git.stella-ops.org/docs-archived/implplan/SPRINT_3500_9999_0000_summary.md
2026-01-08 09:06:03 +02:00


Sprint 3500.9999.0000 - Summary (All Sprints Quick Reference)

Epic: Deeper Moat Beyond Reachability
Total Duration: 20 weeks (10 sprints)
Status: DONE


Topic & Scope

  • Summary index for Epic 3500 planning and delivery status.
  • Provides a quick reference to sprints, dependencies, and deliverables.
  • Working directory: docs/implplan.

Dependencies & Concurrency

  • See the "Dependencies" section and sprint dependency graph below.
  • No independent execution tasks; summary mirrors sprint state.

Documentation Prerequisites

  • docs/implplan/archived/SPRINT_3500_0001_0001_deeper_moat_master.md
  • docs/product/advisories/archived/17-Dec-2025/16-Dec-2025 - Building a Deeper Moat Beyond Reachability.md

Delivery Tracker

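| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|---|---------|--------|----------------------------|--------|-----------------|
| 1 | SUMMARY-3500 | DONE | Archive sprint records | Planning | Maintain the Epic 3500 quick reference. |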

Wave Coordination

  • Epic A (3500.0002.x), Epic B (3500.0003.x), CLI/UI/Tests/Docs (3500.0004.x).

Wave Detail Snapshots

  • See "Sprint Overview" table.

Interlocks

  • None listed beyond sprint dependencies.

Upcoming Checkpoints

  • None listed.

Action Tracker

  • None listed.

Decisions & Risks

| Item | Type | Owner | Notes |
|------|------|-------|-------|
| Summary status mirror | Decision | Planning | Summary stays aligned with sprint completion state. |
| Cross-doc link updates | Decision | Planning | Updated product advisories and benchmarks to point at archived sprint paths. |
| No new risks | Risk | Planning | Track risks in individual sprint files. |

Execution Log

| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-22 | Normalized summary to sprint template; renamed from SPRINT_3500_SUMMARY.md and archived. | Agent |

Sprint Overview

| Sprint ID | Topic | Duration | Status | Key Deliverables |
|-----------|-------|----------|--------|------------------|
| 3500.0001.0001 | Master Plan | | DONE | Overall planning, prerequisites, risk assessment |
| 3500.0002.0001 | Score Proofs Foundations | 2 weeks | DONE | Canonical JSON, DSSE, ProofLedger, DB schema |
| 3500.0002.0002 | Unknowns Registry v1 | 2 weeks | DONE (7/7) | 2-factor ranking, band assignment, escalation API, Scheduler integration |
| 3500.0002.0003 | Proof Replay + API | 2 weeks | DONE | All 7 tasks complete (manifest, proofs, idempotency, rate limiting, OpenAPI, tests) |
| 3500.0003.0001 | Reachability .NET Foundations | 2 weeks | DONE | Implemented via SPRINT_3600_0002_0001 (DotNetCallGraphExtractor, ReachabilityAnalyzer) |
| 3500.0003.0002 | Reachability Java Integration | 2 weeks | DONE | Implemented via SPRINT_3610_0001_0001 (JavaCallGraphExtractor, Spring Boot) |
| 3500.0003.0003 | Graph Attestations + Rekor | 2 weeks | DONE | RichGraphAttestationService, Rekor via Attestor module, budget policy documented |
| 3500.0004.0001 | CLI Verbs + Offline Bundles | 2 weeks | DONE | stella score, stella graph, stella unknowns, offline kit, corpus — 8/8 tasks, 183 tests pass |
| 3500.0004.0002 | UI Components + Visualization | 2 weeks | DONE | All 8 components: Proof Ledger, Unknowns Queue, Reachability Explain, Score Comparison, Proof Replay, API Services, Accessibility, Tests |
| 3500.0004.0003 | Integration Tests + Corpus | 2 weeks | DONE | Golden corpus (12 cases), 6 test projects (74 test methods), CI gates, perf baselines |
| 3500.0004.0004 | Documentation + Handoff | 2 weeks | DONE | Runbooks (5), training (6 docs), release notes, OpenAPI, handoff checklist — 8/8 tasks |

Epic A: Score Proofs (Sprints 3500.0002.0001–0003)

Sprint 3500.0002.0001: Foundations

Owner: Scanner Team + Policy Team
Deliverables:

  • Canonical JSON library (StellaOps.Canonical.Json)
  • Scan Manifest model (ScanManifest.cs)
  • DSSE envelope implementation (StellaOps.Attestor.Dsse)
  • ProofLedger with node hashing (StellaOps.Policy.Scoring)
  • Database schema: scanner.scan_manifest, scanner.proof_bundle
  • Proof Bundle Writer

Tests: Unit tests ≥85% coverage, integration test for full pipeline

Documentation: See SPRINT_3500_0002_0001_score_proofs_foundations.md (DETAILED)


Sprint 3500.0002.0002: Unknowns Registry

Owner: Policy Team
Status: DONE (7/7 tasks complete)
Deliverables:

  • policy.unknowns table (2-factor ranking model)
  • UnknownRanker.Rank(...) — Deterministic ranking function
  • Band assignment (HOT/WARM/COLD)
  • API: GET /unknowns, POST /unknowns/{id}/escalate, POST /unknowns/{id}/resolve
  • Scheduler integration: rescan on escalation (via ISchedulerJobClient abstraction)

Tests: Ranking determinism tests (29 tests pass), band threshold tests

Documentation:

  • docs/db/schemas/policy_schema_specification.md
  • docs/api/scanner-score-proofs-api.md (Unknowns endpoints)

Sprint 3500.0002.0003: Replay + API

Owner: Scanner Team
Deliverables:

  • API: POST /api/v1/scanner/scans
  • API: GET /api/v1/scanner/scans/{id}/manifest
  • API: POST /api/v1/scanner/scans/{id}/score/replay
  • API: GET /api/v1/scanner/scans/{id}/proofs/{rootHash}
  • Idempotency via Content-Digest headers
  • Rate limiting (100 req/hr per tenant for POST endpoints)

Tests: API integration tests, idempotency tests, error handling tests

Documentation:

  • docs/api/scanner-score-proofs-api.md (COMPREHENSIVE)
  • OpenAPI spec update: src/Api/StellaOps.Api.OpenApi/scanner/openapi.yaml

Epic B: Reachability (Sprints 3500.0003.0001–0003)

Sprint 3500.0003.0001: .NET Reachability

Owner: Scanner Team
Deliverables:

  • Roslyn-based call-graph extractor (DotNetCallGraphExtractor.cs)
  • IL-based node ID computation
  • ASP.NET Core entrypoint discovery (controllers, minimal APIs, hosted services)
  • CallGraph.v1.json schema implementation
  • BFS reachability algorithm (ReachabilityAnalyzer.cs)
  • Database schema: scanner.cg_node, scanner.cg_edge, scanner.entrypoint

Tests: Call-graph extraction tests, BFS tests, entrypoint detection tests

Documentation:

  • src/Scanner/AGENTS_SCORE_PROOFS.md (Task 3.1, 3.2) (DETAILED)
  • docs/db/schemas/scanner_schema_specification.md
  • docs/product/advisories/14-Dec-2025 - Reachability Analysis Technical Reference.md

Sprint 3500.0003.0002: Java Reachability

Owner: Scanner Team
Deliverables:

  • Soot/WALA-based call-graph extractor (JavaCallGraphExtractor.cs)
  • Spring Boot entrypoint discovery (@RestController, @RequestMapping)
  • JAR node ID computation (class file hash + method signature)
  • Integration with CallGraph.v1.json schema
  • Reachability analysis for Java artifacts

Tests: Java call-graph extraction tests, Spring Boot entrypoint tests

Prerequisite: Java worker POC with Soot/WALA (must complete before sprint starts)

Documentation:

  • docs/dev/java-call-graph-extractor-spec.md (to be created)
  • src/Scanner/AGENTS_JAVA_REACHABILITY.md (to be created)

Sprint 3500.0003.0003: Graph Attestations

Owner: Attestor Team + Scanner Team
Deliverables:

  • Graph-level DSSE attestation (one per scan)
  • Rekor integration: POST /rekor/entries
  • Rekor budget policy: graph-only by default, edge bundles on escalation
  • API: POST /api/v1/scanner/scans/{id}/callgraphs (upload)
  • API: POST /api/v1/scanner/scans/{id}/reachability/compute
  • API: GET /api/v1/scanner/scans/{id}/reachability/findings
  • API: GET /api/v1/scanner/scans/{id}/reachability/explain

Tests: DSSE signing tests, Rekor integration tests, API tests

Documentation:

  • docs/operations/rekor-policy.md (budget policy)
  • docs/api/scanner-score-proofs-api.md (reachability endpoints)

CLI & UI (Sprints 3500.0004.0001–0002)

Sprint 3500.0004.0001: CLI Verbs

Owner: CLI Team
Deliverables:

  • stella score replay --scan <id>
  • stella proof verify --bundle <path>
  • stella scan graph --lang dotnet|java --sln <path>
  • stella reachability explain --scan <id> --cve <cve>
  • stella unknowns list --band HOT
  • Offline bundle extensions: /offline/reachability/, /offline/corpus/

Tests: CLI E2E tests, offline bundle verification tests

Documentation:

  • docs/09_API_CLI_REFERENCE.md (update with new verbs)
  • docs/24_OFFLINE_KIT.md (reachability bundle format)

Sprint 3500.0004.0002: UI Components

Owner: UI Team
Deliverables:

  • Proof ledger view (timeline visualization)
  • Unknowns queue (filterable, sortable)
  • Reachability explain widget (call-path visualization)
  • Score delta badges
  • "View Proof" button on finding cards

Tests: UI component tests (Jest/Cypress)

Prerequisite: UX wireframes delivered by Product team

Documentation:

  • docs/dev/ui-proof-visualization-spec.md (to be created)

Testing & Handoff (Sprints 3500.0004.0003–0004)

Sprint 3500.0004.0003: Integration Tests + Corpus

Owner: QA + Scanner Team
Deliverables:

  • Golden corpus: 10 .NET + 10 Java test cases
  • End-to-end tests: SBOM → scan → proof → replay → verify
  • CI gates: precision/recall ≥80%, deterministic replay 100%
  • Load tests: 10k scans/day without degradation
  • Air-gap verification tests

Tests: All integration tests passing, corpus CI green

Documentation:

  • docs/testing/golden-corpus-spec.md (to be created)
  • docs/testing/integration-test-plan.md

Sprint 3500.0004.0004: Documentation + Handoff

Owner: Docs Guild + All Teams
Deliverables:

  • Runbooks: docs/operations/score-proofs-runbook.md
  • Runbooks: docs/operations/reachability-troubleshooting.md
  • API documentation published
  • Training materials for support team
  • Competitive battlecard updated
  • Claims index updated: DET-004, REACH-003, PROOF-001, UNKNOWNS-001

Tests: Documentation review by 3+ stakeholders

Documentation:

  • All docs in docs/ reviewed and published

Dependencies

graph TD
    A[3500.0001.0001 Master Plan] --> B[3500.0002.0001 Foundations]
    B --> C[3500.0002.0002 Unknowns]
    C --> D[3500.0002.0003 Replay API]
    D --> E[3500.0003.0001 .NET Reachability]
    E --> F[3500.0003.0002 Java Reachability]
    F --> G[3500.0003.0003 Attestations]
    G --> H[3500.0004.0001 CLI]
    G --> I[3500.0004.0002 UI]
    H --> J[3500.0004.0003 Tests]
    I --> J
    J --> K[3500.0004.0004 Docs]

Success Metrics

Technical Metrics

  • Determinism: 100% bit-identical replay on golden corpus
  • Performance: TTFRP <30s for 100k LOC (p95)
  • Accuracy: Precision/recall ≥80% on ground-truth corpus
  • Scalability: 10k scans/day without Postgres degradation
  • Air-gap: 100% offline bundle verification success

Business Metrics

  • Competitive wins: ≥3 deals citing deterministic replay (6 months) 🎯
  • Customer adoption: ≥20% of enterprise customers enable score proofs (12 months) 🎯
  • Support escalations: <5 Rekor/attestation issues per month 🎯

Sprint Files:

Documentation:

Source Advisory:


Last Updated: 2025-12-17
Next Review: Weekly during sprint execution