61f963fd52
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Added `LedgerMetrics` class to record write latency and total events for ledger operations. - Created comprehensive tests for Ruby packages endpoints, covering scenarios for missing inventory, successful retrieval, and identifier handling. - Introduced `TestSurfaceSecretsScope` for managing environment variables during tests. - Developed `ProvenanceMongoExtensions` for attaching DSSE provenance and trust information to event documents. - Implemented `EventProvenanceWriter` and `EventWriter` classes for managing event provenance in MongoDB. - Established MongoDB indexes for efficient querying of events based on provenance and trust. - Added models and JSON parsing logic for DSSE provenance and trust information.
8.5 KiB
8.5 KiB
Sprint 120 - Policy & Reasoning
Last updated: November 8, 2025. Implementation order is DOING → TODO → BLOCKED.
Focus areas below were split out of the previous combined sprint; execute sections in order unless noted.
Findings.I
Dependency: Sprint 110.A - AdvisoryAI (must land before this track). Focus: Policy & Reasoning focus on Findings (phase I).
| # | Task ID & handle | State | Key dependency / next step | Owners |
|---|---|---|---|---|
| 1 | LEDGER-29-007 | TODO | Instrument metrics (ledger_write_latency, projection_lag_seconds, ledger_events_total), structured logs, and Merkle anchoring alerts; publish dashboards (Deps: LEDGER-29-006) |
Findings Ledger Guild, Observability Guild / src/Findings/StellaOps.Findings.Ledger |
| 2 | LEDGER-29-008 | TODO | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5M findings/tenant (Deps: LEDGER-29-007) | Findings Ledger Guild, QA Guild / src/Findings/StellaOps.Findings.Ledger |
| 3 | LEDGER-29-009 | TODO | Provide deployment manifests (Helm/Compose), backup/restore guidance, Merkle anchor externalization (optional), and offline kit instructions (Deps: LEDGER-29-008) | Findings Ledger Guild, DevOps Guild / src/Findings/StellaOps.Findings.Ledger |
| 4 | LEDGER-34-101 | TODO | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries (Deps: LEDGER-29-009) | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger |
| 5 | LEDGER-AIRGAP-56-001 | TODO | Record bundle provenance (bundle_id, merkle_root, time_anchor) on ledger events for advisories/VEX/policies imported via Mirror Bundles |
Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger |
| 6 | LEDGER-AIRGAP-56-002 | TODO | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging (Deps: LEDGER-AIRGAP-56-001) | Findings Ledger Guild, AirGap Time Guild / src/Findings/StellaOps.Findings.Ledger |
| 7 | LEDGER-AIRGAP-57-001 | TODO | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works (Deps: LEDGER-AIRGAP-56-002) | Findings Ledger Guild, Evidence Locker Guild / src/Findings/StellaOps.Findings.Ledger |
| 8 | LEDGER-AIRGAP-58-001 | TODO | Emit timeline events for bundle import impacts (new findings, remediation changes) with sealed-mode context (Deps: LEDGER-AIRGAP-57-001) | Findings Ledger Guild, AirGap Controller Guild / src/Findings/StellaOps.Findings.Ledger |
| 9 | LEDGER-ATTEST-73-001 | TODO | Persist pointers from findings to verification reports and attestation envelopes for explainability | Findings Ledger Guild, Attestor Service Guild / src/Findings/StellaOps.Findings.Ledger |
Findings.I scope & goals
- Deliver ledger observability baselines (
LEDGER-29-007/008/009) so Policy teams can trust ingestion, anchoring, and replay at >5 M findings/tenant. - Extend ledger provenance to cover orchestrator jobs, air-gapped bundle imports, and attestation evidence (
LEDGER-34-101,LEDGER-AIRGAP-*,LEDGER-ATTEST-73-001). - Ship deployment collateral (Helm/Compose, backup/restore, offline kit) and documentation so downstream guilds can adopt without bespoke guidance.
Entry criteria
- Sprint 110.A AdvisoryAI deliverables must be complete (raw findings parity, provenance contracts).
- Observability Guild approves metric names/labels for
ledger_*series. - Mirror bundle schemas (AirGap kits) published so
LEDGER-AIRGAP-*tasks can reference stable fields.
Exit criteria
- Metrics/logs/dashboards live in ops telemetry packs with alert wiring.
- Determinism/load harness produces signed report for 5 M findings/tenant scenario.
- Deployment manifests + offline kit instructions reviewed by DevOps/AirGap guilds.
- Ledger records referential pointers to orchestrator runs, bundle provenance, and attestation envelopes.
Task clusters & owners
| Cluster | Linked tasks | Owners | Status snapshot | Notes |
|---|---|---|---|---|
| Observability & diagnostics | LEDGER-29-007/008 | Findings Ledger Guild · Observability Guild · QA Guild | TODO | Metric/log spec captured in docs/modules/findings-ledger/observability.md; determinism harness spec added in docs/modules/findings-ledger/replay-harness.md; sequencing captured in docs/modules/findings-ledger/implementation_plan.md; awaiting Observability sign-off + Grafana JSON export (target 2025-11-15). |
| Deployment & backup | LEDGER-29-009 | Findings Ledger Guild · DevOps Guild | TODO | Baseline deployment/backup guide published (docs/modules/findings-ledger/deployment.md); need to align Compose/Helm overlays + automate migrations. |
| Orchestrator provenance | LEDGER-34-101 | Findings Ledger Guild | TODO | Blocked until Orchestrator exports job ledger payload; coordinate with Sprint 150.A. |
| Air-gap provenance & staleness | LEDGER-AIRGAP-56/57/58 series | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | TODO | Requirements captured in docs/modules/findings-ledger/airgap-provenance.md; blocked on mirror bundle schema freeze + AirGap controller inputs. |
| Attestation linkage | LEDGER-ATTEST-73-001 | Findings Ledger Guild · Attestor Service Guild | TODO | Waiting on attestation payload pointers from NOTIFY-ATTEST-74-001 work to reuse DSSE IDs. |
Milestones & dependencies
| Target date | Milestone | Dependency / owner | Notes |
|---|---|---|---|
| 2025-11-15 | Metrics + dashboard schema sign-off | Observability Guild | Unblocks LEDGER-29-007 instrumentation PR. |
| 2025-11-18 | Determinism + replay harness dry-run at 5 M findings | QA Guild | Required before LEDGER-29-008 can close. |
| 2025-11-20 | Helm/Compose manifests + backup doc review | DevOps Guild · AirGap Controller Guild | Needed for LEDGER-29-009 + LEDGER-AIRGAP-56-001. |
| 2025-11-22 | Mirror bundle provenance schema freeze | AirGap Time Guild | Enables LEDGER-AIRGAP-56/57/58 sequencing. |
| 2025-11-25 | Orchestrator ledger export contract signed | Orchestrator Guild | Prereq for LEDGER-34-101 linkage. |
Risks & mitigations
- Metric churn — Observability schema changes could slip schedule. Mitigation: lock metric names by Nov 15 and document in
docs/observability/policy.md. - Replay workload — 5 M findings load tests may exceed lab capacity. Mitigation: leverage existing QA replay rig, capture CPU/memory budgets for runbooks.
- Air-gap drift — Mirror bundle format still moving. Mitigation: version provenance schema, gate LEDGER-AIRGAP-* merge until doc + manifest updates reviewed.
- Cross-guild lag — Orchestrator/Attestor dependencies may delay provenance pointers. Mitigation: weekly sync notes in sprint log; add feature flags so ledger work can merge behind toggles.
External dependency tracker
| Dependency | Current state (2025-11-13) | Impact |
|---|---|---|
| Sprint 110.A AdvisoryAI | DONE | Enables Findings.I start; monitor regressions. |
| Observability metric schema | IN REVIEW | Blocks LEDGER-29-007/008 dashboards. |
| Orchestrator job export contract | TODO | Required for LEDGER-34-101; tracked in Sprint 150.A wave table. |
| Mirror bundle schema | DRAFT | Needed for LEDGER-AIRGAP-56/57/58 messaging + manifests. |
| Attestation pointer schema | DRAFT | Needs alignment with NOTIFY-ATTEST-74-001 to reuse DSSE IDs. |
Coordination log
| Date (UTC) | Update | Owner |
|---|---|---|
| 2025-11-13 09:30 | Documented Findings.I scope, milestones, and external dependencies; awaiting Observability + Orchestrator inputs before flipping any tasks to DOING. | Findings Ledger Guild |
| 2025-11-13 10:45 | Published docs/modules/findings-ledger/observability.md detailing metrics/logs/alerts required for LEDGER-29-007/008; sent draft to Observability Guild for review. |
Findings Ledger Guild |
| 2025-11-13 11:20 | Added docs/modules/findings-ledger/deployment.md covering Compose/Helm rollout, migrations, backup/restore, and offline workflows for LEDGER-29-009. |
Findings Ledger Guild |
| 2025-11-13 11:50 | Added docs/modules/findings-ledger/replay-harness.md outlining fixtures, CLI workflow, and reporting for LEDGER-29-008 determinism tests. |
Findings Ledger Guild |
| 2025-11-13 12:05 | Drafted docs/modules/findings-ledger/implementation_plan.md summarizing phase sequencing and dependencies for Findings.I. |
Findings Ledger Guild |
| 2025-11-13 12:25 | Authored docs/modules/findings-ledger/airgap-provenance.md detailing bundle provenance, staleness, evidence snapshot, and timeline requirements for LEDGER-AIRGAP-56/57/58. |
Findings Ledger Guild |