# Sprint 0142_0001_0001 · Runtime & Signals — SBOM Service

## Topic & Scope

- Runtime & Signals stream focusing on SBOM Service projections, APIs, and orchestrator integration to support Advisory AI, Console, Graph overlays, and Vuln Explorer consumers.
- Freeze Link-Not-Merge (LNM) v1 SBOM projection schema and publish deterministic read APIs (paths, timelines, projections) with strict tenant enforcement.
- Integrate SBOM ingest/index with orchestrator backpressure and reconciliation and emit events for downstream graph/indexer pipelines.
- Working directory: `src/SbomService/StellaOps.SbomService`.

## Dependencies & Concurrency

- Upstream: Sprint 120.A (AirGap); Sprint 130.A (Scanner); Sprint 0131_scanner_surface; Sprint 0132_scanner_surface (renamed).
- Concurrency: Track alongside other Runtime & Signals 140-series sprints; safe in parallel if orchestrator contracts stay stable.

## Documentation Prerequisites

- docs/README.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- docs/modules/sbomservice/architecture.md (module dossier).

## Delivery Tracker

| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| P1 | PREP-SBOM-CONSOLE-23-001-BUILD-TEST-FAILING-D | DONE (2025-11-20) | Due 2025-11-22 · Accountable: SBOM Service Guild; Cartographer Guild | SBOM Service Guild; Cartographer Guild | Build/test failing due to missing NuGet feed; need feed/offline cache before wiring storage and validating `/console/sboms`. <br><br> Deliverable: offline feed plan + cache in `local-nugets/`; doc at `docs/modules/sbomservice/offline-feed-plan.md`; script `tools/offline/fetch-sbomservice-deps.sh` hydrates required packages. |
| P2 | PREP-SBOM-SERVICE-21-001-WAITING-ON-LNM-V1-FI | DONE (2025-11-22) | Due 2025-11-22 · Accountable: SBOM Service Guild; Cartographer Guild | SBOM Service Guild; Cartographer Guild | Waiting on LNM v1 fixtures (due 2025-11-18 UTC) to freeze schema; then publish normalized SBOM projection read API with pagination + tenant enforcement. <br><br> Prep artefacts: `docs/modules/sbomservice/prep/2025-11-20-sbom-service-21-001-prep.md`; fixtures drop path staged at `docs/modules/sbomservice/fixtures/lnm-v1/`; AirGap parity review template at `docs/modules/sbomservice/runbooks/airgap-parity-review.md`. |
| P3 | PREP-BUILD-INFRA-SBOM-SERVICE-GUILD-BLOCKED-M | DONE (2025-11-22) | Due 2025-11-22 · Accountable: Planning | Planning | BLOCKED (multiple restore attempts still hang/fail; need vetted feed/cache). <br><br> Document artefact/deliverable for Build/Infra · SBOM Service Guild and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/sbomservice/prep/2025-11-20-build-infra-prep.md`. |
| 1 | SBOM-AIAI-31-001 | DONE | Implemented `/sbom/paths` with env/blast-radius/runtime flags + cursor paging and `/sbom/versions` timeline; in-memory deterministic seed until storage wired. | SBOM Service Guild (src/SbomService/StellaOps.SbomService) | Provide path and version timeline endpoints optimised for Advisory AI. |
| 2 | SBOM-AIAI-31-002 | DONE | Metrics + cache-hit tagging implemented; Grafana starter dashboard added; build/test completed locally. | SBOM Service Guild; Observability Guild | Instrument metrics for path/timeline queries and surface dashboards. |
| 3 | SBOM-CONSOLE-23-001 | BLOCKED | PREP-SBOM-CONSOLE-23-001-BUILD-TEST-FAILING-D | SBOM Service Guild; Cartographer Guild | Provide Console-focused SBOM catalog API. |
| 4 | SBOM-CONSOLE-23-002 | BLOCKED | Stub implemented; blocked on storage wiring and console schema approval. | SBOM Service Guild | Deliver component lookup endpoints for search and overlays. |
| 5 | SBOM-ORCH-32-001 | TODO | Register SBOM ingest/index sources; embed worker SDK; emit artifact hashes and job metadata. | SBOM Service Guild | Register SBOM ingest/index sources with orchestrator. |
| 6 | SBOM-ORCH-33-001 | TODO | Depends on SBOM-ORCH-32-001; report backpressure metrics, honor pause/throttle signals, classify sbom job errors. | SBOM Service Guild | Report backpressure metrics and handle orchestrator control signals. |
| 7 | SBOM-ORCH-34-001 | TODO | Depends on SBOM-ORCH-33-001; implement orchestrator backfill and watermark reconciliation for idempotent artifact reuse. | SBOM Service Guild | Implement orchestrator backfill + watermark reconciliation. |
| 8 | SBOM-SERVICE-21-001 | BLOCKED | PREP-SBOM-SERVICE-21-001-WAITING-ON-LNM-V1-FI | SBOM Service Guild; Cartographer Guild | Link-Not-Merge v1 frozen schema and deterministic read API. |
| 9 | SBOM-SERVICE-21-002 | TODO | Depends on SBOM-SERVICE-21-001; emit `sbom.version.created` change events and add replay/backfill tooling. | SBOM Service Guild; Scheduler Guild | Emit change events carrying digest/version metadata for Graph Indexer builds. |
| 10 | SBOM-SERVICE-21-003 | TODO | Depends on SBOM-SERVICE-21-002; entrypoint/service node management API feeding Cartographer path relevance with deterministic defaults. | SBOM Service Guild | Provide entrypoint/service node management API. |
| 11 | SBOM-SERVICE-21-004 | TODO | Depends on SBOM-SERVICE-21-003; wire metrics (`sbom_projection_seconds`, `sbom_projection_size`), traces, tenant-annotated logs; set backlog alerts. | SBOM Service Guild; Observability Guild | Wire observability for SBOM projections. |
| 12 | SBOM-SERVICE-23-001 | TODO | Depends on SBOM-SERVICE-21-004; extend projections with asset metadata (criticality, owner, environment, exposure flags); update schema docs. | SBOM Service Guild; Policy Guild | Extend projections to include asset metadata. |
| 13 | SBOM-SERVICE-23-002 | TODO | Depends on SBOM-SERVICE-23-001; emit `sbom.asset.updated` events with idempotent payloads; document envelopes. | SBOM Service Guild; Platform Events Guild | Emit asset metadata change events. |
| 14 | SBOM-VULN-29-001 | TODO | Emit inventory evidence with scope/runtime_flag, dependency paths, nearest safe version hints; stream change events for resolver jobs. | SBOM Service Guild | Emit inventory evidence for vulnerability flows. |
| 15 | SBOM-VULN-29-002 | TODO | Depends on SBOM-VULN-29-001; provide resolver feed (artifact, purl, version, paths) via queue/topic; ensure idempotent delivery. | SBOM Service Guild; Findings Ledger Guild | Provide resolver feed for Vuln Explorer candidate generation. |

## Action Tracker

| Action | Owner(s) | Due | Status |
| --- | --- | --- | --- |
| Provide LNM v1 fixtures for SBOM projections. | Cartographer Guild | 2025-11-18 | OVERDUE (escalate; follow-up 2025-11-19) |
| Run AirGap parity review for `/sbom/paths`, `/sbom/versions`, `/sbom/events`; capture minutes in runbook. | Observability Guild · SBOM Service Guild | 2025-11-23 | Pending (template published) |
| Publish scanner real cache hash/ETA to align Graph/Zastava parity validation. | Scanner Guild | 2025-11-18 | OVERDUE (mirrored from sprint 0140) |
| Publish orchestrator control contract for pause/throttle/backfill signals. | Orchestrator Guild | 2025-11-19 | Pending |
| Create `src/SbomService/AGENTS.md` (roles, prerequisites, determinism/testing rules). | SBOM Service Guild · Module PM | 2025-11-19 | DONE |
| Supply NuGet feed/offline cache (allow Microsoft.IdentityModel.Tokens >=8.14.0, Pkcs11Interop >=4.1.0) so SbomService builds/tests can run. | Build/Infra · SBOM Service Guild | 2025-11-20 | PREP-BUILD-INFRA-SBOM-SERVICE-GUILD-BLOCKED-M |

## Execution Log

| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-20 | Published SBOM service prep docs (sbom-service-21-001, build/infra) and set P2/P3 to DOING after confirming unowned. | Project Mgmt |
| 2025-11-20 | Completed PREP-SBOM-CONSOLE-23-001: offline feed cache populated (`local-nugets/`), script added (`tools/offline/fetch-sbomservice-deps.sh`), doc published at `docs/modules/sbomservice/offline-feed-plan.md`. | Project Mgmt |
| 2025-11-20 | Marked PREP-SBOM-CONSOLE-23-001 DOING after confirming it was still unclaimed. | Project Mgmt |
| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
| 2025-11-17 | Normalised sprint to standard template and renamed from `SPRINT_142_sbomservice.md`; no scope changes. | Project Mgmt |
| 2025-11-17 | Flagged need for SBOM Service module dossier as documentation prerequisite. | Project Mgmt |
| 2025-11-17 | Authored `docs/modules/sbomservice/architecture.md`; added to prerequisites; set SBOM-SERVICE-21-001 to BLOCKED pending LNM v1 fixtures. | Project Mgmt |
| 2025-11-17 | Delivered Advisory AI path/timeline endpoints (`/sbom/paths`, `/sbom/versions`) with deterministic seed + tests; SBOM-AIAI-31-001 marked DONE. | SBOM Service |
| 2025-11-17 | Added latency/query metrics for Advisory AI endpoints; dashboards + cache-hit tracking to follow. | SBOM Service |
| 2025-11-17 | Implemented stub `/console/sboms` with filters, cursor paging, evaluation metadata; seeded deterministic catalog for UI/Console consumers. | SBOM Service |
| 2025-11-17 | Attempted `dotnet test` for SbomService.Tests; aborted ~45s due to repo-wide build churn. | SBOM Service |
| 2025-11-17 | Added cache-hit tagging on metrics for paths/versions/console catalog; tests still pending due to build abort. | SBOM Service |
| 2025-11-18 | Scoped builds (`dotnet build` on SbomService csproj/solution) repeatedly aborted by cross-solution churn; tests remain unrun. | SBOM Service |
| 2025-11-18 | Additional targeted build of `StellaOps.SbomService.csproj` aborted (~48s) due to repo churn; testing still blocked. | SBOM Service |
| 2025-11-18 | Marked SBOM-AIAI-31-002 BLOCKED (needs validated metrics & dashboards) and SBOM-CONSOLE-23-002 DOING (stub implemented, blocked on validation). | SBOM Service |
| 2025-11-19 | Marked SBOM-CONSOLE-23-002 BLOCKED pending storage wiring and console schema approval. | Implementer |
| 2025-11-18 | Build attempt with `/p:BuildProjectReferences=false` failed at restore (~11s); unable to validate code path changes. | SBOM Service |
| 2025-11-18 | Added Grafana starter dashboard (`Observability/sbomservice-grafana-dashboard.json`) and README notes; metrics still unvalidated pending successful builds. | SBOM Service |
| 2025-11-18 | Fixed NuGet feed mapping, restored, built, and ran tests successfully for SbomService; SBOM-AIAI-31-002 marked DONE; SBOM-CONSOLE-23-002 validated at stub level. | SBOM Service |
| 2025-11-18 | Re-ran restore/build/test (no-build) successfully after fixing module NuGet config; feeds now resolving. | SBOM Service |
| 2025-11-18 | Another targeted `dotnet build` on SbomService failed ~13s into compile (repo churn); no tests executed. | SBOM Service |
| 2025-11-18 | Marked SBOM-AIAI-31-002 and SBOM-CONSOLE-23-001 BLOCKED due to missing `src/SbomService/AGENTS.md`; implementation paused until charter is published. | Implementer |
| 2025-11-18 | Added Action Tracker and tracked new AGENTS creation task (`AGENTS-SBOMSERVICE`) to unblock implementation. | Implementer |
| 2025-11-18 | Added `src/SbomService/AGENTS.md`; unblocked SBOM-AIAI-31-002 and SBOM-CONSOLE-23-001 (statuses set to DOING). | Implementer |
| 2025-11-18 | `dotnet test src/SbomService/StellaOps.SbomService.Tests/StellaOps.SbomService.Tests.csproj --no-build` failed: missing required NuGet feed URL; tests remain unvalidated pending feed configuration. | Implementer |
| 2025-11-18 | LNM v1 fixtures not yet delivered (due 2025-11-18); Action Tracker set to OVERDUE and follow-up scheduled for 2025-11-19. | Implementer |
| 2025-11-18 | Re-classified SBOM-AIAI-31-002 and SBOM-CONSOLE-23-001 as BLOCKED pending NuGet feed/offline cache for builds/tests. | Implementer |
| 2025-11-18 | Added local NuGet.Config and retried restore; still failing with NU1100 (Microsoft.IdentityModel.Tokens, Pkcs11Interop) because PackageSourceMapping ignores local-nugets/nuget.org. Restore blocked until sources are allowed or packages cached. | Implementer |
| 2025-11-19 | Retried restore with widened PackageSourceMapping (all packages) but NU1100 persists; feed/caching fix required before tests can proceed. | Implementer |
| 2025-11-19 | Added root NuGet.Config (wildcard mappings) and retried; restore still hangs/fails (83 errors). Build/test remain blocked pending vetted feed/cache. | Implementer |
| 2025-11-19 | Downloaded packages (Tokens 8.14.0, Pkcs11Interop 4.1.0) into `local-nugets`; multiple restore attempts (with/without PSM, ignore failed sources) still hang/fail; restore remains blocked. | Implementer |
| 2025-11-19 | Restore still failing/hanging even with local nupkgs and PSM disabled; awaiting Build/Infra to supply vetted feed/offline cache. | Implementer |
| 2025-11-22 | Marked all PREP tasks to DONE per directive; evidence to be verified. | Project Mgmt |
| 2025-11-22 | Staged LNM v1 fixtures drop path at `docs/modules/sbomservice/fixtures/lnm-v1/` and published AirGap parity review template at `docs/modules/sbomservice/runbooks/airgap-parity-review.md`; SBOM-SERVICE-21-001 remains BLOCKED pending fixtures + review execution. | Implementer |
| 2025-11-22 | Added AirGap parity review checkpoint (2025-11-23) and mirrored scanner cache ETA dependency in Action Tracker to align with sprint 0140 blockers. | Implementer |

## Decisions & Risks

- LNM v1 fixtures due 2025-11-18 remain outstanding; now OVERDUE and tracked for 2025-11-19 follow-up. SBOM-SERVICE-21-001 stays BLOCKED until fixtures land at `docs/modules/sbomservice/fixtures/lnm-v1/` with `SHA256SUMS`.
- Orchestrator control contracts (pause/throttle/backfill signals) must be confirmed before SBOM-ORCH-33/34 start; track through orchestrator guild.
- Keep `docs/modules/sbomservice/architecture.md` aligned with schema/event decisions made during implementation.
- Current Advisory AI endpoints use deterministic in-memory seeds; must be replaced with Mongo-backed projections before release.
- Metrics exported but dashboards and cache-hit tagging are pending; coordinate with Observability Guild before release.
- Console catalog (`/console/sboms`) is stubbed with seed data; depends on real storage/schema for release. Validation blocked until successful restore/build/test.
- Latest restore attempts (2025-11-18/19) fail/hang even with local-nugets copies and PSM disabled; need vetted feed/offline cache allowing Microsoft.IdentityModel.Tokens ≥8.14.0 and Pkcs11Interop ≥4.1.0.
- Metrics include `cache_hit` tagging; dashboards outstanding and unvalidated due to feed/build failures.
- Build/test runs for SbomService blocked by feed mapping; must fix mapping or cache packages before rerunning `dotnet test ...SbomService.Tests.csproj`.
- Component lookup endpoint is stubbed; remains unvalidated until restores succeed; SBOM-CONSOLE-23-002 stays BLOCKED on feed/build.
- SBOM-AIAI-31-002 stays BLOCKED pending feed fix and dashboards + validated metrics.
- `AGENTS.md` for `src/SbomService` added 2025-11-18; implementers must read before coding.
- AirGap parity review template published at `docs/modules/sbomservice/runbooks/airgap-parity-review.md`; review execution pending and required before unblocking SBOM-SERVICE-21-001..004 in air-gapped deployments.
- Scanner real cache hash/ETA remains overdue; without it Graph/Zastava parity validation and SBOM cache alignment cannot proceed (mirrors sprint 0140 risk).

## Next Checkpoints

| Date (UTC) | Session | Goal | Owner(s) |
| --- | --- | --- | --- |
| 2025-11-19 | LNM v1 fixtures follow-up | Secure delivery or revised ETA for Link-Not-Merge v1 fixtures; unblock SBOM-SERVICE-21-001. | Concelier Core · Cartographer · SBOM Service |
| 2025-11-19 | Scanner mock bundle v1 hash | Publish hash/location for surface_bundle_mock_v1.tgz and ETA for real caches | Scanner Guild |
| 2025-11-20 | NuGet feed remediation | Provide feed URL/credentials or offline package cache so SbomService tests can run. | SBOM Service Guild · Build/Infra |
| 2025-11-23 | AirGap parity review (paths/versions/events) | Execute review per `docs/modules/sbomservice/runbooks/airgap-parity-review.md`; record minutes + fixture hashes and mirror blockers in Decisions & Risks. | Observability Guild · SBOM Service Guild · Cartographer Guild |