCE_export_bundle.md
- [x] **Evidence Bundle Importer (Import Pipeline)**
  - Status: IMPLEMENTED - Import pipeline for evidence bundles with DSSE signature verification, content-addressed ID recomputation, deduplication, and conflict resolution. Complements the existing "Evidence Bundles (Release Evidence Packs)" and "Audit Bundle Export" with inbound import capability.
  - Sprint: batch_37/file_04.md
- [x] **Evidence Card API Endpoint**
  - Status: IMPLEMENTED - API endpoint for evidence card export with format query parameter, response headers (X-Evidence-Pack-Id, X-Content-Digest, X-Evidence-Card-Version, X-Rekor-Log-Index), and OpenAPI spec.
  - Sprint: SPRINT_20260112_005_BE_evidence_card_api.md
- [x] **Evidence Card Core (Single-File Receipt Export)**
  - Status: IMPLEMENTED - Single-file evidence card export packaging SBOM excerpt, DSSE envelope, and Rekor receipt with deterministic output and offline verification support.
  - Sprint: SPRINT_20260112_004_LB_evidence_card_core.md
- [x] **Evidence Re-Index Tooling (CLI)**
  - Status: IMPLEMENTED - CLI commands for evidence store maintenance including reindexing (`stella evidence reindex`), chain-of-custody verification (`stella evidence verify-continuity`), and evidence migration between storage backends.
  - Sprint: SPRINT_20260112_018_EVIDENCE_reindex_tooling.md
- [x] **Rekor Timestamp in Evidence Graph Metadata**
  - Status: IMPLEMENTED - Evidence graph signature metadata extended with Rekor integrated time (RFC3339) and entry URL for UI timestamp linking and verifiable provenance display.
  - Sprint: SPRINT_20260112_004_FINDINGS_evidence_graph_rekor_time.md
- [x] **S3 Object Lock (WORM Retention) for Evidence Locker**
  - Status: IMPLEMENTED - Object Lock configuration in EvidenceLockerOptions with mode, default retention days, legal hold; enforcement headers in S3 storage for WORM retention and legal hold behavior with startup validation.
  - Sprint: SPRINT_20260112_002_EVIDENCE_evidence_locker_audit_pack_hardening.md
- [x] **VEX Evidence Auto-Linking Service (IVexEvidenceLinker)**
  - Status: IMPLEMENTED - Service that auto-links VEX assertions to supporting binary-diff evidence by matching patched findings to VEX entries, storing evidence URIs with confidence scores, and validating DSSE signatures before accepting links.
  - Sprint: SPRINT_20260113_003_001_EXCITITOR_vex_evidence_linker.md

### Excititor (18 features)

- [ ] **VEX Delta Persistence Table**
  - Status: NOT_FOUND - Persistent tracking of VEX status transitions between artifact versions with rationale and replay hashes. Schema designed but not implemented.
  - Modules: `(planned for src/Excititor, src/VexLens)`
- [x] **Excititor VEX escalation service**
  - Status: IMPLEMENTED - Excititor module with auto-VEX justification, calibration comparison engine, CycloneDX export, and export engine with test coverage.
  - Modules: `src/Excititor`
- [x] **OpenVEX Format Support**
  - Status: IMPLEMENTED - OpenVEX format supported with golden corpus test fixtures for all VEX statuses (affected, not_affected, fixed, under_investigation) and OpenVEX export snapshot tests in the Excititor module.
  - Modules: `src/Excititor, src/__Tests/__Benchmarks`
- [x] **VEX annotation and export (OpenVEX + CycloneDX VEX formats)**
  - Status: IMPLEMENTED - OpenVEX, CycloneDX, and CSAF VEX normalizers plus consensus export service implement multi-format VEX annotation and export.
  - Modules: `src/Excititor, src/VexLens`
- [x] **VEX Claim Normalization (Multi-Format Ingestion)**
  - Status: IMPLEMENTED - Normalization of VEX claims from OpenVEX, CycloneDX VEX, and CSAF formats into canonical internal representation with vendor-specific connectors (Ubuntu, Red Hat, Oracle, Microsoft, Cisco).
  - Modules: `src/Excititor`
- [x] **VEX Claims Resolution Engine (Multi-Source Merge)**
  - Status: IMPLEMENTED - Multi-source VEX claim resolution with policy-controlled merge semantics resolving conflicts between vendor, distro, internal, and scanner claims into a deterministic resolved status.
  - Modules: `src/Excititor`
- [x] **VEX Cryptographic Verification**
  - Status: IMPLEMENTED - Cryptographic signature verification of VEX documents at ingestion time with crypto profile selection and issuer validation.
  - Modules: `src/Excititor`
- [x] **VEX Handling with Formal Reasoning (Lattice-Based Merge)**
  - Status: IMPLEMENTED - VEX handling with a K4 trust lattice engine for deterministic merging of vendor/distro/internal VEX claims, claim score merging, conflict penalization, and disposition selection via policy-driven rules.
  - Modules: `src/Excititor, src/Policy, src/VexHub, src/VexLens`
- [x] **VEX Issuer Identity Verification**
  - Status: IMPLEMENTED - Cryptographic verification of VEX issuer identities with signature verification, issuer directory lookup, verification caching, and configurable verification options.
  - Modules: `src/Excititor`
- [x] **VEX normalization and multi-format ingestion (OpenVEX, CSAF)**
  - Status: IMPLEMENTED - VEX normalization, delta mapping, export compatibility testing, and auto-VEX justification across VexLens, VexHub, and Excititor modules.
  - Modules: `src/Excititor, src/VexHub, src/VexLens`
- [x] **VEX Policy-Controlled Trust and Evidence Requirements**
  - Status: IMPLEMENTED - Policy-driven trust weights and evidence requirements for VEX claims, with guardrails ensuring safe statuses require evidence satisfaction.
  - Modules: `src/Excititor, src/Policy`
- [x] **VEX Source Registration and Verification Pipeline**
  - Status: IMPLEMENTED - VEX source onboarding pipeline with scheduled provider runners, orchestration, signature verification, and issuer directory integration for multi-vendor VEX ingestion.
  - Modules: `src/Excititor`
- [x] **Automatic code_not_reachable VEX Justification Generation**
  - Status: IMPLEMENTED - Automatically generates VEX `code_not_reachable` justifications when reachability slice verdict is "unreachable", including slice digest as evidence reference and supporting OpenVEX, CSAF, and CycloneDX formats. Auto-generated justifications require human approval by default.
  - Modules: `src/Excititor/`
  - Sprint: SPRINT_3830_0001_0001_vex_integration_policy_binding.md
- [x] **Excititor VEX Evidence Chunk Service**
  - Status: IMPLEMENTED - Chunked evidence service for VEX data that splits large evidence payloads into manageable chunks for API transport and storage. Not in the known list.
  - Modules: `src/Excititor/`
  - Sprint: Sprints 0119 (batch_14/file_19.md)
- [x] **Excititor VEX Observation and Linkset Stores**
  - Status: IMPLEMENTED - PostgreSQL append-only stores for VEX observations and linksets with list endpoints, projection services, and conflict annotation support. The known list has "Excititor VEX escalation service" but not the specific observation/linkset store and projection architecture.
  - Modules: `src/Excititor/`
  - Sprint: Sprints 0119 I-III (batch_14/file_19-21.md)
- [x] **Trust Vector Calibration System**
  - Status: IMPLEMENTED - Full trust calibration system including: DefaultTrustVectors (per-source baseline trust), SourceClassificationService, CalibrationManifest (versioned calibration snapshots), CalibrationComparisonEngine (post-mortem comparison), TrustVectorCalibrator with learning rate, and TrustCalibrationService. Distinct from "VEX Source Trust Scoring" which is about individual scoring; this is the calibration/tuning infrastructure.
  - Modules: `src/Excititor/`
  - Sprint: SPRINT_7100_0002_0002_source_defaults_calibration.md
- [x] **Excititor VEX Justification Normalization API**
  - Status: IMPLEMENTED - Normalized VEX justification projections served at a REST endpoint, enabling consumers to retrieve standardized VEX observation data for vulnerability/product combinations.
  - Sprint: batch_54/file_12.md (Sprint 110 update)
- [x] **VEX Override Workflow with Attestation Linkage**
  - Status: IMPLEMENTED - VEX decision APIs extended with attestation references so overrides are DSSE-signed. Attestor integration mints envelopes for operator decisions with envelope digest and Rekor info persistence. Includes offline stub client.
  - Sprint: SPRINT_20260112_004_VULN_vex_override_workflow.md

### ExportCenter (7 features)

- [-] **CLI/UI Surfacing of Hidden Backend Capabilities**
  - Status: PARTIALLY_IMPLEMENTED - The advisory itself identifies this as a gap - backend capabilities are rich but CLI/UI coverage needs surfacing work. This is a meta-advisory about exposing existing features.
  - Modules: `src/ExportCenter, src/Web, various backend modules`
- [x] **Export Telemetry and Worker**
  - Status: IMPLEMENTED - Export telemetry instrumentation and dedicated background worker for async export job processing.
  - Modules: `src/ExportCenter`
- [x] **OCI Digest-First Release Identity**
  - Status: IMPLEMENTED - OCI distribution with digest-based artifact publishing and type-safe models is implemented.
  - Modules: `src/ExportCenter`
- [x] **OCI Distribution for Export Artifacts**
  - Status: IMPLEMENTED - OCI registry distribution with push client, referrer support, configurable options, and export distribution lifecycle management.
  - Modules: `src/ExportCenter`
- [x] **OCI Referrer Publishing**
  - Status: IMPLEMENTED - OCI referrer push client and discovery service for publishing attestations as OCI-attached artifacts.
  - Modules: `src/ExportCenter`
- [x] **Export Center Risk Bundle Builder**
  - Status: IMPLEMENTED - Generates signed risk bundles aggregating vulnerability findings, VEX decisions, and policy evaluations into portable, DSSE-signed export artifacts for compliance reporting and auditor handoff.
  - Modules: `src/ExportCenter/`
  - Sprint: SPRINT_0163_0001_0001_exportcenter_ii.md
- [x] **Local Evidence Cache with Deferred Enrichment Queue**
  - Status: IMPLEMENTED - Disk-backed local evidence cache that stores scan artifacts (SBOM, VEX, reachability data) alongside findings with a deferred enrichment queue pattern for offline-first evidence collection and lazy hydration.
  - Modules: `src/ExportCenter/`
  - Sprint: SPRINT_3605_0001_0001_local_evidence_cache.md

### Feedser (1 features)

- [x] **EPSS Signal-Ready Layer (Tenant-Scoped Actionable Events)**
  - Status: IMPLEMENTED - EPSS signal emission pipeline with change detection, signal flow integration, and signal attaching to risk evaluations. EPSS evidence feeds into the policy determinization scoring system.
  - Modules: `src/Feedser, src/Policy, src/Scanner`

### Findings (7 features)

- [x] **Admin audit trails (comprehensive logging of changes)**
  - Status: IMPLEMENTED - Policy evaluation trace snapshots, evidence graph builder, and exception event auditing provide admin-level audit trails for governance.
  - Modules: `src/Findings, src/Policy`
- [x] **CVSS/VEX Sorting (Multi-Dimension)**
  - Status: IMPLEMENTED - CVSS v4.0 scoring engine combined with findings summary builder supports multi-dimensional sorting by CVSS and VEX status.
  - Modules: `src/Findings, src/Policy`
- [x] **Findings Ledger with Append-Only Events**
  - Status: IMPLEMENTED - Findings Ledger with event write service, event constants, integration tests, and contract tests for append-only event persistence.
  - Modules: `src/Findings`
- [x] **Ledger Projections**
  - Status: IMPLEMENTED - Projection worker that materializes event streams into queryable read models.
  - Modules: `src/Findings`
- [x] **Ledger Replay Determinism**
  - Status: IMPLEMENTED - Replay determinism verification with dedicated tests and a replay harness tool for offline validation.
  - Modules: `src/Findings`
- [x] **Merkle Anchoring for Audit Integrity**
  - Status: IMPLEMENTED - Dedicated Merkle anchor worker that periodically anchors ledger events to Merkle trees for tamper-evident audit integrity.
  - Modules: `src/Findings`
- [x] **Attested Reduction Scoring in Findings Ledger**
  - Status: IMPLEMENTED - Anchor-aware evidence wiring into Findings Ledger scoring with reduction profile metadata, hard-fail flag, short-circuit reason, and anchor metadata (DSSE envelope digest, Rekor log index/entry) in API responses.
  - Sprint: SPRINT_20260112_004_BE_findings_scoring_attested_reduction.md

### Gateway (8 features)

- [-] **Router Back-Pressure Middleware (Dual-Window Rate Limiting + Circuit Breaker)**
  - Status: PARTIALLY_IMPLEMENTED - Rate limiting is present in the Gateway and Graph API services. The advisory's highly detailed dual-window rate limiter with Redis/Valkey-backed environment limiter, ring counter, and custom circuit breaker pattern is not implemented as described. Standard ASP.NET rate limiting is used instead.
  - Modules: `src/Gateway, src/Graph`
- [-] **StellaRouter Performance Testing Pipeline (k6 + Prometheus + Correlation IDs)**
  - Status: PARTIALLY_IMPLEMENTED - The StellaRouter gateway service exists but the advisory's proposed k6 performance testing scenarios (A-G), correlation ID instrumentation, and Prometheus metric dashboards for performance curve modeling are not present as source code artifacts. These may exist as devops artifacts outside src/.
  - Modules: `src/Gateway`
- [x] **Gateway Connection Lifecycle Management**
  - Status: IMPLEMENTED - HELLO frame processing for microservice registration, connection lifecycle management with cleanup on disconnect, and `ConnectionManager` hosted service for monitoring active connections.
  - Modules: `src/Gateway/StellaOps.Gateway.WebService/`
  - Sprint: batch_51/file_22.md
- [x] **Gateway HTTP Middleware Pipeline**
  - Status: IMPLEMENTED - Full HTTP middleware pipeline for the Gateway WebService including endpoint resolution, authorization with claims propagation, routing decision, transport dispatch, correlation ID tracking, tenant isolation, health checks, and global error handling.
  - Modules: `src/Gateway/StellaOps.Gateway.WebService/`
  - Sprint: batch_51/file_21.md
- [x] **Gateway Identity Header Strip-and-Overwrite Policy Middleware**
  - Status: IMPLEMENTED - Security middleware that enforces identity header integrity at the Gateway/Router level. Strips incoming identity headers from external requests and overwrites them with verified claims from the authenticated session, preventing header spoofing attacks in service-to-service communication.
  - Modules: `src/Gateway/`, `src/Router/`
  - Sprint: SPRINT_8100_0011_0002_gateway_identity_header_hardening.md
- [x] **Router Authority Claims Integration**
  - Status: IMPLEMENTED - `IAuthorityClaimsProvider` integration enabling centralized Authority service to override endpoint claim requirements. Three-tier precedence: Code attributes < YAML config < Authority overrides.
    EffectiveClaimsStore caches resolved claims.
  - Modules: `src/Gateway/StellaOps.Gateway.WebService/`, `src/Router/__Libraries/StellaOps.Router.Common/`
  - Sprint: batch_52/file_09.md
- [x] **Router Heartbeat and Health Monitoring**
  - Status: IMPLEMENTED - Heartbeat protocol with configurable intervals, `HealthMonitorService` for stale instance detection, ping latency tracking with exponential moving average, Draining health status for graceful shutdown, and automatic instance removal on missed heartbeats.
  - Modules: `src/Gateway/StellaOps.Gateway.WebService/`, `src/Router/__Libraries/StellaOps.Router.Common/`
  - Sprint: batch_51/file_23.md
- [x] **Router Payload Size Enforcement**
  - Status: IMPLEMENTED - PayloadLimitsMiddleware with per-request, per-connection, and aggregate byte limits using `ByteCountingStream`. Returns HTTP 413 (payload too large), 429 (rate limited), or 503 (service unavailable) with configurable thresholds.
  - Modules: `src/Gateway/StellaOps.Gateway.WebService/`, `src/Router/__Libraries/StellaOps.Router.Common/`
  - Sprint: batch_52/file_02.md

### Graph (7 features)

- [x] **Graph Analytics Engine**
  - Status: IMPLEMENTED - Graph analytics with engine, pipeline, DI extensions, and Postgres persistence for analytics results.
  - Modules: `src/Graph`
- [-] **Graph Edge Metadata with Reason/Evidence/Provenance**
  - Status: PARTIALLY_IMPLEMENTED - EdgeReason and CallgraphEdge models exist in Signals with persistence projection, and EdgeBundle exists in Scanner reachability. However, the Graph module itself (src/Graph) does not contain EdgeReason/EdgeVia/ExplanationPayload types -- the human-readable explanation layer described in the advisory is not present in the Graph API.
  - Modules: `src/Graph, src/Scanner, src/Signals`
- [x] **Graph Overlay System (Policy, VEX, Reachability)**
  - Status: IMPLEMENTED - Overlay system with exporter, in-memory overlay service, and tests for layering policy/VEX/reachability data onto dependency graphs.
  - Modules: `src/Graph`
- [x] **Graph Query and Search API**
  - Status: IMPLEMENTED
  - Graph API with query, search, and path services for traversing and querying dependency graphs.
  - Modules: `src/Graph`
- [x] **Graph Explorer API with Streaming Tiles**
  - Status: IMPLEMENTED
  - Graph query and visualization API providing streaming tile-based graph rendering, path queries, diff computation between graph revisions, RBAC-enforced exports (SVG/PNG/GraphML), and overlay support for policy/VEX/reachability annotations.
  - Modules: `src/Graph/`
  - Sprint: SPRINT_0207_0001_0001_graph.md
- [x] **Graph Indexer Clustering and Centrality Background Jobs**
  - Status: IMPLEMENTED
  - Background hosted service that runs graph analytics (Louvain community detection, betweenness/closeness centrality) on the dependency graph, producing cluster assignments and centrality scores for risk prioritization.
  - Sprint: SPRINT_0141_0001_0001_graph_indexer.md
- [x] **Graph Indexer Incremental Update Pipeline**
  - Status: IMPLEMENTED
  - Change-stream processor for incremental graph updates, consuming SBOM/scan events and applying delta mutations to the indexed graph with idempotency tracking and backfill metrics.
  - Sprint: SPRINT_0141_0001_0001_graph_indexer.md

### Integrations (11 features)

- [-] **AI Code Guard (Secrets Scanning + Attribution Check + License Hygiene)**
  - Status: PARTIALLY_IMPLEMENTED
  - AI Code Guard has policy signal binding and annotation services. Evidence provider interfaces and annotation contracts exist. The advisory's proposed `stella guard run` CLI and full YAML-driven pipeline checks are partially represented through policy signal binding rather than a standalone CLI tool.
  - Modules: `src/Integrations, src/Policy`
- [x] **GitHub App Connector**
  - Status: IMPLEMENTED
  - GitHub App connector with authentication, health checks, annotation support, and Code Scanning extensions is fully implemented.
  - Modules: `src/Integrations`
- [x] **GitHub Code Scanning Upload Client**
  - Status: IMPLEMENTED
  - GitHub Code Scanning REST API client is implemented with SARIF upload, processing status polling, alert filtering, and integration with the GitHubApp connector plugin.
  - Modules: `src/Integrations`
- [x] **Integration Concierge (Setup Wizard + Health)**
  - Status: IMPLEMENTED
  - Integration wizard UI, integration hub with detail views, and service-layer models for integration management are implemented in the Angular frontend.
  - Modules: `src/Integrations, src/Web`
- [x] **Toolchain-Agnostic Integrations (SCM/CI/Registry)**
  - Status: IMPLEMENTED
  - Plugin-based integration architecture with connector plugins, integration hub UI, and setup wizard is implemented.
  - Modules: `src/Integrations, src/Web`
- [x] **Built-in Container Registry Connectors (Docker Hub, Harbor, ACR, ECR, GCR, Generic OCI)**
  - Status: IMPLEMENTED
  - Six container registry connectors implemented using raw HTTP clients (no cloud SDKs): Docker Hub with rate limiting, Harbor for self-hosted, ACR with Azure AD token exchange, ECR with AWS SigV4, GCR with JWT/OAuth2, and Generic OCI for any compliant registry. All resolve tags to digests.
  - Sprint: SPRINT_20260110_102_004_INTHUB_registry_connectors.md
- [x] **Built-in Vault Connectors (HashiCorp Vault, Azure Key Vault, AWS Secrets Manager)**
  - Status: IMPLEMENTED
  - Three vault connectors using raw HTTP clients: HashiCorp Vault (Token, AppRole, Kubernetes auth), Azure Key Vault (Service Principal, Managed Identity), and AWS Secrets Manager (IAM SigV4). Unified secret resolution interface for integration configuration encryption.
  - Sprint: SPRINT_20260110_102_005_INTHUB_vault_connector.md
- [x] **Connector Runtime with Resilience Patterns (Circuit Breaker, Retry, Rate Limiting, Pooling)**
  - Status: IMPLEMENTED
  - Connector runtime managing connector instantiation, connection pooling, retry with exponential backoff, circuit breaker for fault isolation, and per-integration rate limiting. Handles both built-in and plugin connectors uniformly via ConnectorFactory.
  - Sprint: SPRINT_20260110_102_002_INTHUB_connector_runtime.md
- [x] **Integration Doctor Checks (Connectivity, Credentials, Permissions, Rate Limits)**
  - Status: IMPLEMENTED
  - Doctor diagnostic checks for integration health: connectivity verification, credential validation, permission checks, and rate limit status monitoring. Generates aggregated health reports across all integrations.
  - Sprint: SPRINT_20260110_102_006_INTHUB_doctor_checks.md
- [x] **Registry Webhook Handlers (Docker/Harbor)**
  - Status: IMPLEMENTED
  - Webhook handlers for Docker Registry v2 and Harbor image-push events that trigger async gate evaluation. Accepts webhook payloads at `/api/v1/webhooks/registry/*` and queues gate evaluation jobs via an in-memory Channel-based queue with a background worker.
  - Sprint: SPRINT_20251226_001_BE_cicd_gate_integration.md
- [x] **SCM Annotation Client Contracts (PR/MR Comments + Status Checks)**
  - Status: IMPLEMENTED
  - Unified SCM annotation contracts for PR/MR comments, status checks, and check runs with evidence link fields, plus GitHub App and GitLab implementations.
  - Sprint: SPRINT_20260112_006_INTEGRATIONS_scm_annotations.md

### Mirror (1 feature)

- [-] **Mirror Creator**
  - Status: PARTIALLY_IMPLEMENTED
  - Mirror creator module exists as a separate directory but appears to have limited implementation compared to the comprehensive AirGap module.
  - Modules: `src/Mirror`

### Notifier (7 features)

- [x] **Ack Tokens for Approval Workflows**
  - Status: IMPLEMENTED
  - HMAC-based ack token service with bridge integration for acknowledgement workflows. Note: uses HMAC rather than DSSE-signed tokens as described in the advisory.
  - Modules: `src/Notifier`
- [x] **Digest Windows and Throttling**
  - Status: IMPLEMENTED
  - Digest generation for coalescing notifications within configurable time windows.
  - Modules: `src/Notifier`
- [x] **Multi-Channel Delivery (Slack, Teams, Email, Webhooks)**
  - Status: IMPLEMENTED
  - Multi-channel notification delivery with Slack, Webhook connectors (and PagerDuty in Notifier), with snapshot testing and error handling.
  - Modules: `src/Notifier, src/Notify`
- [x] **Notification Correlation Engine**
  - Status: IMPLEMENTED
  - Correlates related notification events across time windows to reduce noise and group related alerts, preventing notification storms during large-scale vulnerability disclosures or policy changes.
  - Modules: `src/Notifier/`
  - Sprint: SPRINT_0172_0001_0002_notifier_ii.md
- [x] **Notification Digest Generator**
  - Status: IMPLEMENTED
  - Configurable digest aggregation that batches notifications into scheduled summary digests (hourly/daily/weekly) with customizable grouping and priority thresholds.
  - Modules: `src/Notifier/`
  - Sprint: SPRINT_0172_0001_0002_notifier_ii.md
- [x] **Notification Storm Breaker**
  - Status: IMPLEMENTED
  - Circuit breaker mechanism that detects notification storms and applies adaptive throttling to prevent overwhelming downstream channels during mass event cascades.
  - Modules: `src/Notifier/`
  - Sprint: SPRINT_0172_0001_0002_notifier_ii.md
- [x] **Notification Rules Engine**
  - Status: IMPLEMENTED
  - Rules engine with NotifyRule model, rule evaluator interface, evaluation outcomes, and schema migration support.
  - Modules: `src/Notify`

### Orchestrator (15 features)

- [x] **Event Fan-Out (SSE/Streaming)**
  - Status: IMPLEMENTED
  - Job and pack-run streaming coordinators with stream payload models for real-time SSE event delivery.
  - Modules: `src/Orchestrator`
- [x] **Export Job Service**
  - Status: IMPLEMENTED
  - Export job management with service and domain model for orchestrated export operations.
  - Modules: `src/Orchestrator`
- [x] **Job Lifecycle State Machine**
  - Status: IMPLEMENTED
  - Job scheduling with Postgres-backed job repository, event envelope domain model, and air-gap compatible scheduling tests.
  - Modules: `src/Orchestrator`
- [x] **Pack-Run Bridge (TaskRunner Integration)**
  - Status: IMPLEMENTED
  - Pack-run integration with Postgres repository, API endpoints, stream coordinator for log/artifact streaming, and domain model.
  - Modules: `src/Orchestrator`
- [-] **Quota Governance and Circuit Breakers**
  - Status: PARTIALLY_IMPLEMENTED
  - Job scheduling exists but dedicated quota governance services and circuit breaker automation were not found as separate implementations. May be embedded in scheduler logic.
  - Modules: `src/Orchestrator`
- [x] **SKIP LOCKED Queue Pattern**
  - Status: IMPLEMENTED
  - SKIP LOCKED queue pattern is used in Scheduler and Orchestrator job repositories for reliable work distribution.
  - Modules: `src/Orchestrator, src/Scheduler`
- [x] **DAG Planner with Critical-Path Metadata**
  - Status: IMPLEMENTED
  - DAG-based job planner that computes critical-path metadata for orchestrator execution plans, enabling dependency-aware scheduling and parallel execution of independent job chains.
  - Modules: `src/Orchestrator/`
  - Sprint: SPRINT_0152_0001_0002_orchestrator_ii.md
- [x] **Network Intent Validator (Air-Gap Orchestrator Controls)**
  - Status: IMPLEMENTED
  - NetworkIntentValidator enforces air-gap network policies on orchestrator jobs, preventing egress in sealed mode. Includes MirrorJobTypes and MirrorOperationRecorder for offline mirror operations.
  - Modules: `src/Orchestrator/`
  - Sprint: SPRINT_0151_0001_0001_orchestrator_i.md
- [x] **Orchestrator Audit Ledger**
  - Status: IMPLEMENTED
  - Append-only audit ledger tracking all orchestrator job lifecycle state changes, rate-limit decisions, and dead-letter events with tenant-scoped isolation.
  - Modules: `src/Orchestrator/`
  - Sprint: SPRINT_0152_0001_0002_orchestrator_ii.md
- [x] **Orchestrator Event Envelopes with SSE/WebSocket Streaming**
  - Status: IMPLEMENTED
  - Typed event envelope system with SSE and WebSocket streaming for real-time orchestrator job progress, enabling live UI updates and CLI monitoring of pack-run execution.
  - Modules: `src/Orchestrator/`
  - Sprint: SPRINT_0153_0001_0003_orchestrator_iii.md
- [x] **Orchestrator Golden Signals Observability**
  - Status: IMPLEMENTED
  - Built-in golden signal metrics (latency, traffic, errors, saturation) for orchestrator job execution, with timeline event emission and job capsule provenance tracking.
  - Modules: `src/Orchestrator/`
  - Sprint: SPRINT_0151_0001_0001_orchestrator_i.md
- [x] **Orchestrator Worker SDKs (Go and Python)**
  - Status: IMPLEMENTED
  - Multi-language Worker SDKs enabling external workers to participate in orchestrator job execution via Go and Python clients, with examples and structured API packages.
  - Modules: `src/Orchestrator/`
  - Sprint: SPRINT_0153_0001_0003_orchestrator_iii.md
- [x] **SLO Burn-Rate Computation and Alert Budget Tracking**
  - Status: IMPLEMENTED
  - SLO burn-rate computation for orchestrator operations with configurable alert budgets, enabling proactive capacity and reliability management.
  - Modules: `src/Orchestrator/`
  - Sprint: SPRINT_0152_0001_0002_orchestrator_ii.md
- [x] **Orchestrator Admin Quota Controls (orch:quota, orch:backfill)**
  - Status: IMPLEMENTED
  - New `orch:quota` and `orch:backfill` scopes with mandatory reason/ticket fields. Token requests must include `quota_reason`/`backfill_reason` and optionally `quota_ticket`/`backfill_ticket`. Authority persists these as claims and audit properties for traceability of capacity-affecting operations.
  - Sprint: 2025-11-01-orch-admin-scope.md
- [x] **Orchestrator Operator Scope with Audit Metadata**
  - Status: IMPLEMENTED
  - New `orch:operate` scope and `Orch.Operator` role requiring explicit `operator_reason` and `operator_ticket` parameters on token requests. Authority enforces these fields and captures them as audit properties, giving SecOps traceability for every orchestrator control action.
  - Sprint: 2025-10-27-orch-operator-scope.md

### PacksRegistry (1 feature)

- [x] **Packs Registry Service with Mirroring and Compliance Dashboards**
  - Status: IMPLEMENTED
  - Registry service for managing pack lifecycle (publish, version, deprecate) with mirroring support for air-gapped environments, attestation integration, and compliance dashboard APIs.
  - Modules: `src/PacksRegistry/`
  - Sprint: SPRINT_0154_0001_0001_packsregistry.md

### Platform (6 features)

- [x] **Advisory Locks / LISTEN-NOTIFY**
  - Status: IMPLEMENTED
  - Advisory lock patterns are used in classification history for safe concurrent updates; LISTEN/NOTIFY patterns support real-time event propagation.
  - Modules: `src/Platform, src/Scanner`
- [x] **Materialized Views for Analytics**
  - Status: IMPLEMENTED
  - Materialized views with indexes, VEX validity filters, and deterministic arrays are used for analytics with a dedicated maintenance service for refresh.
  - Modules: `src/Platform`
- [x] **SBOM Analytics Lake (Star-Schema PostgreSQL)**
  - Status: IMPLEMENTED
  - Star-schema PostgreSQL analytics layer for SBOM data with component registry, vulnerability correlation tables, attestation tracking, materialized views for trend analysis, and stored procedures for analytics queries. While "Materialized Views for Analytics" is in the known list, this is a much broader star-schema analytics subsystem with dedicated migration, ingestion services, and multi-table analytics design.
  - Modules: `src/Platform/__Libraries/StellaOps.Platform.Database/`, `src/Platform/__Tests/StellaOps.Platform.Analytics.Tests/`
  - Sprint: SPRINT_20260120_030_Platform_sbom_analytics_lake.md
- [x] **Platform Service Aggregation Layer**
  - Status: IMPLEMENTED
  - Backend Platform Service acting as aggregation layer for health status, quotas, onboarding progress, user preferences, and global search across all modules.
  - Sprint: SPRINT_20251229_043_PLATFORM_platform_service_foundation
- [x] **Platform Setup Wizard Backend API**
  - Status: IMPLEMENTED
  - Real `/api/v1/setup/*` endpoints replacing UI mocks with deterministic session state (create, resume, execute, skip, finalize), tenant scoping, and offline-first "data as of" metadata.
  - Sprint: SPRINT_20260112_004_PLATFORM_setup_wizard_backend.md
- [x] **Scanner Platform Events (Redis Streams)**
  - Status: IMPLEMENTED
  - Scanner WebService emits `scanner.report.ready` and `scanner.scan.completed` platform events via Redis Streams with DSSE envelopes embedded verbatim, configurable via `scanner:events:*` settings.
  - Sprint: 2025-10-19-scanner-policy.md

### Plugin (6 features)

- [x] **Plugin Configuration and Context**
  - Status: IMPLEMENTED
  - Plugin configuration loading and context injection for runtime plugin behavior customization.
  - Modules: `src/Plugin`
- [x] **Plugin Dependency Resolution**
  - Status: IMPLEMENTED
  - Plugin dependency resolution with resolver service, interface, and comprehensive tests.
  - Modules: `src/Plugin`
- [x] **Plugin Discovery (FileSystem and Embedded)**
  - Status: IMPLEMENTED
  - Multi-strategy plugin discovery with filesystem scanning, embedded plugins, and composite discovery that combines both approaches.
  - Modules: `src/Plugin`
- [x] **Plugin Host with Assembly Isolation**
  - Status: IMPLEMENTED
  - Plugin host with assembly-based loading, isolated AssemblyLoadContext, and configurable host options.
  - Modules: `src/Plugin`
- [x] **Plugin Sandbox (Process Isolation)**
  - Status: IMPLEMENTED
  - Process-level plugin sandboxing with gRPC communication bridge for secure out-of-process plugin execution.
  - Modules: `src/Plugin`
- [x] **Unified Plugin Architecture with Trust-Based Execution Model**
  - Status: IMPLEMENTED
  - Complete unified plugin system reworking seven disparate plugin patterns (Crypto, Auth, LLM, SCM, Scanner, Router, Concelier) into a single IPlugin interface with trust-based execution (Built-in=in-process, Untrusted=sandboxed), capability composition (11 capability interfaces including ICryptoCapability, IAuthCapability, ILlmCapability, IScmCapability), database-backed PostgreSQL registry with health tracking, process-based sandbox with gRPC bridge/resource limits/filesystem isolation/secret pr
  - Sprint: SPRINT_20260110_100_000_INDEX_plugin_unification.md

### Policy (89 features)

- [ ] **Dry-Run Policy Application API**
  - Status: NOT_FOUND
  - Backend support for dry-run policy application with diff preview and rollback plan generation. Not yet implemented.
  - Modules: `(planned for src/Policy)`
- [x] **Auditable Exception Objects**
  - Status: IMPLEMENTED
  - First-class exception entities with scope, subject, reason, evidence references, expiry, policy binding, and persistence in Postgres. Exposed via REST API endpoints.
  - Modules: `src/Policy/StellaOps.Policy.Engine, src/Policy/StellaOps.Policy.Gateway, src/Policy/__Libraries/StellaOps.Policy.Exceptions, src/Policy/__Libraries/StellaOps.Policy.Persistence`
- [x] **Batch Simulation Orchestration**
  - Status: IMPLEMENTED
  - Batch simulation orchestration for running multiple policy simulations in parallel with a dedicated simulation service in the policy registry.
  - Modules: `src/Policy`
- [x] **Belnap K4 Trust Lattice Engine (VEX Resolution, Trust Algebra)**
  - Status: IMPLEMENTED
  - Full K4 lattice implementation with 4-valued logic (unknown/true/false/conflict), trust labels, lattice store, claim score merging, conflict penalization, and disposition selection. VEX normalization for OpenVEX and CSAF formats. Deterministic, commutative, idempotent merge operations. Comprehensive tests including property-based tests.
  - Modules: `src/Policy`
- [x] **Blast radius / fleet view**
  - Status: IMPLEMENTED
  - Blast radius containment schema and unknown ranker service assess impact across environments and services.
  - Modules: `src/Policy, src/Unknowns`
- [x] **Comprehensive Testing Strategy (Epic 5100)**
  - Status: IMPLEMENTED
  - The testing strategy advisory was translated into Epic 5100 with 12 sprints covering run manifests, evidence indexes, offline bundles, golden corpus, canonicalization, replay runners, delta verdicts, SBOM interop, no-egress enforcement, unknowns budget CI gates, router chaos, and audit pack export/import. Implementation evidence exists for all major themes.
  - Modules: `src/Policy, src/Replay, src/Router, src/Scanner, src/__Tests`
- [x] **Console Simulation Diff (Shadow Gate Visual Output)**
  - Status: IMPLEMENTED
  - Console-based simulation diff output for visual comparison of policy simulation results.
  - Modules: `src/Policy`
- [x] **Counterfactual Engine (Policy Diff Analysis)**
  - Status: IMPLEMENTED
  - Counterfactual engine that computes the difference between current and proposed policy configurations to show what would change.
  - Modules: `src/Policy`
- [x] **CVSS v4.0 Scoring Engine (Multi-Version, Pipeline Integration, Receipts)**
  - Status: IMPLEMENTED
  - Full CVSS v4.0 engine with macro vector lookup, multi-version support (v3.x + v4.0), environmental scoring, policy-driven pipeline integration, and threshold gate for blocking promotions. Deterministic receipt system with audit-grade reproducibility (input hashes, policy references, cryptographic binding). Postgres persistence for score receipts. Extensive test coverage.
  - Modules: `src/Policy`
- [x] **Exponential Confidence Decay for Unknown Reachability (Half-Life Calculator)**
  - Status: IMPLEMENTED
  - Exponential half-life decay of confidence scores implemented in DecayedConfidenceCalculator with formula `exp(-ln(2) * ageDays / halfLifeDays)`, configurable half-life (default 14 days), floor value, and metrics emission. Includes ObservationDecay models, uncertainty scoring, signal state tracking, and property-based tests. Integrated into policy determinization gate.
  - Modules: `src/Policy`
- [x] **Declarative Multi-Modal Policy Engine**
  - Status: IMPLEMENTED
  - Policy engine with 12+ gate types, trust lattice merge, OPA adapter integration, policy DSL, evidence-weighted scoring, and determinization gates covering CVSS, EPSS, VEX trust, reachability, unknowns, SBOM presence, and signature requirements.
  - Modules: `src/Policy`
- [x] **Delta Verdict Engine**
  - Status: IMPLEMENTED
  - Full delta verdict computation comparing two evaluation states, with signed delta JSON, API endpoints for delta generation, and verdict ID generation.
  - Modules: `src/Policy`
- [ ] **Delta-If-Present Calculations for Missing Signals**
  - Status: NOT_FOUND
  - The advisory proposed computing "delta if present" values showing what would change if missing signals arrived (TSF-004). This was marked TODO and has not been implemented.
  - Modules: `src/Policy`
- [x] **Determinism Guards (Runtime Enforcement)**
  - Status: IMPLEMENTED
  - Runtime enforcement of determinism constraints during policy evaluation. Prohibited pattern analysis detects wall-clock, RNG, and network usage. A guarded evaluator wraps the policy engine.
  - Modules: `src/Policy`
- [x] **Deterministic Evaluation with Knowledge Snapshots**
  - Status: IMPLEMENTED
  - Deterministic evaluation engine that pins all inputs via knowledge snapshot digests and can replay evaluations offline with identical results.
  - Modules: `src/Policy`
- [x] **Deterministic SBOM-to-VEX Pipeline with Signed State Transitions**
  - Status: IMPLEMENTED
  - Full verdict pipeline determinism tests, SBOM determinism validation, determinism gate infrastructure, baseline store, and manifest writer for verifying byte-identical outputs from identical inputs.
  - Modules: `src/Policy, src/__Tests (Integration/Determinism)`
- [-] **Deterministic Trust Score Algebra (Weighted Scoring Engine)**
  - Status: PARTIALLY_IMPLEMENTED
  - Existing EWS (Evidence-Weighted Score) engine and Determinization system provide the core scoring foundation. The advisory proposed a unified facade (B+C+D approach) over these existing systems. Core scoring exists but the unified facade API is not yet built.
  - Modules: `src/Policy, src/RiskEngine, src/Signals`
- [x] **Diff-Aware Release Gates (Semantic Delta Computation)**
  - Status: IMPLEMENTED
  - Full delta computation engine that computes semantic diffs across SBOMs, vulnerabilities, and risk scores. Includes component deltas, vulnerability status deltas, and risk score deltas.
  - Modules: `src/Policy, src/__Libraries/StellaOps.DeltaVerdict`
- [x] **DSSE-signed reversible decisions (MUTE_REACH, MUTE_VEX, ACK, EXCEPTION)**
  - Status: IMPLEMENTED
  - VEX decision signing service produces DSSE-signed decisions; exception objects model scoped, time-boxed exceptions with evidence requirements.
  - Modules: `src/Policy`
- [x] **EPSS Raw Feed Layer (Immutable Storage)**
  - Status: IMPLEMENTED
  - EPSS feed ingestion with CSV parsing, repository storage, and enrichment jobs. Database migrations exist for EPSS risk scores storage.
  - Modules: `src/Policy, src/RiskEngine, src/Scanner`
- [x] **EPSS Threshold Policy Gate**
  - Status: IMPLEMENTED
  - Policy gate that evaluates EPSS probability thresholds to block or allow releases based on configurable risk bands and delta thresholds.
  - Modules: `src/Policy`
- [x] **Evidence Freshness and Time-Decay Scoring**
  - Status: IMPLEMENTED
  - Evidence freshness calculation with time-decay models and freshness-aware scoring service, matching the advisory's half-life decay model.
  - Modules: `src/Policy`
- [x] **Evidence Requirement Validation for Exceptions**
  - Status: IMPLEMENTED
  - Validates that exceptions include required evidence (attestation IDs, VEX notes, reachability proofs) before approval.
  - Modules: `src/Policy/__Libraries/StellaOps.Policy.Exceptions`
- [-] **Evidence-Weighted Score (EWS) Model (6-Dimension Scoring)**
  - Status: PARTIALLY_IMPLEMENTED
  - Scoring infrastructure with policy-driven weights, profiles, and explanations exists. The advisory proposed a new unified 6-dimension model (RCH/RTS/BKP/XPL/SRC/MIT) to replace 4 independent scoring systems. Core normalizers and guardrails engine appear partially built; full unification is in progress.
  - Modules: `src/Policy`
- [x] **Exception System (API, Lifecycle, Policy Integration, Evidence-Backed Workflow)**
  - Status: IMPLEMENTED
  - Full exception system: CRUD API with query by scope/owner/expiry/environment, auto-expiry with lifecycle state transitions and background workers, policy engine integration (deterministic outcome alteration with recheck gate), and auditable workflow with entity model (scope, subject, evidence refs, expiry), evidence requirement validation, and persistence (Postgres + in-memory).
  - Modules: `src/Policy, src/Policy/StellaOps.Policy.Engine, src/Policy/StellaOps.Policy.Gateway`
- [x] **Explainability Testing Framework**
  - Status: IMPLEMENTED
  - Explainability testing framework with assertion helpers and verdict rationale rendering, ensuring decisions can be traced back to evidence and assumptions.
  - Modules: `src/Policy, src/__Tests`
- [x] **Explainability with Proof Extracts**
  - Status: IMPLEMENTED
  - Verdict rationale rendering with full explainability system, reachability explanation UI with "why" drawer for interactive proof browsing.
  - Modules: `src/Policy, src/Web`
- [x] **Gate Level Selection (G0-G4)**
  - Status: IMPLEMENTED
  - Diff-aware release gate levels G0-G4 with automatic gate selection based on RRS score and budget status, exposed via API endpoints.
  - Modules: `src/Policy`
- [-] **Impact Scoring for Unknowns**
  - Status: PARTIALLY_IMPLEMENTED
  - The advisory proposed weighted impact scoring with factors like environment exposure, data sensitivity, fleet prevalence, SLA tier, and CVSS severity. UncertaintyScoreCalculator and TrustScoreAggregator with configurable SignalWeights exist in the Determinization library, and ReachabilityScoringService exists in Signals. The exact multi-factor impact formula (`w_env * EnvExposure + w_data * DataSensitivity + ...`) is partially reflected through the existing signal weights system, though the specific per-factor normalization described in the advisory is not confirmed.
  - Modules: `src/Policy, src/Signals`
- [x] **Knowledge Snapshot Manifest**
  - Status: IMPLEMENTED
  - Knowledge Snapshot Manifest as a content-addressed sealed record containing source descriptors with hashes/digests, policy IDs, engine versions, plugin versions, and trust anchor set hashes.
  - Modules: `src/Policy`
- [x] **Path-Scope Simulation Bridge**
  - Status: IMPLEMENTED
  - Scoped simulation that evaluates policy changes against specific artifact paths rather than the entire estate.
  - Modules: `src/Policy`
- [x] **Policy Bundles with Proof Objects**
  - Status: IMPLEMENTED
  - Policy bundles with proof objects, security atoms, claims, and subjects forming the trust lattice algebra substrate.
  - Modules: `src/Policy`
- [-] **Policy DSL (stella-dsl@1)**
  - Status: PARTIALLY_IMPLEMENTED
  - Policy loading and evaluation exist but the full `.stella` file DSL format with dedicated parser/compiler/simulator (stella policy lint/compile/simulate) was not found as a standalone tool. Policy evaluation is implemented through structured configuration.
  - Modules: `src/Policy`
- [x] **Policy Engine with Proofs (Moat Score 3)**
  - Status: IMPLEMENTED
  - Policy engine with gate levels, delta verdict statements, gateway endpoints, and exception approval rules.
  - Modules: `src/Policy`
- [x] **Policy gate with evidence-linked approval**
  - Status: IMPLEMENTED
  - Policy gates (CVE, EPSS, budget, reachability, signature-required) evaluate artifacts against configurable rules and produce evidence-linked attestations.
  - Modules: `src/Policy`
- [x] **Policy Simulation Engine (Shadow Runs / What-If Analysis)**
  - Status: IMPLEMENTED
  - Full policy simulation engine with risk simulation, what-if analysis, simulation analytics, and breakdown services. Multiple simulation endpoints exist (RiskSimulationEndpoints, PathScopeSimulationEndpoint, OverlaySimulationEndpoint, ConsoleSimulationEndpoint).
  - Modules: `src/Policy`
  - Sprint: SPRINT_20251229_048_FE_policy_simulation_studio
- [x] **ProhibitedPatternAnalyzer (Static Purity Analysis)**
  - Status: IMPLEMENTED
  - Static purity analysis detecting prohibited patterns (ambient IO, clock access, etc.) in evaluation code.
  - Modules: `src/Policy, src/Scanner`
- [x] **Proof Replay / Deterministic Verdict Replay**
  - Status: IMPLEMENTED
  - Full replay service with a dedicated module, determinism verifier, run manifests, and extensive E2E tests that verify byte-identical verdict replay across runs.
  - Modules: `src/Policy, src/Replay, src/Scanner`
- [-] **Proof Studio UX (Explainable Confidence Scoring)**
  - Status: PARTIALLY_IMPLEMENTED
  - Backend confidence calculation, verdict rationale rendering, and counterfactual engine exist. The advisory identified frontend proof studio UI as a remaining gap.
  - Modules: `src/Policy, src/Web`
- [x] **Property-Based Tests (FsCheck)**
  - Status: IMPLEMENTED
  - Property-based tests using FsCheck for canonical JSON determinism, SBOM/VEX ordering invariants, floating-point stability, digest computation determinism, smart-diff properties, and VEX lattice merge commutativity.
  - Modules: `src/Policy, src/Scanner, src/__Tests`
- [x] **Release Gate Levels (G0-G4)**
  - Status: IMPLEMENTED
  - Five gate levels (G0 through G4) with escalating requirements. GateSelector computes RRS, maps to gate level, and applies budget modifiers (Yellow/Red/Exhausted escalations). Each gate level has defined requirements matching the advisory specification.
  - Modules: `src/Policy`
- [x] **Replayable Verdict Evaluation**
  - Status: IMPLEMENTED
  - Full replay engine that re-evaluates verdicts using stored snapshot inputs, producing match/mismatch reports with delta explanations when results differ. Exposed via API endpoints.
  - Modules: `src/Policy`
- [x] **Risk Budget API Endpoints**
  - Status: IMPLEMENTED
  - API endpoints for risk budget management and enforcement with integration-level testing of budget enforcement.
  - Modules: `src/Policy`
- [x] **Risk Budget Management**
  - Status: IMPLEMENTED
  - Per-service risk budget management with budget ledger (RP consumed per release, remaining, trendline), constraint enforcement, threshold notifications, and earned capacity replenishment.
  - Modules: `src/Policy`
- [x] **Risk Budget Model (Service Tiers + Risk Points)**
  - Status: IMPLEMENTED
  - Complete risk budget system with service tier-based scoring, risk point computation, budget ledger tracking, constraint enforcement, threshold notifications, capacity replenishment, and persistence. Includes API endpoints and property-based tests for monotonicity.
  - Modules: `src/Policy`
- [x] **Risk Point Scoring**
  - Status: IMPLEMENTED
  - Risk Point (RP) scoring model computing Release Risk Score from base criticality, diff risk, operational context, and mitigations with monotonicity guarantees.
  - Modules: `src/Policy`
- [x] **Risk Verdict Attestation (RVA) Contract**
  - Status: IMPLEMENTED
  - Structured Risk Verdict Attestation with PASS/FAIL/PASS_WITH_EXCEPTIONS/INDETERMINATE verdicts, policy references, knowledge snapshot bindings, evidence references, and reason codes as a first-class product artifact.
  - Modules: `src/Policy`
- [x] **Score Attestation and Proof Ledger**
  - Status: IMPLEMENTED
  - Score attestation statements linked to proof nodes in a proof ledger for auditable scoring decisions.
  - Modules: `src/Policy`
- [x] **Security State Delta (Diff Engine)**
  - Status: IMPLEMENTED
  - A diff engine that takes baseline and target snapshot digests and produces structured delta objects with baseline selection methods (previous build, last approved, last deployed).
  - Modules: `src/Policy`
- [x] **Smart-Diff Semantic Risk Delta (Moat Score 4)**
  - Status: IMPLEMENTED
  - Material risk change detection with delta verdict computation, security state delta analysis, and delta computing.
  - Modules: `src/Policy, src/Scanner`
- [x] **Time-Travel Replay Engine**
  - Status: IMPLEMENTED
  - Re-evaluation of any historical decision using only snapshot content and recorded execution contract, producing match/mismatch reports with deterministic comparison.
  - Modules: `src/Policy`
- [ ] **Unified Score Facade Service (combining EWS + Determinization)**
  - Status: NOT_FOUND
  - The advisory proposed a unified facade service (TSF-002) combining EWS scores and Determinization entropy into a single API. This was marked TODO in the sprint and has not been implemented yet.
  - Modules: `src/Policy`
- [x] **Unknown Budget Policy Enforcement**
  - Status: IMPLEMENTED
  - Unknown budget enforcement with environment-aware thresholds, supporting policy evaluation that can fail/warn based on unknown counts by type.
  - Modules: `src/Policy`
- [x] **Unknowns budget dashboard (budgeted unknowns with policy thresholds)**
  - Status: IMPLEMENTED
  - Grey queue, SLA monitoring, unknown budget service, and budget constraint enforcer implement first-class unknowns management with policy thresholds.
  - Modules: `src/Policy, src/Unknowns`
- [-] **Unknowns Decay and Triage Queue**
  - Status: PARTIALLY_IMPLEMENTED
  - Unknowns ranking and API endpoints exist. BlastRadius model present with database migration. The full time-based decay algorithm and containment signals ranking were identified as gaps in the archive manifest.
  - Modules: `src/Policy`
- [x] **Unknowns Ranking Algorithm (HOT/WARM/COLD bands)**
  - Status: IMPLEMENTED
  - Unknown ranker with weighted scoring (popularity, exploit potential, uncertainty density, centrality, staleness), HOT/WARM/COLD band assignment, and BlastRadius model. Database migration for blast radius/containment exists.
  - Modules: `src/Policy`
- [x] **Verdict Explainability / Rationale Renderer**
  - Status: IMPLEMENTED
  - Verdict rationale renderer and rationale model in Policy Explainability library. Testing infrastructure includes explainability assertions, IExplainableDecision interface, and explainability models.
  - Modules: `src/Policy, src/__Tests`
- [x] **VEX Decisioning Engine (Not Just Ingestion) (Moat Score 4)**
  - Status: IMPLEMENTED
  - Full VEX decisioning with consensus engine, trust scoring, OpenVEX and CSAF normalization, and trust lattice conflict resolution.
  - Modules: `src/Policy, src/VexLens`
- [x] **VEX Format Normalization (CycloneDX, OpenVEX, CSAF)**
  - Status: IMPLEMENTED
  - Normalizers for CSAF and OpenVEX formats to convert heterogeneous VEX statements into the unified trust lattice representation.
  - Modules: `src/Policy`
- [x] **VEX Status Promotion Gate**
  - Status: IMPLEMENTED
  - Promotion gate that blocks environment promotions based on VEX status thresholds, ensuring only properly triaged artifacts can advance.
  - Modules: `src/Policy`
- [x] **VEX Trust Lattice with Provenance/Coverage/Replayability Scoring**
  - Status: IMPLEMENTED
  - Full trust lattice engine with claim score merging, conflict penalization, trust labels, and configurable trust source weights per the advisory's P/C/R model.
  - Modules: `src/Policy`
- [x] **Batch Exception Loading for Policy Evaluation**
  - Status: IMPLEMENTED
  - Optimized batch loading of exceptions during policy evaluation, loading once per tenant per batch with per-finding scope filtering and ConcurrentDictionary-based caching to avoid duplicating exception instances across findings.
  - Modules: `src/Policy/`
  - Sprint: SPRINT_3900_0002_0001_policy_engine_integration.md
- [x] **Blast Radius Scoring for Unknowns (Dependency Graph Impact)**
  - Status: IMPLEMENTED
  - Adds dependency graph impact scoring (dependent count, network-facing flag, privilege level) to the unknowns ranking algorithm. Isolated packages (0 dependents) get 15% risk reduction, non-network-facing gets 5%, non-root privilege gets 5%.
  - Modules: `src/Policy/`
  - Sprint: SPRINT_4000_0001_0002_unknowns_blast_radius_containment.md
- [x] **ClaimScore Merger and Policy Gate Registry**
  - Status: IMPLEMENTED
  - Implements a lattice-based ClaimScore merger with conflict penalization, plus four specialized policy gates (MinimumConfidenceGate, UnknownsBudgetGate, SourceQuotaGate, ReachabilityRequirementGate) registered through a PolicyGateRegistry. Distinct from existing "Policy Gates (G0-G4)" which is about gate levels; this is the trust lattice merge algebra and specific claim-score-aware gate implementations.
  - Modules: `src/Policy/`, `src/Excititor/`
  - Sprint: SPRINT_7100_0002_0001_policy_gates_merge.md
- [x] **CVSS v4.0 Environmental Metrics Completion**
  - Status: IMPLEMENTED
  - Completes CVSS v4.0 scoring with all Modified Attack/Impact environmental metrics (MAV, MAC, MAT, MPR, MUI, MVC, MVI, MVA, MSC, MSI, MSA). Extends the existing MacroVector scoring engine with environment-specific risk adjustments. Includes receipt-based deterministic scoring and REST endpoints.
  - Modules: `src/Policy/`
  - Sprint: SPRINT_1227_0013_0002_LB_cvss_v4_environmental.md
- [x] **Earned Capacity Replenishment for Risk Budgets**
  - Status: IMPLEMENTED
  - Extends Risk Budget Management with automated enforcement: BudgetLedger for tracking risk point consumption, BudgetConstraintEnforcer for policy gate integration, and EarnedCapacityReplenishment for automatically restoring budget when vulnerabilities are remediated. Includes PostgreSQL persistence and REST endpoints. Goes beyond the known "Risk Budget Management" (which covers configuration/dashboard) by adding the enforcement automation and earned capacity mechanism.
  - Modules: `src/Policy/`
  - Sprint: SPRINT_20251226_002_BE_budget_enforcement.md
- [x] **Evidence Hooks for Exception Approval**
  - Status: IMPLEMENTED
  - Requires specific attestations before exception approval with 7 evidence types (feature flag disabled, backport merged, compensating control, security review, runtime mitigation, WAF rule deployed, custom attestation). Validates evidence freshness (MaxAge), trust score, DSSE signature verification, and schema compliance. Mandatory hooks block approval until satisfied.
  - Modules: `src/Policy/`
  - Sprint: SPRINT_3900_0003_0002_recheck_policy_evidence_hooks.md
- [x] **Exception Application Audit Trail (policy.exception_applications)**
  - Status: IMPLEMENTED
  - Records every instance of an exception being applied to a finding in a dedicated `policy.exception_applications` table, capturing exception ID, finding context, original and applied status, purl, vulnerability ID, and evaluation run ID. Exposed via ledger export for compliance.
  - Modules: `src/Policy/`
  - Sprint: SPRINT_3900_0002_0001_policy_engine_integration.md
- [x] **Exception Effect Registry (Type-to-Effect Mapping)**
  - Status: IMPLEMENTED
  - Registry mapping (ExceptionType + ExceptionReason) pairs to policy effects (Suppress, Defer, RequireControl). Covers 11 predefined mappings including false_positive, wont_fix, vendor_pending, compensating_control, license_waiver, etc. Extensible via DI configuration with max-duration constraints.
  - Modules: `src/Policy/`
  - Sprint: SPRINT_3900_0002_0001_policy_engine_integration.md
- [x] **Exception Recheck Build Gate**
  - Status: IMPLEMENTED
  - CI/CD build gate that evaluates recheck policies for all active exceptions on an artifact before deployment. Fails the pipeline if any Block-action conditions are triggered (e.g., EPSS exceeds threshold, KEV flagged). Returns warnings for non-blocking conditions.
  - Modules: `src/Policy/`
  - Sprint: SPRINT_3900_0003_0002_recheck_policy_evidence_hooks.md
- [x] **Exception Recheck Policy System**
  - Status: IMPLEMENTED
  - Auto-invalidation policies for exceptions with 9 condition types (EPSS threshold, CVSS threshold, reachability graph change, unknowns budget, new CVE in package, KEV flagging, expiry proximity, VEX status change, package version change). Actions: Warn, RequireReapproval, Revoke, Block. Environment-scoped conditions with per-condition action overrides.
  - Modules: `src/Policy/`
  - Sprint: SPRINT_3900_0003_0002_recheck_policy_evidence_hooks.md
- [x] **Jurisdiction-Specific VEX Trust Rules (US/EU/RU/CN)**
  - Status: IMPLEMENTED
  - Configurable jurisdiction-specific trust rules for VEX statements, enabling different trust levels and source preferences for US, EU, Russia, and China regulatory contexts.
  - Modules: `src/Policy/`
  - Sprint: SPRINT_3850_0001_0001_competitive_gap_closure.md
- [x] **License Compliance Evaluation Engine**
  - Status: IMPLEMENTED
  - Full license compliance evaluation with SPDX expression parsing, license compatibility matrix checking against configurable allow/deny/copyleft lists, attribution report generation, and policy engine integration. While the known list has SPDX license expression parsers in the Attestor writers, this is a distinct policy-engine-integrated compliance evaluator with attribution generation capabilities.
  - Modules: `src/Policy/__Libraries/StellaOps.Policy/Licensing/`, `src/Policy/StellaOps.Policy.Engine/`
  - Sprint: SPRINT_20260119_021_Policy_license_compliance.md
- [x] **Runtime Containment Signals for Unknowns Scoring**
  - Status: IMPLEMENTED
  - Incorporates runtime isolation posture (Seccomp enforcement, read-only filesystem, network isolation) as risk reduction factors in unknowns scoring. Enforced Seccomp gives 10% reduction, read-only FS gives 10%, network isolation gives 5%. Total containment reduction capped at 40%.
  - Modules: `src/Policy/`
  - Sprint: SPRINT_4000_0001_0002_unknowns_blast_radius_containment.md
- [x] **VexTrustGate Policy Integration**
  - Status: IMPLEMENTED
  - Integrates VEX trust evaluation as a named policy gate in the policy evaluation chain. VexTrustGate validates VEX statement trust levels against configurable thresholds before accepting VEX-based risk reductions. Registered in the GateSelector alongside existing gates. Distinct from known "VEX Trust Scoring" (which computes scores) -- this gates policy decisions based on those scores.
  - Modules: `src/Policy/`
  - Sprint: SPRINT_1227_0004_0003_BE_vextrust_gate.md
- [-] **Versioned Weight Manifests**
  - Status: PARTIALLY_IMPLEMENTED
  - Initial weight manifest file exists, but the weight manifest infrastructure (loading, versioning, hashing, CLI management) is marked TODO in the sprint (TSF-001).
  - Modules: `etc/weights, src/Policy`
- [x] **Adversarial Input Validation for Scoring Inputs**
  - Status: IMPLEMENTED
  - Adversarial input validation framework that detects and rejects tampered or suspicious scoring inputs (EPSS anomalies, VEX statement manipulation, reachability data inconsistencies) before they enter the scoring pipeline. Validates VEX key roster trust and enforces input provenance via PinnedInput model.
  - Sprint: batch_37/file_10.md
- [x] **Anchor-Aware Determinization Rules in Policy Engine**
  - Status: IMPLEMENTED
  - High-priority anchored determinization rules: anchored affected + runtime => hard-fail blocked, anchored VEX not_affected/fixed => short-circuit allow, anchored backport/unreachable => allow. VexProofGate anchor-aware mode with strict preset.
  - Sprint: SPRINT_20260112_004_BE_policy_determinization_attested_rules.md
- [x] **CI/CD Gate Exit Code Convention**
  - Status: IMPLEMENTED
  - Standardized CI exit code convention for gate evaluation: 0=Pass, 1=Warn (configurable pass-through), 2=Fail/Block, 10+=errors. The `stella gate evaluate` CLI command returns these exit codes, enabling direct CI/CD pipeline integration without parsing output.
  - Sprint: SPRINT_20251226_001_BE_cicd_gate_integration.md
- [x] **CVE-Aware Release Policy Gates (EPSS/KEV/Reachable/Delta/Aggregate)**
  - Status: IMPLEMENTED
  - Five specialized CVE-aware policy gates (EpssThresholdGate, KevBlockerGate, ReachableCveGate, CveDeltaGate, ReleaseAggregateCveGate) that use real-time EPSS scores, KEV catalog membership, reachability status, and cross-release delta to make gate decisions. Distinct from existing generic "CVSS Threshold Gate" or "EPSS Threshold Policy Gate" because these are an integrated multi-gate system with OPA/Rego support.
  - Sprint: batch_37/file_01.md
- [x] **Determinization Reanalysis Configuration (Persisted Policy Config)**
  - Status: IMPLEMENTED
  - Persisted configuration for the determinization reanalysis pipeline, controlling how grey-queue unknowns are re-evaluated (interval, thresholds, auto-promote rules). Includes API client and backend persistence for policy-driven reanalysis schedules.
  - Sprint: SPRINT_20260112_012_POLICY_determinization_reanalysis_config.md
- [x] **Gate Bypass Audit Logging**
  - Status: IMPLEMENTED
  - Dedicated gate bypass audit system that records who/when/why for any gate override, persisting actor identity, justification text, IP address, and CI context to an audit repository. Includes rate limiting support for bypass abuse prevention.
  - Sprint: SPRINT_20251226_001_BE_cicd_gate_integration.md
- [x] **SBOM Presence Policy Gate (SbomPresenceGate)**
  - Status: IMPLEMENTED
  - Policy gate that blocks releases lacking a valid SBOM document, with configurable format requirements (CycloneDX/SPDX), minimum component count thresholds, and freshness checks.
  - Sprint: SPRINT_20260112_017_POLICY_sbom_presence_gate.md
- [x] **Signature Required Policy Gate (SignatureRequiredGate)**
  - Status: IMPLEMENTED
  - Policy gate requiring valid cryptographic signatures on release artifacts before promotion, with configurable signing key allowlists, certificate chain validation, and Rekor inclusion proof requirements.
  - Sprint: SPRINT_20260112_017_POLICY_signature_required_gate.md
- [x] **Signed VEX Override Enforcement in Policy Engine**
  - Status: IMPLEMENTED
  - Policy engine requires signed VEX override attestations with DSSE/Rekor validation, exposes override_signed and override_rekor_verified signals to DSL, and supports key trust levels and validity period enforcement.
  - Sprint: SPRINT_20260112_004_POLICY_signed_override_enforcement.md
- [x] **Unknowns Grey Queue with Conflict Detection and Reanalysis Fingerprints**
  - Status: IMPLEMENTED
  - Deterministic reanalysis fingerprints, conflict detection routing (VEX/reachability contradiction, static/runtime contradiction, VEX status conflict), grey queue with Disputed state and manual adjudication gates, versioned signal event handling.
  - Sprint: SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue.md
- [-] **Policy Interop Framework (JSON Export/Import)**
  - Status: PARTIALLY_IMPLEMENTED
  - Policy interoperability framework enabling bidirectional JSON export/import of policy rules. OPA/Rego export was planned but only JSON export confirmed in source. Includes PolicyPack document format for portable policy bundles.
  - Sprint: batch_38/file_06.md
- [ ] **Score.v1 Policy Format**
  - Status: NOT_FOUND
  - No Score.v1 policy format was found in the codebase. Scoring is embedded in the TrustVerdict and SmartDiff modules without a standalone schema.
- [ ] **NTIA Compliance Validation with Supplier Trust Verification**
  - Status: NOT_FOUND
  - Sprint described NTIA minimum element compliance checking with supplier trust scoring and regulatory framework mapping (FDA/CISA/EU CRA). No dedicated implementation library found. May have been folded into the SBOM validation layer or deferred despite DONE status in the sprint.
  - Sprint: SPRINT_20260119_023_Compliance_ntia_supplier.md

### Provenance (1 feature)

- [-] **Provcache Invalidation with SignerRevokedEvent and FeedEpochAdvancedEvent Fan-Out**
  - Status: PARTIALLY_IMPLEMENTED
  - Event-driven cache invalidation for the provenance cache, triggered by signer revocation (SignerRevokedEvent fan-out) and feed epoch advancement (FeedEpochAdvancedEvent). Includes evidence chunk storage with Merkle verification and lazy evidence fetch for air-gap scenarios. 90% complete with 6 tasks blocked on cross-module integration.
  - Modules: `src/Provenance/`, `src/Attestor/`
  - Sprint: batch_02/file_24.md

### ReachGraph (9 features)

- [-] **8-State Reachability Lattice**
  - Status: PARTIALLY_IMPLEMENTED
  - Reachability infrastructure exists with triage integration, but the full 8-state lattice model (U/SR/SU/RO/RU/CR/CU/X) with mathematical state transitions as described is not fully implemented as a distinct subsystem.
  - Modules: `src/ReachGraph, src/Scanner`
- [x] **CVE-to-Symbol Mapping Service**
  - Status: IMPLEMENTED
  - CVE-to-symbol mapping service with controller endpoint and service interface for reachability analysis in the ReachGraph module.
  - Modules: `src/ReachGraph`
- [x] **Reachability Analysis with Call Graph Evidence**
  - Status: IMPLEMENTED
  - Reachability analysis is implemented with a dedicated ReachGraph backend service, frontend reachability explanation views, and witness path components showing call graph evidence traces.
  - Modules: `src/ReachGraph, src/Web`
- [-] **Reachability Core Library with Unified Query Interface**
  - Status: PARTIALLY_IMPLEMENTED
  - ReachGraph has a web service with store and slice services, but the unified `IReachabilityIndex` facade combining static + runtime evidence is not present as a distinct library.
  - Modules: `src/ReachGraph`
- [x] **Reachability Fallback Mechanisms**
  - Status: IMPLEMENTED
  - ReachGraph service with slice and replay capabilities for reachability analysis with deterministic replay support.
  - Modules: `src/ReachGraph`
- [x] **Reachability Replay Verification**
  - Status: IMPLEMENTED
  - Replay verification service for reachability computations is implemented in the ReachGraph module.
  - Modules: `src/ReachGraph`
- [x] **Reachability-Aware Vulnerability Analysis (Multi-Layer)**
  - Status: IMPLEMENTED
  - Multi-layer reachability with source (Layer1/2/3), binary mapping, and runtime correlation. Lattice-based states and hybrid results combining static and runtime analysis.
  - Modules: `src/ReachGraph, src/Scanner, src/__Libraries/StellaOps.Reachability.Core`
- [x] **Static SBOM Call-Graph Pruning**
  - Status: IMPLEMENTED
  - SBOM-based reachability filtering is implemented as a pipeline stage in the Scanner worker, with dependency reachability reporting and ReachGraph storage.
  - Modules: `src/ReachGraph, src/Scanner`
- [x] **ReachGraph Slice Query REST APIs**
  - Status: IMPLEMENTED
  - REST API layer for ReachGraph with slice queries by package, CVE, entrypoint, and file path. Includes replay endpoint for deterministic verification, pagination service, and store service. While "ReachGraph Service" is known, the specific slice query API layer with multi-dimensional querying (by-package, by-CVE, by-entrypoint, by-file) is a distinct shipped capability.
  - Modules: `src/ReachGraph/`
  - Sprint: SPRINT_1227_0012_0002_BE_reachgraph_store.md

### ReleaseOrchestrator (45 features)

- [x] **Centralized Release Control Plane for Non-K8s**
  - Status: IMPLEMENTED
  - The pivot from vulnerability scanning platform to release control plane is reflected in the implemented ReleaseOrchestrator module with promotions, deployments, and environment management.
  - Modules: `src/ReleaseOrchestrator`
- [x] **Deployment Execution to Non-K8s Targets**
  - Status: IMPLEMENTED
  - Deployment orchestration with manifest generation and artifact creation for non-Kubernetes targets is implemented.
  - Modules: `src/ReleaseOrchestrator`
- [x] **Release Orchestration (Environment Promotions)**
  - Status: IMPLEMENTED
  - Promotion management with manager interface and tests is implemented for environment-based release promotions.
  - Modules: `src/ReleaseOrchestrator`
- [x] **A/B Testing Experiment Engine**
  - Status: IMPLEMENTED
  - A/B testing experiment engine with deterministic variant assignment, p-value statistical analysis, and experiment lifecycle management for controlled rollouts.
  - Modules: `src/ReleaseOrchestrator/`
  - Sprint: SPRINT_20260117_035
- [x] **Agent Lifecycle Operations (Auto-Update, Certificate Management, Configuration, Bootstrap, Doctor, Remediation)**
  - Status: IMPLEMENTED
  - Comprehensive agent lifecycle system: auto-update with staged rollouts and DSSE-signed bundles, mTLS certificate provisioning and renewal, configuration management with server-side push and drift detection, zero-touch bootstrap with time-limited tokens, 11 diagnostic health checks (Doctor), and guided remediation engine with pattern-based auto-fix and dry-run support.
  - Modules: `src/ReleaseOrchestrator/__Agents/StellaOps.Agent.Core/`
  - Sprint: SPRINT_20260117_041_ReleaseOrchestrator_agent_operations.md
- [x] **Agent Cluster Manager with HA Topologies**
  - Status: IMPLEMENTED
  - Agent clustering with support for multiple HA topologies (ActivePassive, ActiveActive, Sharded), leader election, health monitoring, and automatic failover for release orchestrator agents.
  - Modules: `src/ReleaseOrchestrator/`
  - Sprint: SPRINT_20260117_034
- [x] **Agent Self-Healing and Auto-Scaling with Infrastructure Health Monitoring**
  - Status: IMPLEMENTED
  - Self-healing engine that monitors health, orchestrates multi-step recovery from failures, auto-scales agent instances based on load metrics/queue depth/latency, anomaly detection with threshold alerting, and state synchronization via vector clocks and gossip protocol.
  - Modules: `src/ReleaseOrchestrator/`, `src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.SelfHealing/`
  - Sprint: SPRINT_20260117_034, SPRINT_20260117_040_ReleaseOrchestrator_self_healing.md
- [x] **Audit Query Engine with Scheduled Reporting and Evidence Visualization**
  - Status: IMPLEMENTED
  - Query engine for audit evidence with time-range filtering, framework scoping, aggregation capabilities, cron-based scheduled compliance report generation and distribution, evidence chain visualization (Graph/DOT/Mermaid/CSV formats), and automated control validation against requirements.
  - Modules: `src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Compliance/`
  - Sprint: SPRINT_20260117_039_ReleaseOrchestrator_compliance.md
- [x] **Automated Drift Remediation Engine**
  - Status: IMPLEMENTED
  - Automated drift remediation engine with severity scoring, rate limiting, circuit breaker patterns, and reconciliation scheduling that can automatically apply fixes for configuration drift detected between environments.
  - Modules: `src/ReleaseOrchestrator/`
  - Sprint: SPRINT_20260117_031
- [-] **Release Orchestrator Performance Optimizations (Bulk Digest, Parallel Gates, Prefetch, Connection Pool, Baseline Tracking)**
  - Status: PARTIALLY_IMPLEMENTED
  - Performance optimization suite: batched OCI digest resolution, concurrent gate evaluation with configurable concurrency limits, predictive data prefetching for gate inputs/scan results/attestation data, connection pool management with idle timeouts, and performance baseline tracking with regression detection. Bulk digest resolver is partially implemented.
  - Modules: `src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Core/Performance/`
  - Sprint: SPRINT_20260117_038_ReleaseOrchestrator_performance.md
- [x] **Compliance Engine (SOC2/ISO27001/PCI-DSS/HIPAA/FedRAMP/GDPR with Framework Mapping and Reporting)**
  - Status: IMPLEMENTED
  - Multi-framework compliance engine that maps release controls to regulatory requirements across SOC2, ISO 27001, PCI-DSS, HIPAA, FedRAMP, and GDPR. Includes framework mapper for automated control alignment and gap analysis, multi-format report generation with evidence linking, and control implementation status tracking per framework.
  - Modules: `src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Compliance/`
  - Sprint: SPRINT_20260117_039_ReleaseOrchestrator_compliance.md
- [x] **Multi-Region Federation System (Sync, Replication, Routing, Dashboard)**
  - Status: IMPLEMENTED
  - Federation hub for geographically distributed deployments: cross-region data sync with vector clock-based conflict resolution (KeepLocal/KeepRemote/Merge/LastWriteWins), global promotion orchestration (Sequential/Canary/Parallel/BlueGreen strategies), evidence replication with data residency compliance (GDPR/sovereignty), latency-based region routing with automatic probing, and global dashboard with cross-region visibility, alert management, and sync status.
  - Modules: `src/ReleaseOrchestrator/`
  - Sprint: SPRINT_20260117_036
- [x] **Feature Flag Bridge (Multi-Provider)**
  - Status: IMPLEMENTED
  - Feature flag bridge integrating with external providers (LaunchDarkly, Split, Unleash, Flagsmith, ConfigCat) for progressive delivery flag-based rollouts coordinated with the release orchestrator.
  - Modules: `src/ReleaseOrchestrator/`
  - Sprint: SPRINT_20260117_035
- [x] **Release Orchestrator Observability Hub (Metrics, Traces, Logs)**
  - Status: IMPLEMENTED
  - Centralized observability for release orchestrator: dual-format metric export (Prometheus/OTLP) for gate latency, promotion throughput, and agent health; W3C-standard trace correlation linking spans across orchestrator, agents, gates, and external CI/CD systems; and unified log aggregation for release workflows.
  - Modules: `src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Observability/`
  - Sprint: SPRINT_20260117_041_ReleaseOrchestrator_observability.md
- [x] **Multi-Language Script Engine (6 Languages with Monaco Editor, Sandbox, Library Management, and Policy Evaluation)**
  - Status: IMPLEMENTED
  - Polyglot script execution engine supporting C#, Python, Java, Go, Bash, and TypeScript with containerized isolation, resource limits, timeout enforcement, Monaco-based editor with language server protocol IntelliSense, security sandbox with network/filesystem/resource policies, dependency resolution with version pinning, policy-based script approval and signing, and runtime image management per language.
  - Modules: `src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Scripts/`
  - Sprint: SPRINT_20260117_040_ReleaseOrchestrator_multi_language_scripts.md
- [x] **Intelligent Rollback System (Predictive + Metric-Driven)**
  - Status: IMPLEMENTED
  - Predictive rollback engine that forecasts deployment health trajectory using metrics from Prometheus/Datadog/CloudWatch, detects anomalies (Z-score, isolation forest), plans partial component-level rollbacks, and makes automated rollback decisions based on health analysis with baseline comparison.
  - Modules: `src/ReleaseOrchestrator/`
  - Sprint: SPRINT_20260117_033
- [x] **Progressive Delivery REST API**
  - Status: IMPLEMENTED
  - REST API endpoints for managing progressive delivery rollouts, canary deployments, feature flag operations, traffic splitting, and A/B experiments.
  - Modules: `src/ReleaseOrchestrator/`
  - Sprint: SPRINT_20260117_035
- [x] **Traffic Manager with Load Balancer Adapters**
  - Status: IMPLEMENTED
  - Traffic management abstraction with adapters for Nginx Plus, HAProxy, Traefik, and AWS ALB, enabling weighted traffic splitting for canary and blue-green deployments.
  - Modules: `src/ReleaseOrchestrator/`
  - Sprint: SPRINT_20260117_035
- [x] **Workflow Event Broadcaster and Log Aggregator**
  - Status: IMPLEMENTED
  - Real-time workflow event broadcasting via SignalR and centralized log aggregation for workflow execution visualization and monitoring.
  - Modules: `src/ReleaseOrchestrator/`
  - Sprint: SPRINT_20260117_032
- [x] **Workflow Simulation Engine**
  - Status: IMPLEMENTED
  - Simulation engine for testing release workflows without side effects, enabling what-if analysis of workflow changes before deployment.
  - Modules: `src/ReleaseOrchestrator/`
  - Sprint: SPRINT_20260117_032
- [x] **Workflow Time-Travel Debugger**
  - Status: IMPLEMENTED
  - Time-travel debugging capability for release workflows allowing step-by-step replay of workflow execution with state inspection at any point, powered by an execution recorder that captures full state snapshots.
  - Modules: `src/ReleaseOrchestrator/`
  - Sprint: SPRINT_20260117_032
- [x] **A/B Release Manager (Traffic Splitting Between Versions)**
  - Status: IMPLEMENTED
  - A/B release management for running parallel control/treatment versions with configurable traffic weight distribution, experiment metrics tracking, and promote/rollback based on results.
  - Sprint: SPRINT_20260110_110_001_PROGDL_ab_release_manager.md
- [x] **Agent Core Runtime with gRPC Communication**
  - Status: IMPLEMENTED
  - Foundational agent host process with gRPC server for task reception, heartbeat service for health reporting, credential resolution at runtime, log streaming to orchestrator, and capability registration system.
  - Sprint: SPRINT_20260110_108_001_AGENTS_core_runtime.md
- [x] **Agent Manager with Certificate-Based Registration and Heartbeat**
  - Status: IMPLEMENTED
  - Agent registration system with one-time token generation, certificate issuance, heartbeat processing, capability registration, and agent lifecycle management (active/inactive/revoked). Manages secure deployment executors on target hosts.
  - Sprint: SPRINT_20260110_103_003_ENVMGR_agent_manager.md
- [x] **Approval Gateway with Multi-Approver and Separation of Duties**
  - Status: IMPLEMENTED
  - Approval workflow engine enforcing separation of duties (requester != approver), multi-approver requirements (N of M), group-based eligibility checking, approval history tracking, notification integration, and governance controls for release promotions.
  - Sprint: SPRINT_20260110_106_002_PROMOT_approval_gateway.md
- [x] **Audit Exporter (Multi-Format Compliance Reports)**
  - Status: IMPLEMENTED
  - Audit export system generating compliance reports from signed evidence packets in multiple formats: JSON (machine processing), PDF (human-readable), CSV (spreadsheet), and SLSA provenance format. Supports batch export for audit periods.
  - Sprint: SPRINT_20260110_109_004_RELEVI_audit_exporter.md
- [x] **AWS ECS Deployment Agent**
  - Status: IMPLEMENTED
  - ECS agent capability for AWS Elastic Container Service deployments: service create/update/delete, task execution, task definition registration, service scaling, deployment health monitoring, and CloudWatch log streaming. Supports Fargate and EC2 launch types.
  - Sprint: SPRINT_20260110_108_006_AGENTS_ecs.md
- [x] **Built-in Workflow Steps (Script, Approval, Notify, Wait, Security Gate, Deploy, Rollback)**
  - Status: IMPLEMENTED
  - Seven core built-in workflow step types for v1: script (shell execution), approval (manual gates), notify (notifications), wait (time delays), security-gate (vulnerability checks), deploy (trigger deployments), and rollback (revert releases).
  - Sprint: SPRINT_20260110_105_005_WORKFL_builtin_steps.md
- [x] **Canary Deployment Controller with Auto-Advance, Statistical Analysis, and Auto-Rollback**
  - Status: IMPLEMENTED
  - Canary controller for gradual traffic promotion through configurable steps (e.g., 5% -> 10% -> 25% -> 50% -> 100%) with multiple progression strategies (linear, exponential, fibonacci). Auto-advances based on statistical metrics analysis, auto-rolls back on metric threshold breaches, supports manual intervention and configurable promotion schedules.
  - Sprint: SPRINT_20260110_110_003_PROGDL_canary_controller.md
- [x] **Component Registry for Container Image Tracking**
  - Status: IMPLEMENTED
  - Registry for tracking container images as deployable components with registry/repository metadata, component discovery from connected registries, label management, and component lifecycle (active/deprecated).
  - Sprint: SPRINT_20260110_104_001_RELMAN_component_registry.md
- [x] **DAG-Based Workflow Engine with Parallel Execution**
  - Status: IMPLEMENTED
  - DAG executor for orchestrating workflow step execution with parallel and sequential support. Includes start/pause/resume/cancel operations, step retry/skip, workflow run state tracking, and checkpoint persistence.
  - Sprint: SPRINT_20260110_105_003_WORKFL_dag_executor.md
- [x] **Deployment Artifact Generator (Digest-Locked Compose Files and Version Stickers)**
  - Status: IMPLEMENTED
  - Generates immutable deployment artifacts for each deployment: digest-locked compose files (compose.stella.lock.yml with image@digest pinning and stella labels), version sticker files (stella.version.json with release metadata), and full deployment manifests. All artifacts are deterministic and stored for audit.
  - Sprint: SPRINT_20260110_107_003_DEPLOY_artifact_generator.md
- [x] **Deployment Rollback Manager with Automated Failure Recovery**
  - Status: IMPLEMENTED
  - Automated deployment rollback system that plans rollback strategies for failed deployments, executes rollback to previous releases across multiple targets, tracks rollback progress, and generates rollback evidence. Supports RedeployPrevious, RestoreSnapshot, and Manual strategies.
  - Sprint: SPRINT_20260110_107_004_DEPLOY_rollback_manager.md
- [x] **Digest-First Version Manager for Container Images**
  - Status: IMPLEMENTED
  - Version management system with digest-first identity: resolves tags to immutable digests, tracks component versions with metadata, watches for new versions from registries, and supports semantic versioning extraction.
  - Sprint: SPRINT_20260110_104_002_RELMAN_version_manager.md
- [x] **Docker Compose Deployment Agent**
  - Status: IMPLEMENTED
  - Compose agent capability for docker-compose stack management: pull, up, down, scale, health-check operations. Includes compose file management with digest-locked image references.
  - Sprint: SPRINT_20260110_108_003_AGENTS_compose.md
- [x] **Docker Deployment Agent**
  - Status: IMPLEMENTED
  - Docker agent capability for standalone container management: pull, run, stop, remove, health-check, and log streaming operations on target hosts with registry authentication.
  - Sprint: SPRINT_20260110_108_002_AGENTS_docker.md
- [x] **HashiCorp Nomad Deployment Agent**
  - Status: IMPLEMENTED
  - Nomad agent capability for HashiCorp Nomad job deployments: register/run/stop jobs, scaling, deployment monitoring, allocation tracking, log streaming. Supports multiple task drivers (docker, raw_exec, java).
  - Sprint: SPRINT_20260110_108_007_AGENTS_nomad.md
- [x] **Inventory Sync with Container Drift Detection**
  - Status: IMPLEMENTED
  - Inventory synchronization service that pulls current container state from targets, creates inventory snapshots (containers, networks, volumes), and detects drift from expected deployment state. Supports scheduled and on-demand sync.
  - Sprint: SPRINT_20260110_103_004_ENVMGR_inventory_sync.md
- [x] **Promotion Decision Engine (Gate + Approval Combination)**
  - Status: IMPLEMENTED
  - Decision engine combining gate evaluation results and approval status into final promotion decisions. Generates decision records with evidence, supports configurable decision rules, and maintains decision history.
  - Sprint: SPRINT_20260110_106_005_PROMOT_decision_engine.md
- [x] **Promotion Gate Registry with Built-in Gates (Freeze Window, Manual, Policy, Approval, Schedule, Dependency)**
  - Status: IMPLEMENTED
  - Gate registry managing 8 built-in promotion gate types. This sprint implements 6: freeze-window-gate, manual-gate, policy-gate (OPA/Rego), approval-gate (N of M), schedule-gate (deployment windows), and dependency-gate (upstream health checks). Supports plugin gates via IGateProviderCapability.
  - Sprint: SPRINT_20260110_106_003_PROMOT_gate_registry.md
- [x] **Release Bundle Manager (Multi-Component Release Creation)**
  - Status: IMPLEMENTED
  - Release bundle management for creating releases containing multiple component versions. Supports add/remove components from draft releases, finalization to lock versions, and release manifest generation.
  - Sprint: SPRINT_20260110_104_003_RELMAN_release_manager.md
- [x] **Release Catalog with Status Lifecycle and Deployment History**
  - Status: IMPLEMENTED
  - Release catalog with status lifecycle (draft -> ready -> promoting -> deployed/deprecated), deployment history tracking per environment, release comparison, and paginated query support.
  - Sprint: SPRINT_20260110_104_004_RELMAN_release_catalog.md
- [x] **Target Registry for Deployment Destinations (Docker, Compose, ECS, Nomad Hosts)**
  - Status: IMPLEMENTED
  - Registry for managing deployment targets within environments, supporting docker_host, compose_host, ecs_service, and nomad_job target types. Includes target registration, health monitoring, connection validation, capability detection, and target-agent associations.
- Sprint: SPRINT_20260110_103_002_ENVMGR_target_registry.md - [x] **Traffic Router Framework (Weighted, Header, Cookie Routing)** - Status: IMPLEMENTED - Traffic routing framework with ITrafficRouter interface supporting weighted (percentage-based), header-based, and cookie-based routing strategies. Includes router registry, routing state persistence, and metrics collection. Extensible via plugins for Nginx, HAProxy, Traefik, AWS ALB. - Sprint: SPRINT_20260110_110_002_PROGDL_traffic_router.md - [x] **Version Sticker Writer (Deployment State Recording)** - Status: IMPLEMENTED - Version sticker system that writes stella.version.json files to each deployment target via agents, recording deployment state (release, components, digests, environment, evidence IDs). Supports write and read operations for deployment verification. - Sprint: SPRINT_20260110_109_003_RELEVI_version_sticker.md ### Replay (3 features) - [-] **Immutable Advisory Feed Snapshots** - Status: PARTIALLY_IMPLEMENTED - The replay infrastructure supports input manifests and determinism tracking which conceptually align with point-in-time query capability, but a dedicated feed snapshotting system with per-provider immutable blobs and point-in-time advisory resolution is not directly implemented as described. - Modules: `src/Replay, src/__Tests` - [x] **Replay Infrastructure (Manifest, Determinism Verifier, Verdict Engine, Drift Detection)** - Status: IMPLEMENTED - Full replay infrastructure: DeterminismVerifier re-hydrates exact inputs from manifest and verifies bit-for-bit verdict reproduction. Run manifest model capturing pipeline state (feeds, rules, versions). DeterministicResolver with feed snapshots, bundle export, and web service. Verdict replay with divergence detection and input drift testing. 
- Modules: `src/Replay, src/__Libraries/StellaOps.Replay.Core, src/__Libraries/StellaOps.Resolver, src/__Libraries/StellaOps.AuditPack, src/__Tests` - [x] **Replay Recording and Verification Service** - Status: IMPLEMENTED - Dedicated replay service that records verdict inputs/outputs and provides endpoints to replay and verify deterministic verdict execution, ensuring reproducibility of security decisions. - Modules: `src/Replay/` - Sprint: SPRINT_0186_0001_0001_record_deterministic_execution.md ### RiskEngine (3 features) - [x] **CVSS + KEV Risk Signal Combination** - Status: IMPLEMENTED - Risk engine combining CVSS scores with KEV (Known Exploited Vulnerabilities) data and EPSS scores for prioritization. Deterministic formula tested via integration tests. - Modules: `src/RiskEngine` - [x] **EPSS Risk Band Mapping** - Status: IMPLEMENTED - EPSS provider with bundle loading, fetching, and risk band mapping that converts EPSS probabilities into actionable risk categorizations. - Modules: `src/RiskEngine, src/Scanner` - [ ] **Exploit Maturity Mapping** - Status: NOT_FOUND - No dedicated exploit maturity mapping service found. The EPSS provider in RiskEngine may partially cover this. ### Router (18 features) - [x] **Router Backpressure (HTTP 429/503 + Retry-After)** - Status: IMPLEMENTED - Rate limiting and backpressure testing with dedicated chaos test suite for the router, including Testcontainers-based fixture for burst testing. - Modules: `src/Router, src/Scanner` - [x] **ASP.NET Endpoint Discovery and Router Dispatch Bridge** - Status: IMPLEMENTED - SDK that bridges ASP.NET Core minimal API / controller endpoints to StellaRouter dispatch. Includes EndpointDiscoveryService, ASP.NET Core discovery provider (via reflection and source generation), authorization mapping, and DI extensions. Enables microservices to auto-register their endpoints with the StellaRouter without manual configuration. 
- Modules: `src/Router/`, `src/__Libraries/` - Sprint: SPRINT_8100_0011_0001_router_sdk_aspnet_bridge.md - [x] **Gateway Core Routing Infrastructure** - Status: IMPLEMENTED - Gateway core with `InMemoryRoutingState` for tracking connected microservice instances, `DefaultRoutingPlugin` with version-compatible/health-based/region-aware instance filtering, and rate limiting per instance. - Modules: `src/Router/__Libraries/StellaOps.Router.Gateway/`, `src/Gateway/StellaOps.Gateway.WebService/` - Sprint: batch_51/file_20.md - [x] **InMemory Transport Plugin** - Status: IMPLEMENTED - In-process transport using System.Threading.Channels for development and testing. Implements InMemoryTransportServer, InMemoryTransportClient, InMemoryConnectionRegistry, and InMemoryChannel with zero-copy semantics. - Modules: `src/Router/__Libraries/StellaOps.Router.Transport.InMemory/`, `src/__Libraries/StellaOps.Router.Transport.InMemory/` - Sprint: batch_51/file_17.md - [x] **Messaging Abstractions Library (Queue, Cache, Event Stream, Rate Limiter)** - Status: IMPLEMENTED - Transport-agnostic messaging abstractions library providing IMessageQueue, IDistributedCache, IEventStream, IRateLimiter, IIdempotencyStore, and IAtomicTokenStore contracts. Includes InMemory, Postgres, and Valkey transport implementations with plugin-based transport registration. - Modules: `src/Router/__Libraries/StellaOps.Messaging/`, `src/Router/__Libraries/StellaOps.Messaging.Transport.InMemory/`, `src/Router/__Libraries/StellaOps.Messaging.Transport.Postgres/`, `src/Router/__Libraries/StellaOps.Messaging.Transport.Valkey/` - Sprint: Discovered via source verification (part of Router ecosystem, Sprint 7000 series) - [x] **Microservice Endpoint YAML Configuration Overrides** - Status: IMPLEMENTED - Per-endpoint YAML configuration overrides for timeouts, claim requirements, streaming enablement, and payload limits. Merges code-level `[StellaEndpoint]` attributes with YAML overrides at runtime. 
- Modules: `src/Router/__Libraries/StellaOps.Microservice/` - Sprint: batch_52/file_08.md - [x] **Microservice SDK Core (Endpoint Discovery and Connection Management)** - Status: IMPLEMENTED - SDK for building Stella microservices with `[StellaEndpoint]` attribute-based endpoint discovery, `RouterConnectionManager` for HELLO/HEARTBEAT handshake with Gateway, and `AddStellaMicroservice()` DI registration. Enables services to register endpoints and communicate through the Router Gateway. - Modules: `src/Router/__Libraries/StellaOps.Microservice/`, `src/__Libraries/StellaOps.Microservice/` - Sprint: batch_51/file_18.md - [x] **Microservice SDK Request Dispatcher and Typed Endpoint Adapters** - Status: IMPLEMENTED - Request dispatch pipeline with `RequestDispatcher`, `TypedEndpointAdapter` for strongly-typed endpoint handling, `PathMatcher` with wildcard support, `EndpointRegistry`, and per-request DI scoping. Handles frame routing from Gateway to the correct endpoint handler. - Modules: `src/Router/__Libraries/StellaOps.Microservice/` - Sprint: batch_51/file_19.md - [x] **Region-Aware Routing Algorithm** - Status: IMPLEMENTED - Full routing algorithm with 3-tier region preference (Tier 0: same region, Tier 1: same continent, Tier 2: cross-continent), ping-based latency selection within tiers, heartbeat recency weighting, and round-robin/random tie-breaking for deterministic load distribution. - Modules: `src/Router/__Libraries/StellaOps.Router.Common/`, `src/Router/__Libraries/StellaOps.Router.Gateway/` - Sprint: batch_51/file_24.md - [x] **Roslyn Endpoint Source Generator (AOT-Compatible)** - Status: IMPLEMENTED - Roslyn incremental source generator that detects `[StellaEndpoint]` attributes at compile time and generates AOT-compatible endpoint registration code, eliminating runtime reflection for endpoint discovery. Supports Native AOT deployment scenarios. 
- Modules: `src/Router/__Libraries/StellaOps.Microservice.SourceGen/`, `src/__Libraries/StellaOps.Microservice.SourceGen/` - Sprint: batch_52/file_10.md - [x] **Router Common Models and Abstractions Library** - Status: IMPLEMENTED - Core shared library defining frame types (REQUEST, RESPONSE, HELLO, HEARTBEAT, CANCEL, STREAM_DATA), transport abstractions (ITransportServer, ITransportClient), routing contracts (IGlobalRoutingState, IRoutingPlugin, IRegionProvider), and model types (EndpointDescriptor, InstanceDescriptor, ConnectionState, RoutingContext, RoutingDecision, PayloadLimits). - Modules: `src/Router/__Libraries/StellaOps.Router.Common/` - Sprint: batch_51/file_16.md - [x] **Router Reference Implementation Examples** - Status: IMPLEMENTED - Complete reference implementations including Examples.Gateway, Examples.Billing.Microservice, Examples.Inventory.Microservice, Examples.MultiTransport.Gateway, and Examples.NotificationService demonstrating all Router SDK capabilities with docker-compose orchestration. - Modules: `src/Router/examples/` - Sprint: batch_52/file_11.md - [x] **Router Request Cancellation Propagation** - Status: IMPLEMENTED - CANCEL frame type for explicit request cancellation, inflight request tracking, client disconnect detection with automatic cancellation propagation to microservices, and CancellationToken integration in endpoint handlers. - Modules: `src/Router/__Libraries/StellaOps.Router.Common/`, `src/Router/__Libraries/StellaOps.Microservice/` - Sprint: batch_52/file_00.md - [x] **Router Streaming Data Transfer** - Status: IMPLEMENTED - REQUEST_STREAM_DATA and RESPONSE_STREAM_DATA frame types for chunked streaming, backpressure handling via flow control, and streaming endpoint support in the Microservice SDK. 
- Modules: `src/Router/__Libraries/StellaOps.Router.Common/`, `src/Router/__Libraries/StellaOps.Microservice/` - Sprint: batch_52/file_01.md - [x] **Router YAML/JSON Configuration with Hot-Reload** - Status: IMPLEMENTED - Centralized router configuration supporting YAML and JSON formats with `IOptionsMonitor` integration and `FileSystemWatcher`-based hot-reload. Includes validation, change event notification, and per-service routing options. - Modules: `src/Router/__Libraries/StellaOps.Router.Config/` - Sprint: batch_52/file_07.md - [x] **Router/Microservice SDK Solution Infrastructure** - Status: IMPLEMENTED - Complete solution skeleton for the Router ecosystem including 17 library projects, 17 test projects, example applications, and Gateway WebService. Establishes the project structure for inter-service communication. - Modules: `src/Router/`, `src/Gateway/` - Sprint: batch_51/file_15.md - [x] **TLS/mTLS Transport Plugin** - Status: IMPLEMENTED - TLS transport wrapping TCP with SslStream, supporting mutual TLS (mTLS) with client certificate validation, certificate hot-reload without connection drops, and configurable cipher suites. - Modules: `src/Router/__Libraries/StellaOps.Router.Transport.Tls/` - Sprint: batch_52/file_04.md - [x] **Valkey (Redis-Compatible) Messaging Transport for Gateway** - Status: IMPLEMENTED - Adds Valkey (Redis-compatible) as a messaging transport option for the Gateway/Router, including DI wiring, HELLO/heartbeat handling, atomic token store, cache factory, and messaging dispatch. Provides a high-performance alternative to the existing messaging infrastructure. 
- Modules: `src/Router/` - Sprint: SPRINT_8100_0011_0003_gateway_valkey_messaging_transport.md ### RuntimeInstrumentation (1 features) - [x] **Tetragon/eBPF Runtime Instrumentation Bridge (Runtime Witnesses, Build Correlation)** - Status: IMPLEMENTED - Tetragon-based eBPF runtime instrumentation with event adaptation, witness bridging, frame canonicalization, privacy filtering, hot-symbol tracking, stack sampling, and runtime correlation to build artifacts for runtime reachability analysis. - Modules: `src/RuntimeInstrumentation, src/Signals` ### SbomService (8 features) - [x] **SBOM-Verdict Linking Table** - Status: IMPLEMENTED - Join table linking SBOM versions to VEX consensus verdicts per CVE. Schema designed but not implemented. - Modules: `(planned for src/SbomService, src/VexLens)` - [x] **SBOM Lineage API Backend** - Status: IMPLEMENTED - REST API endpoints for lineage graph queries, diff computation, and export. Architecture fully documented but backend implementation pending. - Modules: `(planned for src/SbomService)` - [-] **SBOM Lineage Graph Visualization** - Status: PARTIALLY_IMPLEMENTED - SBOM lineage graph with Git-like visualization. Architecture fully documented, UI components mostly built, but API endpoints not implemented and services use stubs. - Modules: `src/SbomService, src/Web` - [x] **SBOM Lineage Edge Persistence (PostgreSQL)** - Status: IMPLEMENTED - PostgreSQL-backed persistence for SBOM lineage graph edges with ISbomLineageEdgeRepository interface, sbom_lineage_edges table schema, and in-memory test implementation. Stores parent-child relationships between SBOM versions across image rebuilds. - Modules: `src/SbomService/` - Sprint: SPRINT_20251228_005_BE_sbom_lineage_graph_i.md - [x] **SBOM Lineage Hover Cache with Valkey** - Status: IMPLEMENTED - Valkey-backed (Redis-compatible) caching layer for SBOM lineage graph hover card data. 
Pre-computes and caches component diff summaries, VEX delta counts, and provenance metadata for instant hover card rendering without round-trips to PostgreSQL. - Modules: `src/SbomService/` - Sprint: SPRINT_20251228_005_BE_sbom_lineage_graph_i.md - [x] **SBOM Lineage NDJSON Streaming Export** - Status: IMPLEMENTED - NDJSON (newline-delimited JSON) streaming export for SBOM lineage graphs. Enables efficient bulk export of lineage data for offline analysis, air-gap transfer, and integration with external tools that consume streaming JSON formats. - Modules: `src/SbomService/StellaOps.SbomService/` - Sprint: BATCH_20251229_BE_COMPLETION_SUMMARY.md (SBOM Lineage API sprint section) - [x] **SBOM Service Lineage Projection API** - Status: IMPLEMENTED - REST API for querying SBOM lineage projections including component lookup, version history, and dependency graph traversal with LNM v1 schema support. - Sprint: SPRINT_0142_0001_0001_sbomservice.md - [x] **SBOM Service Registry Source Integration** - Status: IMPLEMENTED - Registry webhook and source management endpoints allowing container registries to push SBOM metadata events and manage trusted source configurations. - Sprint: SPRINT_0142_0001_0001_sbomservice.md ### Scanner (151 features) - [x] **OCI Ancestry Extraction** - Status: IMPLEMENTED - Extract base image references from OCI manifest config.history to populate lineage parent relationships. Not yet implemented. - Modules: `(planned for src/Scanner)` - [x] **3-Bit Reachability Gate** - Status: IMPLEMENTED - Gate-based reachability system with multiple gate detectors (auth, admin-only, feature flags, non-default config), gate multiplier calculator, and rich graph annotation for gate-aware reachability. - Modules: `src/Scanner` - [x] **Auto-VEX Generation from Smart-Diff** - Status: IMPLEMENTED - VEX candidate emission from SmartDiff detection results, generating VEX statements backed by delta evidence. 
- Modules: `src/Scanner` - [x] **Base Image Detection and Recommendations** - Status: IMPLEMENTED - Base image detection via layer diffID fingerprinting with PostgreSQL-backed fingerprint database, in-memory index, exact layer match and fuzzy matching, and bulk detection support. Interface `IBaseImageDetector` with full `BaseImageDetector` implementation. - Modules: `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Resolution/` - [x] **Binary SBOM and Build-ID to PURL Mapping** - Status: IMPLEMENTED - Binary call graph extraction, patch verification with signature stores and evidence models, and binary index service extensions for the scanner worker. - Modules: `src/Scanner` - [x] **Compositional Library-Aware Call-Graph Reachability** - Status: IMPLEMENTED - Multi-layer reachability analysis combining call-graph extraction, dependency-aware analysis, surface-aware analysis, and conditional reachability with ReachGraph integration. - Modules: `src/Scanner` - [x] **Dataflow-Aware Diffs (Entrypoint-to-Sink Reachability)** - Status: IMPLEMENTED - Semantic entrypoint orchestrator with dataflow boundary analysis, data boundary mapping, and service security dataflow analyzer for entrypoint-to-sink reachability. - Modules: `src/Scanner` - [x] **Deterministic Diff-Aware Rescans (SmartDiff / Diff-Native CI)** - Status: IMPLEMENTED - SmartDiff with golden fixture tests, schema validation, state comparison, reachability gates, SARIF output, performance benchmarks, and layer caching for diff-native CI capability. - Modules: `src/Scanner` - [-] **DSSE Gateway Traversal (mTLS + provenance headers)** - Status: PARTIALLY_IMPLEMENTED - HMAC-based DSSE envelope signing exists in the scanner worker. No explicit NGINX/WAF gateway configuration or provenance header middleware found in source code (likely infrastructure-level, not application code). 
- Modules: `src/Scanner` - [x] **eBPF Capture Abstraction** - Status: IMPLEMENTED - Platform-level eBPF capture adapter for Linux with runtime evidence aggregation, plus dedicated eBPF library at `src/Signals/__Libraries/StellaOps.Signals.Ebpf/` with probe loaders, parsers, and air-gap support. - Modules: `src/Scanner, src/Signals` - [-] **eBPF Probe Type Granularity (ProbeType field)** - Status: PARTIALLY_IMPLEMENTED - The advisory identified adding an optional ProbeType field to RuntimeObservation as a gap. Probe infrastructure exists in Signals.Ebpf but the specific ProbeType enum on RuntimeObservation was marked TODO. - Modules: `src/Scanner, src/Signals` - [-] **Ecosystem Reality Acceptance Test Fixtures** - Status: PARTIALLY_IMPLEMENTED - SCA fixtures and acceptance packs exist but the advisory called for mapping five specific real-world incidents (credential leak, offline DB schema mismatch, SBOM parity drift, scanner instability) into deterministic tests. Some catalogue fixtures exist but the full incident-to-test mapping is not fully evidenced. - Modules: `src/Scanner, src/__Tests` - [x] **Explainable triage UX with evidence-linked findings** - Status: IMPLEMENTED - Tabbed evidence panel with policy, binary diff, confidence meter, and SBOM evidence tabs provides expandable evidence views per finding. - Modules: `src/Scanner, src/Web` - [x] **False-negative drift (FN-Drift) tracking and metrics** - Status: IMPLEMENTED - FN-Drift calculation, metrics export, and classification change history tracking with dedicated Postgres migration. - Modules: `src/Scanner` - [x] **GitHub Code Scanning Endpoints (Backend)** - Status: IMPLEMENTED - Backend endpoints for triggering SARIF uploads to GitHub Code Scanning are implemented, with a null service for environments without GitHub integration. 
- Modules: `src/Scanner` - [x] **Ground Truth Corpus and Benchmark Evaluator** - Status: IMPLEMENTED - Benchmark infrastructure with corpus manifests and metrics calculation exists for measuring scanner precision. - Modules: `src/Scanner` - [-] **Ground-Truth Corpus with Reachability Tiers (R0-R4)** - Status: PARTIALLY_IMPLEMENTED - Golden fixture tests exist for smart-diff and reachability, but the full ground-truth corpus structure (/toys/svc-XX-/ with labels.yaml) was not found as described in the advisory. - Modules: `src/Scanner` - [-] **Idempotent Attestation Submission** - Status: PARTIALLY_IMPLEMENTED - Verdict push stage executor and scheduler event publisher handle attestation submission, but explicit idempotency/retry logic specific to Rekor resubmission was not found as a separate concern. - Modules: `src/Scanner, src/Scheduler` - [x] **Multi-Language Call Graph Extractors and Analyzers (.NET, Go, Java, JS, Python, Ruby, PHP, Bun, Deno)** - Status: IMPLEMENTED - Call graph extractors for .NET, Go, Java, JavaScript, Python, Ruby, PHP, Bun, and Deno. .NET has dedicated language analyzer with entrypoint resolver and capability scanner. Includes capability scanning, sink matching, and binary call graph extraction. - Modules: `src/Scanner` - [x] **Layer-SBOM Cache with Hash-Based Reuse** - Status: IMPLEMENTED - Layer-level SBOM caching is implemented with a dedicated cache store, cache entries, put requests, maintenance service, and a LayerSbomService that integrates with the scanner pipeline. - Modules: `src/Scanner` - [x] **Layered Resolver Pipeline (ELF/PE Feature Extraction)** - Status: IMPLEMENTED - Binary analysis with call graph extraction for ELF/PE formats and patch verification orchestration. - Modules: `src/Scanner` - [x] **Model Version Change Detection** - Status: IMPLEMENTED - Change detection for EPSS model version updates that suppresses noisy deltas when the underlying model changes, preventing false signal cascades. 
- Modules: `src/Scanner` - [x] **Offline Kit Import and Attestation Verification** - Status: IMPLEMENTED - Offline kit import service and offline attestation verifier with test coverage in Scanner module, enabling verification of DSSE-signed attestations without network access. - Modules: `src/Scanner` - [x] **Outbox Pattern for Event Dispatch** - Status: IMPLEMENTED - Outbox pattern for reliable event dispatch with idempotent processing, dispatch tracking, and retry logic. - Modules: `src/Scanner` - [x] **Quiet Scans Validation (Reachability + VEX + Dedup)** - Status: IMPLEMENTED - Reachability gates and VEX candidate emission are tested and integrated into the SmartDiff pipeline for quieter scan results. - Modules: `src/Scanner` - [x] **Reachability Caching with Incremental Updates** - Status: IMPLEMENTED - Postgres-backed reachability cache with incremental updates, graph delta computation, impact set calculation, and state flip detection for efficient cache invalidation. - Modules: `src/Scanner` - [x] **Reachability Status Classification (R0-R3/UNREACHABLE through REACHABLE_PROVEN)** - Status: IMPLEMENTED - Reachability classification with multiple tiers (unreachable, possibly reachable, reachable static, reachable proven) and confidence scoring with deterministic modifiers. - Modules: `src/Scanner` - [x] **Reachability Subgraph Extraction and Proof of Exposure** - Status: IMPLEMENTED - Full subgraph extraction for reachability proofs with witness tracking, explanation generation, and proof spine building. - Modules: `src/Scanner` - [x] **Runtime Witness Predicate Types** - Status: IMPLEMENTED - Runtime witness predicate types with DSSE signing, path witnesses, runtime observations, and suppression witnesses for reachability analysis. 
- Modules: `src/Scanner` - [x] **SARIF 2.1.0 Export System (Findings, SmartDiff, GitHub Code Scanning)** - Status: IMPLEMENTED - Full SARIF 2.1.0 export service with rule registry (STELLA-VULN, STELLA-SEC, STELLA-SC, STELLA-BIN taxonomy), fingerprint generation, schema validation, export options, and dedicated library. Exports both main findings and SmartDiff results (rules SDIFF001-004). GitHub code scanning integration endpoints and IDE-compatible output. - Modules: `src/Scanner` - [x] **SCA Failure Catalogue Test Fixtures** - Status: IMPLEMENTED - SCA failure catalogue with test fixtures (including Dockerfile scenarios) and dedicated determinism tests verifying catalogue stability. - Modules: `src/Scanner, src/__Tests` - [x] **Scan Manifest with DSSE Signing** - Status: IMPLEMENTED - ScanManifest with DSSE signing, proof bundle writing, PostgreSQL persistence, and test coverage. - Modules: `src/Scanner` - [x] **Scanner Analyzers (Language-Specific and Binary)** - Status: IMPLEMENTED - Extensive analyzer ecosystem covering language-specific (Ruby, Java), OS-specific (Windows WinSxS, MSI, Chocolatey, macOS Homebrew, pkgutil), and secrets analyzers. - Modules: `src/Scanner` - [-] **Scanner Deterministic Regression Test Framework** - Status: PARTIALLY_IMPLEMENTED - The advisory proposes a structured scanner regression test framework with golden fixtures under a Regression/ directory with standardized metadata and case layouts. Golden/determinism tests exist across scanner sub-modules (SmartDiff, Analyzers), but the specific directory structure (SCN-XXXX-slug with case.metadata.json, case.md, input/, expected/) and dedicated Scanner-Regression CI job were not found. - Modules: `src/Scanner` - [x] **Secret Detection and Credential Leak Guard** - Status: IMPLEMENTED - Secret detection analyzer with leak evidence capture, alert emission, and integration into the scanner worker pipeline. Compatible with Grype credential leak test scenarios. 
- Modules: `src/Scanner` - [x] **Signed Triage Decisions** - Status: IMPLEMENTED - Triage decisions are tracked with rationale, evidence linkage, and unified evidence composition supporting attestation chains. - Modules: `src/Scanner` - [x] **Smart-Diff Material Risk Change Detection (R1-R4 Rules, Reachability Integration)** - Status: IMPLEMENTED - MaterialRiskChangeDetector implementing rules R1-R4 (Reachability flip, VEX status flip, affected range boundary, intelligence/policy flip) with reachability gate bridge, boundary proofs, predicate schema with JSON serializer and schema validation, and deterministic golden fixture tests. - Modules: `src/Scanner` - [-] **Stack-Trace/Exploit Path View** - Status: PARTIALLY_IMPLEMENTED - Backend has exploit path grouping and path rendering. Frontend triage inbox API exists but a dedicated "Stack-Trace Lens" UX component is not found as a standalone view. - Modules: `src/Scanner, src/Web` - [x] **Symbol Mappers for .NET/JVM/Node/Python** - Status: IMPLEMENTED - Symbol mapping with sink matchers and entrypoint classifiers exists for Java, Python, JavaScript, and Node ecosystems. - Modules: `src/Scanner` - [x] **Tiered Scanner Precision (Imported/Executed/Tainted-Sink Tiers with PR-AUC Metrics)** - Status: IMPLEMENTED - Fidelity-aware analysis with tiered precision is implemented including benchmark corpus management, metrics calculation, fidelity endpoints, and reproducibility verification. - Modules: `src/Scanner` - [x] **Time-to-First-Signal (TTFS) Metrics, Telemetry, and Benchmarks** - Status: IMPLEMENTED - TTFS telemetry services on both frontend and backend. Frontend tracks signal rendering timing, backend has performance benchmarks. Deterministic test fixtures for TTFS validation. - Modules: `src/Scanner, src/Web` - [x] **Triage database schema and API endpoints** - Status: IMPLEMENTED - PostgreSQL triage schema with migration, DbContext, and tested API endpoints for triage status management. 
- Modules: `src/Scanner` - [x] **Triage lanes (visibility buckets: ACTIVE, BLOCKED, MUTED_REACH, MUTED_VEX, etc.)** - Status: IMPLEMENTED - Triage lane toggle and quiet lane components implement visibility buckets for findings. Scanner Triage module provides the backend data model. - Modules: `src/Scanner, src/Web` - [x] **Trigger Method / Vulnerable Function Extraction** - Status: IMPLEMENTED - Multi-language call graph extraction with guard detection and drift cause explanation. Covers entrypoint-to-sink path analysis. - Modules: `src/Scanner` - [x] **Unified Binary + Source Reachability (Polyglot Call Graph)** - Status: IMPLEMENTED - Multi-language call graph extraction is implemented for binary, Java, Python, Node, Ruby, PHP, and JavaScript ecosystems with native callgraph building. - Modules: `src/Scanner` - [x] **VEX Auto-Generation and Auto-Downgrade (SmartDiff Candidates, Runtime Evidence)** - Status: IMPLEMENTED - Emits VEX candidates (not_affected/under_investigation) from SmartDiff when vulnerable APIs absent in current version. Runtime results can support/contradict static analysis, enabling auto-downgrade of VEX posture based on runtime evidence. - Modules: `src/Scanner, src/__Libraries/StellaOps.Reachability.Core` - [-] **VEX Decision Filter with Reachability** - Status: PARTIALLY_IMPLEMENTED - Triage queries incorporate reachability data and VEX consensus computation exists, but a dedicated reachability-aware VEX decision filter as a distinct component is not fully separated. - Modules: `src/Scanner, src/VexLens` - [x] **VEX Exception Approval Flow** - Status: IMPLEMENTED - Approval endpoints for VEX exception workflows with propose/approve two-step process are implemented. - Modules: `src/Scanner` - [-] **Vulnerability-First Triage UX with Exploit Path Grouping** - Status: PARTIALLY_IMPLEMENTED - Backend triage service with DB context and reachability subgraph extraction exist. Full UI inbox with exploit-path grouping is partially implemented. 
- Modules: `src/Scanner, src/Web` - [x] **AI Governance Policy Loader for ML-BOM Scanning** - Status: IMPLEMENTED - Configurable AI governance policies for scanner-level enforcement of model card requirements, training data lineage thresholds, and EU AI Act compliance categories during SBOM analysis. - Modules: `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/` - Sprint: SPRINT_20260119_018_Scanner_aiml_supply_chain.md - [x] **AI/ML Supply Chain Security Analysis Module** - Status: IMPLEMENTED - Dedicated scanner module for AI/ML supply chain security including EU AI Act risk classification, model card completeness analysis, training data provenance verification, bias/fairness analysis, and AI governance policy enforcement. Distinct from the existing "AI Authority Classification Engine" which focuses on VEX/advisory AI classification, not ML-BOM supply chain scanning. - Modules: `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/` - Sprint: SPRINT_20260119_018_Scanner_aiml_supply_chain.md - [x] **API Gateway Boundary Extractor (Kong, Envoy/Istio, AWS API Gateway, Traefik)** - Status: IMPLEMENTED - Parses API gateway configurations from Kong, Envoy/Istio, AWS API Gateway, and Traefik to extract route-level boundary information for reachability analysis. Determines which internal services are exposed through gateway routes. - Modules: `src/Scanner/` - Sprint: batch_01/file_11.md - [x] **Binary Intelligence Engine (Function-Level Code Fingerprinting)** - Status: IMPLEMENTED - Function-level binary code fingerprinting with symbol recovery for stripped binaries, vulnerable function matching against a fingerprint corpus, and source-to-binary correlation. Extends existing binary fingerprint capabilities with intelligence-grade analysis for entrypoint-scoped binary reachability. 
- Modules: `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/` - Sprint: SPRINT_0414_0001_0001_binary_intelligence.md - [x] **Build Provenance Verification Module with SLSA Level Evaluator** - Status: IMPLEMENTED - Scanner stage that evaluates SLSA provenance levels (L0-L4) for artifacts, verifies builder identity against trusted builder lists, checks reproducibility claims, and builds provenance chains. Integrates as a dedicated pipeline stage in the scanner worker. The known list has "SLSA provenance predicate validation" but not a scanner-integrated SLSA level evaluator with reproducibility verification. - Modules: `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/`, `src/Scanner/StellaOps.Scanner.Worker/Processing/BuildProvenance/` - Sprint: SPRINT_20260119_019_Scanner_build_provenance.md - [x] **Bun Call Graph Extractor** - Status: IMPLEMENTED - Static call graph extraction for Bun runtime JavaScript/TypeScript codebases, extending the multi-language extractor framework with Bun-specific entrypoint detection and sink matching. - Modules: `src/Scanner/` - Sprint: SPRINT_3610_0005_0001_ruby_php_bun_deno.md - [x] **BYOS (Bring Your Own SBOM) Ingestion Workflow** - Status: IMPLEMENTED - Allows users to upload externally-generated SBOMs (CycloneDX 1.4-1.6, SPDX 2.3/3.0) via REST API. Includes automatic format detection, schema validation, component normalization, quality scoring (PURL/version/license coverage weighted 40/30/30), SHA-256 digest computation, and automatic scan/analysis triggering. Supports both inline JSON and base64-encoded payloads with CI context metadata. - Modules: `src/Scanner/` - Sprint: SPRINT_4600_0001_0002_byos_ingestion.md - [x] **Claim ID Generator for Static-Runtime Linkage** - Status: IMPLEMENTED - Deterministic claim ID generator using format `claim::` to link runtime observations to static reachability claims, with ObservationType enum (Static/Runtime/Confirmed). 
- Modules: `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/` - Sprint: SPRINT_20260118_015_Scanner_runtime_witness_model.md - [x] **Container Layout Discovery Contract** - Status: IMPLEMENTED - Standardized contract for discovering and mapping container filesystem layouts, enabling analyzers to locate language-specific artifacts across different container image structures. - Modules: `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/` - Sprint: SPRINT_0408_0001_0001_scanner_language_detection_gaps_program.md - [x] **Cross-Analyzer Identity Safety Contract** - Status: IMPLEMENTED - Formal contract enforcing PURL vs explicit-key identity rules across all language analyzers, ensuring consistent component identification regardless of analyzer source. - Modules: `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/` - Sprint: SPRINT_0408_0001_0001_scanner_language_detection_gaps_program.md - [x] **CycloneDX 1.7 CBOM (Cryptographic Bill of Materials) Support** - Status: IMPLEMENTED - Cryptographic Bill of Materials support with crypto asset extraction for .NET, Java, and Node.js ecosystems. Includes CBOM aggregation service, serializer, and policy crypto risk rules. Distinct from standard SBOM support -- this inventories cryptographic algorithms and primitives across components. - Modules: `src/Scanner/` - Sprint: SPRINT_1227_0013_0001_LB_cyclonedx_cbom.md - [x] **CycloneDX 1.7 Native Evidence Field Population** - Status: IMPLEMENTED - Replaces custom `stellaops:evidence[n]` properties with spec-compliant CycloneDX 1.7 `component.evidence.*` structures (Identity, Occurrences, Licenses, Copyright). Ensures SBOM evidence data uses standard fields instead of vendor extensions. 
- Modules: `src/Scanner/__Libraries/StellaOps.Scanner.Emit/` - Sprint: SPRINT_20260107_005_001_LB_cdx17_evidence_models.md - [x] **Delta Layer Scanning Engine** - Status: IMPLEMENTED - Container image delta scanning engine that scans only changed layers between image versions by diffID comparison, reusing cached per-layer SBOMs for unchanged layers. Produces DSSE-wrapped delta evidence with Rekor anchoring. Targets 70%+ CVE churn reduction on minor base image bumps. - Modules: `src/Scanner/__Libraries/StellaOps.Scanner.Delta/` - Sprint: SPRINT_20260118_026_Scanner_delta_scanning_engine.md - [x] **Entropy Analysis for Binaries** - Status: IMPLEMENTED - Shannon entropy analysis pass integrated into the binary scanning pipeline, detecting packed/encrypted/obfuscated sections in ELF and PE binaries to flag suspicious artifacts. - Modules: `src/Scanner/` - Sprint: SPRINT_0186_0001_0001_record_deterministic_execution.md - [x] **EntryTrace Unified Entrypoint Analysis Framework** - Status: IMPLEMENTED - Unified entrypoint detection and analysis framework that orchestrates semantic, temporal, mesh, speculative, binary, and risk analysis into a single EntryTrace pipeline with baseline comparison, caching, and serialization support. - Modules: `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/` - Sprint: SPRINT_0410_0001_0001_entrypoint_detection_reengineering_program.md - [x] **ETW (Event Tracing for Windows) Collector for Runtime Traces** - Status: IMPLEMENTED - ETW-based function tracing collector for Windows using CLR runtime provider and stack walking for call chains, with container-aware process isolation and DbgHelp symbol resolution. 
- Modules: `src/Scanner/` - Sprint: SPRINT_3840_0001_0001_runtime_trace_merge.md - [x] **Evidence Privacy Controls (Redaction Service)** - Status: IMPLEMENTED - Role-based evidence redaction with three levels: Full (no redaction for security_admin/evidence:full), Standard (redacts source code from reachability paths and call stack arguments/locals, keeps hashes and line ranges), and Minimal (strips reachability paths entirely, removes call stacks, reduces provenance to build ID/digest/verified flag, preserves VEX and EPSS public data). Supports field-level selective redaction (SourceCode, CallArguments flags). Determines redaction level from ClaimsPrinc - Modules: `src/Scanner/` - Sprint: SPRINT_4300_0002_0001_evidence_privacy_controls.md - [x] **Exploit Path Grouping Service (Attack Chain Triage)** - Status: IMPLEMENTED - Groups vulnerability findings into exploit paths based on (artifact, package, vulnerable symbol, entry point) tuples with deterministic SHA-256 path IDs. Correlates reachability evidence, VEX status, and active exceptions per path. Falls back to package-level grouping when no reachability data is available. Sorted by aggregated risk score. - Modules: `src/Scanner/` - Sprint: SPRINT_3900_0003_0001_exploit_path_inbox_proof_bundles.md - [x] **Falsification Conditions Per Finding** - Status: IMPLEMENTED - Each vulnerability finding includes falsification conditions -- specific criteria that would disprove the finding, enabling evidence-based triage and automatic dismissal when conditions are met. - Modules: `src/Scanner/` - Sprint: SPRINT_3850_0001_0001_competitive_gap_closure.md - [x] **Feature Flag Gate Conditions in Reachability Verdicts** - Status: IMPLEMENTED - Detects feature flag gates on reachability paths and marks paths as "conditionally reachable" with specific flag name/condition requirements. Gated paths receive 0.5x confidence multiplier. 
- Modules: `src/Scanner/` - Sprint: SPRINT_3830_0001_0001_vex_integration_policy_binding.md - [x] **Finding Evidence API Contracts (BoundaryProof, VexEvidence, ScoreExplanation)** - Status: IMPLEMENTED - Unified evidence API data contracts defining FindingEvidenceResponse, BoundaryProof (surface, exposure, auth, controls), VexEvidence (status, justification, source), and ScoreExplanation (additive risk score breakdown with contributions) as immutable record types with JSON serialization. - Modules: `src/Scanner/`, `src/Signals/` - Sprint: SPRINT_3800_0001_0001_evidence_api_models.md - [x] **FindingEvidence Composition API Endpoint** - Status: IMPLEMENTED - REST API endpoint that composes per-finding evidence bundles by aggregating SBOM slices, reachability proofs, VEX documents, and attestation chains into a unified evidence response. EvidenceCompositionService orchestrates multi-source evidence assembly on demand. - Modules: `src/Scanner/` - Sprint: batch_01/file_12.md - [x] **FuncProof Pipeline (Function-Level Proof Generation, DSSE Signing, OCI Publishing)** - Status: IMPLEMENTED - Complete pipeline for generating function-level proof objects from binary analysis. Includes DWARF/symbol/heuristic function boundary detection, BLAKE3/SHA-256 function-range hashing, DSSE envelope signing, Rekor transparency log integration, OCI referrer publishing, CycloneDX 1.6 callflow evidence linking, PostgreSQL storage, and configurable generation options. Goes beyond the known "Function-Range Hashing and Symbol Mapping" by adding the full attestation and publishing pipeline. - Modules: `src/Scanner/`, `src/Attestor/` - Sprint: SPRINT_20251226_009_SCANNER_funcproof.md - [x] **Human Approval Attestation Service (stella.ops/human-approval@v1 predicate)** - Status: IMPLEMENTED - Generates DSSE-signed attestations for human approval decisions with 30-day TTL auto-expiry. Uses stella.ops/human-approval@v1 predicate. 
Integrates with the Approvals API (POST/GET/DELETE /api/v1/scans/{scanId}/approvals). - Modules: `src/Scanner/`, `src/Attestor/` - Sprint: batch_01/file_17.md - [x] **Kubernetes Boundary Extraction for Reachability and Proof Analysis** - Status: IMPLEMENTED - Extracts network boundary information from Kubernetes Ingress, Service, and NetworkPolicy manifests to determine external exposure, cluster exposure level, and network controls (WAF/rate-limiting). Feeds boundary data into the reachability graph and produces boundary proof for internet-facing vs internal-only path classification. Priority 200 in extractor pipeline. - Modules: `src/Scanner/` - Sprint: batch_01/file_10.md, SPRINT_3800_0002_0002_boundary_k8s.md - [x] **Layer-Aware SBOM Diff Engine** - Status: IMPLEMENTED - Extension of the SBOM diff engine with layer attribution, tracking which container layer (by diffID) introduced each component change. Enables "blame" queries to identify which layer introduced a specific vulnerability. While "SBOM Delta / Component Diffing" exists in known features, layer-attributed diffing with per-layer blame is a distinct capability. - Modules: `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Lineage/` - Sprint: SPRINT_20260118_026_Scanner_delta_scanning_engine.md - [x] **Material Changes Orchestrator (Unified Cross-Module Diff Report)** - Status: IMPLEMENTED - Unified orchestration service that chains Scanner SmartDiff, BinaryIndex fingerprint diffs, and Unknowns tracking into a single "material changes" report with compact card-style output (what changed, why it matters, next action). Enables one-stop review of all changes across layers. 
- Modules: `src/Scanner/__Libraries/StellaOps.Scanner.MaterialChanges/` - Sprint: SPRINT_20260106_001_004_LB_material_changes_orchestrator.md - [x] **Mesh Entrypoint Graph (Multi-Container Reachability)** - Status: IMPLEMENTED - Cross-container entrypoint reachability analysis that parses Kubernetes and Docker Compose manifests to build a mesh graph of service-to-service connections, enabling vulnerability impact analysis across multi-container deployments. - Modules: `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Mesh/` - Sprint: SPRINT_0412_0001_0001_temporal_mesh_entrypoint.md - [x] **Multi-Ecosystem Vulnerability Surface Builder** - Status: IMPLEMENTED - Per-ecosystem method-level vulnerability surface computation with fingerprinters for NuGet (Cecil), npm (Babel), Maven (ASM), and PyPI (Python AST). Includes VulnSurfaceBuilder, MethodDiffEngine, and PostgresVulnSurfaceRepository. 24/24 tasks DONE. - Modules: `src/Scanner/` - Sprint: batch_01/file_03.md - [x] **OCI Artifact Storage for Reachability Slices** - Status: IMPLEMENTED - OCI artifact storage with custom media types (application/vnd.stellaops.slice.v1+json) for reachability slices, supporting push/pull with DSSE signature verification, referrer-based linking, and caching. - Modules: `src/Scanner/` - Sprint: SPRINT_3850_0001_0001_oci_storage_cli.md - [x] **OCI Layer Manifest Infrastructure for Delta Scanning** - Status: IMPLEMENTED - Infrastructure for OCI manifest snapshotting with layer digest resolution and diffID-based layer tracking. Provides layer reuse detection across image versions and a registry client abstraction to support delta scanning workflows. Distinct from generic "OCI Ancestry Extraction" in known features. 
- Modules: `src/Scanner/__Libraries/StellaOps.Scanner.Cache/`, `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/` - Sprint: SPRINT_20260118_025_Scanner_layer_manifest_infrastructure.md - [x] **Offline Slice Bundle Export/Import (OCI Layout)** - Status: IMPLEMENTED - Offline distribution of reachability slices via OCI layout tar.gz bundles including all referenced artifacts (graphs, SBOMs), with integrity verification on import. Targets <100MB for typical scans. - Modules: `src/Scanner/`, `src/Cli/` - Sprint: SPRINT_3850_0001_0001_oci_storage_cli.md - [x] **OS Rootfs Fingerprint and Surface Cache** - Status: IMPLEMENTED - Root filesystem fingerprinting to uniquely identify OS layers, paired with a surface cache that avoids re-analyzing unchanged OS layers across scans. - Modules: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/` - Sprint: SPRINT_0409_0001_0001_scanner_non_language_scanners_quality.md - [x] **Package Name Normalization Service** - Status: IMPLEMENTED - Cross-ecosystem package name normalization service handling aliases between package managers (apt/dpkg, pip eggs/wheels/PyPI, npm scoped/unscoped, Go module/package paths). Uses a JSON alias map with 326 lines of known aliases and provides file-hash fingerprint fallback for unresolvable packages. - Modules: `src/Scanner/__Libraries/StellaOps.Scanner.Core/Normalization/` - Sprint: SPRINT_20260118_026_Scanner_delta_scanning_engine.md - [x] **Path Explanation Service with Multi-Format Rendering** - Status: IMPLEMENTED - Service that converts raw reachability graph paths (entrypoint-to-sink) into human-readable explanations with gate annotations, supporting text, markdown, and JSON output formats for display in CLI, UI, and API responses. 
- Modules: `src/Scanner/` - Sprint: SPRINT_3620_0002_0001_path_explanation.md - [x] **Per-Layer SBOM Content-Addressable Storage** - Status: IMPLEMENTED - Content-addressable storage for per-layer SBOMs keyed by diffID with PostgreSQL metadata and gzip-compressed content storage. Supports TTL-based eviction for cold layers and provides cache hit/miss metrics. While "Layer-SBOM Cache with Hash-Based Reuse" exists in known features, this specific CAS implementation with PostgreSQL persistence and TTL eviction is a distinct shipped capability. - Modules: `src/Scanner/__Libraries/StellaOps.Scanner.Cache/LayerSbomCas/` - Sprint: SPRINT_20260118_026_Scanner_delta_scanning_engine.md - [x] **PLT/IAT Resolution and Dynamic Loading Detection for Binary Analysis** - Status: IMPLEMENTED - Enhanced binary call graph extraction using x86 and ARM64 disassembly to resolve PLT stubs to GOT entries and IAT thunks to actual import targets, plus heuristic detection of dynamic loading patterns (dlopen/LoadLibrary) for more complete binary reachability analysis. - Modules: `src/Scanner/` - Sprint: SPRINT_3800_0001_0001_binary_call_edge_enhancement.md - [x] **Policy Version Binding to Reachability Slices (strict/forward/any)** - Status: IMPLEMENTED - Binds reachability slices to specific policy versions with three validation modes: strict (invalidate on any policy change), forward (valid with newer versions), and any (valid with any version). Production defaults to strict mode. - Modules: `src/Scanner/`, `src/Policy/` - Sprint: SPRINT_3830_0001_0001_vex_integration_policy_binding.md - [x] **Predictive Entrypoint Risk Scoring** - Status: IMPLEMENTED - Multi-dimensional predictive risk scoring that combines semantic, temporal, mesh, and binary intelligence signals into a composite risk score for entrypoints. Provides business-context-aware risk assessment with trend tracking and fleet-level aggregation. 
- Modules: `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Risk/` - Sprint: SPRINT_0415_0001_0001_predictive_risk_scoring.md - [x] **Proc Snapshot Collectors (Java/DotNet/PHP Runtime Inventory)** - Status: IMPLEMENTED - Runtime process snapshot collection for Java classpath, .NET assemblies, and PHP autoload paths, providing runtime-observed library inventories that feed into SBOM reconciliation. - Modules: `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/` - Sprint: SPRINT_0420_0001_0001_zastava_hybrid_gaps.md - [x] **Progressive Fidelity Scan Mode (Quick/Standard/Deep)** - Status: IMPLEMENTED - Allows users to select scan depth (Quick/Standard/Deep) with a FidelityAwareAnalyzer that adjusts analysis precision and an upgrade endpoint to promote results to higher fidelity. Distinct from "Tiered Scanner Precision" which describes imported/executed/tainted-sink PR-AUC tiers -- this is about user-selectable scan depth modes. - Modules: `src/Scanner/` - Sprint: SPRINT_7000_0004_0001_progressive_fidelity.md - [x] **Proof Bundle API for Exploit Paths** - Status: IMPLEMENTED - REST API (GET /triage/paths/{pathId}/proof) returning complete proof bundles aggregating reachability subgraph (nodes + edges), symbol map with source locations, VEX claims with trust scores, and computed bundle digest for integrity. Export endpoint for JSON file download. - Modules: `src/Scanner/` - Sprint: SPRINT_3900_0003_0001_exploit_path_inbox_proof_bundles.md - [x] **Reachability Mini-Map Visualization API** - Status: IMPLEMENTED - Extracts a compact mini-map from full reachability graphs, providing a simplified topological view (MiniMapNode, MiniMapPath models) for quick visual orientation. Distinct from existing "Reachability Subgraph Extraction" which is about proof-of-exposure, not UI visualization. 
- Modules: `src/Scanner/` - Sprint: SPRINT_7000_0003_0002_reachability_minimap_api.md - [x] **Reachability Slice DSSE Predicate (Attestable Minimal Subgraph)** - Status: IMPLEMENTED - Defines attestable reachability slices as DSSE predicates (`stellaops.dev/predicates/reachability-slice@v1`) containing minimal subgraphs for specific CVE queries. Includes slice extraction from full call graphs, DSSE signing with CAS storage, and verdict computation (reachable/unreachable/unknown with confidence scores). - Modules: `src/Scanner/` - Sprint: SPRINT_3810_0001_0001_cve_symbol_mapping_slice_format.md - [x] **Runtime Observation Record** - Status: IMPLEMENTED - RuntimeObservation record wrapping RuntimeCallEvent with observation count, stack sample hash, container/process context, and source type (tetragon/otel/profiler/tracer), with PostgreSQL persistence. - Modules: `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/` - Sprint: SPRINT_20260118_015_Scanner_runtime_witness_model.md - [x] **Runtime Timeline API** - Status: IMPLEMENTED - Provides a chronological timeline of runtime observations (RuntimeTimeline model, TimelineBuilder, RuntimePosture enum) with an API endpoint. Distinct from "Runtime Reachability Collection" which is about gathering data, not the timeline visualization API. - Modules: `src/Scanner/`, `src/Findings/` - Sprint: SPRINT_7000_0003_0003_runtime_timeline_api.md - [x] **Runtime-Static SBOM Reconciliation** - Status: IMPLEMENTED - Reconciles runtime process snapshots (from /proc filesystem) against static SBOM analysis to identify discrepancies between declared and actually-loaded libraries. Detects ghost libraries (loaded at runtime but missing from SBOM) and phantom libraries (in SBOM but not loaded). 
- Modules: `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/` - Sprint: SPRINT_0420_0001_0001_zastava_hybrid_gaps.md - [x] **Runtime-to-Static Graph Merge Algorithm** - Status: IMPLEMENTED - Merges runtime observations with static call graphs, marking existing edges as "observed" with confidence boost to 1.0, and adding new edges for dynamic dispatch paths discovered at runtime. - Modules: `src/Scanner/` - Sprint: SPRINT_3840_0001_0001_runtime_trace_merge.md - [x] **SBOM Dependency Reachability Inference (Scanner-Integrated)** - Status: IMPLEMENTED - Scanner pipeline stage that infers reachability for SBOM components by combining dependency graph analysis with reach-graph call-graph data, producing dependency-level reachability reports with conditional analysis. Distinct from the known "Reachability Core Library" and "Call Graph Construction" features which focus on function-level call graphs; this performs SBOM-component-level dependency reachability inference as a scanner stage. - Modules: `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/`, `src/Scanner/StellaOps.Scanner.Worker/Processing/Reachability/` - Sprint: SPRINT_20260119_022_Scanner_dependency_reachability.md - [x] **SBOM Source Trigger Dispatch Service (Webhook + Scheduler + Retry)** - Status: IMPLEMENTED - Trigger dispatcher routing events to 4 source-type handlers, webhook endpoints supporting 8+ registry types (Harbor, DockerHub, ACR, ECR, GCR, GHCR, Gitea, Quay), scheduler integration for periodic scans, and retry logic with exponential backoff. 
- Modules: `src/Scanner/__Libraries/StellaOps.Scanner.Sources/` - Sprint: SPRINT_1229_002_BE_sbom-sources-triggers.md - [x] **SBOM Sources Manager Backend (Domain + REST API + Persistence)** - Status: IMPLEMENTED - Unified SBOM Sources Manager with domain models (SbomSource, SbomSourceRun), PostgreSQL persistence, 12 REST API endpoints, AuthRef credential management, and 4 source type handlers (Zastava, Docker, CLI, Git) with connection testing. - Modules: `src/Scanner/__Libraries/StellaOps.Scanner.Sources/` - Sprint: SPRINT_1229_001_BE_sbom-sources-foundation.md - [x] **Semantic Entrypoint Engine** - Status: IMPLEMENTED - Classifies entrypoints with semantic meaning (ApplicationIntent, CapabilityClass flags, ThreatVector, DataFlowBoundary) to enable risk-aware prioritization beyond pure reachability. Includes per-language semantic adapters for Python, Java, Node, .NET, and Go. - Modules: `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/` - Sprint: SPRINT_0411_0001_0001_semantic_entrypoint_engine.md - [x] **Slice Query and Replay REST APIs** - Status: IMPLEMENTED - REST API for on-demand reachability slice generation (POST /api/slices/query), retrieval by digest (GET /api/slices/{digest}), and byte-for-byte replay verification (POST /api/slices/replay) with detailed diff output on mismatch. Includes in-memory slice cache with configurable TTL. - Modules: `src/Scanner/` - Sprint: SPRINT_3820_0001_0001_slice_query_replay_apis.md - [x] **Speculative Execution Engine (Shell Script Symbolic Execution)** - Status: IMPLEMENTED - Symbolic execution engine for shell scripts that enumerates all possible execution paths through entrypoint scripts (Dockerfile CMD/ENTRYPOINT), tracking symbolic variable states and branch conditions to determine all reachable terminal states with confidence scoring. 
- Modules: `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Speculative/` - Sprint: SPRINT_0413_0001_0001_speculative_execution_engine.md - [x] **Suppression Witness Proof Model (DSSE-Signable Not-Affected Evidence)** - Status: IMPLEMENTED - A DSSE-signable proof model documenting why a vulnerability is NOT exploitable (unreachable code, linker GC, feature flag off, patched symbol, gate blocked, etc.). Complements PathWitness which documents why code IS reachable. Includes 10 suppression types and content-addressed witness IDs. - Modules: `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/` - Sprint: SPRINT_20260106_001_002_SCANNER_suppression_proofs.md - [x] **Surface-Aware Reachability Analysis with Confidence Tiers** - Status: IMPLEMENTED - Reachability analysis that factors in attack surface boundaries (HTTP, gRPC, internal) and classifies findings into confidence tiers (Confirmed, Likely, Present, Unreachable), providing structured boundary proof extraction from multiple sources (rich graph, gateway config, K8s network policies, IaC). - Modules: `src/Scanner/` - Sprint: SPRINT_3700_0004_0001_reachability_integration.md - [x] **Threat Vector Inference and Capability Detection** - Status: IMPLEMENTED - Automated inference of threat vectors from entrypoint characteristics, capability detection (network, file system, crypto, IPC), and data flow boundary mapping for security surface assessment. - Modules: `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/` - Sprint: SPRINT_0411_0001_0001_semantic_entrypoint_engine.md - [x] **Trace Retention and Pruning Manager** - Status: IMPLEMENTED - Manages runtime trace lifecycle with configurable retention periods (default 30 days), automatic pruning of old traces while preserving those referenced by active slices, trace aggregation, and storage quota enforcement. 
- Modules: `src/Scanner/` - Sprint: SPRINT_3840_0001_0001_runtime_trace_merge.md - [x] **Version Comparison Explainability UX ("Why Fixed/Vulnerable" Popover)** - Status: IMPLEMENTED - UI explainability for distro version comparisons: "Compared With" badge showing which comparator (RPM EVR, dpkg, APK, SemVer) was used, and "Why Fixed/Vulnerable" popover showing step-by-step comparison proof lines (epoch, upstream, revision). Version comparators emit human-readable proof lines showing each comparison step. - Modules: `src/Scanner/`, `src/Concelier/`, `src/Web/` - Sprint: SPRINT_4000_0002_0001_backport_ux.md - [x] **Third-Party Scanner Output Ingestion (Syft/Grype/Trivy/Clair/Xray Compatibility)** - Status: IMPLEMENTED - CycloneDX, SPDX, and SLSA provenance parsers enable ingesting outputs from third-party scanners. VEX normalization and SBOM comparison/round-trip tests ensure compatibility with standard formats used by Syft, Grype, Trivy, and other tools. - Modules: `src/Attestor, src/VexLens, src/__Tests` - [x] **Zero-Day Window Tracking** - Status: IMPLEMENTED - Tracks the exposure window between vulnerability disclosure and remediation application, providing metrics on mean-time-to-remediate and zero-day exposure duration per artifact. - Modules: `src/` - Sprint: SPRINT_3850_0001_0001_competitive_gap_closure.md - [x] **Bug ID to CVE Mapping in Changelog Parsing** - Status: IMPLEMENTED - Regex-based extraction of bug tracker references (Debian "Closes: #123456", RHBZ#123456, Launchpad "LP: #123456") from changelogs, with cross-reference to CVE IDs for Tier 2 backport evidence. 
- Sprint: SPRINT_20251230_001_BE_backport_resolver_tiered_evidence.md - [x] **Bun Language Analyzer** - Status: IMPLEMENTED - Full language analyzer for the Bun JavaScript runtime including bun.lockb binary lockfile parser, installed package collector, workspace/monorepo support, scope classification (dev/prod/peer), symlink safety checks, CLI verbs, and WebService endpoints for Worker integration. - Sprint: SPRINT_0139_0001_0001_scanner_bun.md - [x] **Canonical Node-Hash and Path-Hash Recipes for Reachability** - Status: IMPLEMENTED - Canonical node-hash (PURL/symbol normalization + SHA-256) and path-hash (top-K selection + PathFingerprint) recipes for deterministic static/runtime evidence joins. Extended PathWitness, RichGraph, SARIF export with hash fields. - Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash.md - [x] **CBOM Cryptographic Bill of Materials Analysis with Post-Quantum Readiness Assessment** - Status: IMPLEMENTED - Scanner analyzes cryptographic assets declared in CycloneDX CBOM (cryptoProperties), detects weak/deprecated algorithms, enforces crypto compliance policies (FIPS 140-2/3, PCI-DSS, NIST), inventories all crypto assets, and assesses post-quantum readiness with a dedicated PostQuantumAnalyzer. - Sprint: SPRINT_20260119_017_Scanner_cbom_crypto_analysis.md - [x] **Composition Recipe API for SBOM Determinism Verification** - Status: IMPLEMENTED - API endpoint (GET /scans/{id}/composition-recipe) that exposes the SBOM composition recipe with Merkle root and layer digest verification, enabling downstream verification that SBOMs are deterministically composed from layer fragments. 
- Sprint: SPRINT_20260106_003_001_SCANNER_perlayer_sbom_api.md - [x] **Derivative Distro Mapping for Backport Detection** - Status: IMPLEMENTED - Cross-distro OVAL/CSAF mapping that enables fetching backport rules from derivative distros (RHEL->Alma/Rocky/CentOS, Ubuntu->LinuxMint/Pop!_OS, Debian->Ubuntu) with confidence penalty multipliers (0.95x for same-major, 0.80x for cross-family). - Sprint: SPRINT_20251230_001_BE_backport_resolver_tiered_evidence.md - [x] **Ecosystem-Specific Version Comparator Factory** - Status: IMPLEMENTED - Factory-pattern integration of RPM, DEB, and APK version comparators into BackportStatusService, replacing string.Compare() with proper epoch-aware, tilde-aware version comparison logic. - Sprint: SPRINT_20251230_001_BE_backport_resolver_tiered_evidence.md - [x] **EPSS Change Events for Reanalysis Triggers** - Status: IMPLEMENTED - Deterministic EPSS change events with per-CVE deltas, priority bands, idempotent event IDs, and scan manifests extended with tool versions and evidence digests for policy fingerprinting. - Sprint: SPRINT_20260112_005_SCANNER_epss_reanalysis_events.md - [x] **Gated Triage Contracts (Quiet-by-Design Backend)** - Status: IMPLEMENTED - Backend contracts for Quiet-by-Design Triage that expose why findings are hidden by default (unreachable, policy_dismissed, backported, vex_not_affected) with links to evidence artifacts and gated bucket count summaries in bulk queries. - Sprint: SPRINT_9200_0001_0001_SCANNER_gated_triage_contracts.md - [x] **Java Dependency Scope Classification** - Status: IMPLEMENTED - Classifies Java dependencies into compile, test, provided, runtime, and system scopes from Maven/Gradle declarations, enabling scope-aware SBOM generation and reachability filtering. 
- Sprint: SPRINT_0140_0001_0001_scanner_java_enhancement.md - [x] **Java Gradle Build File Parsing (Groovy/Kotlin/TOML)** - Status: IMPLEMENTED - Parses Gradle build files in three DSL formats (Groovy build.gradle, Kotlin build.gradle.kts, TOML version catalogs libs.versions.toml) to extract declared dependencies, plugins, and version constraints. - Sprint: SPRINT_0140_0001_0001_scanner_java_enhancement.md - [x] **Java License Metadata with SPDX Normalization** - Status: IMPLEMENTED - Extracts license metadata from Maven POM license blocks, Gradle metadata, and JAR META-INF/LICENSE files, normalizing free-text license names to SPDX expression identifiers. - Sprint: SPRINT_0140_0001_0001_scanner_java_enhancement.md - [x] **Java Lockfile Collector and CLI Validator** - Status: IMPLEMENTED - Collects and validates Java dependency lockfiles (Gradle lockfile, Maven dependency:tree output) providing a CLI-accessible integrity check for pinned dependency versions. - Sprint: SPRINT_0137_0001_0001_scanner_gap_design.md (designed), SPRINT_0140 (implemented) - [x] **Java Maven Parent POM Resolution with Property Interpolation** - Status: IMPLEMENTED - Resolves Maven parent POM inheritance chains and interpolates ${property} placeholders in version, groupId, and artifactId fields across the effective POM hierarchy. - Sprint: SPRINT_0140_0001_0001_scanner_java_enhancement.md - [x] **Java Multi-Version Conflict Detection** - Status: IMPLEMENTED - Detects version conflicts where multiple versions of the same groupId:artifactId appear in the resolved dependency tree, flagging Maven nearest-wins and Gradle forced-version resolutions. - Sprint: SPRINT_0140_0001_0001_scanner_java_enhancement.md - [x] **Java OSGi Bundle Manifest Parsing** - Status: IMPLEMENTED - Parses OSGi bundle MANIFEST.MF headers (Bundle-SymbolicName, Import-Package, Export-Package, Require-Bundle) to discover embedded dependencies and version ranges in Eclipse/Karaf/Felix deployments. 
- Sprint: SPRINT_0140_0001_0001_scanner_java_enhancement.md - [x] **Java Shaded/Shadow JAR Detection** - Status: IMPLEMENTED - Detects Maven Shade plugin and Gradle Shadow plugin fat/uber JARs by analyzing relocated packages, service-provider rewrites, and embedded dependency manifests to attribute inner components. - Sprint: SPRINT_0140_0001_0001_scanner_java_enhancement.md - [x] **macOS Bundle Inspector with Capability Overlays** - Status: IMPLEMENTED - Inspects macOS .app/.framework bundles, parsing Info.plist for metadata and entitlements for security capability analysis (sandbox, hardened runtime, network access flags). - Sprint: SPRINT_0136_0001_0001_scanner_surface.md - [x] **macOS Homebrew Package Analyzer** - Status: IMPLEMENTED - OS-level analyzer that discovers Homebrew-installed packages by parsing Cellar receipts, producing SBOM components with version, tap source, and installed-on-request metadata. - Sprint: SPRINT_0132_0001_0001_scanner_surface.md (phase III scope, but realized in Sprint 0136 tasks) - [x] **macOS pkgutil Receipt Analyzer** - Status: IMPLEMENTED - Parses macOS pkgutil receipt database and BOM files to discover Apple installer packages, producing SBOM components with package identifier, version, and installed volume. - Sprint: SPRINT_0136_0001_0001_scanner_surface.md - [x] **OCI Image Inspector Service (IOciImageInspector)** - Status: IMPLEMENTED - Service for inspecting OCI images including multi-arch manifest resolution, layer enumeration, platform detection, and digest extraction without pulling full image content. 
- Sprint: SPRINT_20260113_002_001_SCANNER_image_inspector_service.md - [x] **Per-Layer SBOM Export API** - Status: IMPLEMENTED - Per-layer SBOMs stored as individual CAS artifacts with API endpoints to retrieve layer-specific SBOMs (GET /scans/{id}/layers, GET /scans/{id}/layers/{digest}/sbom with format param), content negotiation, immutable caching (ETag, Cache-Control), and CLI commands (stella scan layer-sbom, stella scan recipe). - Sprint: SPRINT_20260106_003_001_SCANNER_perlayer_sbom_api.md - [x] **Python egg-info and Editable Install Support** - Status: IMPLEMENTED - Extends Python analyzer to discover packages installed via legacy egg-info metadata format and pip editable installs (pip install -e), which lack standard dist-info directories. - Sprint: SPRINT_0146_0001_0001_scanner_analyzer_gap_close.md - [x] **Reachability Trace Export Endpoint with Runtime Evidence Overlays** - Status: IMPLEMENTED - New trace export endpoint (GET /scans/{scanId}/reachability/traces/export) that exports reachability graphs in JSON-Lines or GraphSON format. Includes runtime-confirmed edge flags, reachability scores (0-1), evidence URIs, and SARIF relatedLocations references. Uses StellaOps.Canonical.Json for deterministic content digests. Runtime annotations are overlays only, preserving lattice semantics. - Sprint: SPRINT_20260112_004_SCANNER_reachability_trace_runtime_evidence.md - [x] **Remediation PR Generator (Deterministic PR/MR Creation)** - Status: IMPLEMENTED - Deterministic PR/MR generation with template sections (summary, steps, SBOM changes, test requirements, rollback steps, VEX claim, evidence), actual SCM branch creation and file updates, and remediation apply endpoint returning PR metadata. 
  - Sprint: SPRINT_20260112_007_BE_remediation_pr_generator.md
- [x] **Reproducible Rebuild Service (reproduce.debian.net Integration)**
  - Status: IMPLEMENTED
  - Integration with reproduce.debian.net for reproducible rebuild verification, with local rebuild backend and determinism validator. Enables binary identity verification by comparing rebuilt binaries against published ones. Distinct from the known "Reproducible build verification" feature, which is a high-level concept; this is the concrete service implementation.
  - Sprint: batch_37/file_16.md
- [x] **RPM Legacy BDB Packages Database Fallback**
  - Status: IMPLEMENTED
  - Adds fallback support for legacy Berkeley DB (BDB) format RPM package databases alongside the modern SQLite format, enabling package discovery on older RHEL/CentOS images.
  - Sprint: SPRINT_0146_0001_0001_scanner_analyzer_gap_close.md
- [x] **Scanner PR/MR Evidence Annotations (Webhook-Driven)**
  - Status: IMPLEMENTED
  - Webhook-driven PR/MR annotation generation with evidence anchors (attestation digest, policy verdict, verify command), ASCII-only output, and posting via SCM annotation clients with retry/backoff.
  - Sprint: SPRINT_20260112_007_SCANNER_pr_mr_annotations.md
- [x] **Secret Detection Tenant Configuration API**
  - Status: IMPLEMENTED
  - Per-tenant secret detection configuration with SecretRevelationPolicy (FullMask/PartialReveal/AuditOnly), exception allowlist patterns, enabled rule categories, and CRUD API endpoints with OpenAPI specs. Includes EF Core/Dapper persistence.
  - Sprint: SPRINT_20260104_006_BE_secret_detection_config_api.md
- [x] **Service Endpoint Security Analysis (Scanner)**
  - Status: IMPLEMENTED
  - Scanner analyzes service endpoints declared in CycloneDX 1.7 SBOMs for security issues including missing authentication, trust boundary violations, and unsafe data flows. Produces a ServiceSecurityReport with findings and dependency chains.
  - Sprint: SPRINT_20260119_016_Scanner_service_endpoint_security.md
- [x] **Signed SBOM Archive Format (SignedSbomArchiveBuilder)**
  - Status: IMPLEMENTED
  - Service for building signed SBOM archive bundles (tar.gz with DSSE envelope, SBOM document, and Rekor receipt) suitable for offline transfer and air-gapped verification.
  - Sprint: SPRINT_20260112_016_SCANNER_signed_sbom_archive_spec.md
- [x] **Surface.Env Strongly-Typed Environment Accessors**
  - Status: IMPLEMENTED
  - Strongly-typed environment variable accessor layer for scanner surfaces, replacing raw `Environment.GetEnvironmentVariable` calls with validated, documented, and testable environment bindings.
  - Sprint: SPRINT_0136_0001_0001_scanner_surface.md
- [x] **Surface.FS File Manifest Store**
  - Status: IMPLEMENTED
  - Persistent manifest store for scanner surface state, providing content-addressed caching of file system facets (layers, mounts, rootfs entries) with seal extraction for deterministic replay.
  - Sprint: SPRINT_0136_0001_0001_scanner_surface.md
- [x] **Surface.Secrets Provider Chain**
  - Status: IMPLEMENTED
  - Pluggable secret provider chain with backends for Kubernetes mounted secrets, file-based secrets, and offline credential stores. Provides typed handles for attestation signing keys, CAS tokens, and registry credentials.
  - Sprint: SPRINT_0136_0001_0001_scanner_surface.md
- [x] **Surface.Validation Framework**
  - Status: IMPLEMENTED
  - Preflight validation framework for scanner surfaces, allowing validators to check secrets availability, environment correctness, and required capabilities before scan execution.
  - Sprint: SPRINT_0136_0001_0001_scanner_surface.md
- [x] **Unified Evidence Endpoint (Single API for Complete Evidence Panel)**
  - Status: IMPLEMENTED
  - Single API endpoint that returns all evidence tabs for a finding in one call (replacing 6 separate API calls). Includes manifest hashes for determinism verification, green/red verification status, and evidence bundle download as ZIP/TAR.
  - Sprint: SPRINT_9200_0001_0002_SCANNER_unified_evidence_endpoint.md
- [x] **VEX-First Gating Service (Pre-Triage Filter)**
  - Status: IMPLEMENTED
  - Pre-triage VEX gating service that filters vulnerability findings before they reach the triage queue. Gate decisions (Pass/Warn/Block) with 4 default rules (block-exploitable-reachable, warn-high-not-reachable, pass-vendor-not-affected, pass-backport-confirmed). Includes a caching observation provider, performance benchmarks, scan pipeline stage integration, bypass for emergency scans, and audit logging.
  - Sprint: SPRINT_20260106_003_002_SCANNER_vex_gate_service.md
- [x] **Windows Chocolatey Package Analyzer**
  - Status: IMPLEMENTED
  - Discovers Chocolatey-installed packages by parsing .nuspec files in the Chocolatey lib directory, producing SBOM components with id, version, license URL, and dependency chains.
  - Sprint: SPRINT_0136_0001_0001_scanner_surface.md
- [x] **Windows WinSxS Manifest Analyzer**
  - Status: IMPLEMENTED
  - Parses Windows Side-by-Side (WinSxS) assembly manifests to discover shared system components, extracting assembly identity, version, processor architecture, and public key token.
  - Sprint: SPRINT_0136_0001_0001_scanner_surface.md
- [x] **Yarn PnP Cache Package Parsing**
  - Status: IMPLEMENTED
  - Parses Yarn Plug'n'Play cache files (.pnp.cjs, .pnp.data.json) to discover installed packages in zero-install Yarn workspaces where traditional node_modules directories do not exist.
  - Sprint: SPRINT_0146_0001_0001_scanner_analyzer_gap_close.md
- [x] **Scanner Multi-Language License Detection Framework**
  - Status: IMPLEMENTED
  - Comprehensive license detection framework with an SPDX expression categorization service, license text extraction from source files, copyright notice extraction, per-language detectors (Python, Java, Go, Rust, JavaScript, .NET), and an aggregation service that merges results across analyzers. No direct match in the known features list.
  - Sprint: batch_37/file_24.md

### Scheduler (3 features)

- [x] **Scheduler Exception Lifecycle Worker**
  - Status: IMPLEMENTED
  - Background worker that monitors exception expiries and triggers policy re-evaluation when exceptions lapse, enforcing time-bounded risk acceptance.
  - Modules: `src/Scheduler/`
  - Sprint: SPRINT_0155_0001_0001_scheduler_i.md
- [x] **Scheduler ImpactIndex and Surface.FS Pointers**
  - Status: IMPLEMENTED
  - ImpactIndex computation for prioritizing scheduled vulnerability evaluations, with Surface.FS pointers linking scheduler jobs to filesystem-level SBOM surface data for efficient incremental rescans.
  - Modules: `src/Scheduler/`
  - Sprint: SPRINT_0155_0001_0001_scheduler_i.md
- [x] **Scheduler Graph Job DTOs (GraphBuildJob/GraphOverlayJob)**
  - Status: IMPLEMENTED
  - New graph-specific job contracts (GraphBuildJob, GraphOverlayJob) with state machine enforcement, metadata fields, and event schemas for coordinating graph build/overlay operations between the Scheduler and the Cartographer/Graph services.
  - Sprint: 2025-10-26-scheduler-graph-jobs.md

### Sdk (1 feature)

- [x] **SDK Generator Toolchain (Multi-Language)**
  - Status: IMPLEMENTED
  - Multi-language SDK generator toolchain producing typed API clients in TypeScript, Python, Go, and Java from OpenAPI specifications, with postprocessing, release pipelines, and offline bundle support.
  - Modules: `src/Sdk/`
  - Sprint: SPRINT_0208_0001_0001_sdk.md

### Signals (18 features)

- [x] **Binary-level call-graph extraction and symbol graph construction**
  - Status: IMPLEMENTED
  - Call-graph ingestion, normalization, and parsing services exist for processing binary call targets into normalized graph structures.
  - Modules: `src/Signals`
- [-] **eBPF Runtime Signal Integration**
  - Status: PARTIALLY_IMPLEMENTED
  - eBPF signals library project exists with probe, parser, and enrichment infrastructure. Runtime signal ingestion is connected to the Unknowns module. The advisory flagged this as optional/LOW priority, and the structure suggests it is in progress but may not be fully production-ready.
  - Modules: `src/Signals, src/Unknowns`
- [-] **Evidence TTL and staleness policy**
  - Status: PARTIALLY_IMPLEMENTED
  - Retention options and lifecycle services exist for evidence expiry, but the advisory noted the TTL strategy at 50% coverage.
  - Modules: `src/Signals, src/Unknowns`
- [x] **Relational Call-Graph PostgreSQL Schema**
  - Status: IMPLEMENTED
  - PostgreSQL migration scripts define relational tables for call-graph data storage.
  - Modules: `src/Signals`
- [x] **Runtime Agent Framework**
  - Status: IMPLEMENTED
  - Full runtime agent framework with IRuntimeAgent interface, .NET EventPipe agent, CLR method resolution, agent registration, health/heartbeat, runtime method events, and facts ingestion is implemented.
  - Modules: `src/Signals`
- [x] **Runtime Reachability Collection**
  - Status: IMPLEMENTED
  - Runtime collection via .NET EventPipe agent with method-level tracing and facts ingestion is implemented.
  - Modules: `src/Signals`
- [-] **Runtime trace merge (eBPF/ETW observed edges)**
  - Status: PARTIALLY_IMPLEMENTED
  - Runtime facts ingestion and provenance normalization exist, but full eBPF/ETW trace integration appears to be at the synthetic probe level rather than production-grade runtime tracing.
  - Modules: `src/Signals`
- [x] **SBOM-to-symbol component reachability mapping**
  - Status: IMPLEMENTED
  - SBOM correlation and function-level proof linking services map symbols to SBOM components and generate reachability facts.
  - Modules: `src/Signals`
- [x] **Additive Score Explanation Service**
  - Status: IMPLEMENTED
  - Service that generates human-readable additive risk score breakdowns showing exactly how CVSS base score, reachability bucket, exposure surface type, and auth gate discounts contribute to a finding's total 0-100 risk score, with configurable weights.
  - Modules: `src/Signals/`
  - Sprint: SPRINT_3800_0001_0002_score_explanation_service.md
- [x] **Nightly Unknowns Decay Batch Worker**
  - Status: IMPLEMENTED
  - Scheduled background worker that runs nightly to apply exponential confidence decay to unknown/unresolved findings, automatically reducing their priority scores over time based on configurable decay curves and age thresholds.
  - Modules: `src/Signals/`
  - Sprint: SPRINT_3601_0001_0001_unknowns_decay_algorithm.md
- [x] **SCM/CI Webhook Connector Service (Signals Module)**
  - Status: IMPLEMENTED
  - Complete SCM/CI webhook connector subsystem in the Signals module with provider-specific webhook signature validators (GitHub HMAC-SHA256, GitLab token, Gitea HMAC), event mappers normalizing repo/pipeline/artifact events into NormalizedScmEvent, and a trigger service dispatching scan/SBOM triggers to the Orchestrator. Supports GitHub, GitLab, and Gitea with extensible IWebhookSignatureValidator and IScmEventMapper interfaces.
  - Modules: `src/Signals/`
  - Sprint: SPRINT_20251229_013_SIGNALS_scm_ci_connectors.md
- [-] **Tier 5 Runtime Trace Evidence (eBPF Production-Grade)**
  - Status: PARTIALLY_IMPLEMENTED
  - Explicitly listed as future work in the advisory. eBPF-based function call tracing for runtime backport detection was not implemented at production grade. eBPF probe infrastructure exists in `src/Signals/__Libraries/StellaOps.Signals.Ebpf/` and `src/Zastava/` but is early-stage/experimental, not the production-grade Tier 5 described. eBPF Runtime Signal Integration exists but is not production-ready.
  - Modules: `src/Signals, src/Unknowns, src/Zastava`
- [x] **Runtime Node-Hash Evidence in Signals**
  - Status: IMPLEMENTED
  - Runtime signal schemas extended with node-hash inputs, call-stack digests, and path hashes for deterministic joins with static reachability evidence.
  - Sprint: SPRINT_20260112_005_SIGNALS_runtime_nodehash.md
- [x] **Signal State Attachment for CVE Observations (Feedser/VexLens/Graph/Findings Integration)**
  - Status: IMPLEMENTED
  - Backend integration wiring the Determinization subsystem: Feedser attaches SignalState with query status, VexLens emits SignalUpdatedEvent on VEX changes, Graph nodes carry ObservationState/UncertaintyScore/GuardRails, and Findings persists observation lifecycle with state transitions.
  - Sprint: SPRINT_20260106_001_004_BE_determinization_integration.md
- [x] **Signals Callgraph Ingestion with Content-Addressed Storage**
  - Status: IMPLEMENTED
  - Callgraph normalization pipeline accepting Java/Node/Python/Go call-graph formats, normalizing to canonical symbol representation, and storing with content-addressed identifiers for deterministic replay.
  - Sprint: SPRINT_0143_0001_0001_signals.md
- [x] **Signals Reachability Scoring Service**
  - Status: IMPLEMENTED
  - Reachability scoring service that computes evidence-weighted scores from callgraph facts, runtime observations, and AOC provenance data, with lattice-based merge logic and unified score facade.
  - Sprint: SPRINT_0143_0001_0001_signals.md
- [x] **Signals Router Transport**
  - Status: IMPLEMENTED
  - Event routing transport layer for signals enabling alternative message delivery paths beyond Redis, supporting pluggable transport backends for fact propagation.
  - Sprint: SPRINT_0143_0001_0001_signals.md
- [ ] **Tier 5 Runtime Trace Evidence (eBPF)**
  - Status: NOT_FOUND
  - Explicitly listed as future work in the advisory. eBPF-based function call tracing for runtime backport detection was not implemented.

### Signer (6 features)

- [x] **Fulcio/Sigstore Keyless Signing Client**
  - Status: IMPLEMENTED
  - Fulcio-based keyless signing using OIDC tokens from CI runners, ephemeral key pairs, short-lived X.509 certificates, DSSE signing, and certificate chain validation. Tests exist for all components.
  - Modules: `src/Signer`
- [x] **Key Rotation Service with Temporal Validity**
  - Status: IMPLEMENTED
  - Automated key rotation service with temporal key validity windows, key history tracking (key_history and key_audit_log tables), trust anchor management with PURL pattern matching, and CLI commands for key lifecycle operations. Ensures proof verification uses the correct key for the attestation timestamp.
  - Modules: `src/Signer/__Libraries/StellaOps.Signer.KeyManagement/`
  - Sprint: SPRINT_0501_0008_0001_proof_chain_key_rotation.md
- [x] **CI/CD Keyless Signing Workflow Templates (GitHub/GitLab/Gitea)**
  - Status: IMPLEMENTED
  - Production-ready reusable CI/CD workflow templates for keyless signing integration across GitHub Actions (stellaops-sign.yml, stellaops-verify.yml), GitLab CI (.gitlab-ci-stellaops.yml), and Gitea. Enables zero-configuration OIDC-based keyless signing with identity verification gates and cross-platform signature verification.
  - Sprint: SPRINT_20251226_004_BE_cicd_signing_templates.md
- [x] **Dual-Control Signing Ceremonies (M-of-N Threshold)**
  - Status: IMPLEMENTED
  - Orchestrator for M-of-N threshold signing ceremonies requiring multiple authorized participants to approve key operations, with API endpoints for ceremony initiation, participant enrollment, share submission, and ceremony completion.
  - Sprint: SPRINT_20260112_018_SIGNER_dual_control_ceremonies.md
- [x] **Shamir Secret Sharing Key Escrow**
  - Status: IMPLEMENTED
  - Key escrow system using Shamir's Secret Sharing over GF(256) to split signing keys into M-of-N shares distributed to escrow agents, with ceremony-authorized recovery requiring quorum approval.
  - Sprint: SPRINT_20260112_018_CRYPTO_key_escrow_shamir.md
- [x] **TUF Client for Trust Root Management**
  - Status: IMPLEMENTED
  - Full TUF (The Update Framework) client implementation for secure trust root management, including root rotation, timestamp verification, target hash validation, cached state management, and offline mode support. Provides the foundation for Sigstore trust root bootstrapping.
  - Sprint: batch_38/file_08.md

### SmRemote (1 feature)

- [x] **SM Remote Crypto Service**
  - Status: IMPLEMENTED
  - Dedicated remote service for Chinese SM2/SM3/SM4 cryptographic operations, running as an independent microservice.
  - Modules: `src/SmRemote`

### TaskRunner (7 features)

- [x] **Pack Run Approval Gates**
  - Status: IMPLEMENTED
  - Approval gate system for task packs with coordinator, decision service, state tracking, and gate state updating.
  - Modules: `src/TaskRunner`
- [x] **Pack Run Evidence and Provenance**
  - Status: IMPLEMENTED
  - Evidence capture and provenance writing for pack runs, including an attestation service for DSSE-signed provenance records.
  - Modules: `src/TaskRunner`
- [x] **Pack Run Execution Engine**
  - Status: IMPLEMENTED
  - Full execution engine with graph-based execution planning, step state machine, and processor for running task packs.
  - Modules: `src/TaskRunner`
- [x] **Sealed-Mode Install Enforcer (Air-Gap Support)**
  - Status: IMPLEMENTED
  - Enforcer for sealed/air-gap mode that ensures task pack installations comply with offline constraints and logs all install actions for audit.
  - Modules: `src/TaskRunner`
- [x] **TaskPack Manifest and Planning**
  - Status: IMPLEMENTED
  - Full task pack manifest system with loading, validation, planning, and plan hashing for deterministic execution verification.
  - Modules: `src/TaskRunner`
- [x] **TaskRunner Loop and Conditional Step Kinds**
  - Status: IMPLEMENTED
  - Extended TaskRunner execution engine with loop and conditional step types, enabling iterative and branching task execution patterns beyond simple sequential flows.
  - Modules: `src/TaskRunner/`
  - Sprint: SPRINT_0157_0001_0001_taskrunner_i.md
- [x] **TaskRunner SDK Client with OpenAPI**
  - Status: IMPLEMENTED
  - Auto-generated SDK client for TaskRunner APIs with OpenAPI spec, deprecation middleware, and versioned endpoint support for external integrators.
  - Modules: `src/TaskRunner/`
  - Sprint: SPRINT_0157_0001_0001_taskrunner_i.md

### Telemetry (9 features)

- [x] **Incident/Forensic Mode (High-Fidelity Sampling)**
  - Status: IMPLEMENTED
  - Incident/forensic mode service that enables high-fidelity (100%) sampling during security incidents for detailed investigation.
  - Modules: `src/Telemetry`
- [x] **Metric Label Analyzer (Static Analysis)**
  - Status: IMPLEMENTED
  - Roslyn-based analyzer that validates metric label usage at compile time to prevent telemetry cardinality issues.
  - Modules: `src/Telemetry`
- [x] **OpenTelemetry Integration**
  - Status: IMPLEMENTED
  - OpenTelemetry-based telemetry infrastructure with configurable options and custom exporters including TTE percentile exporter.
  - Modules: `src/Telemetry`
- [x] **Redacting Log Processor**
  - Status: IMPLEMENTED
  - Log processor that redacts sensitive data from telemetry output before export.
  - Modules: `src/Telemetry`
- [x] **Sealed-Mode Telemetry (Offline/Air-Gap)**
  - Status: IMPLEMENTED
  - Sealed-mode telemetry that writes to local files instead of external endpoints, supporting air-gapped environments.
  - Modules: `src/Telemetry`
- [x] **Telemetry Exporter Guard**
  - Status: IMPLEMENTED
  - Guard that prevents telemetry export to unauthorized endpoints, enforcing sealed-mode restrictions.
  - Modules: `src/Telemetry`
- [x] **Time-to-Evidence (TTE) metric instrumentation and percentile export**
  - Status: IMPLEMENTED
  - TTE metrics capture and percentile export are implemented in the Telemetry.Core library with DI registration support.
  - Modules: `src/Telemetry`
- [x] **P0 Product-Level Metrics and Dashboard**
  - Status: IMPLEMENTED
  - Four P0 product-level metrics instrumented: time-to-first-verified-release, mean-time-to-answer-why-blocked, support-minutes-per-customer, and determinism-regressions-total, with Prometheus alerting rules and install timestamp tracking service.
  - Modules: `src/Telemetry/`, `devops/telemetry/`
  - Sprint: SPRINT_20260117_028_Telemetry
- [x] **Telemetry Context Propagation Library**
  - Status: IMPLEMENTED
  - Shared telemetry context propagation library providing standardized trace/span ID injection, tenant context threading, and PII scrubbing across all platform services.
  - Modules: `src/Telemetry/`
  - Sprint: SPRINT_0174_0001_0001_telemetry.md

### Timeline (5 features)

- [x] **Immutable Audit Log (Timeline)**
  - Status: IMPLEMENTED
  - Immutable timeline audit log with a dedicated web service and indexer for recording all scan, attestation, and verdict events.
  - Modules: `src/Timeline, src/TimelineIndexer`
- [x] **Timeline Indexer Service**
  - Status: IMPLEMENTED
  - Dedicated service for ingesting, indexing, and querying timeline events across all platform modules, with Postgres-backed storage (RLS), REST APIs for event retrieval, and evidence linkage to correlate events with attestation artifacts.
  - Modules: `src/TimelineIndexer/`
  - Sprint: SPRINT_0165_0001_0001_timelineindexer.md
- [x] **Hybrid Logical Clock (HLC) Audit-Safe Job Queue Ordering**
  - Status: IMPLEMENTED
  - HLC-based global job ordering for distributed deployments, replacing wall-clock timestamps. Includes HLC core library (PhysicalTime+NodeId+LogicalCounter), Scheduler queue chain integration with chain-linked audit logs, offline merge protocol for air-gapped job synchronization with deterministic merge and conflict resolution, and cross-module integration tests.
  - Sprint: SPRINT_20260105_002_000_INDEX_hlc_audit_safe_ordering.md
- [x] **Timeline Replay API**
  - Status: IMPLEMENTED
  - REST API endpoints for querying and replaying HLC-ordered events: `GET /timeline/{correlationId}` with service/kind/HLC-range/pagination filters, critical path analysis endpoint, and integration with StellaOps.Replay.Core for deterministic replay at a specific HLC timestamp.
  - Sprint: SPRINT_20260107_003_002_BE_timeline_replay_api.md
- [x] **Unified Event Timeline Service**
  - Status: IMPLEMENTED
  - Cross-service event timeline with HLC-ordered events, deterministic event IDs (SHA-256 of `correlation_id+t_hlc+service+kind`), W3C Trace Context integration, PostgreSQL append-only storage with materialized critical-path views. Provides event SDK for Scheduler/AirGap/Attestor/Policy/VexLens integration, timeline query API with HLC range filtering, causal latency measurement, and forensic event export with DSSE attestation.
  - Sprint: SPRINT_20260107_003_000_INDEX_unified_event_timeline.md

### Tools (4 features)

- [x] **CI/CD Workflow Generator (Multi-Platform Pipeline Templates)**
  - Status: IMPLEMENTED
  - Generates CI/CD pipeline templates for GitHub Actions, GitLab CI, and Azure DevOps that integrate StellaOps scanning with automatic SARIF upload to code scanning platforms. Supports configurable triggers, scan options, and upload configurations.
  - Modules: `src/Tools/StellaOps.Tools.WorkflowGenerator/`
  - Sprint: SPRINT_20260109_010_003_AG_cicd_workflow_templates.md
- [x] **Golden Pairs Mirror and Diff Pipeline**
  - Status: IMPLEMENTED
  - Package mirror service to download pre/post-patch binary pairs from distro repos, and a diff pipeline service that runs section-hash diffing to produce golden diff reports for backport detection validation.
  - Modules: `src/Tools/GoldenPairs/`
  - Sprint: SPRINT_20260113_004_002
- [x] **Golden Pairs Validation Infrastructure**
  - Status: IMPLEMENTED
  - Data model for golden pair metadata, binary artifacts, and diff reports used to validate binary diff detection against known-good CVE fix pairs.
  - Modules: `src/Tools/GoldenPairs/`
  - Sprint: SPRINT_20260113_004_001
- [x] **Fixture Harvester Tool**
  - Status: IMPLEMENTED
  - CLI tool (harvest/validate/regen commands) for deterministic test fixture management. Supports tiered fixtures (Synthetic, Spec Examples, Real Samples, Regression), SHA-256 hash pinning, YAML manifests with schema versioning, and configurable refresh policies.
  - Sprint: SPRINT_COMPLETION_SUMMARY_20251229.md

### Uncategorized (6 features)

- [ ] **Outcome Analytics / Attribution**
  - Status: NOT_FOUND
  - The advisory's vision for outcome analytics with MTTR/MTTA attribution, cohort analysis, and executive reporting is not yet implemented.
- [ ] **Point-in-Time Vulnerability Query (As-Of Date)**
  - Status: NOT_FOUND
  - The ability to evaluate vulnerabilities against advisory data as of a specific historical date is not implemented. The replay system tracks inputs but does not provide temporal advisory queries.
- [ ] **CI Lint Hook for Implementor Guidelines**
  - Status: NOT_FOUND
  - The advisory called for a CI lint hook stub to enforce guidelines (e.g., docs-touched tagging, schema/versioning control). No automated enforcement tooling was found.
- [ ] **CLI and Web UI for Proof Inspection**
  - Status: NOT_FOUND
  - The advisory explicitly listed CLI commands (stellaops proof generate/verify) and web UI proof visualization panel as deferred to Sprint 7100.0004 (not started).
- [ ] **DORA Metrics**
  - Status: NOT_FOUND
  - No DORA metrics implementation found in the frontend or backend source code.
- [ ] **Proof-Market Ledger and Adaptive Trust Economics**
  - Status: NOT_FOUND
  - No implementation of a proof marketplace or adaptive trust economics model was found in the source code.

### Unknowns (3 features)

- [-] **Metrics for attestation coverage and time-to-evidence**
  - Status: PARTIALLY_IMPLEMENTED
  - Some metrics services exist but the advisory noted metrics coverage at only 30%.
  - Modules: `src/Unknowns, src/VexLens`
- [x] **Unknowns SLA Monitoring**
  - Status: IMPLEMENTED
  - SLA monitoring for unknowns tracking resolution timelines and health checks for unknown queue items.
  - Modules: `src/Unknowns`
- [x] **Structured Provenance Hints for Unknowns**
  - Status: IMPLEMENTED
  - Structured provenance hint system for unknown binaries/components with typed hints (BuildIdMatch, DebugLink, ImportTableFingerprint, ExportTableFingerprint, SectionLayout, CompilerSignature, DistroPattern, VersionString, SymbolPattern), confidence scoring, and hypothesis generation for resolution (e.g., "Binary matches distro build-ID, likely backport").
  - Sprint: SPRINT_20260106_001_005_UNKNOWNS_provenance_hints.md

### VexLens (7 features)

- [x] **Deterministic VEX Resolver with Lattice Merge**
  - Status: IMPLEMENTED
  - Full VEX consensus engine with lattice merge semantics, trust weight computation, and conflict resolution. Supports deterministic, commutative, idempotent, and associative merge operations.
  - Modules: `src/VexLens`
- [x] **Trust Decay / Freshness F(e) with Configurable Tau Values**
  - Status: IMPLEMENTED
  - Freshness decay with configurable tau values per source class, implementing the F(e) = exp(-delta_days/tau) formula described in the advisory.
  - Modules: `src/VexLens`
- [x] **Trust Weight Engine with Patch Verification**
  - Status: IMPLEMENTED
  - Trust weight engine with configurable weights and patch verification integration for elevated trust in backport-confirmed VEX statements.
  - Modules: `src/VexLens`
- [x] **VEX Consensus Engine**
  - Status: IMPLEMENTED
  - A multi-mode VEX consensus engine is implemented with trust-weighted scoring, conflict resolution, and persistence via dual-write consensus projection stores.
  - Modules: `src/VexLens`
- [x] **VEX merge explanation**
  - Status: IMPLEMENTED
  - Consensus rationale models and service expose the reasoning behind VEX merge decisions from the consensus engine.
  - Modules: `src/VexLens`
- [x] **VEX Source Trust Scoring (Confidence C(e) with Multi-Factor Scoring)**
  - Status: IMPLEMENTED
  - Multi-dimensional trust scoring with Authority, Accuracy, Timeliness, Coverage, and Verification component scores. Implements the Confidence C(e) factor from the advisory with source reputation, signature strength, and evidence quality dimensions.
  - Modules: `src/VexLens`
- [ ] **VexLens Truth Table Tests**
  - Status: NOT_FOUND
  - Systematic truth table tests for VEX lattice merge correctness. The VexLens engine exists but comprehensive truth table test coverage is missing.
  - Modules: `src/VexLens`

### VulnExplorer (1 feature)

- [x] **VulnExplorer Triage API**
  - Status: IMPLEMENTED
  - Backend API for the vulnerability triage workspace providing VEX decision endpoints, audit bundle creation, SPDX 3.0.1 data model integration, and triage workflow state management with evidence-linked decisions.
  - Modules: `src/VulnExplorer/`
  - Sprint: SPRINT_0215_0001_0001_vuln_triage_ux.md

### Web (188 features)

- [ ] **Advisory Lens UI (Lens Panel, Inline Hints, Playbook Drawer)**
  - Status: NOT_FOUND
  - UI components for advisory suggestions including a "Top 3 Suggestions Today" panel, inline hints, and playbook application with dry-run preview. Not yet implemented.
  - Modules: `(planned for src/Web)`
- [-] **"Can I Ship?" Case Header (Verdict Display)**
  - Status: PARTIALLY_IMPLEMENTED
  - Verdict display components exist (detail panel, actions, evidence graph, policy breadcrumb), but no exact "CaseHeader" or "AttestationViewer" component names were found. The verdict feature is present with related subcomponents.
  - Modules: `src/Web`
- [x] **"Explain Like I'm New" / Plain Language Toggle**
  - Status: IMPLEMENTED
  - Toggle between technical and plain language modes with Alt+P shortcut, a glossary tooltip directive for jargon expansion, and a dedicated service for managing the state. Originally marked TODO in the advisory but now implemented.
  - Modules: `src/Web`
- [x] **AI Chat Panel UI**
  - Status: IMPLEMENTED
  - Full Advisory AI chat panel with message rendering, action buttons, object link chips, evidence drilldown, and explanation panels is implemented in the Angular frontend.
  - Modules: `src/Web`
- [-] **AI Chip Components (Progressive Disclosure UX)**
  - Status: PARTIALLY_IMPLEMENTED
  - UX pattern for surfacing AI results with compact chips, 3-line doctrine, and progressive disclosure. Existing chip components for reachability and VEX status exist; dedicated AI-specific chips are sprint-planned.
  - Modules: `src/Web`
- [x] **AI Recommendation Panel for Triage**
  - Status: IMPLEMENTED
  - AI-powered recommendation panel for vulnerability triage with advisory AI service integration.
  - Modules: `src/Web`
- [x] **Audit Bundle Export**
  - Status: IMPLEMENTED
  - Export actions component and audit pack dialog for exporting delta evidence as audit bundles.
- Modules: `src/Web` - [-] **Audit Trail "Why am I seeing this?" (Reason Capsule)** - Status: PARTIALLY_IMPLEMENTED - The advisory proposed a ReasonCapsuleComponent with per-row expandable explanations showing policy name, rule ID, graph revision ID, and inputs digest. Instead, verdict explanation is implemented via VerdictWhySummaryComponent (3-5 bullet driver explanations with evidence drill-down links) and WhySafePanels in the lineage feature. The exact ReasonCapsuleComponent name and API contract (/api/audit/reasons/:verdictId) were not found, but the concept is substantially realized under different component names. - Modules: `src/Web` - [ ] **Contextual Command Bar ("Ask Stella")** - Status: NOT_FOUND - Proposed scoped command bar that auto-scopes to current context with suggested prompts. Not yet implemented. - Modules: `src/Web` - [x] **Decision Drawer for VEX Decisions** - Status: IMPLEMENTED - Enhanced decision drawer component for making VEX triage decisions from the evidence view. - Modules: `src/Web` - [x] **Delta Summary Strip** - Status: IMPLEMENTED - Delta summary strip component shows before/after comparison statistics in the compare view header. - Modules: `src/Web` - [x] **Delta Table (Risk Decay per Release)** - Status: IMPLEMENTED - Side-by-side diff component in the risk feature comparing before/after states per release, integrated into the risk dashboard. - Modules: `src/Web` - [x] **Delta Verdict / Compare View UI** - Status: IMPLEMENTED - Full compare/delta view UI with dedicated feature area including components, services, and implementation summary. Deploy-diff feature for release-level comparison. Verdicts feature for verdict display and management. - Modules: `src/Web` - [x] **Evidence Presentation UX (Panels, Drawers, Rail, Export Center)** - Status: IMPLEMENTED - Comprehensive evidence presentation: tabbed panels across triage/findings/SBOM/policy views with reachability, binary diff, provenance, policy, and attestation chain tabs. 
Per-finding evidence drawer, right-rail proof pane with witness path call traces, DSSE badges, confidence meters. Evidence export center with audit bundle creation. TTE metrics tracking. - Modules: `src/Web` - [x] **Exception and Waiver UX (Wizard, Ledger, Simulation)** - Status: IMPLEMENTED - Exception wizard component, policy exception component with simulation integration, dedicated API client, and exception ledger showing history with status changes, expiry dates, owner info, and create capability. - Modules: `src/Web` - [x] **FirstSignalCard Component (Prefetch, SSE Updates, Storybook)** - Status: IMPLEMENTED - FirstSignalCard Angular component with prefetch service for fast initial signal delivery, signal store, API client, SSE updates showing summary + next action buttons, Storybook stories, and unit tests. - Modules: `src/Web` - [x] **Graph Export (SVG/PNG)** - Status: IMPLEMENTED - Graph export service supporting SVG and PNG formats with options for scale, legend inclusion, metadata embedding, and custom background colors. Originally marked TODO in advisory but now implemented. - Modules: `src/Web` - [x] **Keyboard Shortcuts for Triage (J, Y, R, S, A/N/U)** - Status: IMPLEMENTED - Keyboard shortcuts for triage workflow including help overlay, graph hotkeys, and shared keyboard shortcut infrastructure with e2e test coverage. - Modules: `src/Web` - [x] **MI1 - Motion Tokens Catalogue (Durations, Easings, Distance Scales)** - Status: IMPLEMENTED - Complete motion token catalogue implemented in both SCSS custom properties and TypeScript with exact durations (80-320ms), easing curves, translate/scale values, and a Storybook story page for visual verification. - Modules: `src/Web` - [-] **MI10 - Theme/Contrast Guidance (Light/Dark/HC Tokens)** - Status: PARTIALLY_IMPLEMENTED - Color tokens and focus ring styles exist. Theme transition utilities are implemented. 
    However, the specific theming doc `docs/modules/ui/micro-theme.md` and explicit HC (high-contrast) mode tokens with 4.5:1/3:1 contrast validation were not found as standalone artifacts.
  - Modules: `src/Web`
- [x] **MI2 - Reduced-Motion Rules**
  - Status: IMPLEMENTED
  - Comprehensive reduced-motion support via both CSS `prefers-reduced-motion` media query and `data-reduce-motion` attribute. Durations clamp to 0ms, parallax/auto-animations disabled, focus/hover states preserved.
  - Modules: `src/Web`
- [x] **MI3 - Latency/Idle/Load Patterns (Skeletons, Progress, Offline Banners)**
  - Status: IMPLEMENTED
  - Skeleton loading placeholders with multiple variants, offline banner with retry button and connection status, and offline mode service for detecting/managing connectivity state.
  - Modules: `src/Web`
- [-] **MI4 - Error/Cancel/Undo Patterns (Snackbar/Toast with Undo)**
  - Status: PARTIALLY_IMPLEMENTED
  - i18n keys for toast/undo/undoCountdown patterns exist and snackbar usage is present across components. However, a dedicated centralized snackbar/toast service with the specific 8s undo window and aria-live=polite pattern was not found as a standalone component.
  - Modules: `src/Web`
- [-] **MI5 - Performance Budgets (Interaction Response, Animation Frame, LCP)**
  - Status: PARTIALLY_IMPLEMENTED
  - Lighthouse CI config exists for performance monitoring. Specific interaction response <=100ms, frame budget 16ms, and layout shift <0.05 budgets were not found as explicitly configured thresholds in test fixtures.
  - Modules: `src/Web`
- [ ] **MI7 - Telemetry Schema for ui.micro.* Events**
  - Status: NOT_FOUND
  - The ui.micro telemetry JSON schema and associated unit test validator were not found. Triage-specific telemetry exists but the generic micro-interaction telemetry schema is missing.
  - Modules: `src/Web`
- [-] **MI8 - Deterministic Seeds/Snapshots (Fixed RNG, Frozen Timestamps)**
  - Status: PARTIALLY_IMPLEMENTED
  - Deterministic fixture files exist for testing.
    Storybook preview is configured. However, specific chromatic.disableAnimation parameters and fixed seed exports from a `micro-fixtures.ts` file were not verified.
  - Modules: `src/Web`
- [x] **MI9 - Micro-Copy Localisation (i18n Keys and ICU Messages)**
  - Status: IMPLEMENTED
  - Full micro-interaction localisation file with EN defaults covering all interaction states (loading/skeleton/progress, error types, offline banners, toast/undo, actions, validation, accessibility labels, motion preferences). i18n service exists for key resolution.
  - Modules: `src/Web`
- [x] **Motion and Animation Tokens (Duration, Easing, Reduced-Motion)**
  - Status: IMPLEMENTED
  - Motion token system in SCSS and TypeScript with duration scales (xs through xl), easing functions, and reduced-motion overrides. Storybook stories for visual documentation.
  - Modules: `src/Web`
- [x] **Operator/Auditor mode toggle**
  - Status: IMPLEMENTED
  - View mode service, toggle component, and operator-only/auditor-only directives implement two-mode UI with different default levels of detail.
  - Modules: `src/Web`
- [-] **Pipeline/Run-Centric View**
  - Status: PARTIALLY_IMPLEMENTED
  - Runs feature exists in the frontend with first-signal card components and prefetch services, but a full pipeline-centric view as described in the advisory is only partially present.
  - Modules: `src/Web`
- [-] **Progressive Disclosure UX**
  - Status: PARTIALLY_IMPLEMENTED
  - Triage workspace and finding detail layout suggest progressive disclosure patterns, but there is no explicit "progressive disclosure" framework component -- it is implemented as a UX pattern across existing components.
  - Modules: `src/Web`
- [x] **Proof chain verification UI**
  - Status: IMPLEMENTED
  - 13 Angular standalone components implement proof-driven UX with evidence chains, including tabbed panels, static evidence cards, and E2E tests.
  - Modules: `src/Web`
- [x] **Proof Graph UX (Unified Evidence View)**
  - Status: IMPLEMENTED
  - Evidence page, panel, and list components with analytics metrics for evidence panel interactions, integrated across triage, findings, SBOM, and release orchestrator views.
  - Modules: `src/Web`
- [x] **Proof Spine UI component (segmented visualization with badges)**
  - Status: IMPLEMENTED
  - Angular proof-spine component suite with segment visualization, badge rows, detail modals, and e2e tests.
  - Modules: `src/Web`
- [x] **Proof-linked VEX UI (Evidence drawer, Proof Spine component)**
  - Status: IMPLEMENTED
  - Angular UI components for proof spine visualization (segments, badges, detail modal) and evidence drawer are implemented with e2e test coverage.
  - Modules: `src/Web, src/Web (expected)`
- [x] **Risk Budget Burn-Up Chart**
  - Status: IMPLEMENTED
  - SVG-based burn-up chart displaying risk budget consumption over time (X: calendar days, Y: risk points) with budget limit line, actual consumption, grid lines, and headroom visualization.
  - Modules: `src/Web`
- [x] **Risk Budget Configuration UI**
  - Status: IMPLEMENTED
  - Risk budget configuration component in policy governance module, along with a dedicated risk budget dashboard for managing budget parameters.
  - Modules: `src/Web`
- [x] **Risk Budget KPI Dashboard with Badges**
  - Status: IMPLEMENTED
  - KPI tiles showing Headroom, Unknowns delta (24h), Risk retired (7d), and Exceptions expiring -- matching the advisory's "copy-paste labels for the board" concept precisely.
  - Modules: `src/Web`
- [x] **Risk Dashboard UI (Side-by-Side View)**
  - Status: IMPLEMENTED
  - Angular-based risk dashboard with side-by-side SBOM diff viewer, graph split view for reachability comparison, and witness comparison components.
  - Modules: `src/Web/StellaOps.Web`
- [x] **Role-Based Views (Dev/Security/Audit)**
  - Status: IMPLEMENTED
  - Compare view supports role-based viewing with user preference persistence for different personas (Developer, Security, Audit).
  - Modules: `src/Web`
- [-] **SBOM Lineage Lane View (Git-like UI)**
  - Status: PARTIALLY_IMPLEMENTED
  - Git-like lineage lane visualization with hover-to-proof micro-interactions. Components built but not wired to backend APIs.
  - Modules: `src/Web`
- [-] **Score UI Display Enhancement**
  - Status: PARTIALLY_IMPLEMENTED
  - A score comparison component exists in the UI, but the full unified score display with unknowns bands and delta-if-present was marked TODO (TSF-008).
  - Modules: `src/Web`
- [x] **Smart-Diff UI Components (Visual Diffs)**
  - Status: IMPLEMENTED
  - Full visual diff UI with three-pane layout (categories, items, proof), delta summary strip, compare view, VEX merge explanation visualization, proof pane, export actions, and smart-diff badges. Matches the advisory's specified UI patterns.
  - Modules: `src/Web`
- [x] **Three-Pane Layout (Categories/Items/Proof)**
  - Status: IMPLEMENTED
  - The compare feature implements a three-pane layout with categories, items, and proof panes for side-by-side comparison of scans/policies.
  - Modules: `src/Web`
- [ ] **Time-to-Evidence (TTE) Metric**
  - Status: NOT_FOUND
  - The TTE metric (measuring time from finding open to first proof rendered) is not implemented in the frontend or backend.
  - Modules: `src/Web (expected)`
- [x] **TinyFailureEvent / First Signal Event Pattern**
  - Status: IMPLEMENTED
  - First signal events are implemented with a dedicated store, typed models, and UI components for display in run views and console status.
  - Modules: `src/Web`
- [x] **Triage Workspace with Proof Tree**
  - Status: IMPLEMENTED
  - Triage workspace component for vulnerability triage with an associated proof tree visualization component. Includes Storybook stories for the proof tree.
  - Modules: `src/Web`
- [x] **Unified Triage Canvas with Rich Evidence**
  - Status: IMPLEMENTED
  - A full triage workspace combining reachability evidence graphs, witness call paths, and proof tree visualizations in a single canvas for evidence-rich triage decisions.
  - Modules: `src/Web`
- [-] **UX Guidelines for StellaOps Console**
  - Status: PARTIALLY_IMPLEMENTED
  - The advisory included a v0.1 UX Guidelines document covering core principles (explainability, evidence-in-one-hop, noise-is-a-bug, deterministic-not-magical). Several of these principles are reflected in implemented components (evidence ribbon, verdict-why-summary, verdict-proof-panel, provenance chips), but no formal UX guidelines document was found in the codebase.
  - Modules: `src/Web`
- [x] **Verdict Chip / Status Display (Allowed/Blocked/Warn)**
  - Status: IMPLEMENTED
  - Verdict display through the verdicts feature and shared status badge UI component.
  - Modules: `src/Web`
- [x] **VEX Decision Modal (Triage Workspace)**
  - Status: IMPLEMENTED
  - Full VEX decision modal with triage workspace, decision service, and API client for making VEX decisions on vulnerabilities.
  - Modules: `src/Web`
- [-] **VEX Gate (Inline Gated Action with Evidence Tiers)**
  - Status: PARTIALLY_IMPLEMENTED
  - The advisory proposed a VexGateButtonDirective that morphs primary action buttons into Green/Amber/Red gated actions with evidence sheets. VEX evidence and decision infrastructure exists (vex-evidence client, vex-decision-modal, evidence-ribbon). However, the specific VexGateButtonDirective and VexEvidenceSheetComponent with inline button morphing and tier-based gating were not found. The pattern is partially realized through separate VEX decision modals and evidence display components.
  - Modules: `src/Web`
- [x] **VEX History Tracking**
  - Status: IMPLEMENTED
  - VEX decision history component showing the timeline of VEX decisions for each vulnerability.
  - Modules: `src/Web`
- [x] **VEX Merge Explanations**
  - Status: IMPLEMENTED
  - Component that explains how VEX statements were merged and their impact on verdicts.
  - Modules: `src/Web`
- [x] **Visual Graph Diff with Change Highlights**
  - Status: IMPLEMENTED
  - Full graph diff component with change type highlighting (added/removed/changed), layout engine, split-view, connected element detection, and Storybook stories. Originally marked TODO in advisory but now implemented.
  - Modules: `src/Web`
- [x] **Witness Viewer UI**
  - Status: IMPLEMENTED
  - Witness viewer UI component in the shared UI library, plus a witness page within the reachability feature area.
  - Modules: `src/Web`
- [x] **"Why Safe?" Evidence Explanation Panel**
  - Status: IMPLEMENTED
  - Dedicated panel answering "Why is this component considered safe?" by aggregating and displaying all contributing evidence: VEX statements, reachability analysis results, attestation chains, and policy evaluation outcomes in a user-friendly breakdown.
  - Modules: `src/Web/`
  - Sprint: SPRINT_20251228_008_FE_sbom_lineage_graph_ii.md
- [x] **Agent Fleet Dashboard UI**
  - Status: IMPLEMENTED
  - Full agent fleet management UI with fleet dashboard overview, agent detail pages with health and tasks tabs, capacity heatmap visualization, fleet comparison views, agent action modals, and an onboarding wizard for new agent registration. The known features list has "Runtime Agent Framework" but not the fleet dashboard UI.
  - Modules: `src/Web/StellaOps.Web/src/app/features/agents/`
  - Sprint: SPRINT_20260118_023_FE_agent_fleet_visualization.md
- [x] **AI Preferences and Verbosity Settings UI**
  - Status: IMPLEMENTED
  - User-facing settings page for configuring AI explanation verbosity levels, preferred explanation types, and AI feature visibility toggles. Persists preferences per user session.
  - Modules: `src/Web/`
  - Sprint: SPRINT_20251226_020_FE_ai_ux_patterns.md
- [x] **AI Summary 3-Line Component**
  - Status: IMPLEMENTED
  - Compact 3-line AI summary component providing at-a-glance severity assessment, key finding highlights, and recommended action for each vulnerability finding. Designed for progressive disclosure in list views.
  - Modules: `src/Web/`
  - Sprint: SPRINT_20251226_020_FE_ai_ux_patterns.md
- [x] **Approval Detail with Reachability Witness Panel**
  - Status: IMPLEMENTED
  - Split-pane approval detail with diff + gates on left and decision + comments on right, featuring the reachability witness panel ("The Moat") showing reachability evidence for each finding.
  - Modules: `src/Web/StellaOps.Web/src/app/features/approvals/`
  - Sprint: SPRINT_20260118_005_FE_approvals_feature.md
- [x] **Approvals Inbox with Diff-First Presentation**
  - Status: IMPLEMENTED
  - Approvals inbox showing pending approval requests with diff-first card design highlighting what changed, enabling quick triage of release promotion requests.
  - Modules: `src/Web/StellaOps.Web/src/app/features/approvals/`
  - Sprint: SPRINT_20260118_005_FE_approvals_feature.md
- [x] **Audit Bundle Create Modal (3-Step Wizard)**
  - Status: IMPLEMENTED
  - Three-step wizard for creating audit bundles: select scope (release/environment/date range), choose evidence types, and configure signing/export options.
  - Modules: `src/Web/StellaOps.Web/src/app/features/evidence/modals/`
  - Sprint: SPRINT_20260118_006_FE_evidence_unification.md
- [x] **Backport Resolution UI with Function Diff Viewer**
  - Status: IMPLEMENTED
  - Frontend UI for browsing binary backport resolution results. Includes a ResolutionChipComponent (showing resolved/unresolved status), an EvidenceDrawerComponent (side panel with proof artifacts), and a FunctionDiffComponent (displaying function-level binary diffs between patched and unpatched versions). Integrates into the vulnerability detail view with e2e test coverage.
  - Modules: `src/Web/StellaOps.Web/src/app/shared/components/`, `src/Web/StellaOps.Web/src/app/features/vulnerabilities/`
  - Sprint: SPRINT_1227_0003_0001_FE_backport_ui.md
- [x] **Binary-Diff Panel UI Component**
  - Status: IMPLEMENTED
  - Angular component providing side-by-side binary diff visualization with scope selector (file/section/function level), hex view toggle, and integration with the binary diff backend service for patch detection review.
  - Modules: `src/Web/`
  - Sprint: SPRINT_20260117_018_FE
- [x] **CGS Badge Component (Copy and Replay Hash)**
  - Status: IMPLEMENTED
  - UI badge component displaying Canonical Graph Signature (CGS) hash with one-click copy-to-clipboard and replay verification trigger. Shows truncated hash with tooltip for full value and confidence score indicator.
  - Modules: `src/Web/`
  - Sprint: SPRINT_20251229_001_003_FE_lineage_graph.md
- [x] **Confidence Breakdown Visualization (Factor Bar Chart)**
  - Status: IMPLEMENTED
  - Visual bar chart breakdown showing how each evidence factor (SBOM, VEX, reachability, binary analysis, attestation) contributes to the overall confidence score. Includes per-factor chip components with drill-down capability.
  - Modules: `src/Web/`
  - Sprint: SPRINT_20251229_001_004_FE_proof_studio.md
- [x] **Context Status Chips (Offline/Feed/Policy/Evidence)**
  - Status: IMPLEMENTED
  - Status indicator chips in the topbar showing offline mode, active feed snapshot, policy baseline, and evidence mode state at a glance.
  - Modules: `src/Web/StellaOps.Web/src/app/layout/context-chips/`
  - Sprint: SPRINT_20260118_001_FE_shell_navigation_redesign.md
- [x] **Control Plane Dashboard (Release-Centric Landing Page)**
  - Status: IMPLEMENTED
  - New landing page replacing security-centric home with release control plane view including environment pipeline visualization, action inbox, drift & risk changes, and pending promotions table.
  - Modules: `src/Web/StellaOps.Web/src/app/features/control-plane/`
  - Sprint: SPRINT_20260118_003_FE_control_plane_home.md
- [x] **Deployment Detail with Workflow DAG Visualization**
  - Status: IMPLEMENTED
  - Deployment detail page with workflow DAG visualization showing deployment step execution, artifact promotion flow, and gate evaluation results.
  - Modules: `src/Web/StellaOps.Web/src/app/features/deployments/`
  - Sprint: SPRINT_20260118_008_FE_environments_deployments.md
- [x] **Domain Widget Library (DigestChip, GateBadge, ReachabilityStateChip, WitnessPathPreview, EvidenceLink, GateSummaryPanel)**
  - Status: IMPLEMENTED
  - Six reusable domain-specific widgets: DigestChip (truncated digest with copy), GateBadge (gate level display), ReachabilityStateChip (R0-R3 state), WitnessPathPreview (call path snippet), EvidenceLink (attestation link), GateSummaryPanel (gate overview).
  - Modules: `src/Web/StellaOps.Web/src/app/shared/domain/`
  - Sprint: SPRINT_20260118_009_FE_route_migration_shared_components.md
- [x] **Evidence Center Hub**
  - Status: IMPLEMENTED
  - Unified evidence center replacing scattered evidence views, providing a single hub for browsing, filtering, and verifying all attestation evidence across releases.
  - Modules: `src/Web/StellaOps.Web/src/app/features/evidence/`
  - Sprint: SPRINT_20260118_006_FE_evidence_unification.md
- [x] **Evidence Packet Drawer (Slide-In)**
  - Status: IMPLEMENTED
  - Contextual slide-in drawer for viewing evidence packet details from any page without navigation, showing attestation contents and verification status.
  - Modules: `src/Web/StellaOps.Web/src/app/shared/overlays/evidence-packet-drawer/`
  - Sprint: SPRINT_20260118_006_FE_evidence_unification.md
- [x] **Evidence Provenance Visualization Component**
  - Status: IMPLEMENTED
  - Interactive evidence provenance chain visualization showing the path: finding -> advisory -> VEX -> policy -> attestation. Part of the evidence-export feature module with routing integration.
  - Modules: `src/Web/StellaOps.Web/src/app/features/evidence-export/`
  - Sprint: SPRINT_20251229_016_FE_evidence_export_replay_ui.md
- [x] **Explainer Timeline UI Component (Step-by-Step Verdict Explanation)**
  - Status: IMPLEMENTED
  - Interactive step-by-step verdict explanation visualization with expand/collapse behavior. ExplainerStepComponent renders individual reasoning steps; ExplainerService provides data from backend; supports progressive disclosure of decision rationale for lineage views.
  - Modules: `src/Web/StellaOps.Web/src/app/features/lineage/`
  - Sprint: SPRINT_20251229_001_005_FE_explainer_timeline.md
- [x] **Finding Detail Drawer**
  - Status: IMPLEMENTED
  - Shared slide-in drawer for viewing finding details from any context, displaying reachability evidence, VEX status, and available actions without full-page navigation.
  - Modules: `src/Web/StellaOps.Web/src/app/shared/overlays/finding-detail-drawer/`
  - Sprint: SPRINT_20260118_007_FE_security_consolidation.md
- [x] **Gate Explain Drawer**
  - Status: IMPLEMENTED
  - Slide-in drawer explaining why a policy gate passed or failed, showing each rule evaluation, evidence inputs, and what would need to change for a different outcome.
  - Modules: `src/Web/StellaOps.Web/src/app/shared/overlays/gate-explain-drawer/`
  - Sprint: SPRINT_20260118_009_FE_route_migration_shared_components.md
- [x] **Global Search Component (Cmd+K)**
  - Status: IMPLEMENTED
  - Command-palette-style global search (Cmd+K / Ctrl+K) for quick navigation to releases, findings, environments, and settings across the entire application.
  - Modules: `src/Web/StellaOps.Web/src/app/layout/global-search/`
  - Sprint: SPRINT_20260118_001_FE_shell_navigation_redesign.md
- [x] **Impact-First Vulnerability Detail (EPSS/KEV)**
  - Status: IMPLEMENTED
  - Vulnerability detail page redesigned with impact-first layout showing EPSS probability, KEV catalog status, reachability state, and blast radius before technical details.
  - Modules: `src/Web/StellaOps.Web/src/app/features/security/`
  - Sprint: SPRINT_20260118_007_FE_security_consolidation.md
- [x] **Integration Hub UI (List + Detail + Connection Test)**
  - Status: IMPLEMENTED
  - Integration Hub frontend with list view showing integration status/health, detail view with configuration and activity log, and connection test UI for verifying integration connectivity.
  - Modules: `src/Web/StellaOps.Web/src/app/features/integrations/`
  - Sprint: SPRINT_20251229_011_FE_integration_hub_ui.md
- [x] **Integration Onboarding Wizard (Multi-Type Setup Flows)**
  - Status: IMPLEMENTED
  - Multi-step integration onboarding wizard supporting registry, SCM, CI, and host integration types. Includes preflight checks, copy-safe instructions, and template generation for Helm/systemd deployments.
  - Modules: `src/Web/StellaOps.Web/src/app/features/integrations/`
  - Sprint: SPRINT_20251229_014_FE_integration_wizards.md
- [x] **Left Rail Navigation Shell**
  - Status: IMPLEMENTED
  - CSS Grid-based application shell with persistent left sidebar navigation (7 nav sections), replacing the previous mega-menu navigation pattern.
  - Modules: `src/Web/StellaOps.Web/src/app/layout/`
  - Sprint: SPRINT_20260118_001_FE_shell_navigation_redesign.md
- [x] **Lineage Compare Panel (Side-by-Side SBOM/VEX Diff)**
  - Status: IMPLEMENTED
  - Interactive side-by-side comparison panel for SBOM lineage graph with dedicated SBOM diff view (added/removed/updated components), VEX diff view (status transitions), and URL-addressable compare state for sharing comparison links.
  - Modules: `src/Web/`
  - Sprint: SPRINT_20251228_008_FE_sbom_lineage_graph_ii.md
- [x] **Lineage Timeline Slider**
  - Status: IMPLEMENTED
  - Interactive timeline slider for navigating SBOM lineage graph history. Allows scrubbing through release versions chronologically with visual markers for significant security state changes.
  - Modules: `src/Web/`
  - Sprint: SPRINT_20251228_008_FE_sbom_lineage_graph_ii.md
- [x] **Lineage UI API Wiring with Angular Signals**
  - Status: IMPLEMENTED
  - Frontend API client wiring for SBOM lineage graph with Angular signals-based state management. Connects graph visualization, diff/compare panels, and hover card overlays to the backend LineageGraphService API, including Valkey cache integration for compare operations.
  - Modules: `src/Web/StellaOps.Web/src/app/features/lineage/`
  - Sprint: SPRINT_20251229_005_FE_lineage_ui_wiring.md
- [x] **Metrics Dashboard Component (Attestation Coverage, Approval Velocity, Gap Analysis)**
  - Status: IMPLEMENTED
  - Angular standalone component providing a dashboard view of attestation coverage metrics, approval velocity trends, and evidence gap analysis. Visualizes operational health of the attestation pipeline.
  - Modules: `src/Web/`
  - Sprint: batch_02/file_00.md
- [x] **Node Diff Table Component (Tabular SBOM Change Comparison)**
  - Status: IMPLEMENTED
  - Tabular component-change diff view with filter chips (added/removed/modified/unchanged), debounced search, multi-column sorting, row selection with bulk actions, pagination, and CSV export capability for SBOM lineage comparison.
  - Modules: `src/Web/StellaOps.Web/src/app/features/lineage/`
  - Sprint: SPRINT_20251229_001_006_FE_node_diff_table.md
- [x] **Overlay Host Component**
  - Status: IMPLEMENTED
  - Centralized overlay/drawer management system with signal-based store for coordinating slide-in panels, modals, and drawers across the application.
  - Modules: `src/Web/StellaOps.Web/src/app/layout/overlay-host/`
  - Sprint: SPRINT_20260118_001_FE_shell_navigation_redesign.md
- [x] **Pinned Explanations Panel (Copy-Safe Ticket Creation)**
  - Status: IMPLEMENTED
  - Floating panel for pinning AI explanations and evidence summaries with multi-format export (Markdown, Plain Text, JSON, HTML, Jira).
    Supports session persistence, drag reordering, and one-click copy-to-clipboard for creating evidence-backed tickets in external issue trackers.
  - Modules: `src/Web/`
  - Sprint: SPRINT_20251229_001_007_FE_pinned_explanations.md
- [x] **Policy Breadcrumb UI Component**
  - Status: IMPLEMENTED
  - Angular component that visualizes the policy evaluation chain as an interactive breadcrumb trail, showing which policy rules fired, their order, and individual pass/fail status. Provides drill-down from verdict summary to specific rule decisions.
  - Modules: `src/Web/`
  - Sprint: SPRINT_1227_0014_0002_FE_verdict_ui.md
- [x] **Policy Studio UI (Monaco Editor, Simulation, Approvals)**
  - Status: IMPLEMENTED
  - Full Policy Studio authoring environment with Monaco-based DSL editor (stella-dsl@1 syntax highlighting, IntelliSense), policy simulation panel with deterministic diff rendering, guided rule builder, YAML editor with schema validation, submit/review/approve workflow with two-person approval, run viewer dashboards, and explain view with evidence overlay exports.
  - Modules: `src/Web/`
  - Sprint: SPRINT_0210_0001_0002_ui_ii.md
- [-] **Reachability Center UI View**
  - Status: PARTIALLY_IMPLEMENTED
  - Reachability Center view showing asset coverage, missing sensors, and stale reachability facts. Implemented with deterministic fixture data; pending official fixture bundle swap from Signals guild.
  - Modules: `src/Web/`
  - Sprint: SPRINT_0211_0001_0003_ui_iii.md
- [x] **Release-Aware Security Findings**
  - Status: IMPLEMENTED
  - Security findings list with release context showing which release each finding impacts, with delta indicators showing new/resolved findings between releases.
  - Modules: `src/Web/StellaOps.Web/src/app/features/security/`
  - Sprint: SPRINT_20260118_007_FE_security_consolidation.md
- [x] **Releases List and Detail Pages (7-Tab Detail)**
  - Status: IMPLEMENTED
  - Full releases feature with filterable list view and detail page with 7 tabs (Overview, Components, Gates, Promotions, Deployments, Evidence, Proof Chain) using signal-based state management.
  - Modules: `src/Web/StellaOps.Web/src/app/features/releases/`
  - Sprint: SPRINT_20260118_004_FE_releases_feature.md
- [x] **Request Exception Modal with Drag-and-Drop**
  - Status: IMPLEMENTED
  - Modal for requesting policy exceptions during approvals with drag-and-drop evidence attachment, justification fields, and expiry date selection.
  - Modules: `src/Web/StellaOps.Web/src/app/features/approvals/modals/`
  - Sprint: SPRINT_20260118_005_FE_approvals_feature.md
- [x] **SBOM Analytics Console UI**
  - Status: IMPLEMENTED
  - Angular UI for SBOM analytics with dashboard panels showing component counts, vulnerability trends, supplier distribution, and attestation coverage. Includes drilldown views, trend charts, and CSV export capabilities. Not present in the known features list.
  - Modules: `src/Web/StellaOps.Web/src/app/features/analytics/`
  - Sprint: SPRINT_20260120_031_FE_sbom_analytics_console.md
- [-] **SBOM Graph Reachability Overlay with Time Slider**
  - Status: PARTIALLY_IMPLEMENTED
  - Reachability halo overlay on SBOM graph visualization with time slider for temporal reachability exploration and state legend. Uses deterministic stub data pending fixture bundle.
  - Modules: `src/Web/`
  - Sprint: SPRINT_0211_0001_0003_ui_iii.md
- [x] **SBOM Sources Manager UI (List + Detail + 6-Step Wizard)**
  - Status: IMPLEMENTED
  - Full SBOM Sources management UI with sources list page (status badges, last-run times, filtering), source detail page (run history, configuration), and 6-step add/edit wizard (type selection, basic info, type-specific config, credentials, schedule, review+test).
  - Modules: `src/Web/StellaOps.Web/src/app/features/sbom-sources/`
  - Sprint: SPRINT_20251229_003_FE_sbom_sources_ui.md
- [x] **Security Overview Dashboard**
  - Status: IMPLEMENTED
  - Consolidated security overview merging Analyze and Triage sections into a single security hub with release-aware finding counts and risk summaries.
  - Modules: `src/Web/StellaOps.Web/src/app/features/security/`
  - Sprint: SPRINT_20260118_007_FE_security_consolidation.md
- [x] **Triage Inbox Angular Component (3-Pane Layout)**
  - Status: IMPLEMENTED
  - 3-pane Angular UI for exploit-path-based triage: left pane (path list with risk badges, quiet/active toggle, search), center pane (CVE list, package/symbol info, entry point, exceptions), right pane (collapsible reach graph, symbol map, VEX claims, export). Uses Cytoscape.js for graph visualization.
  - Modules: `src/Web/`
  - Sprint: SPRINT_3900_0003_0001_exploit_path_inbox_proof_bundles.md
- [x] **Trust Algebra Panel Angular Components**
  - Status: IMPLEMENTED
  - Angular component suite for visualizing the VEX trust lattice: TrustAlgebraComponent (main panel), ConfidenceMeterComponent, ClaimTableComponent, PolicyChipsComponent, plus models and service. Distinct from existing features like "Proof Studio UX" or "Evidence Panel UI" -- this is specifically the trust algebra visualization with claim table and policy chip views.
  - Modules: `src/Web/`
  - Sprint: SPRINT_7100_0003_0001_ui_trust_algebra.md
- [x] **UI-Driven Vulnerability Annotation and State Management**
  - Status: IMPLEMENTED
  - UI workflow for vulnerability lifecycle state management (open -> in_review -> mitigated -> closed, plus false_positive and deferred branches), VEX candidate review and approval with auto-generated justifications from Smart-Diff, and cryptographically auditable decision trails. Includes triage dashboard with severity filters and state transition modals.
  - Modules: `src/Web/`
  - Sprint: SPRINT_4000_0100_0002_vuln_annotation.md
- [x] **Unified Settings Page (10 Categories)**
  - Status: IMPLEMENTED
  - Consolidated settings hub with 10 category panes (Integrations, Trust, Admin, Notifications, Security Data, Policy, Release Control, Branding, Usage, System) replacing scattered admin pages.
  - Modules: `src/Web/StellaOps.Web/src/app/features/settings/`
  - Sprint: SPRINT_20260118_002_FE_settings_consolidation.md
- [x] **Verdict Detail Panel UI**
  - Status: IMPLEMENTED
  - Verdict-scoped detail panel combining an evidence graph visualization (D3.js force-directed) with policy breadcrumbs and score breakdown. Distinct from the known "Evidence Subgraph UI Visualization" which is graph-centric -- this is a verdict-centric composite panel integrating evidence graph, policy trace, and scoring into a unified decision view.
  - Modules: `src/Web/`
  - Sprint: SPRINT_1227_0014_0002_FE_verdict_ui.md
- [x] **Verdict Replay Controls UI (Trigger + Status + Compare)**
  - Status: IMPLEMENTED
  - UI controls for triggering verdict replays, monitoring replay status, and comparing replay results against original verdicts. Includes offline verification workflow (upload bundle, verify, show chain) and checksum verification UI with SHA-256 display.
  - Modules: `src/Web/StellaOps.Web/src/app/features/evidence-export/`
  - Sprint: SPRINT_20251229_016_FE_evidence_export_replay_ui.md
- [x] **VEX Trust Column in Findings and Triage Lists**
  - Status: IMPLEMENTED
  - New sortable Trust column added to findings-list and triage-list grids. Shows a VexTrustChipComponent with color-coded confidence level (high/medium/low/unknown) and a VexTrustPopoverComponent on hover with detailed breakdown of issuer trust, statement quality, and coverage scores. Includes Storybook stories for design documentation.
  - Modules: `src/Web/StellaOps.Web/src/app/shared/components/`, `src/Web/StellaOps.Web/src/app/features/findings/`, `src/Web/StellaOps.Web/src/app/features/triage/`
  - Sprint: SPRINT_1227_0004_0002_FE_trust_column.md
- [x] **Web Gateway Export Center Client (Profiles, Runs, SSE Streaming, Distributions)**
  - Status: IMPLEMENTED
  - Web gateway client for Export Center APIs with profile/run management, SSE progress streaming, signed URL distribution, retention/encryption parameter support, and tenant-scoped RBAC enforcement.
  - Modules: `src/Web/`
  - Sprint: SPRINT_0213_0001_0002_web_ii.md
- [x] **Web Gateway Graph Platform Client (Tiles, Search, Paths, Exports)**
  - Status: IMPLEMENTED
  - Web gateway client for Graph Platform APIs with tile streaming, search, path queries, export (GraphML/NDJSON/CSV/PNG/SVG), asset snapshots, adjacency queries, and AOC overlay pass-through, all with tenant scoping and RBAC.
  - Modules: `src/Web/`
  - Sprint: SPRINT_0213_0001_0002_web_ii.md
- [x] **Web Gateway Observability Surfaces (Health, SLO, Traces, Logs, Incident Mode)**
  - Status: IMPLEMENTED
  - Web gateway observability client providing health aggregation, SLO burn-rate metrics with exemplar links, distributed trace inspection, structured log queries, evidence/attestation pass-through, incident mode toggle, and sealed-mode status APIs.
  - Modules: `src/Web/`
  - Sprint: SPRINT_0214_0001_0001_web_iii.md
- [x] **Web Gateway OpenAPI Discovery with Deprecation and Idempotency**
  - Status: IMPLEMENTED
  - Gateway OpenAPI discovery endpoint with ETag caching, standard error envelope migration, cursor pagination normalization, Idempotency-Key support, and deprecation header middleware with Sunset link emission.
- Modules: `src/Web/` - Sprint: SPRINT_0214_0001_0001_web_iii.md - [x] **Web Gateway Signals and Reachability Proxy** - Status: IMPLEMENTED - Gateway proxy for reachability signals providing call-graph queries, reachability state lookups, and runtime evidence retrieval through the web API layer for UI consumption. - Modules: `src/Web/` - Sprint: SPRINT_0216_0001_0001_web_v.md - [x] **Web Gateway VEX Consensus Proxy** - Status: IMPLEMENTED - Gateway proxy for VEX consensus engine providing multi-source consensus queries, trust scoring, and quorum verification through the web API layer with tenant and ABAC enforcement. - Modules: `src/Web/` - Sprint: SPRINT_0216_0001_0001_web_v.md - [x] **Witness Drawer (Slide-In)** - Status: IMPLEMENTED - Contextual slide-in drawer for viewing reachability witness details including call paths, observation type, and claim verification status. - Modules: `src/Web/StellaOps.Web/src/app/shared/overlays/witness-drawer/` - Sprint: SPRINT_20260118_009_FE_route_migration_shared_components.md - [x] **AI Autofix Button with Remediation Plan Preview and PR Tracker** - Status: IMPLEMENTED - Three-component AI remediation workflow: (1) Autofix button that triggers AI-assisted remediation planning per finding, (2) Remediation plan preview showing 3-line summary, step-by-step instructions with code diffs, impact assessment, and Approve/Create PR actions, (3) PR tracker monitoring remediation pull requests with CI check statuses, review status, and merge/close actions across multi-SCM providers. - Modules: `src/Web/StellaOps.Web/src/app/features/advisory-ai/` - [x] **AOC Verification Action with CLI Parity Guidance** - Status: IMPLEMENTED - AOC compliance verification action component that triggers tenant-scoped document verification with configurable time windows. Includes violation drilldown with by-violation and by-document view modes, raw document viewer, and CLI parity guidance showing equivalent CLI commands with flags and examples. 
- Modules: `src/Web/StellaOps.Web/src/app/features/aoc/` - [x] **Auditor Workspace (Compliance-Focused Triage View)** - Status: IMPLEMENTED - Auditor-focused workspace with a review ribbon showing policy/attestation/coverage summary, export Audit-Pack CTA with configurable options, and a Quiet-Triage lane with signed audit action buttons (accept, reject, flag) including attestation-backed verdicts. - Modules: `src/Web/StellaOps.Web/src/app/features/workspaces/auditor/` - [x] **Causal Timeline with Critical Path and Event Detail** - Status: IMPLEMENTED - Full-featured causal timeline view with lane-based event visualization (D3.js, one lane per service), critical path highlighting, event detail panel, evidence links, timeline export, filtering, HLC range picker, and forensic export button. Supports correlation ID-based navigation for tracing release pipeline events. (Merged with Timeline UI Component from Phase 2 (none) section.) - Modules: `src/Web/StellaOps.Web/src/app/features/timeline/` - [x] **Configuration Pane (Integration Status Dashboard)** - Status: IMPLEMENTED - Console-level configuration pane showing integration status grouped by sections with connection health, detail views per integration, and a state management service for tracking configuration changes. - Modules: `src/Web/StellaOps.Web/src/app/features/configuration-pane/` - [x] **CycloneDX Evidence Panel with Pedigree Timeline** - Status: IMPLEMENTED - Component detail page with CycloneDX 1.7 evidence panel showing identity evidence with detection methods, occurrence file paths, license evidence with acknowledgement status, and copyright information. Includes a D3.js horizontal pedigree timeline visualization showing ancestor-variant-current component lineage, a patch list viewer with diff rendering, and commit info display. 
- Modules: `src/Web/StellaOps.Web/src/app/features/sbom/` - [x] **Developer Workspace (Role-Based Findings View)** - Status: IMPLEMENTED - Developer-focused workspace assembling Evidence Ribbon, Quick-Verify CTA with streaming progress, a sortable findings rail with severity/reachability/runtime indicators, and action stubs for creating GitHub issues or Jira tickets from findings. - Modules: `src/Web/StellaOps.Web/src/app/features/workspaces/developer/` - [x] **Entropy Analysis Panel and Policy Banner** - Status: IMPLEMENTED - Shared UI components for displaying entropy analysis results on container images. The Entropy Panel shows layer-level entropy scores, high-entropy file details, and detector hints. The Entropy Policy Banner displays policy thresholds (warn/block) with the current entropy score and mitigation steps. - Modules: `src/Web/StellaOps.Web/src/app/shared/components/` - [x] **Evidence Thread Browser (Artifact Evidence Lineage)** - Status: IMPLEMENTED - Browse and inspect evidence threads per artifact digest. List view shows all evidence threads; detail view shows the full thread of evidence for a specific artifact including all linked attestations, proofs, and verification results. - Modules: `src/Web/StellaOps.Web/src/app/features/evidence-thread/` - [x] **Exception Center with Kanban View** - Status: IMPLEMENTED - Comprehensive exception management center with list and kanban board views, workflow transitions (draft/pending/approved/rejected/expired), an approval queue with batch operations, a multi-step exception creation wizard, detail view with audit log, and inline exception drafting. 
- Modules: `src/Web/StellaOps.Web/src/app/features/exceptions/` - [x] **Frontend Plugin System (Discovery, Sandbox, Extension Slots)** - Status: IMPLEMENTED - Frontend plugin architecture with plugin discovery service, dynamic module loader, sandboxed execution, a registry for managing plugin lifecycle, tenant-scoped plugin configuration, navigation integration for plugin-contributed menu items, and an extension slot component allowing plugins to inject UI at designated extension points. - Modules: `src/Web/StellaOps.Web/src/app/core/plugins/` - [x] **Function Map Management UI (Runtime Behavior Verification)** - Status: IMPLEMENTED - Manage function maps that define expected runtime behavior for services. Includes a list view with verification status and coverage metrics, a multi-step wizard (SBOM source, hot function patterns, coverage thresholds, review) for creating maps, a detail view with verification history, and an observation timeline chart showing matched vs unmatched observations over time. - Modules: `src/Web/StellaOps.Web/src/app/features/function-maps/` - [x] **Graph Split View with Diff Engine** - Status: IMPLEMENTED - Visual graph diff engine with split-view component for comparing two dependency/SBOM graphs side by side with change highlighting, diff computation, and synchronized navigation. - Modules: `src/Web/StellaOps.Web/src/app/shared/components/graph-diff/` - [x] **Identity Watchlist Management UI** - Status: IMPLEMENTED - Full CRUD UI for managing identity watchlist entries (issuer, SAN, keyId) with match modes (Exact, Prefix, Glob, Regex), severity levels, scope (Tenant/Global/System), alert viewing, pattern testing, and duplicate suppression configuration. Users can create, edit, delete, enable/disable watchlist entries and view resulting alerts. 
- Modules: `src/Web/StellaOps.Web/src/app/features/watchlist/` - [x] **Legacy Route Migration Framework** - Status: IMPLEMENTED - Comprehensive route migration framework with 70+ redirect rules mapping legacy URLs to new consolidated navigation structure. Ensures bookmark and deep-link preservation during the UI restructuring from flat routes to hierarchical navigation (Security, Policy, Operations, Settings, Evidence). - Modules: `src/Web/StellaOps.Web/src/app/routes/` - [x] **Mermaid.js and GraphViz Diagram Renderers** - Status: IMPLEMENTED - Reusable diagram rendering components - Mermaid.js renderer for flowcharts/sequence diagrams with theme support, and GraphViz DOT renderer using WASM (@viz-js/viz) for graph visualizations with multiple engine support (dot, neato, fdp, etc.). - Modules: `src/Web/StellaOps.Web/src/app/shared/components/visualization/` - [x] **Playbook Suggestion Service (OpsMemory Integration)** - Status: IMPLEMENTED - Frontend service for fetching contextual playbook suggestions from OpsMemory API. Queries by CVE ID, severity, reachability status, component type, and context tags. Includes 5-minute response caching, retry logic for transient errors, and an evidence card component for displaying playbook-linked evidence. - Modules: `src/Web/StellaOps.Web/src/app/features/opsmemory/` - [x] **Policy Gates Preview with Air-Gap Mode and Feed Freshness** - Status: IMPLEMENTED - Policy gates preview panel with air-gap mode toggle (sealed/connected with offline verification status), feed freshness status badges (fresh/warning/stale counts), bundle simulation for promotions, gate simulation results display, and policy profile selection. 
- Modules: `src/Web/StellaOps.Web/src/app/features/policy-gates/` - [x] **Proof Ledger View (Merkle Tree Scan History)** - Status: IMPLEMENTED - Interactive proof ledger displaying scan proof history with Merkle tree visualization, proof bundle download, and a Score Replay Dashboard for triggering and monitoring deterministic score replay operations with before/after comparison. - Modules: `src/Web/StellaOps.Web/src/app/features/proof/` - [x] **Proof Studio with What-If Slider and Confidence Factors** - Status: IMPLEMENTED - Interactive proof studio for exploring confidence scores with a "what-if" slider for simulating evidence changes, confidence breakdown visualization showing contributing factors as bar charts, and confidence factor chips for individual factor display. - Modules: `src/Web/StellaOps.Web/src/app/features/proof-studio/` - [x] **Reproduce Button with Deterministic Replay Progress** - Status: IMPLEMENTED - Reusable button component that triggers deterministic replay verification of verdicts/scores. Shows inline progress during replay execution and displays results including pass/fail status and drift detection. - Modules: `src/Web/StellaOps.Web/src/app/shared/components/reproduce/` - [x] **SARIF Download from Export Center** - Status: IMPLEMENTED - Dedicated SARIF 2.1.0 download component within the Export Center that generates and downloads vulnerability findings in SARIF format for integration with IDEs, GitHub Code Scanning, and other SARIF-consuming tools. - Modules: `src/Web/StellaOps.Web/src/app/shared/components/export-center/` - [x] **Score Comparison View (Side-by-Side Scan Score Analysis)** - Status: IMPLEMENTED - Side-by-side comparison of vulnerability scan scores between two scans with severity bar charts, delta table showing metric changes, VEX impact visualization (suppressed counts by severity), new/resolved vulnerability lists, and a time-series SVG chart view showing risk score trends over 30 days. 
- Modules: `src/Web/StellaOps.Web/src/app/features/scores/` - [x] **Secret Detection Revelation Policy UI** - Status: IMPLEMENTED - Configuration UI for controlling how detected secrets are displayed (masked vs revealed). Includes a revelation policy selector with permission-gated full reveal, a masked value display component with copy-to-clipboard, rule category selection, and alert channel testing capabilities. - Modules: `src/Web/StellaOps.Web/src/app/features/secret-detection/` - [x] **Snapshot Merge Preview with K4 Lattice Visualization and Determinism Verification** - Status: IMPLEMENTED - Snapshot management UI with merge preview showing per-CVE source contributions with trust scores, K4 lattice visualization, merge traces, missing evidence indicators, REPLAY.yaml format for deterministic replay, and verify-determinism component. (Merged with Snapshot Merge Preview from Phase 2 AirGap section.) - Modules: `src/Web/StellaOps.Web/src/app/features/snapshot/`, `src/AirGap/` - [x] **Unknowns Grey Queue Panel** - Status: IMPLEMENTED - Grey queue panel for managing unknown findings with conflict detection and reanalysis fingerprints. Includes a budget widget showing unknowns consumption against policy thresholds and a queue component for prioritized triage of unknown-state findings. - Modules: `src/Web/StellaOps.Web/src/app/features/unknowns/` - [x] **Unwitnessed Advisory Panel (Missing Runtime Witness Alerts)** - Status: IMPLEMENTED - Advisory panel displayed during release promotion when reachability paths lack runtime witnesses. Shows unwitnessed paths by severity with entrypoint-to-sink details, confidence scores, and whether the advisory is blocking promotion. - Modules: `src/Web/StellaOps.Web/src/app/shared/components/unwitnessed-advisory/` - [x] **VEX Conflict Studio (Visual VEX Conflict Resolution)** - Status: IMPLEMENTED - Interactive studio for resolving VEX statement conflicts from multiple sources. 
Displays conflicting statements with trust weights, merge traces, and K4 lattice visualization. Users can filter/sort conflicts, view merge explanations (trust_weight, freshness, lattice_position), apply manual overrides via a dialog, and remove overrides. - Modules: `src/Web/StellaOps.Web/src/app/features/vex-studio/` - [x] **Vuln Explorer with Evidence Tree and Citation Links** - Status: IMPLEMENTED - Enriched vulnerability explorer with evidence tree (hierarchical proof navigation), citation link component for linking evidence to external sources, evidence subgraph visualization, triage cards with sortable attributes, and verdict explanation rendering. - Modules: `src/Web/StellaOps.Web/src/app/features/vuln-explorer/` - [x] **Workflow Visualization with Time-Travel Controls** - Status: IMPLEMENTED - DAG-based workflow visualizer with time-travel debugging controls. Users can step forward/backward through workflow execution states, inspect step details at each point in time, view execution logs, and interactively debug release workflows. The time-travel service manages historical state snapshots. (Merged with Workflow Visualization UI Module from Phase 2 Web section.) - Modules: `src/Web/StellaOps.Web/src/app/features/workflow-visualization/` - [x] **Triage Queue for High-Impact Unknowns** - Status: IMPLEMENTED - Triage queue UI component (`triage-queue.component.ts`) with prioritized vulnerability queue, priority scoring, sort modes (priority/severity/age/epss), queue item lifecycle, and auto-advance after triage decision. Backend scoring primitives in the Determinization library feed queue ranking. - Modules: `src/Web/StellaOps.Web/src/app/features/triage/components/triage-queue/` - [x] **A/B Deploy Diff Panel** - Status: IMPLEMENTED - Full deployment diff panel comparing security state between two image versions (A/B) with SBOM side-by-side view, component diff rows, policy hit annotations, override dialog, and deploy action bar. 
Enables visual security review before promotion. - Sprint: batch_38/file_18.md - [x] **Attested Score UI (Reduction Profile, Hard-Fail, Proof Anchors)** - Status: IMPLEMENTED - UI surfaces for attested-reduction scoring including reduction profile metadata, hard-fail status display, proof anchor details (DSSE digest, Rekor log index), and new score badges for anchored/hard-fail states. - Sprint: SPRINT_20260112_004_FE_attested_score_ui.md - [x] **B2R2 LowUIR IR Lifting for Semantic Binary Analysis** - Status: IMPLEMENTED - B2R2 LowUIR adapter for intermediate representation lifting, bounded lifter pool with ISA warm preload, and Valkey-backed function-level IR cache with PostgreSQL persistence for deterministic semantic fingerprints. - Sprint: SPRINT_20260112_004_BINIDX_b2r2_lowuir_perf_cache.md - [x] **BinaryIndex Ops UI (Lifter Warmness, Bench, Cache Stats, Config View)** - Status: IMPLEMENTED - BinaryIndex ops page with tabbed interface showing lifter warmness, bench latency summary, Valkey function cache stats, and read-only effective configuration with auto-refresh. - Sprint: SPRINT_20260112_005_FE_binaryindex_ops_ui.md - [x] **Dead-Letter Queue Management UI** - Status: IMPLEMENTED - Dead-letter queue browser with message inspection, replay workflows (single/batch/all), error diagnostics panel, and bulk actions for queue management. - Sprint: SPRINT_20251229_030_FE_deadletter_management_ui - [x] **Deployment Monitoring UI (Live Logs, Rollback)** - Status: IMPLEMENTED - Real-time deployment monitoring with per-target progress tracking, live log streaming, deployment actions (pause/resume/cancel), and rollback capabilities. - Sprint: SPRINT_20260110_111_006_FE_deployment_monitoring_ui.md - [x] **Determinization Config Pane UI** - Status: IMPLEMENTED - Dedicated settings pane for configuring determinization parameters (reanalysis interval, confidence thresholds, auto-promote rules) with form validation and live preview of policy effects on grey-queue items. 
- Sprint: SPRINT_20260112_013_FE_determinization_config_pane.md - [x] **Determinization UI Components (Observation State Chip + Uncertainty Indicator)** - Status: IMPLEMENTED - Angular UI components for CVE observation state management: "Unknown (auto-tracking)" chip with next review ETA, uncertainty tier visualization, guardrails status/monitoring badges, decay progress indicator, observation details panel, and observation review queue for pending items. - Sprint: SPRINT_20260106_001_005_FE_determinization_ui.md - [x] **Display Preferences Service (User Setting Toggles)** - Status: IMPLEMENTED - Configurable display settings (showRuntimeOverlays, enableTraceExport, showRiskLine, showSignedOverrideIndicators, graph settings) persisted to localStorage with auto-sync. - Sprint: SPRINT_20260112_004_FE_risk_line_runtime_trace_ui.md - [x] **Environment Management UI (CRUD + Freeze Windows + Targets)** - Status: IMPLEMENTED - Environment management UI with list/detail views, target health monitoring, freeze window editor, and environment settings configuration. - Sprint: SPRINT_20260110_111_002_FE_environment_management_ui.md - [x] **Evidence Card UI Export** - Status: IMPLEMENTED - Evidence card export buttons in evidence pack viewer allowing single-file receipt download in standard and compact formats. - Sprint: SPRINT_20260112_006_FE_evidence_card_ui.md - [x] **Evidence Ribbon UI Component** - Status: IMPLEMENTED - Horizontal evidence ribbon component that displays a compact summary strip of evidence types (SBOM, VEX, attestation, provenance) with color-coded badges and drill-down capability. Integrated into developer and auditor workspace views. - Sprint: batch_38/file_11.md - [x] **Feed Mirror & AirGap Ops UI** - Status: IMPLEMENTED - Feed mirror ops UI with mirror registry list, snapshot management, AirGap import/export with bundle validation, feed version lock for deterministic scans, offline sync status, and bundle freshness warnings. 
- Sprint: SPRINT_20251229_020_FE_feed_mirror_airgap_ops_ui - [x] **Filter Preset Pills with URL Synchronization** - Status: IMPLEMENTED - Always-visible horizontal-scrolling filter chips (7 presets: actionable, prod-runtime, backport-verified, critical-only, needs-review, vex-applied, all-findings) with bidirectional URL synchronization for shareable filter states and copy-URL support. - Sprint: SPRINT_20260103_001_FE_preset_pills_patch_map.md - [x] **Issuer Trust Management UI** - Status: IMPLEMENTED - Issuer directory trust management UI with issuer list, issuer detail view showing keys and trust bundles, key rotation wizard with confirmation, and issuer lifecycle management under Admin > Trust > Issuers. - Sprint: SPRINT_20251229_024_FE_issuer_trust_ui - [x] **Notification Rule Simulation & Escalation Policies** - Status: IMPLEMENTED - Notification rule management with test simulation before activation, escalation policies with multi-level chains, quiet hours configuration, channel management, and delivery history with retry tracking. - Sprint: SPRINT_20251229_045_FE_notification_delivery_audit - [x] **Offline Kit UI Integration** - Status: IMPLEMENTED - Offline Kit UI with OfflineModeService, ManifestValidator, BundleFreshness widget, ReadOnlyGuard, and offline verification workflow for air-gapped environments. - Sprint: SPRINT_20251229_026_PLATFORM_offline_kit_integration - [x] **Operator Quota Dashboard** - Status: IMPLEMENTED - Operator quota dashboard with KPI summary, tenant drill-down, throttle context panel, quota forecasting, and alert configuration. - Sprint: SPRINT_20251229_029_FE_operator_quota_dashboard - [-] **Pack Registry Browser** - Status: PARTIALLY_IMPLEMENTED - TaskRunner pack discovery and management with install/upgrade flows, compatibility checking, version history with changelogs, signature verification, and dependency graph. API client and models exist but dedicated feature module not found. 
- Sprint: SPRINT_20251229_036_FE_pack_registry_browser - [x] **Patch Map Explorer (Heatmap UI)** - Status: IMPLEMENTED - Interactive CSS Grid heatmap showing vendor backport patch coverage across fleet with drill-down to function-level breakdown and paginated affected images. Three API endpoints: aggregated coverage, function-level details, and matching images. - Sprint: SPRINT_20260103_001_FE_preset_pills_patch_map.md - [x] **Platform Health Dashboard** - Status: IMPLEMENTED - Platform health dashboard showing service health grid for 13 services, dependency graph visualization, incident timeline with auto-root-cause suggestions, and aggregate metrics. - Sprint: SPRINT_20251229_032_FE_platform_health_dashboard - [x] **Policy Governance Controls UI** - Status: IMPLEMENTED - Policy governance controls with risk budget dashboard, trust weighting with impact preview, risk profiles CRUD, sealed mode toggle, and policy conflict dashboard with resolution wizard. - Sprint: SPRINT_20251229_047_FE_policy_governance_controls - [x] **Promotion and Approval Queue UI** - Status: IMPLEMENTED - Promotion request form with gate preview, approval queue with filtering, approval detail with gate results display, approve/reject with comments, and batch approval support. - Sprint: SPRINT_20260110_111_005_FE_promotion_approval_ui.md - [x] **Quick-Verify Drawer UI Component** - Status: IMPLEMENTED - Slide-out drawer component for one-click verification of attestation chains, DSSE signatures, and Rekor inclusion proofs directly from any evidence chip or finding row. - Sprint: batch_38/file_13.md - [x] **Quiet-by-Default Triage UX (Lane Toggle + Provenance Breadcrumbs)** - Status: IMPLEMENTED - Default view shows only actionable findings (Quiet lane) with Q/R keyboard shortcuts for lane toggle. Gated bucket summary chips with one-click filters. 
Five-level provenance breadcrumb navigation (image->layer->package->symbol->call-path) with inline attestation badges and SBOM/ReachGraph navigation links. - Sprint: SPRINT_20260106_004_001_FE_quiet_triage_ux_integration.md - [x] **Registry Admin UI** - Status: IMPLEMENTED - Admin UI for registry token service plans with plan list, plan editor for repo scope and action rules, dry-run validation, publish actions, and audit log panel. - Sprint: SPRINT_20251229_023_FE_registry_admin_ui - [x] **Release Management UI (Catalog, Detail, Creation Wizard)** - Status: IMPLEMENTED - Release catalog with filtering/search, release detail view, and multi-step release creation wizard with component selector and bundle comparison. - Sprint: SPRINT_20260110_111_003_FE_release_management_ui.md - [x] **Release Orchestrator Dashboard UI** - Status: IMPLEMENTED - Full dashboard UI for Release Orchestrator showing pipeline overview, pending approvals, active deployments, and recent releases with real-time SignalR updates. - Sprint: SPRINT_20260110_111_001_FE_dashboard_overview.md - [x] **Remediation PR UI Wiring (Open PR from AI Remediate Panel)** - Status: IMPLEMENTED - UI wiring allowing users to open remediation pull requests directly from the AI Remediate panel in the VEX Hub, with a dedicated settings component for configuring SCM integration (repo URL, branch prefix, reviewer groups). - Sprint: SPRINT_20260112_012_FE_remediation_pr_ui_wiring.md - [x] **SBOM Diff Side-by-Side Panel** - Status: IMPLEMENTED - Side-by-side visual comparison panel showing packages added/removed/changed between two SBOM versions, with highlighted risk changes for before/after risk state comparison. 
- Sprint: SPRINT_20251226_004_FE_risk_dashboard.md - [x] **Scanner Ops Settings UI** - Status: IMPLEMENTED - Scanner ops UI with offline kit management (upload/download/verify), baseline list with compare and promote flows, determinism/replay settings, analyzer plugin health dashboard, cache metrics, and scan performance baseline comparison. - Sprint: SPRINT_20251229_025_FE_scanner_ops_settings_ui - [x] **Scheduler & Orchestrator Ops UI** - Status: IMPLEMENTED - Ops UI for scheduler runs, worker fleet dashboard with fair-share visualization, backpressure warnings, and DAG visualization for task dependencies. - Sprint: SPRINT_20251229_017_FE_scheduler_orchestrator_ops_ui - [x] **Secret Detection UI (Settings, Findings, Exceptions, Alerts)** - Status: IMPLEMENTED - Angular UI for secret detection management: settings page with enable/disable toggle and revelation policy selector, findings list with masked value display, exception manager with validation forms, and alert destination configuration with channel test functionality. - Sprint: SPRINT_20260104_008_FE_secret_detection_ui.md - [x] **Setup Wizard Live API Wiring (Replacing Mocks)** - Status: IMPLEMENTED - Replaced mocked setup wizard calls with real HttpClient calls to Platform setup endpoints including Problem+JSON error handling, retry state tracking, data freshness banners, and deterministic unit tests. - Sprint: SPRINT_20260112_005_FE_setup_wizard_ui_wiring.md - [-] **Signals & Runtime Dashboard** - Status: PARTIALLY_IMPLEMENTED - eBPF/ETW/dyld probe status monitoring, signal collection metrics, anomaly alerts, host coverage map, and real-time event stream. API client and models exist but dedicated feature UI module not found as standalone directory. 
- Sprint: SPRINT_20251229_037_FE_signals_runtime_dashboard - [x] **Signed VEX Override Badge (DSSE Status Display)** - Status: IMPLEMENTED - SignedOverrideBadgeComponent displaying DSSE badge with verification status, optional expanded details (digest, signer, timestamp, Rekor link), and ASCII-only indicators. - Sprint: SPRINT_20260112_004_FE_risk_line_runtime_trace_ui.md - [x] **SLO Burn Rate Monitoring UI** - Status: IMPLEMENTED - SLO health dashboard with multi-window burn rate calculation (1h/6h/24h/72h Google SRE methodology), alert lifecycle management (fire/ack/resolve/snooze), error budget forecasting, and SLO CRUD. - Sprint: SPRINT_20251229_031_FE_slo_burn_rate_monitoring - [x] **StellaBundle Export Button Component** - Status: IMPLEMENTED - One-click StellaBundle export call-to-action button that packages SBOM + VEX + attestations + provenance + Rekor receipts into a single downloadable evidence bundle. Placed contextually in finding details, evidence panels, and export center. - Sprint: batch_38/file_17.md - [x] **Trust Scoring Dashboard UI** - Status: IMPLEMENTED - Trust administration dashboard with signing key management including rotation wizard, issuer trust scores, air-gap audit feed, incident audit, and mTLS certificate inventory. - Sprint: SPRINT_20251229_046_FE_trust_scoring_dashboard - [x] **Unified Audit Log Viewer** - Status: IMPLEMENTED - Cross-module unified audit log viewer with config diff viewer (Monaco-based), event correlation timeline, anomaly detection highlights, and timeline search. - Sprint: SPRINT_20251229_028_FE_unified_audit_log_viewer - [x] **Unknowns Tracking UI** - Status: IMPLEMENTED - Unknowns tracking UI with component list showing confidence scores, identification candidates, manual resolution workflow, fingerprint matching, and SBOM completeness impact analysis. 
- Sprint: SPRINT_20251229_033_FE_unknowns_tracking_ui - [x] **Verdict "Why" Summary Bullets Component** - Status: IMPLEMENTED - Component displaying 3-5 bullet-point explanations of verdict drivers for a given delta verdict, enabling quick PM understanding of why a release was marked Routine/Review/Block. - Sprint: SPRINT_20251226_004_FE_risk_dashboard.md - [x] **VEX Merge Panel Three-Column Layout** - Status: IMPLEMENTED - Three-column VEX merge panel (source A / merged result / source B) with inline conflict resolution, lattice-based merge visualization, and trust provenance annotations. Enhances the existing VEX merge workflow with side-by-side comparison. - Sprint: batch_38/file_16.md - [x] **Visual Workflow Editor (DAG-Based)** - Status: IMPLEMENTED - Visual DAG-based workflow editor with drag-and-drop step palette, step configuration panel, connection validation, and YAML view with syntax highlighting. - Sprint: SPRINT_20260110_111_004_FE_workflow_editor.md ### Zastava (10 features) - [-] **eBPF Probe Manager** - Status: PARTIALLY_IMPLEMENTED - eBPF probe manager exists as a single file, suggesting early-stage implementation of kernel-level container observation. - Modules: `src/Zastava` - [x] **ELF Build-ID Correlation and DSO Tracking** - Status: IMPLEMENTED - ELF Build-ID reader for correlating runtime binaries with SBOM entries and collecting runtime process facts including DSO information. - Modules: `src/Zastava` - [x] **Runtime Posture Evaluation** - Status: IMPLEMENTED - Runtime posture evaluator that assesses the security posture of running containers with caching support. - Modules: `src/Zastava` - [x] **Verdict Observer/Validator/Ledger** - Status: IMPLEMENTED - Verdict subsystem with observer, validator, and ledger interfaces for tracking security verdicts at runtime. 
  - Modules: `src/Zastava`
- [x] **Zastava Admission Webhook**
  - Status: IMPLEMENTED
  - Full admission webhook with policy-based container admission control, facet validation, image digest resolution, and admission review parsing.
  - Modules: `src/Zastava`
- [x] **Zastava Runtime Observer (CRI Container Lifecycle Tracking)**
  - Status: IMPLEMENTED
  - Full CRI-based container runtime observer with lifecycle tracking, state tracking, and polling. Supports both CRI (Linux) and Docker Windows runtimes.
  - Modules: `src/Zastava`
- [x] **Windows Container Runtime Support**
  - Status: IMPLEMENTED
  - Windows container runtime monitoring with ETW event source integration, PE format library hashing, and Windows-specific container lifecycle tracking within the Zastava Observer.
  - Modules: `src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/Windows/`
  - Sprint: SPRINT_0420_0001_0001_zastava_hybrid_gaps.md
- [x] **Zastava Agent (VM/Bare-Metal Docker Socket Deployment)**
  - Status: IMPLEMENTED
  - Standalone agent for VM and bare-metal hosts that monitors Docker socket events for container lifecycle tracking. Alternative to the CRI-based Observer for non-Kubernetes environments, with systemd service deployment and Ansible provisioning support.
  - Modules: `src/Zastava/StellaOps.Zastava.Agent/`
  - Sprint: SPRINT_0420_0001_0001_zastava_hybrid_gaps.md
- [x] **Zastava Contract Validators**
  - Status: IMPLEMENTED
  - Runtime and admission contract validators enforcing tenant-scoped binding rules, configuration schema compliance, and threshold-based verdicts for Zastava observer and webhook components.
  - Sprint: SPRINT_0144_0001_0001_zastava_runtime_signals.md
- [x] **Zastava Verdict Hashing and Security**
  - Status: IMPLEMENTED
  - Deterministic verdict hashing for Zastava decisions with security-hardened serialization, supporting DSSE-signed observer and admission schemas and zastava-kit bundle verification.
  - Sprint: SPRINT_0144_0001_0001_zastava_runtime_signals.md

### __Analyzers (1 feature)

- [x] **Roslyn Analyzer for Canonicalization Enforcement (STELLA0100)**
  - Status: IMPLEMENTED
  - Custom Roslyn static analyzer (diagnostic STELLA0100) that enforces canonicalization boundaries at compile time. Detects code paths that cross resolver boundaries without proper canonicalization, preventing non-deterministic serialization from leaking into deterministic evaluation pipelines. Includes ResolverBoundaryAttribute for marking boundary methods.
  - Modules: `src/__Analyzers/`, `src/__Libraries/`
  - Sprint: SPRINT_20251226_007_BE_determinism_gaps.md

### __Libraries (27 features)

- [x] **Determinism Gate Testing Infrastructure**
  - Status: IMPLEMENTED
  - Dedicated determinism testing library and TestKit deterministic helpers for CI-gated canonical output verification.
  - Modules: `src/__Libraries/StellaOps.TestKit, src/__Libraries/StellaOps.Testing.Determinism`
- [x] **Deterministic Replay Contract (Feed/Tool/Rule Pinning)**
  - Status: IMPLEMENTED
  - Replay manifests pin feed snapshots, tool versions, rule packs, and scoring inputs with content-addressed hashes. Validation ensures CAS integrity and deterministic sorting.
  - Modules: `src/__Libraries/StellaOps.DeltaVerdict, src/__Libraries/StellaOps.Replay.Core`
- [x] **Distro-Specific Version Comparators**
  - Status: IMPLEMENTED
  - All three major distro version comparators implemented: dpkg EVR (Debian/Ubuntu), RPMVERCMP (RHEL/Fedora/SUSE), and APK version models.
  - Modules: `src/__Libraries/StellaOps.VersionComparison`
- [x] **Doctor Health Check Plugins (Attestation + Verification + Integration)**
  - Status: IMPLEMENTED
  - Doctor plugin system with attestation checks, verification checks, integration checks (registry referrers API, push/pull authorization, credentials), service graph plugin, security plugin, observability plugin, and notification plugin. The advisory itself states "IMPLEMENTED on 2026-01-16".
  - Modules: `src/__Libraries/StellaOps.Doctor.Plugins.Attestation, src/__Libraries/StellaOps.Doctor.Plugins.Verification, src/__Libraries/__Tests/StellaOps.Doctor.Plugins.Integration.Tests`
- [x] **eIDAS Qualified Timestamp Support**
  - Status: IMPLEMENTED
  - Full eIDAS qualified timestamp signing and verification provider with TSP client integration.
  - Modules: `src/__Libraries/StellaOps.Cryptography.Plugin.EIDAS`
- [x] **Evidence Graph with Validation**
  - Status: IMPLEMENTED
  - Evidence graph model with pre-traversal validation, cycle detection, and policy integration.
  - Modules: `src/__Libraries/StellaOps.Resolver`
- [x] **OCSP/CRL Certificate Status Provider**
  - Status: IMPLEMENTED
  - Full OCSP client and CRL fetcher for certificate revocation checking, as specified in the advisory.
  - Modules: `src/__Libraries/StellaOps.Cryptography.CertificateStatus`
- [x] **Replay Manifest (Deterministic Replay)**
  - Status: IMPLEMENTED
  - Complete replay manifest system with versioning, export, validation, CAS (content-addressed storage) integration, and reachability-specific replay writers. Enables deterministic re-computation of verdicts.
  - Modules: `src/__Libraries/StellaOps.Replay.Core`
- [x] **Replayable evidence packs (time-stamped queryable bundles for audits)**
  - Status: IMPLEMENTED
  - Replay executor with drift tracking, verdict attestation, and E2E tests implement time-travel replay of evidence bundles for audit use cases.
  - Modules: `src/__Libraries/StellaOps.AuditPack, src/__Libraries/StellaOps.Replay.Core, src/__Tests`
- [x] **Risk Scoring Rubric with Gate Verdicts (Routine/Review/Block)**
  - Status: IMPLEMENTED
  - Complete gate evaluator with configurable rules, scoring rubric, EPSS/exploit maturity integration, VEX-aware scoring, and gate decisions (allow/warn/block). Gate configuration supports per-environment thresholds.
  - Modules: `src/__Libraries/StellaOps.DeltaVerdict`
- [x] **Runtime Purity Enforcement**
  - Status: IMPLEMENTED
  - Runtime purity enforcement beyond static analysis, addressing the advisory's purity gap.
  - Modules: `src/__Libraries/StellaOps.Resolver`
- [x] **Shared TestKit Library with Deterministic Infrastructure**
  - Status: IMPLEMENTED
  - Comprehensive shared test kit with test categories, deterministic helpers, assertion utilities, fixture support, and observability test infrastructure.
  - Modules: `src/__Libraries/StellaOps.TestKit, src/__Libraries/StellaOps.Testing.Determinism`
- [x] **Unified Deterministic Resolver (DeterministicResolver)**
  - Status: IMPLEMENTED
  - Full deterministic resolver with resolution result, verification, and integration with the trust lattice engine.
  - Modules: `src/__Libraries/StellaOps.Resolver`
- [x] **Verdict Bundle Builder (Scoring + Signing + Rekor Anchoring)**
  - Status: IMPLEMENTED
  - End-to-end verdict bundle pipeline: scoring, normalization, manifest binding, DSSE signing, and Rekor transparency log anchoring with inclusion proof verification.
  - Modules: `src/__Libraries/StellaOps.DeltaVerdict`
- [x] **Canonicalization Version Markers for Content-Addressed Hashing**
  - Status: IMPLEMENTED
  - Embeds a `_canonVersion` field (e.g., "stella:canon:v1") in all content-addressed canonical JSON, enabling version-aware hash verification and graceful migration when canonicalization algorithms change. Includes CanonicalizeVersioned, HashVersioned APIs, and backward compatibility with unversioned hashes. Distinct from "Canonical JSON Serialization (RFC 8785)" which is the base serializer; this adds version tracking to it.
  - Modules: `src/__Libraries/StellaOps.Canonical.Json/`
  - Sprint: SPRINT_8100_0012_0001_canonicalizer_versioning.md
- [x] **Edge Explanation Types for ReachGraph (EdgeExplanationType Vocabulary)**
  - Status: IMPLEMENTED
  - Typed edge explanation vocabulary (EdgeExplanationType enum) for ReachGraph edges, enabling structured "why is this edge present" annotations. Includes guard detection, call-site attribution, and deduplication. Enables the "Why Reachable?" UI panel to display human-readable explanations for each hop in a reachability path.
  - Modules: `src/__Libraries/StellaOps.ReachGraph/`
  - Sprint: SPRINT_1227_0012_0001_LB_reachgraph_core.md
- [x] **Evidence Size Budgets with Retention Tiers**
  - Status: IMPLEMENTED
  - Implements evidence storage budgets with tiered retention (Hot/Warm/Cold/Archive), auto-pruning policies, and usage tracking. Distinct from "Evidence TTL and staleness policy" (expiration) and "DSSE Envelope Size Management" (single envelope sizing). This is a full lifecycle budget management system with compression tiers.
  - Modules: `src/__Libraries/StellaOps.Evidence/`
  - Sprint: SPRINT_7000_0004_0002_evidence_size_budgets.md
- [x] **IGuidProvider Determinism Abstraction Library**
  - Status: IMPLEMENTED
  - New `StellaOps.Determinism.Abstractions` library providing `IGuidProvider` and `SystemGuidProvider`/`SequentialGuidProvider` for deterministic GUID generation. Includes DI extensions and `ResolverBoundaryAttribute`. Sprint completed systematic refactoring across 21 tasks injecting `TimeProvider` and `IGuidProvider` into all modules (~1526+ instances replaced).
  - Modules: `src/__Libraries/StellaOps.Determinism.Abstractions/`, `src/__Libraries/StellaOps.Testing.Determinism/`
  - Sprint: batch_51/file_13.md
- [x] **Policy Lock Generator (Verdict Reproducibility)**
  - Status: IMPLEMENTED
  - Generates deterministic policy lock files that pin the exact policy rules, versions, and evaluation parameters used to produce a verdict. Ensures verdicts can be reproduced identically by capturing the full policy context alongside the CGS hash.
  - Modules: `src/__Libraries/StellaOps.Verdict/`
  - Sprint: SPRINT_20251229_001_001_BE_cgs_infrastructure.md
- [-] **Provcache Signer-Aware Invalidation and Evidence Chunk Paging with Air-Gap Export**
  - Status: PARTIALLY_IMPLEMENTED
  - Large multi-wave sprint: evidence chunk storage (64KB chunks with Merkle verification), paged evidence API, minimal proof bundle export (lite/standard/strict density), signer-aware cache invalidation (SignerSetInvalidator), feed epoch invalidation, lazy evidence fetch (HTTP + sneakernet), revocation ledger, and CLI commands (stella prov export/import). Most waves DONE, but messaging bus subscription tasks (5, 12) and CLI e2e tests (43) are BLOCKED pending service integration. Distinct from "Dete
  - Modules: `src/__Libraries/StellaOps.Provcache/`
  - Sprint: SPRINT_8200_0001_0002_provcache_invalidation_airgap.md
- [x] **Provenance Cache (Provcache) with VeriKey Composite Hash**
  - Status: IMPLEMENTED
  - Provenance Cache (Provcache) backend with VeriKey composite hash (source + SBOM + VEX + policy + signer + time window), DecisionDigest canonicalized evaluation output, Valkey read-through with Postgres write-behind, and Policy Engine integration for cache-accelerated decisions.
  - Modules: `src/__Libraries/StellaOps.Provcache/`
  - Sprint: SPRINT_8200_0001_0001_provcache_core_backend.md
- [x] **StellaVerdict Unified Artifact with JSON-LD Context**
  - Status: IMPLEMENTED
  - Consolidates multiple verdict-related artifacts (score, evidence, attestation, policy trace) into a single unified StellaVerdict schema with JSON-LD context. Includes VerdictAssemblyService for composing verdicts, signing service, PostgreSQL persistence, OCI attestation publisher, and bundle exporter. Distinct from the known "Verdict Bundle Builder" which covers scoring+signing -- this adds the unified schema design and JSON-LD semantic context.
  - Modules: `src/__Libraries/StellaOps.Verdict/`, `src/Scanner/`
  - Sprint: SPRINT_1227_0014_0001_BE_stellaverdict_consolidation.md
- [x] **Triage Quality KPI Collector Infrastructure**
  - Status: IMPLEMENTED
  - KpiCollector service for collecting triage quality metrics (false-positive rate, reachability coverage, explainability score, etc.) with a dashboard API. Distinct from existing TTE/TTFS metrics which measure timing; this measures triage quality outcomes.
  - Modules: `src/__Libraries/StellaOps.Metrics/`
  - Sprint: SPRINT_7000_0005_0001_quality_kpis_tracking.md
- [x] **Unified IEvidence Interface with Cross-Module Adapters**
  - Status: IMPLEMENTED
  - Defines a unified IEvidence interface (SubjectNodeId, EvidenceType, EvidenceId, Payload, Signatures, Provenance) with EvidenceRecord implementation and cross-module adapters (EvidenceBundleAdapter, EvidenceStatementAdapter, ProofSegmentAdapter, VexObservationAdapter). Enables "get evidence for node X" queries across all modules. Distinct from existing "Evidence types" and "Evidence Bundles" which are format-specific; this is the cross-module unification contract.
  - Modules: `src/__Libraries/StellaOps.Evidence.Core/`
  - Sprint: SPRINT_8100_0012_0002_unified_evidence_model.md
- [ ] **Advisory Lens (Core Library and UI)**
  - Status: NOT_FOUND
  - Proposed contextual copilot that learns from organizational data to surface explainable suggestions. Includes core library (semantic case matching), UI components (Lens Panel, inline hints, playbook drawer with dry-run preview). Not yet created; sprint tasks all at TODO status.
  - Modules: `(planned for src/__Libraries/StellaOps.AdvisoryLens, src/Web)`
- [-] **Provcache Invalidation and Evidence Chunk Paging**
  - Status: PARTIALLY_IMPLEMENTED
  - Provcache module exists with Valkey-backed store, write-behind queue, verification key builder. Evidence chunk storage and paged evidence API, signer-aware cache invalidation (SignerSetInvalidator), feed epoch invalidation, lazy evidence fetch, and air-gap export are in various stages. Multiple sprint waves describe this work, with ~90% completion noted.
  - Modules: `src/__Libraries/StellaOps.Provcache/, src/Provenance/, src/Attestor/`
- [x] **RPM EVR Version Comparison**
  - Status: IMPLEMENTED
  - The advisory recommends implementing RPM Epoch:Version-Release parsing and rpmvercmp-equivalent comparison for RHEL/Fedora/SUSE packages. No dedicated implementation was found in the codebase.

### __Tests (13 features)

- [x] **Acceptance Test Packs with Guardrails**
  - Status: IMPLEMENTED
  - Acceptance test packs with guardrail definitions exist under the test fixtures with expected output validation.
  - Modules: `src/__Tests`
- [x] **Air-Gap (No-Egress) Test Enforcement**
  - Status: IMPLEMENTED
  - Network-isolated test base classes and docker container builders that enforce no-egress in CI, with dedicated offline E2E tests.
  - Modules: `src/__Tests/__Libraries/StellaOps.Testing.AirGap, src/__Tests/offline`
- [x] **Chaos/Failure Testing Infrastructure**
  - Status: IMPLEMENTED
  - A chaos testing library exists for failure choreography and integration testing scenarios.
  - Modules: `src/__Tests`
- [x] **Determinism Property-Based Testing**
  - Status: IMPLEMENTED
  - Comprehensive determinism property-based tests covering unicode normalization, SBOM/VEX ordering, floating-point stability, digest computation, and canonical JSON to ensure reproducible verdicts.
  - Modules: `src/__Tests`
- [x] **Deterministic Run Manifest (Replay Key)**
  - Status: IMPLEMENTED
  - Run manifest as a first-class test artifact capturing all inputs (artifact digests, feed snapshots, policy versions, tool versions) needed for byte-identical verdict replay.
  - Modules: `src/__Tests/__Libraries/StellaOps.Testing.Manifests`
- [x] **Expanded Reachability Benchmark Fixtures**
  - Status: IMPLEMENTED
  - Expanded benchmark corpus with real CVE cases (WordPress, Rust/Axum, runc, Redis) and cross-platform test runners.
  - Modules: `src/__Tests/reachability`
- [x] **Golden Corpus (Pinned Test Fixtures)**
  - Status: IMPLEMENTED
  - Versioned golden corpus with curated artifacts including container images, SBOMs, VEX examples, vulnerability feed snapshots, expected verdicts, and golden backport fixtures.
  - Modules: `src/__Tests`
- [x] **Ground-Truth Reachability Test Corpus**
  - Status: IMPLEMENTED
  - Multi-language ground-truth corpus exists with schema, manifest, labeled samples (PHP, JS, C#), and reproduction scripts for benchmarking scanner accuracy.
  - Modules: `src/__Tests/reachability`
- [x] **Public Reachability Benchmark Dataset**
  - Status: IMPLEMENTED
  - Complete reachability benchmark dataset with JSON/YAML schemas for ground truth, traces, submissions, cases, coverage, and entrypoints. Includes website, submission guide, and legal notices (LICENSE/NOTICE).
  - Modules: `src/__Tests/__Benchmarks/reachability-benchmark`
- [x] **Schema Evolution Testing**
  - Status: IMPLEMENTED
  - Schema evolution test base for verifying database migration forward/backward compatibility in CI.
  - Modules: `src/__Tests`
- [x] **Testcontainers Integration (.NET xUnit)**
  - Status: IMPLEMENTED
  - Testcontainers used for Postgres integration fixtures, router chaos testing, and OCI registry testing with multiple container types.
  - Modules: `src/__Tests`
- [ ] **Multi-Runtime Reachability Corpus (Go, .NET, Python, Rust)**
  - Status: NOT_FOUND
  - The multi-runtime reachability validation corpus with minimal apps per runtime, EXPECT.yaml ground truth, and runtime trace capture scripts is not implemented as a standalone test corpus.
- [ ] **Golden Benchmark Fixtures (Core-10)**
  - Status: NOT_FOUND
  - The advisory describes 10 golden reachability benchmark fixtures (C, Java, .NET, Python, container), but no pre-built fixture datasets were found in the source tree. The ReachGraph service infrastructure exists but the specific Core-10 fixture data files are not present.

### devops (2 features)

- [x] **PostgreSQL Backend for Rekor Metadata**
  - Status: IMPLEMENTED
  - PostgreSQL-based Rekor backend with checkpoint storage, submission queue tables, and VEX-Rekor linkage migration.
  - Modules: `devops, src/Attestor`
- [x] **VEX-Rekor Linkage**
  - Status: IMPLEMENTED
  - Database migration linking VEX observations to Rekor entries for transparent VEX decision tracking.
  - Modules: `devops, src/Attestor, src/Excititor`

### docs (4 features)

- [x] **Developer Onboarding / Quick Start Documentation**
  - Status: IMPLEMENTED
  - Quick start guide and development documentation exist covering setup, testing, and local CI workflows.
  - Modules: `docs`
- [x] **Implementor Guidelines Document**
  - Status: IMPLEMENTED
  - The implementor guidelines document exists at the declared path covering operational checklists for code and doc changes.
  - Modules: `docs`
- [ ] **MI6 - Component-to-Interaction Token Mapping Document**
  - Status: NOT_FOUND
  - The advisory specifies a mapping document linking components to interaction types and token usage. This document was not found in the docs directory.
  - Modules: `docs`
- [ ] **Unified Triage Specification Document**
  - Status: NOT_FOUND
  - The consolidation README references a unified triage specification document that merges all three advisory concepts. The actual features described in that spec are implemented in code (see features from files 00-02 above).
  - Modules: `docs/modules/web`