# Sprint 110 - Ingestion & Evidence
[Ingestion & Evidence] 110.A) AdvisoryAI
Depends on: Sprint 100.A - Attestor
Summary: Ingestion & Evidence focus on AdvisoryAI.
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
AIAI-31-001 | TODO | Implement structured and vector retrievers for advisories/VEX with paragraph anchors and citation metadata. | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md)
AIAI-31-002 | TODO | Build SBOM context retriever (purl version timelines, dependency paths, env flags, blast radius estimator). | Advisory AI Guild, SBOM Service Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md)
AIAI-31-003 | TODO | Implement deterministic toolset (version comparators, range checks, dependency analysis, policy lookup) exposed via orchestrator. | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md)
AIAI-31-004 | TODO | Build orchestration pipeline for Summary/Conflict/Remediation tasks (prompt templates, tool calls, token budgets, caching). | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md)
AIAI-31-005 | TODO | Implement guardrails (redaction, injection defense, output validation, citation enforcement) and fail-safe handling. | Advisory AI Guild, Security Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md)
AIAI-31-006 | TODO | Expose REST API endpoints (`/advisory/ai/*`) with RBAC, rate limits, OpenAPI schemas, and batching support. | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md)
AIAI-31-007 | TODO | Instrument metrics (`advisory_ai_latency`, `guardrail_blocks`, `validation_failures`, `citation_coverage`), logs, and traces; publish dashboards/alerts. | Advisory AI Guild, Observability Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md)
AIAI-31-008 | TODO | Package inference on-prem container, remote inference toggle, Helm/Compose manifests, scaling guidance, offline kit instructions. | Advisory AI Guild, DevOps Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md)
AIAI-31-009 | TODO | Develop unit/golden/property/perf tests, injection harness, and regression suite; ensure determinism with seeded caches. | Advisory AI Guild, QA Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md)
[Ingestion & Evidence] 110.B) Concelier.I
Depends on: Sprint 100.A - Attestor
Summary: Ingestion & Evidence focus on Concelier (phase I).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-AIAI-31-001 `Paragraph anchors` | TODO | Expose advisory chunk API returning paragraph anchors, section metadata, and token-safe text for Advisory AI retrieval. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-AIAI-31-002 `Structured fields` | TODO | Ensure observation APIs expose upstream workaround/fix/CVSS fields with provenance; add caching for summary queries. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-AIAI-31-003 `Advisory AI telemetry` | TODO | Emit metrics/logs for chunk requests, cache hits, and guardrail blocks triggered by advisory payloads. | Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-AIRGAP-56-001 `Mirror ingestion adapters` | TODO | Add mirror source adapters reading advisories from imported bundles, preserving source metadata and bundle IDs. Ensure ingestion remains append-only. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-AIRGAP-56-002 `Bundle catalog linking` | TODO | Persist `bundle_id`, `merkle_root`, and time anchor references on observations/linksets for provenance. | Concelier Core Guild, AirGap Importer Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-AIRGAP-57-001 `Sealed-mode source restrictions` | TODO | Enforce sealed-mode egress rules by disallowing non-mirror connectors and surfacing remediation errors. | Concelier Core Guild, AirGap Policy Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-AIRGAP-57-002 `Staleness annotations` | TODO | Compute staleness metadata for advisories per bundle and expose via API for Console/CLI badges. | Concelier Core Guild, AirGap Time Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-AIRGAP-58-001 `Portable advisory evidence` | TODO | Package advisory evidence fragments into portable evidence bundles for cross-domain transfer. | Concelier Core Guild, Evidence Locker Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-ATTEST-73-001 `ScanResults attestation inputs` | TODO | Provide observation artifacts and linkset digests needed for ScanResults attestations (raw data + provenance, no merge outputs). | Concelier Core Guild, Attestor Service Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-ATTEST-73-002 `Transparency metadata` | TODO | Ensure Concelier exposes source digests for transparency proofs and explainability. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-CONSOLE-23-001 `Advisory aggregation views` | TODO | Expose `/console/advisories` endpoints returning aggregation groups (per linkset) with source chips, provider-reported severity columns (no local consensus), and provenance metadata for Console list + dashboard cards. Support filters by source, ecosystem, published/modified window, tenant enforcement. | Concelier WebService Guild, BE-Base Platform Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-CONSOLE-23-002 `Dashboard deltas API` | TODO | Provide aggregated advisory delta counts (new, modified, conflicting) for Console dashboard + live status ticker; emit structured events for queue lag metrics. Ensure deterministic counts across repeated queries. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-CONSOLE-23-003 `Search fan-out helpers` | TODO | Deliver fast lookup endpoints for CVE/GHSA/purl search (linksets, observations) returning evidence fragments for Console global search; implement caching + scope guards. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-CORE-AOC-19-004 `Remove ingestion normalization` | DOING (2025-10-28) | Strip normalization/dedup/severity logic from ingestion pipelines, delegate derived computations to Policy Engine, and update exporters/tests to consume raw documents only.<br>2025-10-29 19:05Z: Audit completed for `AdvisoryRawService`/Mongo repo to confirm alias order/dedup removal persists; identified remaining normalization in observation/linkset factory that will be revised to surface raw duplicates for Policy ingestion. Change sketch + regression matrix drafted under `docs/dev/aoc-normalization-removal-notes.md` (pending commit).<br>2025-10-31 20:45Z: Added raw linkset projection to observations/storage, exposing canonical+raw views, refreshed fixtures/tests, and documented behaviour in models/doc factory.<br>2025-10-31 21:10Z: Coordinated with Policy Engine (POLICY-ENGINE-20-003) on adoption timeline; backfill + consumer readiness tracked in `docs/dev/raw-linkset-backfill-plan.md`. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-CORE-AOC-19-013 `Authority tenant scope smoke coverage` | TODO | Extend Concelier smoke/e2e fixtures to configure `requiredTenants` and assert cross-tenant rejection with updated Authority tokens. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
[Ingestion & Evidence] 110.B) Concelier.II
Depends on: Sprint 110.B - Concelier.I
Summary: Ingestion & Evidence focus on Concelier (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-GRAPH-21-001 `SBOM projection enrichment` | BLOCKED (2025-10-27) | Extend SBOM normalization to emit full relationship graph (depends_on/contains/provides), scope tags, entrypoint annotations, and component metadata required by Cartographer. | Concelier Core Guild, Cartographer Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-GRAPH-21-002 `Change events` | BLOCKED (2025-10-27) | Publish change events (new SBOM version, relationship delta) for Cartographer build queue; ensure events include tenant/context metadata. | Concelier Core Guild, Scheduler Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-GRAPH-24-101 `Advisory summary API` | TODO | Expose `/advisories/summary` returning raw linkset/observation metadata for overlay services; no derived severity or fix hints. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-GRAPH-28-102 `Evidence batch API` | TODO | Add batch fetch for advisory observations/linksets keyed by component sets to feed Graph overlay tooltips efficiently. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-LNM-21-001 `Advisory observation schema` | TODO | Introduce immutable `advisory_observations` model with AOC metadata, raw payload pointers, structured per-source fields (version ranges, severity, CVSS), and tenancy guardrails; publish schema definition. `DOCS-LNM-22-001` blocked pending this deliverable. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-LNM-21-002 `Linkset builder` | TODO | Implement correlation pipeline (alias graph, PURL overlap, CVSS vector equality, fuzzy title match) that produces `advisory_linksets` with confidence + conflict annotations. Docs note: unblock `DOCS-LNM-22-001` once builder lands. | Concelier Core Guild, Data Science Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-LNM-21-003 `Conflict annotator` | TODO | Detect field disagreements (severity, CVSS, ranges, references) and record structured conflicts on linksets; surface to API/UI. Docs awaiting structured conflict payloads. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-LNM-21-004 `Merge code removal` | TODO | Excise existing merge/dedup logic, enforce immutability on observations, and add guards/tests to prevent future merges. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-LNM-21-005 `Event emission` | TODO | Emit `advisory.linkset.updated` events with delta payloads for downstream Policy Engine/Cartographer consumers; ensure idempotent delivery. | Concelier Core Guild, Platform Events Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-LNM-21-101 `Observations collections` | TODO | Provision `advisory_observations` and `advisory_linksets` collections with hashed shard keys, TTL for ingest metadata, and required indexes (`aliases`, `purls`, `observation_ids`). | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md)
CONCELIER-LNM-21-102 `Migration tooling` | TODO | Backfill legacy merged advisories into observation/linkset collections, create tombstones for merged docs, and supply rollback scripts. | Concelier Storage Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md)
CONCELIER-LNM-21-103 `Blob/store wiring` | TODO | Store large raw payloads in object storage with pointers from observations; update bootstrapper/offline kit to seed sample blobs. | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md)
CONCELIER-LNM-21-201 `Observation APIs` | TODO | Add REST endpoints for advisory observations (`GET /advisories/observations`) with filters (alias, purl, source), pagination, and tenancy enforcement. | Concelier WebService Guild, BE-Base Platform Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-LNM-21-202 `Linkset APIs` | TODO | Implement linkset read/export endpoints (`/advisories/linksets/{id}`, `/advisories/by-purl/{purl}`, `/advisories/linksets/{id}/export`, `/evidence`) with correlation/conflict payloads and `ERR_AGG_*` mapping. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-LNM-21-203 `Ingest events` | TODO | Publish NATS/Redis events for new observations/linksets and ensure idempotent consumer contracts; document event schemas. | Concelier WebService Guild, Platform Events Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
[Ingestion & Evidence] 110.B) Concelier.III
Depends on: Sprint 110.B - Concelier.II
Summary: Ingestion & Evidence focus on Concelier (phase III).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-OAS-61-001 `Spec coverage` | TODO | Update Concelier OAS with advisory observation/linkset endpoints, standard pagination, and source provenance fields. | Concelier Core Guild, API Contracts Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-OAS-61-002 `Examples library` | TODO | Provide rich examples for advisories, linksets, conflict annotations used by SDK + docs. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-OAS-62-001 `SDK smoke tests` | TODO | Add SDK tests covering advisory search, pagination, and conflict handling; ensure source metadata surfaced. | Concelier Core Guild, SDK Generator Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-OAS-63-001 `Deprecation headers` | TODO | Implement deprecation header support and timeline events for retiring endpoints. | Concelier Core Guild, API Governance Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-OBS-50-001 `Telemetry adoption` | TODO | Replace ad-hoc logging with telemetry core across ingestion/linking pipelines; ensure spans/logs include tenant, source vendor, upstream id, content hash, and trace IDs. | Concelier Core Guild, Observability Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-OBS-51-001 `Metrics & SLOs` | TODO | Emit metrics for ingest latency (cold/warm), queue depth, aoc violation rate, and publish SLO burn-rate alerts (ingest P95 <30s cold / <5s warm). Ship dashboards + alert configs. | Concelier Core Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-OBS-52-001 `Timeline events` | TODO | Emit `timeline_event` records for advisory ingest/normalization/linkset creation with provenance, trace IDs, conflict summaries, and evidence placeholders. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-OBS-53-001 `Evidence snapshots` | TODO | Produce advisory evaluation bundle payloads (raw doc, linkset, normalization diff) for evidence locker; ensure Merkle manifests seeded with content hashes. | Concelier Core Guild, Evidence Locker Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-OBS-54-001 `Attestation & verification` | TODO | Attach DSSE attestations for advisory processing batches, expose verification API to confirm bundle integrity, and link attestation IDs back to timeline + ledger. | Concelier Core Guild, Provenance Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-OBS-55-001 `Incident mode hooks` | TODO | Increase sampling, capture raw payload snapshots, and extend retention under incident mode; emit activation events + guardrails against PII leak. | Concelier Core Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-ORCH-32-001 `Source registry integration` | TODO | Register Concelier data sources with orchestrator (metadata, schedules, rate policies) and wire provenance IDs/security scopes. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-ORCH-32-002 `Worker SDK adoption` | TODO | Embed orchestrator worker SDK in ingestion loops, emit heartbeats/progress/artifact hashes, and enforce idempotency keys. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-ORCH-33-001 `Control hook compliance` | TODO | Honor orchestrator throttle/pause/retry actions, surface structured error classes, and persist safe checkpoints for resume. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-ORCH-34-001 `Backfill + ledger linkage` | TODO | Execute orchestrator-driven backfills, reuse artifact hashes to avoid duplicates, and link provenance to run ledger exports. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-POLICY-20-001 `Policy selection endpoints` | TODO | Add batch advisory lookup APIs (`/policy/select/advisories`, `/policy/select/vex`) optimized for PURL/ID lists with pagination, tenant scoping, and explain metadata. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
[Ingestion & Evidence] 110.B) Concelier.IV
Depends on: Sprint 110.B - Concelier.III
Summary: Ingestion & Evidence focus on Concelier (phase IV).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-POLICY-20-002 `Linkset enrichment for policy` | TODO | Strengthen linkset builders with vendor-specific equivalence tables, NEVRA/PURL normalization, and version range parsing to maximize policy join recall; update fixtures + docs. | Concelier Core Guild, Policy Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-POLICY-20-003 `Selection cursors` | TODO | Add advisory/vex selection cursors (per policy run) with change stream checkpoints, indexes, and offline migration scripts to support incremental evaluations. | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md)
CONCELIER-POLICY-23-001 `Evidence indexes` | TODO | Add secondary indexes/materialized views to accelerate policy lookups (alias, provider severity per observation, correlation confidence). Document query contracts for runtime. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-POLICY-23-002 `Event guarantees` | TODO | Ensure `advisory.linkset.updated` emits at-least-once with idempotent keys and include policy-relevant metadata (confidence, conflict summary). | Concelier Core Guild, Platform Events Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-RISK-66-001 `CVSS/KEV providers` | TODO | Expose CVSS, KEV, fix availability data via provider APIs with source metadata preserved. | Concelier Core Guild, Risk Engine Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-RISK-66-002 `Fix availability signals` | TODO | Provide structured fix availability and release metadata consumable by risk engine; document provenance. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-RISK-67-001 `Source coverage metrics` | TODO | Add per-source coverage metrics for linked advisories (observation counts, conflicting statuses) without computing consensus scores; ensure explainability includes source digests. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-RISK-68-001 `Policy Studio integration` | TODO | Surface advisory fields in Policy Studio profile editor (signal pickers, reducers). | Concelier Core Guild, Policy Studio Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-RISK-69-001 `Notification hooks` | TODO | Emit events when advisory signals change impacting risk scores (e.g., fix available). | Concelier Core Guild, Notifications Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-SIG-26-001 `Vulnerable symbol exposure` | TODO | Expose advisory metadata (affected symbols/functions) via API to enrich reachability scoring; update fixtures. | Concelier Core Guild, Signals Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-STORE-AOC-19-005 `Raw linkset backfill` | TODO (2025-11-04) | Plan and execute advisory_observations `rawLinkset` backfill (online + Offline Kit bundles), supply migration scripts + rehearse rollback. Follow the coordination plan in `docs/dev/raw-linkset-backfill-plan.md`. | Concelier Storage Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md)
CONCELIER-TEN-48-001 `Tenant-aware linking` | TODO | Ensure advisory normalization/linking runs per tenant with RLS enforcing isolation; emit capability endpoint reporting `merge=false`; update events with tenant context. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-VEXLENS-30-001 `Advisory rationale bridges` | TODO | Guarantee advisory key consistency and cross-links for consensus rationale; Label: VEX-Lens. | Concelier WebService Guild, VEX Lens Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-VULN-29-001 `Advisory key canonicalization` | TODO | Canonicalize (lossless) advisory identifiers (CVE/GHSA/vendor) into `advisory_key`, persist `links[]`, expose raw payload snapshots for Explorer evidence tabs; AOC-compliant: no merge, no derived fields, no suppression. Include migration/backfill scripts. | Concelier WebService Guild, Data Integrity Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-VULN-29-002 `Evidence retrieval API` | TODO | Provide `/vuln/evidence/advisories/{advisory_key}` returning raw advisory docs with provenance, filtering by tenant and source. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
[Ingestion & Evidence] 110.B) Concelier.V
Depends on: Sprint 110.B - Concelier.IV
Summary: Ingestion & Evidence focus on Concelier (phase V).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-VULN-29-004 `Observability enhancements` | TODO | Instrument metrics/logs for observation + linkset pipelines (identifier collisions, withdrawn flags) and emit events consumed by Vuln Explorer resolver. | Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-AIRGAP-56-001 `Mirror import APIs` | TODO | Extend ingestion endpoints to register mirror bundle sources, expose bundle catalog queries, and block external feed URLs in sealed mode. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-AIRGAP-56-002 `Airgap status surfaces` | TODO | Add staleness metadata and bundle provenance to advisory APIs (`/advisories/observations`, `/advisories/linksets`). | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-AIRGAP-57-001 `Error remediation` | TODO | Map sealed-mode violations to `AIRGAP_EGRESS_BLOCKED` responses with user guidance. | Concelier WebService Guild, AirGap Policy Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-AIRGAP-58-001 `Import timeline emission` | TODO | Emit timeline events for bundle ingestion operations with bundle ID, scope, and actor metadata. | Concelier WebService Guild, AirGap Importer Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-AOC-19-002 `AOC observability` | TODO | Emit `ingestion_write_total`, `aoc_violation_total`, latency histograms, and tracing spans (`ingest.fetch/transform/write`, `aoc.guard`). Wire structured logging to include tenant, source vendor, upstream id, and content hash. | Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-AOC-19-003 `Schema/guard unit tests` | TODO | Add unit tests covering schema validation failures, forbidden field rejections (`ERR_AOC_001/002/006/007`), idempotent upserts, and supersedes chains using deterministic fixtures. | QA Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-AOC-19-004 `End-to-end ingest verification` | TODO | Create integration tests ingesting large advisory batches (cold/warm) validating linkset enrichment, metrics emission, and reproducible outputs. Capture load-test scripts + doc notes for Offline Kit dry runs. | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-OAS-61-001 `/.well-known/openapi` | TODO | Implement discovery endpoint emitting Concelier spec with version metadata and ETag. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-OAS-61-002 `Error envelope migration` | TODO | Ensure all API responses use standardized error envelope; update controllers/tests. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-OAS-62-001 `Examples expansion` | TODO | Add curated examples for advisory observations/linksets/conflicts; integrate into dev portal. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-OAS-63-001 `Deprecation headers` | TODO | Add Sunset/Deprecation headers for retiring endpoints and update documentation/notifications. | Concelier WebService Guild, API Governance Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-OBS-50-001 `Telemetry adoption` | TODO | Adopt telemetry core in web service host, ensure ingest + read endpoints emit trace/log fields (`tenant_id`, `route`, `decision_effect`), and add correlation IDs to responses. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-OBS-51-001 `Observability APIs` | TODO | Surface ingest health metrics, queue depth, and SLO status via `/obs/concelier/health` endpoint for Console widgets, with caching and tenant partitioning. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-OBS-52-001 `Timeline streaming` | TODO | Provide SSE stream `/obs/concelier/timeline` bridging to Timeline Indexer with paging tokens, guardrails, and audit logging. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
[Ingestion & Evidence] 110.B) Concelier.VI
Depends on: Sprint 110.B - Concelier.V
Summary: Ingestion & Evidence focus on Concelier (phase VI).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-WEB-OBS-53-001 `Evidence locker integration` | TODO | Add `/evidence/advisories/*` routes invoking evidence locker snapshots, verifying tenant scopes (`evidence:read`), and returning signed manifest metadata. | Concelier WebService Guild, Evidence Locker Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-OBS-54-001 `Attestation exposure` | TODO | Provide `/attestations/advisories/*` read APIs surfacing DSSE status, verification summary, and provenance chain for Console/CLI. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-OBS-55-001 `Incident mode toggles` | TODO | Implement incident mode toggle endpoints, propagate to orchestrator/locker, and document cooldown/backoff semantics. | Concelier WebService Guild, DevOps Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
FEEDCONN-CCCS-02-009 Version range provenance (Oct 2025) | BE-Conn-CCCS | **TODO (due 2025-10-21)** – Map CCCS advisories into the new `advisory_observations.affected.versions[]` structure, preserving each upstream range with provenance anchors (`cccs:{serial}:{index}`) and normalized comparison keys. Update mapper tests/fixtures for the Link-Not-Merge schema and verify linkset builders consume the ranges without relying on legacy merge counters.<br>2025-10-29: `docs/dev/normalized-rule-recipes.md` now documents helper snippets for building observation version entries—use them instead of merge-specific builders and refresh fixtures with `UPDATE_CCCS_FIXTURES=1`. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs/TASKS.md)
FEEDCONN-CERTBUND-02-010 Version range provenance | BE-Conn-CERTBUND | **TODO (due 2025-10-22)** – Translate `product.Versions` phrases (e.g., `2023.1 bis 2024.2`, `alle`) into comparison helpers for `advisory_observations.affected.versions[]`, capturing provenance (`certbund:{advisoryId}:{vendor}`) and localisation notes. Update mapper/tests for the Link-Not-Merge schema and refresh documentation accordingly. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund/TASKS.md)
FEEDCONN-CISCO-02-009 SemVer range provenance | BE-Conn-Cisco | **TODO (due 2025-10-21)** – Emit Cisco SemVer ranges into `advisory_observations.affected.versions[]` with provenance identifiers (`cisco:{productId}`) and deterministic comparison keys. Update mapper/tests for the Link-Not-Merge schema and replace legacy merge counter checks with observation/linkset validation. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco/TASKS.md)
FEEDCONN-ICSCISA-02-012 Version range provenance | BE-Conn-ICS-CISA | **TODO (due 2025-10-23)** – Promote existing firmware/semver data into `advisory_observations.affected.versions[]` entries with deterministic comparison keys and provenance identifiers (`ics-cisa:{advisoryId}:{product}`). Add regression coverage for mixed firmware strings and raise a Models ticket only when observation schema needs a new comparison helper.<br>2025-10-29: Follow `docs/dev/normalized-rule-recipes.md` §2 to build observation version entries and log failures without invoking the retired merge helpers. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Cisa/TASKS.md)
FEEDCONN-KISA-02-008 Firmware range provenance | BE-Conn-KISA, Models | **TODO (due 2025-10-24)** – Define comparison helpers for Hangul-labelled firmware ranges (`XFU 1.0.1.0084 ~ 2.0.1.0034`) and map them into `advisory_observations.affected.versions[]` with provenance tags. Coordinate with Models only if a new comparison scheme is required, then update localisation notes and fixtures for the Link-Not-Merge schema. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kisa/TASKS.md)
FEEDCONN-SHARED-STATE-003 Source state seeding helper | Tools Guild, BE-Conn-MSRC | **DOING (2025-10-19)** – Provide a reusable CLI/utility to seed `pendingDocuments`/`pendingMappings` for connectors (MSRC backfills require scripted CVRF + detail injection). Coordinate with MSRC team for expected JSON schema and handoff once prototype lands. Prereqs confirmed none (2025-10-19). | Tools (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Common/TASKS.md)
FEEDMERGE-COORD-02-901 Connector deadline check-ins | BE-Merge | **TODO (due 2025-10-21)** – Confirm Cccs/Cisco version-provenance updates land, capture `LinksetVersionCoverage` dashboard snapshots (expect zero missing-range warnings), and update coordination docs with the results.<br>2025-10-29: Observation metrics now surface `version_entries_total`/`missing_version_entries_total`; include screenshots for both when closing this task. | FEEDMERGE-COORD-02-900 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md)
FEEDMERGE-COORD-02-902 ICS-CISA version comparison support | BE-Merge, Models | **TODO (due 2025-10-23)** – Review ICS-CISA sample advisories, validate reuse of existing comparison helpers, and pre-stage Models ticket template only if a new firmware comparator is required. Document the outcome and observation coverage logs in coordination docs + tracker files.<br>2025-10-29: `docs/dev/normalized-rule-recipes.md` (§2–§3) now covers observation entries; attach decision summary + log sample when handing off to Models. | FEEDMERGE-COORD-02-900 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md)
FEEDMERGE-COORD-02-903 KISA firmware scheme review | BE-Merge, Models | **TODO (due 2025-10-24)** – Pair with KISA team on proposed firmware comparison helper (`kisa.build` or variant), ensure observation mapper alignment, and open Models ticket only if a new comparator is required. Log the final helper signature and observation coverage metrics in coordination docs + tracker files. | FEEDMERGE-COORD-02-900 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md)
Fixture validation sweep | QA | **DOING (2025-10-19)** – Prereqs confirmed none; continuing RHSA fixture regeneration and diff review alongside mapper provenance updates. 2025-10-29: Added `scripts/update-redhat-fixtures.sh` to regenerate golden snapshots with `UPDATE_GOLDENS=1`; run it before reviews to capture CSAF contract deltas. | None (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.RedHat/TASKS.md)
Link-Not-Merge version provenance coordination | BE-Merge | **DOING** – Coordinate remaining connectors (`Acsc`, `Cccs`, `CertBund`, `CertCc`, `Cve`, `Ghsa`, `Ics.Cisa`, `Kisa`, `Ru.Bdu`, `Ru.Nkcki`, `Vndr.Apple`, `Vndr.Cisco`, `Vndr.Msrc`) so they emit `advisory_observations.affected.versions[]` entries with provenance tags and deterministic comparison keys. Track rollout status in `docs/dev/normalized-rule-recipes.md` (now updated for Link-Not-Merge) and retire the legacy merge counters as coverage transitions to linkset validation metrics. 2025-10-29: Added new guidance in the doc for recording observation version metadata and logging gaps via `LinksetVersionCoverage` warnings to replace prior `concelier.merge.normalized_rules*` alerts. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md)
MERGE-LNM-21-001 Migration plan authoring | BE-Merge, Architecture Guild | Draft `no-merge` migration playbook, documenting backfill strategy, feature flag rollout, and rollback steps for legacy merge pipeline deprecation. | CONCELIER-LNM-21-101 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md)
[Ingestion & Evidence] 110.B) Concelier.VII
Depends on: Sprint 110.B - Concelier.VI
Summary: Ingestion & Evidence focus on Concelier (phase VII).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
MERGE-LNM-21-002 Merge service deprecation | BE-Merge | Refactor or retire `AdvisoryMergeService` and related pipelines, ensuring callers transition to observation/linkset APIs; add compile-time analyzer preventing merge service usage. | MERGE-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md)
MERGE-LNM-21-003 Determinism/test updates | QA Guild, BE-Merge | Replace merge determinism suites with observation/linkset regression tests verifying no data mutation and conflicts remain visible. | MERGE-LNM-21-002 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md)
[Ingestion & Evidence] 110.C) Excititor.I
Depends on: Sprint 100.A - Attestor
Summary: Ingestion & Evidence focus on Excititor (phase I).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXCITITOR-AIAI-31-001 `Justification enrichment` | TODO | Expose normalized VEX justifications, product trees, and paragraph anchors for Advisory AI conflict explanations. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-AIAI-31-002 `VEX chunk API` | TODO | Provide `/vex/evidence/chunks` endpoint returning tenant-scoped VEX statements with signature metadata and scope scores for RAG. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-AIAI-31-003 `Telemetry` | TODO | Emit metrics/logs for VEX chunk usage, signature verification failures, and guardrail triggers. | Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-AIRGAP-56-001 `Mirror ingestion adapters` | TODO | Add mirror-based VEX ingestion, preserving statement digests and bundle IDs. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-AIRGAP-56-002 `Bundle provenance` | TODO | Persist bundle metadata on VEX observations/linksets with provenance references. | Excititor Core Guild, AirGap Importer Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-AIRGAP-57-001 `Sealed-mode enforcement` | TODO | Block non-mirror connectors in sealed mode and surface remediation errors. | Excititor Core Guild, AirGap Policy Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-AIRGAP-57-002 `Staleness annotations` | TODO | Annotate VEX statements with staleness metrics and expose via API. | Excititor Core Guild, AirGap Time Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-AIRGAP-58-001 `Portable VEX evidence` | TODO | Package VEX evidence segments into portable evidence bundles linked to timeline. | Excititor Core Guild, Evidence Locker Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-ATTEST-01-003 – Verification suite & observability | Team Excititor Attestation | DOING (2025-10-22) – Continuing implementation: build `IVexAttestationVerifier`, wire metrics/logging, and add regression tests. Draft plan in `EXCITITOR-ATTEST-01-003-plan.md` (2025-10-19) guides scope; updating with worknotes as progress lands. 2025-10-31: Verifier now tolerates duplicate source providers from AOC raw projections, downgrades offline Rekor verification to a degraded result, and enforces trusted signer registry checks with detailed diagnostics/tests. | EXCITITOR-ATTEST-01-002 (src/Excititor/__Libraries/StellaOps.Excititor.Attestation/TASKS.md)
EXCITITOR-ATTEST-73-001 `VEX attestation payloads` | TODO | Provide VEX statement metadata (supplier identity, justification, scope) required for VEXAttestation payloads. | Excititor Core Guild, Attestation Payloads Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-ATTEST-73-002 `Chain provenance` | TODO | Expose linkage from VEX statements to subject/product for chain of custody graph. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-CONN-MS-01-003 – Trust metadata & provenance hints | Team Excititor Connectors – MSRC | TODO – Emit cosign/AAD issuer metadata, attach provenance details, and document policy integration. | EXCITITOR-CONN-MS-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/TASKS.md)
EXCITITOR-CONN-ORACLE-01-003 – Trust provenance enrichment | Team Excititor Connectors – Oracle | TODO – Emit Oracle signing metadata (PGP/cosign fingerprint list, issuer trust tier) into raw provenance so downstream services can evaluate trust. Connector must not apply consensus weighting during ingestion. | EXCITITOR-CONN-ORACLE-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md)
EXCITITOR-CONN-STELLA-07-002 | TODO | Parse mirror bundles into raw `VexClaim` batches, preserving original provider metadata and mirror provenance without applying consensus or weighting. | Excititor Connectors – Stella (src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md)
EXCITITOR-CONN-STELLA-07-003 | TODO | Implement incremental cursor handling per-export digest for raw claim replays, support resume, and document configuration for downstream Excititor mirrors. | Excititor Connectors – Stella (src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md)
[Ingestion & Evidence] 110.C) Excititor.II
Depends on: Sprint 110.C - Excititor.I
Summary: Ingestion & Evidence focus on Excititor (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXCITITOR-CONN-SUSE-01-003 – Trust metadata provenance | Team Excititor Connectors – SUSE | TODO – Emit provider trust configuration (signer fingerprints, trust tier notes) into the raw provenance envelope so downstream VEX Lens/Policy components can weigh issuers. Connector must not apply weighting or consensus inside ingestion. | EXCITITOR-CONN-SUSE-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md)
EXCITITOR-CONN-UBUNTU-01-003 – Trust provenance enrichment | Team Excititor Connectors – Ubuntu | TODO – Emit Ubuntu signing metadata (GPG fingerprints, issuer trust tier) inside raw provenance artifacts so downstream Policy/VEX Lens consumers can weigh issuers. Connector must remain aggregation-only with no inline weighting. | EXCITITOR-CONN-UBUNTU-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md)
EXCITITOR-CONSOLE-23-001 `VEX aggregation views` | TODO | Expose `/console/vex` endpoints returning grouped VEX statements per advisory/component with status chips, justification metadata, precedence trace pointers, and tenant-scoped filters for Console explorer. | Excititor WebService Guild, BE-Base Platform Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-CONSOLE-23-002 `Dashboard VEX deltas` | TODO | Provide aggregated counts for VEX overrides (new, not_affected, revoked) powering Console dashboard + live status ticker; emit metrics for policy explain integration. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-CONSOLE-23-003 `VEX search helpers` | TODO | Deliver rapid lookup endpoints of VEX by advisory/component for Console global search; ensure response includes provenance and precedence context; include caching and RBAC. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-CORE-AOC-19-002 `VEX linkset extraction` | TODO | Implement deterministic extraction of advisory IDs, component PURLs, and references into `linkset`, capturing reconciled-from metadata for traceability. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-CORE-AOC-19-003 `Idempotent VEX raw upsert` | TODO | Enforce `(vendor, upstreamId, contentHash, tenant)` uniqueness, generate supersedes chains, and ensure append-only versioning of raw VEX documents. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-CORE-AOC-19-004 `Remove ingestion consensus` | TODO | Excise consensus/merge/severity logic from Excititor ingestion paths, updating exports/tests to rely on Policy Engine materializations instead. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-CORE-AOC-19-013 `Authority tenant scope smoke coverage` | TODO | Update Excititor smoke/e2e suites to seed tenant-aware Authority clients and ensure cross-tenant VEX ingestion is rejected. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-GRAPH-21-001 `Inspector linkouts` | BLOCKED (2025-10-27) | Provide batched VEX/advisory reference fetches keyed by graph node PURLs so UI inspector can display raw documents and justification metadata. | Excititor Core Guild, Cartographer Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-GRAPH-21-002 `Overlay enrichment` | BLOCKED (2025-10-27) | Ensure overlay metadata includes VEX justification summaries and document versions for Cartographer overlays; update fixtures/tests. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-GRAPH-21-005 `Inspector indexes` | BLOCKED (2025-10-27) | Add indexes/materialized views for VEX lookups by PURL/policy to support Cartographer inspector performance; document migrations. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md)
EXCITITOR-GRAPH-24-101 `VEX summary API` | TODO | Provide endpoints delivering VEX status summaries per component/asset for Vuln Explorer integration. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-GRAPH-24-102 `Evidence batch API` | TODO | Add batch VEX observation retrieval optimized for Graph overlays/tooltips. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-LNM-21-001 `VEX observation model` | TODO | Define immutable `vex_observations` schema capturing raw statements, product PURLs, justification, and AOC metadata. `DOCS-LNM-22-002` blocked pending this schema. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
[Ingestion & Evidence] 110.C) Excititor.III
Depends on: Sprint 110.C - Excititor.II
Summary: Ingestion & Evidence focus on Excititor (phase III).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXCITITOR-LNM-21-002 `Linkset correlator` | TODO | Build correlation pipeline combining alias + product PURL signals to form `vex_linksets` with confidence metrics. Docs waiting to finalize VEX aggregation guide. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-LNM-21-003 `Conflict annotator` | TODO | Record status/justification disagreements within linksets and expose structured conflicts. Provide structured payloads for `DOCS-LNM-22-002`. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-LNM-21-004 `Merge removal` | TODO | Remove legacy VEX merge logic, enforce immutability, and add guards/tests to prevent future merges. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-LNM-21-005 `Event emission` | TODO | Emit `vex.linkset.updated` events for downstream consumers with delta descriptions and tenant context. | Excititor Core Guild, Platform Events Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-LNM-21-101 `Observations collections` | TODO | Provision `vex_observations`/`vex_linksets` collections with shard keys, indexes over aliases & product PURLs, and multi-tenant guards. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md)
EXCITITOR-LNM-21-102 `Migration/backfill` | TODO | Backfill legacy merged VEX docs into observations/linksets, add provenance notes, and produce rollback scripts. | Excititor Storage Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md)
EXCITITOR-LNM-21-201 `Observation APIs` | TODO | Add VEX observation read endpoints with filters, pagination, RBAC, and tenant scoping. | Excititor WebService Guild, BE-Base Platform Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-LNM-21-202 `Linkset APIs` | TODO | Implement linkset read/export/evidence endpoints returning correlation/conflict payloads and map errors to `ERR_AGG_*`. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-LNM-21-203 `Event publishing` | TODO | Publish `vex.linkset.updated` events, document schema, and ensure idempotent delivery. | Excititor WebService Guild, Platform Events Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-OAS-61-001 `Spec coverage` | TODO | Update VEX OAS to include observation/linkset endpoints with provenance fields and examples. | Excititor Core Guild, API Contracts Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-OAS-61-002 `Example catalog` | TODO | Provide examples for VEX justifications, statuses, conflicts; ensure SDK docs reference them. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-OAS-62-001 `SDK smoke tests` | TODO | Add SDK scenarios for VEX observation queries and conflict handling to language smoke suites. | Excititor Core Guild, SDK Generator Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-OAS-63-001 `Deprecation headers` | TODO | Add deprecation metadata and notifications for legacy VEX routes. | Excititor Core Guild, API Governance Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-OBS-50-001 `Telemetry adoption` | TODO | Integrate telemetry core across VEX ingestion/linking, ensuring spans/logs capture tenant, product scope, upstream id, justification hash, and trace IDs. | Excititor Core Guild, Observability Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-OBS-51-001 `Metrics & SLOs` | TODO | Publish metrics for VEX ingest latency, scope resolution success, conflict rate, signature verification failures. Define SLOs (link latency P95 <30s) and configure burn-rate alerts. | Excititor Core Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
[Ingestion & Evidence] 110.C) Excititor.IV
Depends on: Sprint 110.C - Excititor.III
Summary: Ingestion & Evidence focus on Excititor (phase IV).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXCITITOR-OBS-52-001 `Timeline events` | TODO | Emit `timeline_event` entries for VEX ingest/linking/outcome changes with trace IDs, justification summaries, and evidence placeholders. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-OBS-53-001 `Evidence snapshots` | TODO | Build evidence payloads for VEX statements (raw doc, normalization diff, precedence notes) and push to evidence locker with Merkle manifests. | Excititor Core Guild, Evidence Locker Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-OBS-54-001 `Attestation & verification` | TODO | Attach DSSE attestations to VEX batch processing, verify chain-of-custody via Provenance library, and link attestation IDs to timeline + ledger. | Excititor Core Guild, Provenance Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-OBS-55-001 `Incident mode` | TODO | Implement incident sampling bump, additional raw payload retention, and activation events for VEX pipelines with redaction guard rails. | Excititor Core Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-ORCH-32-001 `Worker SDK adoption` | TODO | Integrate orchestrator worker SDK in Excititor ingestion jobs, emit heartbeats/progress/artifact hashes, and register source metadata. | Excititor Worker Guild (src/Excititor/StellaOps.Excititor.Worker/TASKS.md)
EXCITITOR-ORCH-33-001 `Control compliance` | TODO | Honor orchestrator pause/throttle/retry actions, classify error outputs, and persist restart checkpoints. | Excititor Worker Guild (src/Excititor/StellaOps.Excititor.Worker/TASKS.md)
EXCITITOR-ORCH-34-001 `Backfill & circuit breaker` | TODO | Implement orchestrator-driven backfills, apply circuit breaker reset rules, and ensure artifact dedupe alignment. | Excititor Worker Guild (src/Excititor/StellaOps.Excititor.Worker/TASKS.md)
EXCITITOR-POLICY-02-002 – Diagnostics for scoring signals | Team Excititor Policy | BACKLOG – Update diagnostics reports to surface missing severity/KEV/EPSS mappings, coefficient overrides, and provide actionable recommendations for policy tuning. | EXCITITOR-POLICY-02-001 (src/Excititor/__Libraries/StellaOps.Excititor.Policy/TASKS.md)
EXCITITOR-POLICY-20-001 `Policy selection endpoints` | TODO | Provide VEX lookup APIs supporting PURL/advisory batching, scope filtering, and tenant enforcement with deterministic ordering + pagination. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-POLICY-20-002 `Scope-aware linksets` | TODO | Enhance VEX linkset extraction with scope resolution (product/component) + version range matching to boost policy join accuracy; refresh fixtures/tests. | Excititor Core Guild, Policy Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-POLICY-20-003 `Selection cursors` | TODO | Introduce VEX selection cursor collections + indexes powering incremental policy runs; bundle change-stream checkpoint migrations and Offline Kit tooling. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md)
EXCITITOR-POLICY-23-001 `Evidence indexes` | TODO | Provide indexes/materialized views for policy runtime (status, justification, product PURL) to accelerate queries; document contract. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-POLICY-23-002 `Event guarantees` | TODO | Ensure `vex.linkset.updated` events include correlation confidence, conflict summaries, and idempotent ids for evaluator consumption. | Excititor Core Guild, Platform Events Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-RISK-66-001 `VEX gate provider` | TODO | Supply VEX status and justification data for risk engine gating with full source provenance. | Excititor Core Guild, Risk Engine Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-RISK-66-002 `Reachability inputs` | TODO | Provide component/product scoping metadata enabling reachability and runtime factor mapping. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
[Ingestion & Evidence] 110.C) Excititor.V
Depends on: Sprint 110.C - Excititor.IV
Summary: Ingestion & Evidence focus on Excititor (phase V).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXCITITOR-RISK-67-001 `Explainability metadata` | TODO | Include VEX justification, status reasoning, and source digests in explainability artifacts. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-RISK-68-001 `Policy Studio integration` | TODO | Surface VEX-specific gates/weights within profile editor UI and validation messages. | Excititor Core Guild, Policy Studio Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-SIG-26-001 `Vendor exploitability hints` | TODO | Surface vendor-provided exploitability indicators and affected symbol lists to Signals service via projection endpoints. | Excititor Core Guild, Signals Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-STORE-AOC-19-001 `vex_raw schema validator` | TODO | Define Mongo JSON schema for `vex_raw` enforcing required fields and forbidding derived/consensus/severity fields. Ship unit tests with Mongo2Go to validate rejects. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md)
EXCITITOR-STORE-AOC-19-002 `idempotency unique index` | TODO | Create `(source.vendor, upstream.upstream_id, upstream.content_hash, tenant)` unique index with backfill checker, updating migrations + bootstrapper for offline installs. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md)
EXCITITOR-STORE-AOC-19-003 `append-only migration plan` | TODO | Migrate legacy consensus collections to `_backup_*`, seed supersedes chain for raw docs, and document rollback path + dry-run verification. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md)
EXCITITOR-STORE-AOC-19-004 `validator deployment docset` | TODO | Update migration runbooks and Offline Kit packaging to bundle schema validator scripts, with smoke instructions for air-gapped clusters. | Excititor Storage Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md)
EXCITITOR-TEN-48-001 `Tenant-aware VEX linking` | TODO | Apply tenant context to VEX linkers, enable RLS, and expose capability endpoint confirming aggregation-only behavior. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-VEXLENS-30-001 `VEX evidence enrichers` | TODO | Include issuer hints, signatures, and product trees in evidence payloads for VEX Lens; Label: VEX-Lens. | Excititor WebService Guild, VEX Lens Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-VULN-29-001 `VEX key canonicalization` | TODO | Canonicalize (lossless) VEX advisory/product keys (map to `advisory_key`, capture product scopes); expose original sources in `links[]`; AOC-compliant: no merge, no derived fields, no suppression; backfill existing records. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-VULN-29-002 `Evidence retrieval` | TODO | Provide `/vuln/evidence/vex/{advisory_key}` returning raw VEX statements filtered by tenant/product scope for Explorer evidence tabs. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-VULN-29-004 `Observability` | TODO | Add metrics/logs for VEX normalization, suppression scopes, withdrawn statements; emit events consumed by Vuln Explorer resolver. | Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-AIRGAP-56-001 | TODO | Support mirror bundle registration via APIs, expose bundle provenance in VEX responses, and block external connectors in sealed mode. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-AIRGAP-56-002 | TODO | Return VEX staleness metrics and time anchor info in API responses for Console/CLI use. | Excititor WebService Guild, AirGap Time Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-AIRGAP-57-001 | TODO | Map sealed-mode violations to standardized error payload with remediation guidance. | Excititor WebService Guild, AirGap Policy Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
[Ingestion & Evidence] 110.C) Excititor.VI
Depends on: Sprint 110.C - Excititor.V
Summary: Ingestion & Evidence focus on Excititor (phase VI).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXCITITOR-WEB-AIRGAP-58-001 | TODO | Emit timeline events for VEX bundle imports with bundle ID, scope, and actor metadata. | Excititor WebService Guild, AirGap Importer Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-AOC-19-001 `Raw VEX ingestion APIs` | TODO | Implement `POST /ingest/vex`, `GET /vex/raw*`, and `POST /aoc/verify` endpoints. Enforce Authority scopes, tenant injection, and guard pipeline to ensure only immutable VEX facts are persisted. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-AOC-19-002 `AOC observability + metrics` | TODO | Export metrics (`ingestion_write_total`, `aoc_violation_total`, signature verification counters) and tracing spans matching Concelier naming. Ensure structured logging includes tenant, source vendor, upstream id, and content hash. | Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-AOC-19-003 `Guard + schema test harness` | TODO | Add unit/integration tests for schema validation, forbidden field rejection (`ERR_AOC_001/006/007`), and supersedes behavior using CycloneDX-VEX & CSAF fixtures with deterministic expectations. | QA Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-AOC-19-004 `Batch ingest validation` | TODO | Build large fixture ingest covering mixed VEX statuses, verifying raw storage parity, metrics, and CLI `aoc verify` compatibility. Document load test/runbook updates. | Excititor WebService Guild, QA Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-OAS-61-001 | TODO | Implement `/.well-known/openapi` discovery endpoint with spec version metadata. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-OAS-61-002 | TODO | Standardize error envelope responses and update controller/unit tests. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-OAS-62-001 | TODO | Add curated examples for VEX observation/linkset endpoints and ensure portal displays them. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-OAS-63-001 | TODO | Emit deprecation headers and update docs for retiring VEX APIs. | Excititor WebService Guild, API Governance Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-OBS-50-001 `Telemetry adoption` | TODO | Adopt telemetry core for VEX APIs, ensure responses include trace IDs & correlation headers, and update structured logging for read endpoints. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-OBS-51-001 `Observability health endpoints` | TODO | Implement `/obs/excititor/health` summarizing ingest/link SLOs, signature failure counts, and conflict trends for Console dashboards. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-OBS-52-001 `Timeline streaming` | TODO | Provide SSE bridge for VEX timeline events with tenant filters, pagination, and guardrails. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-OBS-53-001 `Evidence APIs` | TODO | Expose `/evidence/vex/*` endpoints that fetch locker bundles, enforce scopes, and surface verification metadata. | Excititor WebService Guild, Evidence Locker Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-OBS-54-001 `Attestation APIs` | TODO | Add `/attestations/vex/*` endpoints returning DSSE verification state, builder identity, and chain-of-custody links. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-OBS-55-001 `Incident mode toggles` | TODO | Provide incident mode API for VEX pipelines with activation audit logs and retention override previews. | Excititor WebService Guild, DevOps Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
[Ingestion & Evidence] 110.D) Mirror
Depends on: Sprint 100.A - Attestor
Summary: Ingestion & Evidence focus on Mirror.
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
MIRROR-CRT-56-001 | TODO | Implement deterministic bundle assembler supporting advisories, VEX, policy packs with Zstandard compression and manifest generation. | Mirror Creator Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md)
MIRROR-CRT-56-002 | TODO | Integrate DSSE signing and TUF metadata generation (`root`, `snapshot`, `timestamp`, `targets`). | Mirror Creator Guild, Security Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md)
MIRROR-CRT-57-001 | TODO | Add optional OCI image collection producing oci-archive layout with digests recorded in manifest. | Mirror Creator Guild, DevOps Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md)
MIRROR-CRT-57-002 | TODO | Embed signed time anchor metadata (`meta/time-anchor.json`) sourced from trusted authority. | Mirror Creator Guild, AirGap Time Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md)
MIRROR-CRT-58-001 | TODO | Deliver CLI `stella mirror create | Mirror Creator Guild, CLI Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md)
MIRROR-CRT-58-002 | TODO | Integrate with Export Center scheduling to automate mirror bundle creation with audit logs. | Mirror Creator Guild, Exporter Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md)
If all tasks are done - read next sprint section - SPRINT_120_policy_reasoning.md