git.stella-ops.org/docs/implplan/SPRINT_3500_SUMMARY.md
master 8bbfe4d2d2 feat(rate-limiting): Implement core rate limiting functionality with configuration, decision-making, metrics, middleware, and service registration
- Add RateLimitConfig for configuration management with YAML binding support.
- Introduce RateLimitDecision to encapsulate the result of rate limit checks.
- Implement RateLimitMetrics for OpenTelemetry metrics tracking.
- Create RateLimitMiddleware for enforcing rate limits on incoming requests.
- Develop RateLimitService to orchestrate instance and environment rate limit checks.
- Add RateLimitServiceCollectionExtensions for dependency injection registration.
2025-12-17 18:02:37 +02:00


SPRINT_3500 Summary — All Sprints Quick Reference

Epic: Deeper Moat Beyond Reachability
Total Duration: 20 weeks (10 sprints)
Status: PLANNING


Sprint Overview

| Sprint ID | Topic | Duration | Status | Key Deliverables |
|---|---|---|---|---|
| 3500.0001.0001 | Master Plan | | TODO | Overall planning, prerequisites, risk assessment |
| 3500.0002.0001 | Score Proofs Foundations | 2 weeks | TODO | Canonical JSON, DSSE, ProofLedger, DB schema |
| 3500.0002.0002 | Unknowns Registry v1 | 2 weeks | TODO | 2-factor ranking, band assignment, escalation API |
| 3500.0002.0003 | Proof Replay + API | 2 weeks | TODO | POST /scans, GET /manifest, POST /score/replay |
| 3500.0003.0001 | Reachability .NET Foundations | 2 weeks | TODO | Roslyn call-graph, BFS algorithm, entrypoint discovery |
| 3500.0003.0002 | Reachability Java Integration | 2 weeks | TODO | Soot/WALA call-graph, Spring Boot entrypoints |
| 3500.0003.0003 | Graph Attestations + Rekor | 2 weeks | TODO | DSSE graph signing, Rekor integration, budget policy |
| 3500.0004.0001 | CLI Verbs + Offline Bundles | 2 weeks | TODO | stella score, stella graph, offline kit extensions |
| 3500.0004.0002 | UI Components + Visualization | 2 weeks | TODO | Proof ledger view, unknowns queue, explain widgets |
| 3500.0004.0003 | Integration Tests + Corpus | 2 weeks | TODO | Golden corpus, end-to-end tests, CI gates |
| 3500.0004.0004 | Documentation + Handoff | 2 weeks | TODO | Runbooks, API docs, training materials |

Epic A: Score Proofs (Sprints 3500.0002.0001–0003)

Sprint 3500.0002.0001: Foundations

Owner: Scanner Team + Policy Team

Deliverables:

  • Canonical JSON library (StellaOps.Canonical.Json)
  • Scan Manifest model (ScanManifest.cs)
  • DSSE envelope implementation (StellaOps.Attestor.Dsse)
  • ProofLedger with node hashing (StellaOps.Policy.Scoring)
  • Database schema: scanner.scan_manifest, scanner.proof_bundle
  • Proof Bundle Writer

Tests: Unit tests ≥85% coverage, integration test for full pipeline

Documentation: See SPRINT_3500_0002_0001_score_proofs_foundations.md (DETAILED)


Sprint 3500.0002.0002: Unknowns Registry

Owner: Policy Team

Deliverables:

  • policy.unknowns table (2-factor ranking model)
  • UnknownRanker.Rank(...) — Deterministic ranking function
  • Band assignment (HOT/WARM/COLD)
  • API: GET /unknowns, POST /unknowns/{id}/escalate
  • Scheduler integration: rescan on escalation

Tests: Ranking determinism tests, band threshold tests

Documentation:

  • docs/db/schemas/policy_schema_specification.md
  • docs/api/scanner-score-proofs-api.md (Unknowns endpoints)

Sprint 3500.0002.0003: Replay + API

Owner: Scanner Team

Deliverables:

  • API: POST /api/v1/scanner/scans
  • API: GET /api/v1/scanner/scans/{id}/manifest
  • API: POST /api/v1/scanner/scans/{id}/score/replay
  • API: GET /api/v1/scanner/scans/{id}/proofs/{rootHash}
  • Idempotency via Content-Digest headers
  • Rate limiting (100 req/hr per tenant for POST endpoints)

Tests: API integration tests, idempotency tests, error handling tests

Documentation:

  • docs/api/scanner-score-proofs-api.md (COMPREHENSIVE)
  • OpenAPI spec update: src/Api/StellaOps.Api.OpenApi/scanner/openapi.yaml

Epic B: Reachability (Sprints 3500.0003.0001–0003)

Sprint 3500.0003.0001: .NET Reachability

Owner: Scanner Team

Deliverables:

  • Roslyn-based call-graph extractor (DotNetCallGraphExtractor.cs)
  • IL-based node ID computation
  • ASP.NET Core entrypoint discovery (controllers, minimal APIs, hosted services)
  • CallGraph.v1.json schema implementation
  • BFS reachability algorithm (ReachabilityAnalyzer.cs)
  • Database schema: scanner.cg_node, scanner.cg_edge, scanner.entrypoint

Tests: Call-graph extraction tests, BFS tests, entrypoint detection tests

Documentation:

  • src/Scanner/AGENTS_SCORE_PROOFS.md (Task 3.1, 3.2) (DETAILED)
  • docs/db/schemas/scanner_schema_specification.md
  • docs/product-advisories/14-Dec-2025 - Reachability Analysis Technical Reference.md

Sprint 3500.0003.0002: Java Reachability

Owner: Scanner Team

Deliverables:

  • Soot/WALA-based call-graph extractor (JavaCallGraphExtractor.cs)
  • Spring Boot entrypoint discovery (@RestController, @RequestMapping)
  • JAR node ID computation (class file hash + method signature)
  • Integration with CallGraph.v1.json schema
  • Reachability analysis for Java artifacts

Tests: Java call-graph extraction tests, Spring Boot entrypoint tests

Prerequisite: Java worker POC with Soot/WALA (must complete before sprint starts)

Documentation:

  • docs/dev/java-call-graph-extractor-spec.md (to be created)
  • src/Scanner/AGENTS_JAVA_REACHABILITY.md (to be created)

Sprint 3500.0003.0003: Graph Attestations

Owner: Attestor Team + Scanner Team

Deliverables:

  • Graph-level DSSE attestation (one per scan)
  • Rekor integration: POST /rekor/entries
  • Rekor budget policy: graph-only by default, edge bundles on escalation
  • API: POST /api/v1/scanner/scans/{id}/callgraphs (upload)
  • API: POST /api/v1/scanner/scans/{id}/reachability/compute
  • API: GET /api/v1/scanner/scans/{id}/reachability/findings
  • API: GET /api/v1/scanner/scans/{id}/reachability/explain

Tests: DSSE signing tests, Rekor integration tests, API tests

Documentation:

  • docs/operations/rekor-policy.md (budget policy)
  • docs/api/scanner-score-proofs-api.md (reachability endpoints)

CLI & UI (Sprints 3500.0004.0001–0002)

Sprint 3500.0004.0001: CLI Verbs

Owner: CLI Team

Deliverables:

  • stella score replay --scan <id>
  • stella proof verify --bundle <path>
  • stella scan graph --lang dotnet|java --sln <path>
  • stella reachability explain --scan <id> --cve <cve>
  • stella unknowns list --band HOT
  • Offline bundle extensions: /offline/reachability/, /offline/corpus/

Tests: CLI E2E tests, offline bundle verification tests

Documentation:

  • docs/09_API_CLI_REFERENCE.md (update with new verbs)
  • docs/24_OFFLINE_KIT.md (reachability bundle format)

Sprint 3500.0004.0002: UI Components

Owner: UI Team

Deliverables:

  • Proof ledger view (timeline visualization)
  • Unknowns queue (filterable, sortable)
  • Reachability explain widget (call-path visualization)
  • Score delta badges
  • "View Proof" button on finding cards

Tests: UI component tests (Jest/Cypress)

Prerequisite: UX wireframes delivered by Product team

Documentation:

  • docs/dev/ui-proof-visualization-spec.md (to be created)

Testing & Handoff (Sprints 3500.0004.0003–0004)

Sprint 3500.0004.0003: Integration Tests + Corpus

Owner: QA + Scanner Team

Deliverables:

  • Golden corpus: 10 .NET + 10 Java test cases
  • End-to-end tests: SBOM → scan → proof → replay → verify
  • CI gates: precision/recall ≥80%, deterministic replay 100%
  • Load tests: 10k scans/day without degradation
  • Air-gap verification tests

Tests: All integration tests passing, corpus CI green

Documentation:

  • docs/testing/golden-corpus-spec.md (to be created)
  • docs/testing/integration-test-plan.md

Sprint 3500.0004.0004: Documentation + Handoff

Owner: Docs Guild + All Teams

Deliverables:

  • Runbooks: docs/operations/score-proofs-runbook.md
  • Runbooks: docs/operations/reachability-troubleshooting.md
  • API documentation published
  • Training materials for support team
  • Competitive battlecard updated
  • Claims index updated: DET-004, REACH-003, PROOF-001, UNKNOWNS-001

Tests: Documentation review by 3+ stakeholders

Documentation:

  • All docs in docs/ reviewed and published

Dependencies

graph TD
    A[3500.0001.0001 Master Plan] --> B[3500.0002.0001 Foundations]
    B --> C[3500.0002.0002 Unknowns]
    C --> D[3500.0002.0003 Replay API]
    D --> E[3500.0003.0001 .NET Reachability]
    E --> F[3500.0003.0002 Java Reachability]
    F --> G[3500.0003.0003 Attestations]
    G --> H[3500.0004.0001 CLI]
    G --> I[3500.0004.0002 UI]
    H --> J[3500.0004.0003 Tests]
    I --> J
    J --> K[3500.0004.0004 Docs]

Success Metrics

Technical Metrics

  • Determinism: 100% bit-identical replay on golden corpus
  • Performance: TTFRP <30s for 100k LOC (p95)
  • Accuracy: Precision/recall ≥80% on ground-truth corpus
  • Scalability: 10k scans/day without Postgres degradation
  • Air-gap: 100% offline bundle verification success

Business Metrics

  • Competitive wins: ≥3 deals citing deterministic replay (6 months) 🎯
  • Customer adoption: ≥20% of enterprise customers enable score proofs (12 months) 🎯
  • Support escalations: <5 Rekor/attestation issues per month 🎯

Sprint Files:

Documentation:

Source Advisory:

  • [16-Dec-2025 - Building a Deeper Moat Beyond Reachability](../product-advisories/unprocessed/16-Dec-2025 - Building a Deeper Moat Beyond Reachability.md)

Last Updated: 2025-12-17
Next Review: Weekly during sprint execution