- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform.
- Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds.
- Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies.
- Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.
Sprint 130 - Scanner & Surface
[Scanner & Surface] 130.A) Scanner.I
Depends on: Sprint 110.A - AdvisoryAI
Summary: Scanner & Surface focus on Scanner (phase I).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| SCANNER-ANALYZERS-LANG-10-308R | TODO | Determinism fixtures + performance benchmarks; compare against competitor heuristic coverage. | Seq 5 (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md) |
| SCANNER-ANALYZERS-LANG-10-309R | TODO | Package plug-in manifest + Offline Kit documentation; ensure Worker integration. | Seq 6 (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md) |
| ENTRYTRACE-SURFACE-01 | TODO | Run Surface.Validation prereq checks and resolve cached entry fragments via Surface.FS to avoid duplicate parsing. | EntryTrace Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md) |
| ENTRYTRACE-SURFACE-02 | TODO | Replace direct env/secret access with Surface.Secrets provider when tracing runtime configs. | EntryTrace Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md) |
| LANG-SURFACE-01 | TODO | Invoke Surface.Validation checks (env/cache/secrets) before analyzer execution to ensure consistent prerequisites. | Language Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md) |
| LANG-SURFACE-02 | TODO | Consume Surface.FS APIs for layer/source caching (instead of bespoke caches) to improve determinism. | Language Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md) |
| LANG-SURFACE-03 | TODO | Replace direct secret/env reads with Surface.Secrets references when fetching package feeds or registry creds. | Language Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md) |
| SCANNER-ANALYZERS-DENO-26-001 | TODO | Build input normalizer & VFS for Deno projects: merge deno.json(c), import maps, lockfiles, vendor dirs, $DENO_DIR caches, and container layers. Detect runtime/toolchain hints deterministically. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md) |
| SCANNER-ANALYZERS-DENO-26-002 | TODO | Module graph builder: resolve static/dynamic imports using import map, deno.lock, vendor/, cache, npm bridge, node: builtins, WASM/JSON assertions. Annotate edges with resolution source and form. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md) |
| SCANNER-ANALYZERS-DENO-26-003 | TODO | NPM/Node compat adapter: map npm: specifiers to cached packages or compat node_modules, evaluate package exports/conditions, record node: builtin usage. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md) |
| SCANNER-ANALYZERS-DENO-26-004 | TODO | Static analyzer for permission/capability signals (FS, net, env, process, crypto, FFI, workers). Detect dynamic-import patterns, literal fetch URLs, tasks vs declared permissions. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md) |
| SCANNER-ANALYZERS-DENO-26-005 | TODO | Bundle/binary inspector: parse eszip bundles and deno compile executables (embedded eszip + snapshot) to recover module graph, config, embedded resources. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md) |
| SCANNER-ANALYZERS-DENO-26-006 | TODO | Container adapter: traverse OCI layers for deno, caches, vendor directories, compiled binaries; merge module provenance with layer info. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md) |
| SCANNER-ANALYZERS-DENO-26-007 | TODO | Produce AOC-compliant observations: entrypoints, modules, edges, permissions, workers, warnings, binaries with reason codes and contexts. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md) |
| SCANNER-ANALYZERS-DENO-26-008 | TODO | Fixture suite + performance benchmarks (vendor, npm, FFI, workers, dynamic import, bundle/binary, cache-only, container). | Deno Analyzer Guild, QA Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md) |
[Scanner & Surface] 130.A) Scanner.II
Depends on: Sprint 130.A - Scanner.I
Summary: Scanner & Surface focus on Scanner (phase II).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| SCANNER-ANALYZERS-DENO-26-009 | TODO | Optional runtime evidence hooks (loader/require shim) capturing module loads + permissions during harnessed execution with path hashing. | Deno Analyzer Guild, Signals Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md) |
| SCANNER-ANALYZERS-DENO-26-010 | TODO | Package analyzer plug-in, add CLI (`stella deno inspect | Deno Analyzer Guild, DevOps Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md) |
| SCANNER-ANALYZERS-DENO-26-011 | TODO | Policy signal emitter: net/fs/env/ffi/process/crypto capabilities, remote origin list, npm usage, wasm modules, dynamic-import warnings. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md) |
| SCANNER-ANALYZERS-JAVA-21-005 | TODO | Framework config extraction: Spring Boot imports, spring.factories, application properties/yaml, Jakarta web.xml & fragments, JAX-RS/JPA/CDI/JAXB configs, logging files, Graal native-image configs. | Java Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md) |
| SCANNER-ANALYZERS-JAVA-21-006 | TODO | JNI/native hint scanner: detect native methods, System.load/Library literals, bundled native libs, Graal JNI configs; emit jni-load edges for native analyzer correlation. | Java Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md) |
| SCANNER-ANALYZERS-JAVA-21-007 | TODO | Signature and manifest metadata collector: verify JAR signature structure, capture signers, manifest loader attributes (Main-Class, Agent-Class, Start-Class, Class-Path). | Java Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md) |
| SCANNER-ANALYZERS-JAVA-21-008 | BLOCKED (2025-10-27) | Implement resolver + AOC writer: produce entrypoints (env profiles, warnings), components (jar_id + semantic ids), edges (jpms, cp, spi, reflect, jni) with reason codes/confidence. | Java Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md) |
| SCANNER-ANALYZERS-JAVA-21-009 | TODO | Author comprehensive fixtures (modular app, boot fat jar, war, ear, MR-jar, jlink image, JNI, reflection heavy, signed jar, microprofile) with golden outputs and perf benchmarks. | Java Analyzer Guild, QA Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md) |
| SCANNER-ANALYZERS-JAVA-21-010 | TODO | Optional runtime ingestion: Java agent + JFR reader capturing class load, ServiceLoader, and System.load events with path scrubbing. Emit append-only runtime edges runtime-class/runtime-spi/runtime-load. | Java Analyzer Guild, Signals Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md) |
| SCANNER-ANALYZERS-JAVA-21-011 | TODO | Package analyzer as restart-time plug-in (manifest/DI), update Offline Kit docs, add CLI/worker hooks for Java inspection commands. | Java Analyzer Guild, DevOps Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md) |
| SCANNER-ANALYZERS-LANG-11-001 | TODO | Build entrypoint resolver that maps project/publish artifacts to entrypoint identities (assembly name, MVID, TFM, RID) and environment profiles (publish mode, host kind, probing paths). Output normalized entrypoints[] records with deterministic IDs. | StellaOps.Scanner EPDR Guild, Language Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md) |
| SCANNER-ANALYZERS-LANG-11-002 | TODO | Implement static analyzer (IL + reflection heuristics) capturing AssemblyRef, ModuleRef/PInvoke, DynamicDependency, reflection literals, DI patterns, and custom AssemblyLoadContext probing hints. Emit dependency edges with reason codes and confidence. | StellaOps.Scanner EPDR Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md) |
| SCANNER-ANALYZERS-LANG-11-003 | TODO | Ingest optional runtime evidence (AssemblyLoad, Resolving, P/Invoke) via event listener harness; merge runtime edges with static/declared ones and attach reason codes/confidence. | StellaOps.Scanner EPDR Guild, Signals Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md) |
| SCANNER-ANALYZERS-LANG-11-004 | TODO | Produce normalized observation export to Scanner writer: entrypoints + dependency edges + environment profiles (AOC compliant). Wire to SBOM service entrypoint tagging. | StellaOps.Scanner EPDR Guild, SBOM Service Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md) |
| SCANNER-ANALYZERS-LANG-11-005 | TODO | Add comprehensive fixtures/benchmarks covering framework-dependent, self-contained, single-file, trimmed, NativeAOT, multi-RID scenarios; include explain traces and perf benchmarks vs previous analyzer. | StellaOps.Scanner EPDR Guild, QA Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md) |
[Scanner & Surface] 130.A) Scanner.III
Depends on: Sprint 130.A - Scanner.II
Summary: Scanner & Surface focus on Scanner (phase III).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| SCANNER-ANALYZERS-NATIVE-20-001 | TODO | Implement format detector and binary identity model supporting ELF, PE/COFF, and Mach-O (including fat slices). Capture arch, OS, build-id/UUID, interpreter metadata. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md) |
| SCANNER-ANALYZERS-NATIVE-20-002 | TODO | Parse ELF dynamic sections: DT_NEEDED, DT_RPATH, DT_RUNPATH, symbol versions, interpreter, and note build-id. Emit declared dependency records with reason elf-dtneeded and attach version needs. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md) |
| SCANNER-ANALYZERS-NATIVE-20-003 | TODO | Parse PE imports, delay-load tables, manifests/SxS metadata, and subsystem flags. Emit edges with reasons pe-import and pe-delayimport, plus SxS policy metadata. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md) |
| SCANNER-ANALYZERS-NATIVE-20-004 | TODO | Parse Mach-O load commands (LC_LOAD_DYLIB, LC_REEXPORT_DYLIB, LC_RPATH, LC_UUID, fat headers). Handle @rpath/@loader_path placeholders and slice separation. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md) |
| SCANNER-ANALYZERS-NATIVE-20-005 | TODO | Implement resolver engine modeling loader search order for ELF (rpath/runpath/cache/default), PE (SafeDll search + SxS), and Mach-O (@rpath expansion). Works against virtual image roots, producing explain traces. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md) |
| SCANNER-ANALYZERS-NATIVE-20-006 | TODO | Build heuristic scanner for dlopen/LoadLibrary strings, plugin ecosystem configs, and Go/Rust static hints. Emit edges with reason_code (string-dlopen, config-plugin, ecosystem-heuristic) and confidence levels. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md) |
| SCANNER-ANALYZERS-NATIVE-20-007 | TODO | Serialize AOC-compliant observations: entrypoints + dependency edges + environment profiles (search paths, interpreter, loader metadata). Integrate with Scanner writer API. | Native Analyzer Guild, SBOM Service Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md) |
| SCANNER-ANALYZERS-NATIVE-20-008 | TODO | Author cross-platform fixtures (ELF dynamic/static, PE delay-load/SxS, Mach-O @rpath, plugin configs) and determinism benchmarks (<25 ms / binary, <250 MB). | Native Analyzer Guild, QA Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md) |
| SCANNER-ANALYZERS-NATIVE-20-009 | TODO | Provide optional runtime capture adapters (Linux eBPF dlopen, Windows ETW ImageLoad, macOS dyld interpose) writing append-only runtime evidence. Include redaction/sandbox guidance. | Native Analyzer Guild, Signals Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md) |
| SCANNER-ANALYZERS-NATIVE-20-010 | TODO | Package native analyzer as restart-time plug-in with manifest/DI registration; update Offline Kit bundle + documentation. | Native Analyzer Guild, DevOps Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md) |
| SCANNER-ANALYZERS-NODE-22-001 | TODO | Build input normalizer + VFS for Node projects: dirs, tgz, container layers, pnpm store, Yarn PnP zips; detect Node version targets (.nvmrc, .node-version, Dockerfile) and workspace roots deterministically. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) |
| SCANNER-ANALYZERS-NODE-22-002 | TODO | Implement entrypoint discovery (bin/main/module/exports/imports, workers, electron, shebang scripts) and condition set builder per entrypoint. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) |
| SCANNER-ANALYZERS-NODE-22-003 | TODO | Parse JS/TS sources for static import, require, import() and string concat cases; flag dynamic patterns with confidence levels; support source map de-bundling. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) |
| SCANNER-ANALYZERS-NODE-22-004 | TODO | Implement Node resolver engine for CJS + ESM (core modules, exports/imports maps, conditions, extension priorities, self-references) parameterised by node_version. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) |
| SCANNER-ANALYZERS-NODE-22-005 | TODO | Add package manager adapters: Yarn PnP (.pnp.data/.pnp.cjs), pnpm virtual store, npm/Yarn classic hoists; operate entirely in virtual FS. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) |
[Scanner & Surface] 130.A) Scanner.IV
Depends on: Sprint 130.A - Scanner.III
Summary: Scanner & Surface focus on Scanner (phase IV).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| SCANNER-ANALYZERS-NODE-22-006 | TODO | Detect bundles + source maps, reconstruct module specifiers, and correlate to original paths; support dual CJS/ESM graphs with conditions. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) |
| SCANNER-ANALYZERS-NODE-22-007 | TODO | Scan for native addons (.node), WASM modules, and core capability signals (child_process, vm, worker_threads); emit hint edges and native metadata. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) |
| SCANNER-ANALYZERS-NODE-22-008 | TODO | Produce AOC-compliant observations: entrypoints, components (pkg/native/wasm), edges (esm-import, cjs-require, exports, json, native-addon, wasm, worker) with reason codes/confidence and resolver traces. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) |
| SCANNER-ANALYZERS-NODE-22-009 | TODO | Author fixture suite + performance benchmarks (npm, pnpm, PnP, bundle, electron, worker) with golden outputs and latency budgets. | Node Analyzer Guild, QA Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) |
| SCANNER-ANALYZERS-NODE-22-010 | TODO | Implement optional runtime evidence hooks (ESM loader, CJS require hook) with path scrubbing and loader ID hashing; emit runtime-* edges. | Node Analyzer Guild, Signals Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) |
| SCANNER-ANALYZERS-NODE-22-011 | TODO | Package updated analyzer as restart-time plug-in, expose Scanner CLI (stella node *) commands, refresh Offline Kit documentation. | Node Analyzer Guild, DevOps Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) |
| SCANNER-ANALYZERS-NODE-22-012 | TODO | Integrate container filesystem adapter (OCI layers, Dockerfile hints) and record NODE_OPTIONS/env warnings. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) |
| SCANNER-ANALYZERS-PHP-27-001 | TODO | Build input normalizer & VFS for PHP projects: merge source trees, composer manifests, vendor/, php.ini/conf.d, .htaccess, FPM configs, container layers. Detect framework/CMS fingerprints deterministically. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) |
| SCANNER-ANALYZERS-PHP-27-002 | TODO | Composer/Autoload analyzer: parse composer.json/lock/installed.json, generate package nodes, autoload edges (psr-4/0/classmap/files), bin entrypoints, composer plugins. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) |
| SCANNER-ANALYZERS-PHP-27-003 | TODO | Include/require graph builder: resolve static includes, capture dynamic include patterns, bootstrap chains, merge with autoload edges. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) |
| SCANNER-ANALYZERS-PHP-27-004 | TODO | Runtime capability scanner: detect exec/fs/net/env/serialization/crypto/database usage, stream wrappers, uploads; record evidence snippets. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) |
| SCANNER-ANALYZERS-PHP-27-005 | TODO | PHAR/Archive inspector: parse phar manifests/stubs, hash files, detect embedded vendor trees and phar:// usage. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) |
| SCANNER-ANALYZERS-PHP-27-006 | TODO | Framework/CMS surface mapper: extract routes, controllers, middleware, CLI/cron entrypoints for Laravel/Symfony/Slim/WordPress/Drupal/Magento. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) |
| SCANNER-ANALYZERS-PHP-27-007 | TODO | Container & extension detector: parse php.ini/conf.d, map extensions to .so/.dll, collect web server/FPM settings, upload limits, disable_functions. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) |
| SCANNER-ANALYZERS-PHP-27-008 | TODO | Produce AOC-compliant observations: entrypoints, packages, extensions, modules, edges (require/autoload), capabilities, routes, configs. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) |
[Scanner & Surface] 130.A) Scanner.V
Depends on: Sprint 130.A - Scanner.IV
Summary: Scanner & Surface focus on Scanner (phase V).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| SCANNER-ANALYZERS-PHP-27-009 | TODO | Fixture suite + performance benchmarks (Laravel, Symfony, WordPress, legacy, PHAR, container) with golden outputs. | PHP Analyzer Guild, QA Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) |
| SCANNER-ANALYZERS-PHP-27-010 | TODO | Optional runtime evidence hooks (if provided) to ingest audit logs or opcode cache stats with path hashing. | PHP Analyzer Guild, Signals Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) |
| SCANNER-ANALYZERS-PHP-27-011 | TODO | Package analyzer plug-in, add CLI (`stella php inspect | PHP Analyzer Guild, DevOps Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) |
| SCANNER-ANALYZERS-PHP-27-012 | TODO | Policy signal emitter: extension requirements/presence, dangerous constructs counters, stream wrapper usage, capability summaries. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) |
| SCANNER-ANALYZERS-PYTHON-23-001 | TODO | Build input normalizer & virtual filesystem for wheels, sdists, editable installs, zipapps, site-packages trees, and container roots. Detect Python version targets (pyproject.toml, runtime.txt, Dockerfile) + virtualenv layout deterministically. | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) |
| SCANNER-ANALYZERS-PYTHON-23-002 | TODO | Entrypoint discovery: module __main__, console_scripts entry points, scripts, zipapp main, manage.py/gunicorn/celery patterns. Capture invocation context (module vs package, argv wrappers). | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) |
| SCANNER-ANALYZERS-PYTHON-23-003 | TODO | Static import graph builder using AST and bytecode fallback. Support import, from ... import, relative imports, importlib.import_module, __import__ with literal args, pkgutil.extend_path. | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) |
| SCANNER-ANALYZERS-PYTHON-23-004 | TODO | Python resolver engine (importlib semantics) handling namespace packages (PEP 420), package discovery order, .pth files, sys.path composition, zipimport, and site-packages precedence across virtualenv/container roots. | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) |
| SCANNER-ANALYZERS-PYTHON-23-005 | TODO | Packaging adapters: pip editable (.egg-link), Poetry/Flit layout, Conda prefix, .dist-info/RECORD cross-check, container layer overlays. | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) |
| SCANNER-ANALYZERS-PYTHON-23-006 | TODO | Detect native extensions (*.so, *.pyd), CFFI modules, ctypes loaders, embedded WASM, and runtime capability signals (subprocess, multiprocessing, ctypes, eval). | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) |
| SCANNER-ANALYZERS-PYTHON-23-007 | TODO | Framework/config heuristics: Django, Flask, FastAPI, Celery, AWS Lambda handlers, Gunicorn, Click/Typer CLIs, logging configs, pyproject optional dependencies. Tagged as hints only. | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) |
| SCANNER-ANALYZERS-PYTHON-23-008 | TODO | Produce AOC-compliant observations: entrypoints, components (modules/packages/native), edges (import, namespace, dynamic-hint, native-extension) with reason codes/confidence and resolver traces. | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) |
| SCANNER-ANALYZERS-PYTHON-23-009 | TODO | Fixture suite + perf benchmarks covering virtualenv, namespace packages, zipapp, editable installs, containers, lambda handler. | Python Analyzer Guild, QA Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) |
| SCANNER-ANALYZERS-PYTHON-23-010 | TODO | Optional runtime evidence: import hook capturing module load events with path scrubbing, optional bytecode instrumentation for importlib hooks, multiprocessing tracer. | Python Analyzer Guild, Signals Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) |
| SCANNER-ANALYZERS-PYTHON-23-011 | TODO | Package analyzer plug-in, add CLI commands (`stella python inspect | Python Analyzer Guild, DevOps Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) |
[Scanner & Surface] 130.A) Scanner.VI
Depends on: Sprint 130.A - Scanner.V
Summary: Scanner & Surface focus on Scanner (phase VI).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| SCANNER-ANALYZERS-PYTHON-23-012 | TODO | Container/zipapp adapter enhancements: parse OCI layers for Python runtime, detect PYTHONPATH/PYTHONHOME env, record warnings for sitecustomize/startup hooks. | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) |
| SCANNER-ANALYZERS-RUBY-28-001 | TODO | Build input normalizer & VFS for Ruby projects: merge source trees, Gemfile/Gemfile.lock, vendor/bundle, .gem archives, .bundle/config, Rack configs, containers. Detect framework/job fingerprints deterministically. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) |
| SCANNER-ANALYZERS-RUBY-28-002 | TODO | Gem & Bundler analyzer: parse Gemfile/Gemfile.lock, vendor specs, .gem archives, produce package nodes (PURLs), dependency edges, bin scripts, Bundler group metadata. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) |
| SCANNER-ANALYZERS-RUBY-28-003 | TODO | Require/autoload graph builder: resolve static/dynamic require, require_relative, load; infer Zeitwerk autoload paths and Rack boot chain. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) |
| SCANNER-ANALYZERS-RUBY-28-004 | TODO | Framework surface mapper: extract routes/controllers/middleware for Rails/Rack/Sinatra/Grape/Hanami; inventory jobs/schedulers (Sidekiq, Resque, ActiveJob, whenever, clockwork). | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) |
| SCANNER-ANALYZERS-RUBY-28-005 | TODO | Capability analyzer: detect os-exec, filesystem, network, serialization, crypto, DB usage, TLS posture, dynamic eval; record evidence snippets with file/line. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) |
| SCANNER-ANALYZERS-RUBY-28-006 | TODO | Rake task & scheduler analyzer: parse Rakefiles/lib/tasks, capture task names/prereqs/shell commands; parse Sidekiq/whenever/clockwork configs into schedules. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) |
| SCANNER-ANALYZERS-RUBY-28-007 | TODO | Container/runtime scanner: detect Ruby version, installed gems, native extensions, web server configs in OCI layers. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) |
| SCANNER-ANALYZERS-RUBY-28-008 | TODO | Produce AOC-compliant observations: entrypoints, packages, modules, edges (require/autoload), routes, jobs, tasks, capabilities, configs, warnings. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) |
| SCANNER-ANALYZERS-RUBY-28-009 | TODO | Fixture suite + performance benchmarks (Rails, Rack, Sinatra, Sidekiq, legacy, .gem, container) with golden outputs. | Ruby Analyzer Guild, QA Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) |
| SCANNER-ANALYZERS-RUBY-28-010 | TODO | Optional runtime evidence integration (if provided logs/metrics) with path hashing, without altering static precedence. | Ruby Analyzer Guild, Signals Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) |
| SCANNER-ANALYZERS-RUBY-28-011 | TODO | Package analyzer plug-in, add CLI (`stella ruby inspect | Ruby Analyzer Guild, DevOps Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) |
| SCANNER-ANALYZERS-RUBY-28-012 | TODO | Policy signal emitter: rubygems drift, native extension flags, dangerous constructs counts, TLS verify posture, dynamic require eval warnings. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) |
| SCANNER-ENTRYTRACE-18-502 | TODO | Expand chain walker with init shim/user-switch/supervisor recognition plus env/workdir accumulation and guarded edges. | EntryTrace Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md) |
| SCANNER-ENTRYTRACE-18-503 | TODO | Introduce target classifier + EntryPlan handoff with confidence scoring for ELF/Java/.NET/Node/Python and user/workdir context. | EntryTrace Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md) |
[Scanner & Surface] 130.A) Scanner.VII
Depends on: Sprint 130.A - Scanner.VI
Summary: Scanner & Surface focus on Scanner (phase VII).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| SCANNER-ENTRYTRACE-18-504 | TODO | Emit EntryTrace AOC NDJSON (entrytrace.entry/node/edge/target/warning/capability) and wire CLI/service streaming outputs. | EntryTrace Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md) |
| SCANNER-ENV-01 | TODO | Replace ad-hoc environment reads with StellaOps.Scanner.Surface.Env helpers for cache roots and CAS endpoints. | Scanner Worker Guild (src/Scanner/StellaOps.Scanner.Worker/TASKS.md) |
| SCANNER-ENV-02 | TODO | Wire Surface.Env helpers into WebService hosting (cache roots, feature flags) and document configuration. | Scanner WebService Guild, Ops Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md) |
| SCANNER-ENV-03 | TODO | Adopt Surface.Env helpers for plugin configuration (cache roots, CAS endpoints, feature toggles). | BuildX Plugin Guild (src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md) |
| SCANNER-EVENTS-16-301 | BLOCKED (2025-10-26) | Emit orchestrator-compatible envelopes (scanner.event.*) and update integration tests to verify Notifier ingestion (no Redis queue coupling). | Scanner WebService Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md) |
| SCANNER-EVENTS-16-302 | DOING (2025-10-26) | Extend orchestrator event links (report/policy/attestation) once endpoints are finalised across gateway + console. | Scanner WebService Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md) |
| SCANNER-GRAPH-21-001 | TODO | Provide webhook/REST endpoint for Cartographer to request policy overlays and runtime evidence for graph nodes, ensuring determinism and tenant scoping. | Scanner WebService Guild, Cartographer Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md) |
| SCANNER-LNM-21-001 | TODO | Update /reports and /policy/runtime payloads to consume advisory/vex linksets, exposing source severity arrays and conflict summaries alongside effective verdicts. | Scanner WebService Guild, Policy Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md) |
| SCANNER-LNM-21-002 | TODO | Add evidence endpoint for Console to fetch linkset summaries with policy overlay for a component/SBOM, including AOC references. | Scanner WebService Guild, UI Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md) |
| SCANNER-SECRETS-01 | TODO | Adopt StellaOps.Scanner.Surface.Secrets for registry/CAS credentials during scan execution. | Scanner Worker Guild, Security Guild (src/Scanner/StellaOps.Scanner.Worker/TASKS.md) |
| SCANNER-SECRETS-02 | TODO | Replace ad-hoc secret wiring with Surface.Secrets for report/export operations (registry and CAS tokens). | Scanner WebService Guild, Security Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md) |
| SCANNER-SECRETS-03 | TODO | Use Surface.Secrets to retrieve registry credentials when interacting with CAS/referrers. | BuildX Plugin Guild, Security Guild (src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md) |
| SCANNER-SURFACE-01 | TODO | Persist Surface.FS manifests after analyzer stages, including layer CAS metadata and EntryTrace fragments. | Scanner Worker Guild (src/Scanner/StellaOps.Scanner.Worker/TASKS.md) |
| SCANNER-SURFACE-02 | TODO | Publish Surface.FS pointers (CAS URIs, manifests) via scan/report APIs and update attestation metadata. | Scanner WebService Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md) |
| SCANNER-SURFACE-03 | TODO | Push layer manifests and entry fragments into Surface.FS during build-time SBOM generation. | BuildX Plugin Guild (src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md) |
[Scanner & Surface] 130.A) Scanner.VIII
Depends on: Sprint 130.A - Scanner.VII
Summary: Scanner & Surface focus on Scanner (phase VIII).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| Seq | ID | Description | Status (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md) |
| Seq | ID | Description | Status (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md) |
| Seq | ID | Description | Status (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) |
| Seq | ID | Description | Status (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) |
| Seq | ID | Description | Status (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md) |
If all tasks are done - read next sprint section - SPRINT_140_runtime_signals.md