- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform.
- Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds.
- Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies.
- Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.

Sprint 110 - Ingestion & Evidence

[Ingestion & Evidence] 110.A) AdvisoryAI
Depends on: Sprint 100.A - Attestor
Summary: Ingestion & Evidence focus on AdvisoryAI.

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| AIAI-31-001 | TODO | Implement structured and vector retrievers for advisories/VEX with paragraph anchors and citation metadata. | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-002 | TODO | Build SBOM context retriever (purl version timelines, dependency paths, env flags, blast radius estimator). | Advisory AI Guild, SBOM Service Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-003 | TODO | Implement deterministic toolset (version comparators, range checks, dependency analysis, policy lookup) exposed via orchestrator. | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-004 | TODO | Build orchestration pipeline for Summary/Conflict/Remediation tasks (prompt templates, tool calls, token budgets, caching). | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-005 | TODO | Implement guardrails (redaction, injection defense, output validation, citation enforcement) and fail-safe handling. | Advisory AI Guild, Security Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-006 | TODO | Expose REST API endpoints (/advisory/ai/*) with RBAC, rate limits, OpenAPI schemas, and batching support. | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-007 | TODO | Instrument metrics (advisory_ai_latency, guardrail_blocks, validation_failures, citation_coverage), logs, and traces; publish dashboards/alerts. | Advisory AI Guild, Observability Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-008 | TODO | Package inference on-prem container, remote inference toggle, Helm/Compose manifests, scaling guidance, offline kit instructions. | Advisory AI Guild, DevOps Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-009 | TODO | Develop unit/golden/property/perf tests, injection harness, and regression suite; ensure determinism with seeded caches. | Advisory AI Guild, QA Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |

[Ingestion & Evidence] 110.B) Concelier.I
Depends on: Sprint 100.A - Attestor
Summary: Ingestion & Evidence focus on Concelier (phase I).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| CONCELIER-AIAI-31-001 Paragraph anchors | TODO | Expose advisory chunk API returning paragraph anchors, section metadata, and token-safe text for Advisory AI retrieval. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-AIAI-31-002 Structured fields | TODO | Ensure observation APIs expose upstream workaround/fix/CVSS fields with provenance; add caching for summary queries. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-AIAI-31-003 Advisory AI telemetry | TODO | Emit metrics/logs for chunk requests, cache hits, and guardrail blocks triggered by advisory payloads. | Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-AIRGAP-56-001 Mirror ingestion adapters | TODO | Add mirror source adapters reading advisories from imported bundles, preserving source metadata and bundle IDs. Ensure ingestion remains append-only. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-AIRGAP-56-002 Bundle catalog linking | TODO | Persist bundle_id, merkle_root, and time anchor references on observations/linksets for provenance. | Concelier Core Guild, AirGap Importer Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-AIRGAP-57-001 Sealed-mode source restrictions | TODO | Enforce sealed-mode egress rules by disallowing non-mirror connectors and surfacing remediation errors. | Concelier Core Guild, AirGap Policy Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-AIRGAP-57-002 Staleness annotations | TODO | Compute staleness metadata for advisories per bundle and expose via API for Console/CLI badges. | Concelier Core Guild, AirGap Time Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-AIRGAP-58-001 Portable advisory evidence | TODO | Package advisory evidence fragments into portable evidence bundles for cross-domain transfer. | Concelier Core Guild, Evidence Locker Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-ATTEST-73-001 ScanResults attestation inputs | TODO | Provide observation artifacts and linkset digests needed for ScanResults attestations (raw data + provenance, no merge outputs). | Concelier Core Guild, Attestor Service Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-ATTEST-73-002 Transparency metadata | TODO | Ensure Concelier exposes source digests for transparency proofs and explainability. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-CONSOLE-23-001 Advisory aggregation views | TODO | Expose /console/advisories endpoints returning aggregation groups (per linkset) with source chips, provider-reported severity columns (no local consensus), and provenance metadata for Console list + dashboard cards. Support filters by source, ecosystem, published/modified window, tenant enforcement. | Concelier WebService Guild, BE-Base Platform Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-CONSOLE-23-002 Dashboard deltas API | TODO | Provide aggregated advisory delta counts (new, modified, conflicting) for Console dashboard + live status ticker; emit structured events for queue lag metrics. Ensure deterministic counts across repeated queries. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-CONSOLE-23-003 Search fan-out helpers | TODO | Deliver fast lookup endpoints for CVE/GHSA/purl search (linksets, observations) returning evidence fragments for Console global search; implement caching + scope guards. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-CORE-AOC-19-004 Remove ingestion normalization | DOING (2025-10-28) | Strip normalization/dedup/severity logic from ingestion pipelines, delegate derived computations to Policy Engine, and update exporters/tests to consume raw documents only. 2025-10-29 19:05Z: Audit completed for AdvisoryRawService/Mongo repo to confirm alias order/dedup removal persists; identified remaining normalization in observation/linkset factory that will be revised to surface raw duplicates for Policy ingestion. Change sketch + regression matrix drafted under docs/dev/aoc-normalization-removal-notes.md (pending commit). 2025-10-31 20:45Z: Added raw linkset projection to observations/storage, exposing canonical+raw views, refreshed fixtures/tests, and documented behaviour in models/doc factory. 2025-10-31 21:10Z: Coordinated with Policy Engine (POLICY-ENGINE-20-003) on adoption timeline; backfill + consumer readiness tracked in docs/dev/raw-linkset-backfill-plan.md. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-CORE-AOC-19-013 Authority tenant scope smoke coverage | TODO | Extend Concelier smoke/e2e fixtures to configure requiredTenants and assert cross-tenant rejection with updated Authority tokens. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |

[Ingestion & Evidence] 110.B) Concelier.II
Depends on: Sprint 110.B - Concelier.I
Summary: Ingestion & Evidence focus on Concelier (phase II).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| CONCELIER-GRAPH-21-001 SBOM projection enrichment | BLOCKED (2025-10-27) | Extend SBOM normalization to emit full relationship graph (depends_on/contains/provides), scope tags, entrypoint annotations, and component metadata required by Cartographer. | Concelier Core Guild, Cartographer Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-GRAPH-21-002 Change events | BLOCKED (2025-10-27) | Publish change events (new SBOM version, relationship delta) for Cartographer build queue; ensure events include tenant/context metadata. | Concelier Core Guild, Scheduler Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-GRAPH-24-101 Advisory summary API | TODO | Expose /advisories/summary returning raw linkset/observation metadata for overlay services; no derived severity or fix hints. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-GRAPH-28-102 Evidence batch API | TODO | Add batch fetch for advisory observations/linksets keyed by component sets to feed Graph overlay tooltips efficiently. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-LNM-21-001 Advisory observation schema | TODO | Introduce immutable advisory_observations model with AOC metadata, raw payload pointers, structured per-source fields (version ranges, severity, CVSS), and tenancy guardrails; publish schema definition. DOCS-LNM-22-001 blocked pending this deliverable. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-LNM-21-002 Linkset builder | TODO | Implement correlation pipeline (alias graph, PURL overlap, CVSS vector equality, fuzzy title match) that produces advisory_linksets with confidence + conflict annotations. Docs note: unblock DOCS-LNM-22-001 once builder lands. | Concelier Core Guild, Data Science Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-LNM-21-003 Conflict annotator | TODO | Detect field disagreements (severity, CVSS, ranges, references) and record structured conflicts on linksets; surface to API/UI. Docs awaiting structured conflict payloads. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-LNM-21-004 Merge code removal | TODO | Excise existing merge/dedup logic, enforce immutability on observations, and add guards/tests to prevent future merges. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-LNM-21-005 Event emission | TODO | Emit advisory.linkset.updated events with delta payloads for downstream Policy Engine/Cartographer consumers; ensure idempotent delivery. | Concelier Core Guild, Platform Events Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-LNM-21-101 Observations collections | TODO | Provision advisory_observations and advisory_linksets collections with hashed shard keys, TTL for ingest metadata, and required indexes (aliases, purls, observation_ids). | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md) |
| CONCELIER-LNM-21-102 Migration tooling | TODO | Backfill legacy merged advisories into observation/linkset collections, create tombstones for merged docs, and supply rollback scripts. | Concelier Storage Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md) |
| CONCELIER-LNM-21-103 Blob/store wiring | TODO | Store large raw payloads in object storage with pointers from observations; update bootstrapper/offline kit to seed sample blobs. | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md) |
| CONCELIER-LNM-21-201 Observation APIs | TODO | Add REST endpoints for advisory observations (GET /advisories/observations) with filters (alias, purl, source), pagination, and tenancy enforcement. | Concelier WebService Guild, BE-Base Platform Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-LNM-21-202 Linkset APIs | TODO | Implement linkset read/export endpoints (/advisories/linksets/{id}, /advisories/by-purl/{purl}, /advisories/linksets/{id}/export, /evidence) with correlation/conflict payloads and ERR_AGG_* mapping. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-LNM-21-203 Ingest events | TODO | Publish NATS/Redis events for new observations/linksets and ensure idempotent consumer contracts; document event schemas. | Concelier WebService Guild, Platform Events Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |

[Ingestion & Evidence] 110.B) Concelier.III
Depends on: Sprint 110.B - Concelier.II
Summary: Ingestion & Evidence focus on Concelier (phase III).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| CONCELIER-OAS-61-001 Spec coverage | TODO | Update Concelier OAS with advisory observation/linkset endpoints, standard pagination, and source provenance fields. | Concelier Core Guild, API Contracts Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OAS-61-002 Examples library | TODO | Provide rich examples for advisories, linksets, conflict annotations used by SDK + docs. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OAS-62-001 SDK smoke tests | TODO | Add SDK tests covering advisory search, pagination, and conflict handling; ensure source metadata surfaced. | Concelier Core Guild, SDK Generator Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OAS-63-001 Deprecation headers | TODO | Implement deprecation header support and timeline events for retiring endpoints. | Concelier Core Guild, API Governance Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OBS-50-001 Telemetry adoption | TODO | Replace ad-hoc logging with telemetry core across ingestion/linking pipelines; ensure spans/logs include tenant, source vendor, upstream id, content hash, and trace IDs. | Concelier Core Guild, Observability Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OBS-51-001 Metrics & SLOs | TODO | Emit metrics for ingest latency (cold/warm), queue depth, aoc violation rate, and publish SLO burn-rate alerts (ingest P95 <30s cold / <5s warm). Ship dashboards + alert configs. | Concelier Core Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OBS-52-001 Timeline events | TODO | Emit timeline_event records for advisory ingest/normalization/linkset creation with provenance, trace IDs, conflict summaries, and evidence placeholders. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OBS-53-001 Evidence snapshots | TODO | Produce advisory evaluation bundle payloads (raw doc, linkset, normalization diff) for evidence locker; ensure Merkle manifests seeded with content hashes. | Concelier Core Guild, Evidence Locker Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OBS-54-001 Attestation & verification | TODO | Attach DSSE attestations for advisory processing batches, expose verification API to confirm bundle integrity, and link attestation IDs back to timeline + ledger. | Concelier Core Guild, Provenance Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OBS-55-001 Incident mode hooks | TODO | Increase sampling, capture raw payload snapshots, and extend retention under incident mode; emit activation events + guardrails against PII leak. | Concelier Core Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-ORCH-32-001 Source registry integration | TODO | Register Concelier data sources with orchestrator (metadata, schedules, rate policies) and wire provenance IDs/security scopes. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-ORCH-32-002 Worker SDK adoption | TODO | Embed orchestrator worker SDK in ingestion loops, emit heartbeats/progress/artifact hashes, and enforce idempotency keys. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-ORCH-33-001 Control hook compliance | TODO | Honor orchestrator throttle/pause/retry actions, surface structured error classes, and persist safe checkpoints for resume. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-ORCH-34-001 Backfill + ledger linkage | TODO | Execute orchestrator-driven backfills, reuse artifact hashes to avoid duplicates, and link provenance to run ledger exports. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-POLICY-20-001 Policy selection endpoints | TODO | Add batch advisory lookup APIs (/policy/select/advisories, /policy/select/vex) optimized for PURL/ID lists with pagination, tenant scoping, and explain metadata. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |

[Ingestion & Evidence] 110.B) Concelier.IV
Depends on: Sprint 110.B - Concelier.III
Summary: Ingestion & Evidence focus on Concelier (phase IV).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| CONCELIER-POLICY-20-002 Linkset enrichment for policy | TODO | Strengthen linkset builders with vendor-specific equivalence tables, NEVRA/PURL normalization, and version range parsing to maximize policy join recall; update fixtures + docs. | Concelier Core Guild, Policy Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-POLICY-20-003 Selection cursors | TODO | Add advisory/vex selection cursors (per policy run) with change stream checkpoints, indexes, and offline migration scripts to support incremental evaluations. | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md) |
| CONCELIER-POLICY-23-001 Evidence indexes | TODO | Add secondary indexes/materialized views to accelerate policy lookups (alias, provider severity per observation, correlation confidence). Document query contracts for runtime. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-POLICY-23-002 Event guarantees | TODO | Ensure advisory.linkset.updated emits at-least-once with idempotent keys and include policy-relevant metadata (confidence, conflict summary). | Concelier Core Guild, Platform Events Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-RISK-66-001 CVSS/KEV providers | TODO | Expose CVSS, KEV, fix availability data via provider APIs with source metadata preserved. | Concelier Core Guild, Risk Engine Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-RISK-66-002 Fix availability signals | TODO | Provide structured fix availability and release metadata consumable by risk engine; document provenance. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-RISK-67-001 Source coverage metrics | TODO | Add per-source coverage metrics for linked advisories (observation counts, conflicting statuses) without computing consensus scores; ensure explainability includes source digests. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-RISK-68-001 Policy Studio integration | TODO | Surface advisory fields in Policy Studio profile editor (signal pickers, reducers). | Concelier Core Guild, Policy Studio Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-RISK-69-001 Notification hooks | TODO | Emit events when advisory signals change impacting risk scores (e.g., fix available). | Concelier Core Guild, Notifications Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-SIG-26-001 Vulnerable symbol exposure | TODO | Expose advisory metadata (affected symbols/functions) via API to enrich reachability scoring; update fixtures. | Concelier Core Guild, Signals Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-STORE-AOC-19-005 Raw linkset backfill | TODO (2025-11-04) | Plan and execute advisory_observations rawLinkset backfill (online + Offline Kit bundles), supply migration scripts + rehearse rollback. Follow the coordination plan in docs/dev/raw-linkset-backfill-plan.md. | Concelier Storage Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md) |
| CONCELIER-TEN-48-001 Tenant-aware linking | TODO | Ensure advisory normalization/linking runs per tenant with RLS enforcing isolation; emit capability endpoint reporting merge=false; update events with tenant context. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-VEXLENS-30-001 Advisory rationale bridges | TODO | Guarantee advisory key consistency and cross-links for consensus rationale; Label: VEX-Lens. | Concelier WebService Guild, VEX Lens Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-VULN-29-001 Advisory key canonicalization | TODO | Canonicalize (lossless) advisory identifiers (CVE/GHSA/vendor) into advisory_key, persist links[], expose raw payload snapshots for Explorer evidence tabs; AOC-compliant: no merge, no derived fields, no suppression. Include migration/backfill scripts. | Concelier WebService Guild, Data Integrity Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-VULN-29-002 Evidence retrieval API | TODO | Provide /vuln/evidence/advisories/{advisory_key} returning raw advisory docs with provenance, filtering by tenant and source. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |

[Ingestion & Evidence] 110.B) Concelier.V
Depends on: Sprint 110.B - Concelier.IV
Summary: Ingestion & Evidence focus on Concelier (phase V).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| CONCELIER-VULN-29-004 Observability enhancements | TODO | Instrument metrics/logs for observation + linkset pipelines (identifier collisions, withdrawn flags) and emit events consumed by Vuln Explorer resolver. | Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-AIRGAP-56-001 Mirror import APIs | TODO | Extend ingestion endpoints to register mirror bundle sources, expose bundle catalog queries, and block external feed URLs in sealed mode. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-AIRGAP-56-002 Airgap status surfaces | TODO | Add staleness metadata and bundle provenance to advisory APIs (/advisories/observations, /advisories/linksets). | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-AIRGAP-57-001 Error remediation | TODO | Map sealed-mode violations to AIRGAP_EGRESS_BLOCKED responses with user guidance. | Concelier WebService Guild, AirGap Policy Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-AIRGAP-58-001 Import timeline emission | TODO | Emit timeline events for bundle ingestion operations with bundle ID, scope, and actor metadata. | Concelier WebService Guild, AirGap Importer Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-AOC-19-002 AOC observability | TODO | Emit ingestion_write_total, aoc_violation_total, latency histograms, and tracing spans (ingest.fetch/transform/write, aoc.guard). Wire structured logging to include tenant, source vendor, upstream id, and content hash. | Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-AOC-19-003 Schema/guard unit tests | TODO | Add unit tests covering schema validation failures, forbidden field rejections (ERR_AOC_001/002/006/007), idempotent upserts, and supersedes chains using deterministic fixtures. | QA Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-AOC-19-004 End-to-end ingest verification | TODO | Create integration tests ingesting large advisory batches (cold/warm) validating linkset enrichment, metrics emission, and reproducible outputs. Capture load-test scripts + doc notes for Offline Kit dry runs. | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OAS-61-001 /.well-known/openapi | TODO | Implement discovery endpoint emitting Concelier spec with version metadata and ETag. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OAS-61-002 Error envelope migration | TODO | Ensure all API responses use standardized error envelope; update controllers/tests. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OAS-62-001 Examples expansion | TODO | Add curated examples for advisory observations/linksets/conflicts; integrate into dev portal. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OAS-63-001 Deprecation headers | TODO | Add Sunset/Deprecation headers for retiring endpoints and update documentation/notifications. | Concelier WebService Guild, API Governance Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OBS-50-001 Telemetry adoption | TODO | Adopt telemetry core in web service host, ensure ingest + read endpoints emit trace/log fields (tenant_id, route, decision_effect), and add correlation IDs to responses. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OBS-51-001 Observability APIs | TODO | Surface ingest health metrics, queue depth, and SLO status via /obs/concelier/health endpoint for Console widgets, with caching and tenant partitioning. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OBS-52-001 Timeline streaming | TODO | Provide SSE stream /obs/concelier/timeline bridging to Timeline Indexer with paging tokens, guardrails, and audit logging. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |

[Ingestion & Evidence] 110.B) Concelier.VI
Depends on: Sprint 110.B - Concelier.V
Summary: Ingestion & Evidence focus on Concelier (phase VI).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| CONCELIER-WEB-OBS-53-001 Evidence locker integration | TODO | Add /evidence/advisories/* routes invoking evidence locker snapshots, verifying tenant scopes (evidence:read), and returning signed manifest metadata. | Concelier WebService Guild, Evidence Locker Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OBS-54-001 Attestation exposure | TODO | Provide /attestations/advisories/* read APIs surfacing DSSE status, verification summary, and provenance chain for Console/CLI. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OBS-55-001 Incident mode toggles | TODO | Implement incident mode toggle endpoints, propagate to orchestrator/locker, and document cooldown/backoff semantics. | Concelier WebService Guild, DevOps Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| FEEDCONN-CCCS-02-009 Version range provenance (Oct 2025) | BE-Conn-CCCS | TODO (due 2025-10-21) – Map CCCS advisories into the new advisory_observations.affected.versions[] structure, preserving each upstream range with provenance anchors (cccs:{serial}:{index}) and normalized comparison keys. Update mapper tests/fixtures for the Link-Not-Merge schema and verify linkset builders consume the ranges without relying on legacy merge counters. 2025-10-29: docs/dev/normalized-rule-recipes.md now documents helper snippets for building observation version entries—use them instead of merge-specific builders and refresh fixtures with UPDATE_CCCS_FIXTURES=1. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs/TASKS.md) |
| FEEDCONN-CERTBUND-02-010 Version range provenance | BE-Conn-CERTBUND | TODO (due 2025-10-22) – Translate product.Versions phrases (e.g., 2023.1 bis 2024.2, alle) into comparison helpers for advisory_observations.affected.versions[], capturing provenance (certbund:{advisoryId}:{vendor}) and localisation notes. Update mapper/tests for the Link-Not-Merge schema and refresh documentation accordingly. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund/TASKS.md) |
| FEEDCONN-CISCO-02-009 SemVer range provenance | BE-Conn-Cisco | TODO (due 2025-10-21) – Emit Cisco SemVer ranges into advisory_observations.affected.versions[] with provenance identifiers (cisco:{productId}) and deterministic comparison keys. Update mapper/tests for the Link-Not-Merge schema and replace legacy merge counter checks with observation/linkset validation. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco/TASKS.md) |
| FEEDCONN-ICSCISA-02-012 Version range provenance | BE-Conn-ICS-CISA | TODO (due 2025-10-23) – Promote existing firmware/semver data into advisory_observations.affected.versions[] entries with deterministic comparison keys and provenance identifiers (ics-cisa:{advisoryId}:{product}). Add regression coverage for mixed firmware strings and raise a Models ticket only when observation schema needs a new comparison helper. 2025-10-29: Follow docs/dev/normalized-rule-recipes.md §2 to build observation version entries and log failures without invoking the retired merge helpers. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Cisa/TASKS.md) |
| FEEDCONN-KISA-02-008 Firmware range provenance | BE-Conn-KISA, Models | TODO (due 2025-10-24) – Define comparison helpers for Hangul-labelled firmware ranges (XFU 1.0.1.0084 ~ 2.0.1.0034) and map them into advisory_observations.affected.versions[] with provenance tags. Coordinate with Models only if a new comparison scheme is required, then update localisation notes and fixtures for the Link-Not-Merge schema. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kisa/TASKS.md) |
| FEEDCONN-SHARED-STATE-003 Source state seeding helper | Tools Guild, BE-Conn-MSRC | DOING (2025-10-19) – Provide a reusable CLI/utility to seed pendingDocuments/pendingMappings for connectors (MSRC backfills require scripted CVRF + detail injection). Coordinate with MSRC team for expected JSON schema and handoff once prototype lands. Prereqs confirmed none (2025-10-19). | Tools (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Common/TASKS.md) |
| FEEDMERGE-COORD-02-901 Connector deadline check-ins | BE-Merge | TODO (due 2025-10-21) – Confirm Cccs/Cisco version-provenance updates land, capture LinksetVersionCoverage dashboard snapshots (expect zero missing-range warnings), and update coordination docs with the results. 2025-10-29: Observation metrics now surface version_entries_total/missing_version_entries_total; include screenshots for both when closing this task. | FEEDMERGE-COORD-02-900 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) |
| FEEDMERGE-COORD-02-902 ICS-CISA version comparison support | BE-Merge, Models | TODO (due 2025-10-23) – Review ICS-CISA sample advisories, validate reuse of existing comparison helpers, and pre-stage Models ticket template only if a new firmware comparator is required. Document the outcome and observation coverage logs in coordination docs + tracker files. 2025-10-29: docs/dev/normalized-rule-recipes.md (§2–§3) now covers observation entries; attach decision summary + log sample when handing off to Models. | FEEDMERGE-COORD-02-900 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) |
| FEEDMERGE-COORD-02-903 KISA firmware scheme review | BE-Merge, Models | TODO (due 2025-10-24) – Pair with KISA team on proposed firmware comparison helper (kisa.build or variant), ensure observation mapper alignment, and open Models ticket only if a new comparator is required. Log the final helper signature and observation coverage metrics in coordination docs + tracker files. | FEEDMERGE-COORD-02-900 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) |
| Fixture validation sweep | QA | DOING (2025-10-19) – Prereqs confirmed none; continuing RHSA fixture regeneration and diff review alongside mapper provenance updates. 2025-10-29: Added scripts/update-redhat-fixtures.sh to regenerate golden snapshots with UPDATE_GOLDENS=1; run it before reviews to capture CSAF contract deltas. | None (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.RedHat/TASKS.md) |
| Link-Not-Merge version provenance coordination | BE-Merge | DOING – Coordinate remaining connectors (Acsc, Cccs, CertBund, CertCc, Cve, Ghsa, Ics.Cisa, Kisa, Ru.Bdu, Ru.Nkcki, Vndr.Apple, Vndr.Cisco, Vndr.Msrc) so they emit advisory_observations.affected.versions[] entries with provenance tags and deterministic comparison keys. Track rollout status in docs/dev/normalized-rule-recipes.md (now updated for Link-Not-Merge) and retire the legacy merge counters as coverage transitions to linkset validation metrics. 2025-10-29: Added new guidance in the doc for recording observation version metadata and logging gaps via LinksetVersionCoverage warnings to replace prior concelier.merge.normalized_rules* alerts. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) |
| MERGE-LNM-21-001 Migration plan authoring | BE-Merge, Architecture Guild | Draft no-merge migration playbook, documenting backfill strategy, feature flag rollout, and rollback steps for legacy merge pipeline deprecation. |
CONCELIER-LNM-21-101 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) |
[Ingestion & Evidence] 110.B) Concelier.VII Depends on: Sprint 110.B - Concelier.VI Summary: Ingestion & Evidence focus on Concelier (phase VII).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| MERGE-LNM-21-002 Merge service deprecation | BE-Merge | Refactor or retire AdvisoryMergeService and related pipelines, ensuring callers transition to observation/linkset APIs; add compile-time analyzer preventing merge service usage. | MERGE-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) |
| MERGE-LNM-21-003 Determinism/test updates | QA Guild, BE-Merge | Replace merge determinism suites with observation/linkset regression tests verifying no data mutation and conflicts remain visible. | MERGE-LNM-21-002 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) |
[Ingestion & Evidence] 110.C) Excititor.I Depends on: Sprint 100.A - Attestor Summary: Ingestion & Evidence focus on Excititor (phase I).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EXCITITOR-AIAI-31-001 Justification enrichment | TODO | Expose normalized VEX justifications, product trees, and paragraph anchors for Advisory AI conflict explanations. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-AIAI-31-002 VEX chunk API | TODO | Provide /vex/evidence/chunks endpoint returning tenant-scoped VEX statements with signature metadata and scope scores for RAG. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-AIAI-31-003 Telemetry | TODO | Emit metrics/logs for VEX chunk usage, signature verification failures, and guardrail triggers. | Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-AIRGAP-56-001 Mirror ingestion adapters | TODO | Add mirror-based VEX ingestion, preserving statement digests and bundle IDs. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-AIRGAP-56-002 Bundle provenance | TODO | Persist bundle metadata on VEX observations/linksets with provenance references. | Excititor Core Guild, AirGap Importer Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-AIRGAP-57-001 Sealed-mode enforcement | TODO | Block non-mirror connectors in sealed mode and surface remediation errors. | Excititor Core Guild, AirGap Policy Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-AIRGAP-57-002 Staleness annotations | TODO | Annotate VEX statements with staleness metrics and expose via API. | Excititor Core Guild, AirGap Time Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-AIRGAP-58-001 Portable VEX evidence | TODO | Package VEX evidence segments into portable evidence bundles linked to timeline. | Excititor Core Guild, Evidence Locker Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-ATTEST-01-003 – Verification suite & observability | Team Excititor Attestation | DOING (2025-10-22) – Continuing implementation: build IVexAttestationVerifier, wire metrics/logging, and add regression tests. Draft plan in EXCITITOR-ATTEST-01-003-plan.md (2025-10-19) guides scope; updating with worknotes as progress lands. 2025-10-31: Verifier now tolerates duplicate source providers from AOC raw projections, downgrades offline Rekor verification to a degraded result, and enforces trusted signer registry checks with detailed diagnostics/tests. | EXCITITOR-ATTEST-01-002 (src/Excititor/__Libraries/StellaOps.Excititor.Attestation/TASKS.md) |
| EXCITITOR-ATTEST-73-001 VEX attestation payloads | TODO | Provide VEX statement metadata (supplier identity, justification, scope) required for VEXAttestation payloads. | Excititor Core Guild, Attestation Payloads Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-ATTEST-73-002 Chain provenance | TODO | Expose linkage from VEX statements to subject/product for chain of custody graph. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-CONN-MS-01-003 – Trust metadata & provenance hints | Team Excititor Connectors – MSRC | TODO – Emit cosign/AAD issuer metadata, attach provenance details, and document policy integration. | EXCITITOR-CONN-MS-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/TASKS.md) |
| EXCITITOR-CONN-ORACLE-01-003 – Trust provenance enrichment | Team Excititor Connectors – Oracle | TODO – Emit Oracle signing metadata (PGP/cosign fingerprint list, issuer trust tier) into raw provenance so downstream services can evaluate trust. Connector must not apply consensus weighting during ingestion. | EXCITITOR-CONN-ORACLE-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md) |
| EXCITITOR-CONN-STELLA-07-002 | TODO | Parse mirror bundles into raw VexClaim batches, preserving original provider metadata and mirror provenance without applying consensus or weighting. | Excititor Connectors – Stella (src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md) |
| EXCITITOR-CONN-STELLA-07-003 | TODO | Implement incremental cursor handling per-export digest for raw claim replays, support resume, and document configuration for downstream Excititor mirrors. | Excititor Connectors – Stella (src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md) |
[Ingestion & Evidence] 110.C) Excititor.II Depends on: Sprint 110.C - Excititor.I Summary: Ingestion & Evidence focus on Excititor (phase II).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EXCITITOR-CONN-SUSE-01-003 – Trust metadata provenance | Team Excititor Connectors – SUSE | TODO – Emit provider trust configuration (signer fingerprints, trust tier notes) into the raw provenance envelope so downstream VEX Lens/Policy components can weigh issuers. Connector must not apply weighting or consensus inside ingestion. | EXCITITOR-CONN-SUSE-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md) |
| EXCITITOR-CONN-UBUNTU-01-003 – Trust provenance enrichment | Team Excititor Connectors – Ubuntu | TODO – Emit Ubuntu signing metadata (GPG fingerprints, issuer trust tier) inside raw provenance artifacts so downstream Policy/VEX Lens consumers can weigh issuers. Connector must remain aggregation-only with no inline weighting. | EXCITITOR-CONN-UBUNTU-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md) |
| EXCITITOR-CONSOLE-23-001 VEX aggregation views | TODO | Expose /console/vex endpoints returning grouped VEX statements per advisory/component with status chips, justification metadata, precedence trace pointers, and tenant-scoped filters for Console explorer. | Excititor WebService Guild, BE-Base Platform Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-CONSOLE-23-002 Dashboard VEX deltas | TODO | Provide aggregated counts for VEX overrides (new, not_affected, revoked) powering Console dashboard + live status ticker; emit metrics for policy explain integration. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-CONSOLE-23-003 VEX search helpers | TODO | Deliver rapid lookup endpoints of VEX by advisory/component for Console global search; ensure response includes provenance and precedence context; include caching and RBAC. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-CORE-AOC-19-002 VEX linkset extraction | TODO | Implement deterministic extraction of advisory IDs, component PURLs, and references into linkset, capturing reconciled-from metadata for traceability. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-CORE-AOC-19-003 Idempotent VEX raw upsert | TODO | Enforce (vendor, upstreamId, contentHash, tenant) uniqueness, generate supersedes chains, and ensure append-only versioning of raw VEX documents. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-CORE-AOC-19-004 Remove ingestion consensus | TODO | Excise consensus/merge/severity logic from Excititor ingestion paths, updating exports/tests to rely on Policy Engine materializations instead. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-CORE-AOC-19-013 Authority tenant scope smoke coverage | TODO | Update Excititor smoke/e2e suites to seed tenant-aware Authority clients and ensure cross-tenant VEX ingestion is rejected. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-GRAPH-21-001 Inspector linkouts | BLOCKED (2025-10-27) | Provide batched VEX/advisory reference fetches keyed by graph node PURLs so UI inspector can display raw documents and justification metadata. | Excititor Core Guild, Cartographer Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-GRAPH-21-002 Overlay enrichment | BLOCKED (2025-10-27) | Ensure overlay metadata includes VEX justification summaries and document versions for Cartographer overlays; update fixtures/tests. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-GRAPH-21-005 Inspector indexes | BLOCKED (2025-10-27) | Add indexes/materialized views for VEX lookups by PURL/policy to support Cartographer inspector performance; document migrations. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-GRAPH-24-101 VEX summary API | TODO | Provide endpoints delivering VEX status summaries per component/asset for Vuln Explorer integration. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-GRAPH-24-102 Evidence batch API | TODO | Add batch VEX observation retrieval optimized for Graph overlays/tooltips. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-LNM-21-001 VEX observation model | TODO | Define immutable vex_observations schema capturing raw statements, product PURLs, justification, and AOC metadata. DOCS-LNM-22-002 blocked pending this schema. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
[Ingestion & Evidence] 110.C) Excititor.III Depends on: Sprint 110.C - Excititor.II Summary: Ingestion & Evidence focus on Excititor (phase III).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EXCITITOR-LNM-21-002 Linkset correlator | TODO | Build correlation pipeline combining alias + product PURL signals to form vex_linksets with confidence metrics. Docs waiting to finalize VEX aggregation guide. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-LNM-21-003 Conflict annotator | TODO | Record status/justification disagreements within linksets and expose structured conflicts. Provide structured payloads for DOCS-LNM-22-002. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-LNM-21-004 Merge removal | TODO | Remove legacy VEX merge logic, enforce immutability, and add guards/tests to prevent future merges. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-LNM-21-005 Event emission | TODO | Emit vex.linkset.updated events for downstream consumers with delta descriptions and tenant context. | Excititor Core Guild, Platform Events Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-LNM-21-101 Observations collections | TODO | Provision vex_observations/vex_linksets collections with shard keys, indexes over aliases & product PURLs, and multi-tenant guards. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-LNM-21-102 Migration/backfill | TODO | Backfill legacy merged VEX docs into observations/linksets, add provenance notes, and produce rollback scripts. | Excititor Storage Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-LNM-21-201 Observation APIs | TODO | Add VEX observation read endpoints with filters, pagination, RBAC, and tenant scoping. | Excititor WebService Guild, BE-Base Platform Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-LNM-21-202 Linkset APIs | TODO | Implement linkset read/export/evidence endpoints returning correlation/conflict payloads and map errors to ERR_AGG_*. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-LNM-21-203 Event publishing | TODO | Publish vex.linkset.updated events, document schema, and ensure idempotent delivery. | Excititor WebService Guild, Platform Events Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-OAS-61-001 Spec coverage | TODO | Update VEX OAS to include observation/linkset endpoints with provenance fields and examples. | Excititor Core Guild, API Contracts Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OAS-61-002 Example catalog | TODO | Provide examples for VEX justifications, statuses, conflicts; ensure SDK docs reference them. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OAS-62-001 SDK smoke tests | TODO | Add SDK scenarios for VEX observation queries and conflict handling to language smoke suites. | Excititor Core Guild, SDK Generator Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OAS-63-001 Deprecation headers | TODO | Add deprecation metadata and notifications for legacy VEX routes. | Excititor Core Guild, API Governance Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OBS-50-001 Telemetry adoption | TODO | Integrate telemetry core across VEX ingestion/linking, ensuring spans/logs capture tenant, product scope, upstream id, justification hash, and trace IDs. | Excititor Core Guild, Observability Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OBS-51-001 Metrics & SLOs | TODO | Publish metrics for VEX ingest latency, scope resolution success, conflict rate, signature verification failures. Define SLOs (link latency P95 <30s) and configure burn-rate alerts. | Excititor Core Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
[Ingestion & Evidence] 110.C) Excititor.IV Depends on: Sprint 110.C - Excititor.III Summary: Ingestion & Evidence focus on Excititor (phase IV).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EXCITITOR-OBS-52-001 Timeline events | TODO | Emit timeline_event entries for VEX ingest/linking/outcome changes with trace IDs, justification summaries, and evidence placeholders. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OBS-53-001 Evidence snapshots | TODO | Build evidence payloads for VEX statements (raw doc, normalization diff, precedence notes) and push to evidence locker with Merkle manifests. | Excititor Core Guild, Evidence Locker Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OBS-54-001 Attestation & verification | TODO | Attach DSSE attestations to VEX batch processing, verify chain-of-custody via Provenance library, and link attestation IDs to timeline + ledger. | Excititor Core Guild, Provenance Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OBS-55-001 Incident mode | TODO | Implement incident sampling bump, additional raw payload retention, and activation events for VEX pipelines with redaction guard rails. | Excititor Core Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-ORCH-32-001 Worker SDK adoption | TODO | Integrate orchestrator worker SDK in Excititor ingestion jobs, emit heartbeats/progress/artifact hashes, and register source metadata. | Excititor Worker Guild (src/Excititor/StellaOps.Excititor.Worker/TASKS.md) |
| EXCITITOR-ORCH-33-001 Control compliance | TODO | Honor orchestrator pause/throttle/retry actions, classify error outputs, and persist restart checkpoints. | Excititor Worker Guild (src/Excititor/StellaOps.Excititor.Worker/TASKS.md) |
| EXCITITOR-ORCH-34-001 Backfill & circuit breaker | TODO | Implement orchestrator-driven backfills, apply circuit breaker reset rules, and ensure artifact dedupe alignment. | Excititor Worker Guild (src/Excititor/StellaOps.Excititor.Worker/TASKS.md) |
| EXCITITOR-POLICY-02-002 – Diagnostics for scoring signals | Team Excititor Policy | BACKLOG – Update diagnostics reports to surface missing severity/KEV/EPSS mappings, coefficient overrides, and provide actionable recommendations for policy tuning. | EXCITITOR-POLICY-02-001 (src/Excititor/__Libraries/StellaOps.Excititor.Policy/TASKS.md) |
| EXCITITOR-POLICY-20-001 Policy selection endpoints | TODO | Provide VEX lookup APIs supporting PURL/advisory batching, scope filtering, and tenant enforcement with deterministic ordering + pagination. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-POLICY-20-002 Scope-aware linksets | TODO | Enhance VEX linkset extraction with scope resolution (product/component) + version range matching to boost policy join accuracy; refresh fixtures/tests. | Excititor Core Guild, Policy Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-POLICY-20-003 Selection cursors | TODO | Introduce VEX selection cursor collections + indexes powering incremental policy runs; bundle change-stream checkpoint migrations and Offline Kit tooling. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-POLICY-23-001 Evidence indexes | TODO | Provide indexes/materialized views for policy runtime (status, justification, product PURL) to accelerate queries; document contract. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-POLICY-23-002 Event guarantees | TODO | Ensure vex.linkset.updated events include correlation confidence, conflict summaries, and idempotent ids for evaluator consumption. | Excititor Core Guild, Platform Events Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-RISK-66-001 VEX gate provider | TODO | Supply VEX status and justification data for risk engine gating with full source provenance. | Excititor Core Guild, Risk Engine Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-RISK-66-002 Reachability inputs | TODO | Provide component/product scoping metadata enabling reachability and runtime factor mapping. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
[Ingestion & Evidence] 110.C) Excititor.V Depends on: Sprint 110.C - Excititor.IV Summary: Ingestion & Evidence focus on Excititor (phase V).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EXCITITOR-RISK-67-001 Explainability metadata | TODO | Include VEX justification, status reasoning, and source digests in explainability artifacts. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-RISK-68-001 Policy Studio integration | TODO | Surface VEX-specific gates/weights within profile editor UI and validation messages. | Excititor Core Guild, Policy Studio Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-SIG-26-001 Vendor exploitability hints | TODO | Surface vendor-provided exploitability indicators and affected symbol lists to Signals service via projection endpoints. | Excititor Core Guild, Signals Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-STORE-AOC-19-001 vex_raw schema validator | TODO | Define Mongo JSON schema for vex_raw enforcing required fields and forbidding derived/consensus/severity fields. Ship unit tests with Mongo2Go to validate rejects. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-STORE-AOC-19-002 idempotency unique index | TODO | Create (source.vendor, upstream.upstream_id, upstream.content_hash, tenant) unique index with backfill checker, updating migrations + bootstrapper for offline installs. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-STORE-AOC-19-003 append-only migration plan | TODO | Migrate legacy consensus collections to _backup_*, seed supersedes chain for raw docs, and document rollback path + dry-run verification. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-STORE-AOC-19-004 validator deployment docset | TODO | Update migration runbooks and Offline Kit packaging to bundle schema validator scripts, with smoke instructions for air-gapped clusters. | Excititor Storage Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-TEN-48-001 Tenant-aware VEX linking | TODO | Apply tenant context to VEX linkers, enable RLS, and expose capability endpoint confirming aggregation-only behavior. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-VEXLENS-30-001 VEX evidence enrichers | TODO | Include issuer hints, signatures, and product trees in evidence payloads for VEX Lens; Label: VEX-Lens. | Excititor WebService Guild, VEX Lens Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-VULN-29-001 VEX key canonicalization | TODO | Canonicalize (lossless) VEX advisory/product keys (map to advisory_key, capture product scopes); expose original sources in links[]; AOC-compliant: no merge, no derived fields, no suppression; backfill existing records. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-VULN-29-002 Evidence retrieval | TODO | Provide /vuln/evidence/vex/{advisory_key} returning raw VEX statements filtered by tenant/product scope for Explorer evidence tabs. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-VULN-29-004 Observability | TODO | Add metrics/logs for VEX normalization, suppression scopes, withdrawn statements; emit events consumed by Vuln Explorer resolver. | Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-AIRGAP-56-001 | TODO | Support mirror bundle registration via APIs, expose bundle provenance in VEX responses, and block external connectors in sealed mode. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-AIRGAP-56-002 | TODO | Return VEX staleness metrics and time anchor info in API responses for Console/CLI use. | Excititor WebService Guild, AirGap Time Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-AIRGAP-57-001 | TODO | Map sealed-mode violations to standardized error payload with remediation guidance. | Excititor WebService Guild, AirGap Policy Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
[Ingestion & Evidence] 110.C) Excititor.VI Depends on: Sprint 110.C - Excititor.V Summary: Ingestion & Evidence focus on Excititor (phase VI).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EXCITITOR-WEB-AIRGAP-58-001 | TODO | Emit timeline events for VEX bundle imports with bundle ID, scope, and actor metadata. | Excititor WebService Guild, AirGap Importer Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-AOC-19-001 Raw VEX ingestion APIs | TODO | Implement POST /ingest/vex, GET /vex/raw*, and POST /aoc/verify endpoints. Enforce Authority scopes, tenant injection, and guard pipeline to ensure only immutable VEX facts are persisted. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-AOC-19-002 AOC observability + metrics | TODO | Export metrics (ingestion_write_total, aoc_violation_total, signature verification counters) and tracing spans matching Concelier naming. Ensure structured logging includes tenant, source vendor, upstream id, and content hash. | Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-AOC-19-003 Guard + schema test harness | TODO | Add unit/integration tests for schema validation, forbidden field rejection (ERR_AOC_001/006/007), and supersedes behavior using CycloneDX-VEX & CSAF fixtures with deterministic expectations. | QA Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-AOC-19-004 Batch ingest validation | TODO | Build large fixture ingest covering mixed VEX statuses, verifying raw storage parity, metrics, and CLI aoc verify compatibility. Document load test/runbook updates. | Excititor WebService Guild, QA Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OAS-61-001 | TODO | Implement /.well-known/openapi discovery endpoint with spec version metadata. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OAS-61-002 | TODO | Standardize error envelope responses and update controller/unit tests. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OAS-62-001 | TODO | Add curated examples for VEX observation/linkset endpoints and ensure portal displays them. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OAS-63-001 | TODO | Emit deprecation headers and update docs for retiring VEX APIs. | Excititor WebService Guild, API Governance Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OBS-50-001 Telemetry adoption | TODO | Adopt telemetry core for VEX APIs, ensure responses include trace IDs & correlation headers, and update structured logging for read endpoints. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OBS-51-001 Observability health endpoints | TODO | Implement /obs/excititor/health summarizing ingest/link SLOs, signature failure counts, and conflict trends for Console dashboards. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OBS-52-001 Timeline streaming | TODO | Provide SSE bridge for VEX timeline events with tenant filters, pagination, and guardrails. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OBS-53-001 Evidence APIs | TODO | Expose /evidence/vex/* endpoints that fetch locker bundles, enforce scopes, and surface verification metadata. | Excititor WebService Guild, Evidence Locker Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OBS-54-001 Attestation APIs | TODO | Add /attestations/vex/* endpoints returning DSSE verification state, builder identity, and chain-of-custody links. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OBS-55-001 Incident mode toggles | TODO | Provide incident mode API for VEX pipelines with activation audit logs and retention override previews. | Excititor WebService Guild, DevOps Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
[Ingestion & Evidence] 110.D) Mirror Depends on: Sprint 100.A - Attestor Summary: Ingestion & Evidence focus on Mirror.
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| MIRROR-CRT-56-001 | TODO | Implement deterministic bundle assembler supporting advisories, VEX, policy packs with Zstandard compression and manifest generation. | Mirror Creator Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md) |
| MIRROR-CRT-56-002 | TODO | Integrate DSSE signing and TUF metadata generation (root, snapshot, timestamp, targets). | Mirror Creator Guild, Security Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md) |
| MIRROR-CRT-57-001 | TODO | Add optional OCI image collection producing oci-archive layout with digests recorded in manifest. | Mirror Creator Guild, DevOps Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md) |
| MIRROR-CRT-57-002 | TODO | Embed signed time anchor metadata (meta/time-anchor.json) sourced from trusted authority. | Mirror Creator Guild, AirGap Time Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md) |
| MIRROR-CRT-58-001 | TODO | Deliver CLI `stella mirror create | Mirror Creator Guild, CLI Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md) |
| MIRROR-CRT-58-002 | TODO | Integrate with Export Center scheduling to automate mirror bundle creation with audit logs. | Mirror Creator Guild, Exporter Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md) |
If all tasks are done - read next sprint section - SPRINT_120_policy_reasoning.md