git.stella-ops.org/docs/implplan/SPRINT_129_policy_reasoning.md
master 75c2bcafce
Add LDAP Distinguished Name Helper and Credential Audit Context
- Implemented LdapDistinguishedNameHelper for escaping RDN and filter values.
- Created AuthorityCredentialAuditContext and IAuthorityCredentialAuditContextAccessor for managing credential audit context.
- Developed StandardCredentialAuditLogger with tests for success, failure, and lockout events.
- Introduced AuthorityAuditSink for persisting audit records with structured logging.
- Added CryptoPro-related classes for certificate resolution and signing operations.
2025-11-09 12:21:38 +02:00

Sprint 129 - Policy & Reasoning

Last updated: November 8, 2025. Implementation order is DOING → TODO → BLOCKED.

Focus areas below were split out of the previous combined sprint; execute sections in order unless noted.

Policy.VII

Dependency: Sprint 120.C - Policy.VI (must land before this track). Focus: Policy & Reasoning focus on Policy (phase VII).

| # | Task ID & handle | State | Key dependency / next step | Owners |
|---|---|---|---|---|
| 1 | POLICY-TEN-48-001 | TODO | Add tenant_id/project_id columns, enable RLS, update evaluators to require tenant context, and emit rationale IDs including tenant metadata | Policy Guild / src/Policy/StellaOps.Policy.Engine |
| 2 | REGISTRY-API-27-001 | TODO | Define OpenAPI specification covering workspaces, versions, reviews, simulations, promotions, and attestations; publish typed clients for Console/CLI | Policy Registry Guild / src/Policy/StellaOps.Policy.Registry |
| 3 | REGISTRY-API-27-002 | TODO | Implement workspace storage (Mongo collections, object storage buckets) with CRUD endpoints, diff history, and retention policies (Deps: REGISTRY-API-27-001) | Policy Registry Guild / src/Policy/StellaOps.Policy.Registry |
| 4 | REGISTRY-API-27-003 | TODO | Integrate compile endpoint: forward source bundle to Policy Engine, persist diagnostics, symbol table, rule index, and complexity metrics (Deps: REGISTRY-API-27-002) | Policy Registry Guild / src/Policy/StellaOps.Policy.Registry |
| 5 | REGISTRY-API-27-004 | TODO | Implement quick simulation API with request limits (sample size, timeouts), returning counts, heatmap, sampled explains (Deps: REGISTRY-API-27-003) | Policy Registry Guild / src/Policy/StellaOps.Policy.Registry |
| 6 | REGISTRY-API-27-005 | TODO | Build batch simulation orchestration: enqueue shards, collect partials, reduce deltas, produce evidence bundles + signed manifest (Deps: REGISTRY-API-27-004) | Policy Registry Guild, Scheduler Guild / src/Policy/StellaOps.Policy.Registry |
| 7 | REGISTRY-API-27-006 | TODO | Implement review workflow (comments, votes, required approvers, status transitions) with audit trails and webhooks (Deps: REGISTRY-API-27-005) | Policy Registry Guild / src/Policy/StellaOps.Policy.Registry |
| 8 | REGISTRY-API-27-007 | TODO | Implement publish pipeline: sign source/compiled digests, create attestations, mark version immutable, emit events (Deps: REGISTRY-API-27-006) | Policy Registry Guild, Security Guild / src/Policy/StellaOps.Policy.Registry |
| 9 | REGISTRY-API-27-008 | TODO | Implement promotion bindings per tenant/environment with canary subsets, rollback path, and environment history (Deps: REGISTRY-API-27-007) | Policy Registry Guild / src/Policy/StellaOps.Policy.Registry |
| 10 | REGISTRY-API-27-009 | TODO | Instrument metrics/logs/traces (compile time, diagnostics rate, sim queue depth, approval latency) and expose dashboards (Deps: REGISTRY-API-27-008) | Policy Registry Guild, Observability Guild / src/Policy/StellaOps.Policy.Registry |
| 11 | REGISTRY-API-27-010 | TODO | Build unit/integration/load test suites for compile/sim/review/publish/promote flows; provide seeded fixtures for CI (Deps: REGISTRY-API-27-009) | Policy Registry Guild, QA Guild / src/Policy/StellaOps.Policy.Registry |

RiskEngine

Dependency: Sprint 110.A - AdvisoryAI (must land before this track). Focus: Policy & Reasoning focus on RiskEngine.

| # | Task ID & handle | State | Key dependency / next step | Owners |
|---|---|---|---|---|
| 1 | RISK-ENGINE-66-001 | TODO | Scaffold scoring service (job queue, worker loop, provider registry) with deterministic execution harness | Risk Engine Guild / src/RiskEngine/StellaOps.RiskEngine |
| 2 | RISK-ENGINE-66-002 | TODO | Implement default transforms (linear, minmax, logistic, piecewise), clamping, gating, and contribution calculator (Deps: RISK-ENGINE-66-001) | Risk Engine Guild / src/RiskEngine/StellaOps.RiskEngine |
| 3 | RISK-ENGINE-67-001 | TODO | Integrate CVSS and KEV providers pulling data from Concelier; implement reducers (max, any, consensus) (Deps: RISK-ENGINE-66-002) | Risk Engine Guild, Concelier Guild / src/RiskEngine/StellaOps.RiskEngine |
| 4 | RISK-ENGINE-67-002 | TODO | Integrate VEX gate provider and ensure gating short-circuits scoring as configured (Deps: RISK-ENGINE-67-001) | Risk Engine Guild, Excitor Guild / src/RiskEngine/StellaOps.RiskEngine |
| 5 | RISK-ENGINE-67-003 | TODO | Add fix availability, asset criticality, and internet exposure providers with caching + TTL enforcement (Deps: RISK-ENGINE-67-002) | Risk Engine Guild, Policy Engine Guild / src/RiskEngine/StellaOps.RiskEngine |
| 6 | RISK-ENGINE-68-001 | TODO | Persist scoring results + explanation pointers to Findings Ledger; handle incremental updates via input hash (Deps: RISK-ENGINE-67-003) | Risk Engine Guild, Findings Ledger Guild / src/RiskEngine/StellaOps.RiskEngine |
| 7 | RISK-ENGINE-68-002 | TODO | Expose APIs (/risk/jobs, /risk/results, /risk/results/{id}/explanation); include pagination, filtering, error codes (Deps: RISK-ENGINE-68-001) | Risk Engine Guild, API Guild / src/RiskEngine/StellaOps.RiskEngine |
| 8 | RISK-ENGINE-69-001 | TODO | Implement simulation mode producing distributions and top movers without mutating ledger (Deps: RISK-ENGINE-68-002) | Risk Engine Guild, Policy Studio Guild / src/RiskEngine/StellaOps.RiskEngine |
| 9 | RISK-ENGINE-69-002 | TODO | Add telemetry (spans, metrics, logs) for provider latency, job throughput, cache hits; define SLO dashboards (Deps: RISK-ENGINE-69-001) | Risk Engine Guild, Observability Guild / src/RiskEngine/StellaOps.RiskEngine |
| 10 | RISK-ENGINE-70-001 | TODO | Support offline provider bundles with manifest verification and missing-data reporting (Deps: RISK-ENGINE-69-002) | Risk Engine Guild, Export Guild / src/RiskEngine/StellaOps.RiskEngine |
| 11 | RISK-ENGINE-70-002 | TODO | Integrate runtime evidence provider and reachability provider outputs with caching + TTL (Deps: RISK-ENGINE-70-001) | Risk Engine Guild, Observability Guild / src/RiskEngine/StellaOps.RiskEngine |

VexLens.I

Dependency: Sprint 110.A - AdvisoryAI (must land before this track). Focus: Policy & Reasoning focus on VexLens (phase I).

| # | Task ID & handle | State | Key dependency / next step | Owners |
|---|---|---|---|---|
| 1 | VEXLENS-30-001 | TODO | Implement normalization pipeline for CSAF VEX, OpenVEX, CycloneDX VEX (status mapping, justification mapping, product tree parsing) | VEX Lens Guild / src/VexLens/StellaOps.VexLens |
| 2 | VEXLENS-30-002 | TODO | Build product mapping library (CPE/CPE2.3/vendor tokens → purl/version) with scope quality scoring and path metadata (Deps: VEXLENS-30-001) | VEX Lens Guild / src/VexLens/StellaOps.VexLens |
| 3 | VEXLENS-30-003 | TODO | Integrate signature verification (Ed25519, DSSE, PKIX) using issuer keys, annotate evidence with verification state and failure reasons (Deps: VEXLENS-30-002) | VEX Lens Guild, Issuer Directory Guild / src/VexLens/StellaOps.VexLens |
| 4 | VEXLENS-30-004 | TODO | Implement trust weighting engine (issuer base weights, signature modifiers, recency decay, justification modifiers, scope score adjustments) controlled by policy config (Deps: VEXLENS-30-003) | VEX Lens Guild, Policy Guild / src/VexLens/StellaOps.VexLens |
| 5 | VEXLENS-30-005 | TODO | Implement consensus algorithm producing consensus_state, confidence, weights, quorum, rationale; support states: NOT_AFFECTED, AFFECTED, FIXED, UNDER_INVESTIGATION, DISPUTED, INCONCLUSIVE (Deps: VEXLENS-30-004) | VEX Lens Guild / src/VexLens/StellaOps.VexLens |
| 6 | VEXLENS-30-006 | TODO | Materialize consensus projection storage with idempotent workers triggered by VEX/Policy changes; expose change events for downstream consumers (Deps: VEXLENS-30-005) | VEX Lens Guild, Findings Ledger Guild / src/VexLens/StellaOps.VexLens |
| 7 | VEXLENS-30-007 | TODO | Expose APIs (/vex/consensus, /vex/consensus/query, /vex/consensus/{id}, /vex/consensus/simulate, /vex/consensus/export) with pagination, cost budgets, and OpenAPI docs (Deps: VEXLENS-30-006) | VEX Lens Guild / src/VexLens/StellaOps.VexLens |
| 8 | VEXLENS-30-008 | TODO | Integrate consensus signals with Policy Engine (thresholds, suppression, simulation inputs) and Vuln Explorer detail view (Deps: VEXLENS-30-007) | VEX Lens Guild, Policy Guild / src/VexLens/StellaOps.VexLens |
| 9 | VEXLENS-30-009 | TODO | Instrument metrics (vex_consensus_compute_latency, vex_consensus_disputed_total, vex_signature_verification_rate), structured logs, and traces; publish dashboards/alerts (Deps: VEXLENS-30-008) | VEX Lens Guild, Observability Guild / src/VexLens/StellaOps.VexLens |
| 10 | VEXLENS-30-010 | TODO | Develop unit/property/integration/load tests (10M records), determinism harness, fuzz testing for malformed product trees (Deps: VEXLENS-30-009) | VEX Lens Guild, QA Guild / src/VexLens/StellaOps.VexLens |
| 11 | VEXLENS-30-011 | TODO | Provide deployment manifests, caching configuration, scaling guides, offline kit seeds, and runbooks (Deps: VEXLENS-30-010) | VEX Lens Guild, DevOps Guild / src/VexLens/StellaOps.VexLens |
| 12 | VEXLENS-AIAI-31-001 | TODO | Expose consensus rationale API enhancements (policy factors, issuer details, mapping issues) for Advisory AI conflict explanations | VEX Lens Guild / src/VexLens/StellaOps.VexLens |
| 13 | VEXLENS-AIAI-31-002 | TODO | Provide caching hooks for consensus lookups used by Advisory AI (batch endpoints, TTL hints) (Deps: VEXLENS-AIAI-31-001) | VEX Lens Guild / src/VexLens/StellaOps.VexLens |
| 14 | VEXLENS-EXPORT-35-001 | TODO | Provide consensus snapshot API delivering deterministic JSONL (state, confidence, provenance) for exporter mirror bundles | VEX Lens Guild / src/VexLens/StellaOps.VexLens |
| 15 | VEXLENS-ORCH-33-001 | TODO | Register consensus_compute job type with orchestrator, integrate worker SDK, and expose job planning hooks for consensus batches | VEX Lens Guild / src/VexLens/StellaOps.VexLens |

VexLens.II

Dependency: Sprint 120.E - VexLens.I (must land before this track). Focus: Policy & Reasoning focus on VexLens (phase II).

| # | Task ID & handle | State | Key dependency / next step | Owners |
|---|---|---|---|---|
| 1 | VEXLENS-ORCH-34-001 | TODO | Emit consensus completion events into orchestrator run ledger and provenance chain, including confidence metadata (Deps: VEXLENS-ORCH-33-001) | VEX Lens Guild / src/VexLens/StellaOps.VexLens |

VulnExplorer

Dependency: Sprint 110.A - AdvisoryAI (must land before this track). Focus: Policy & Reasoning focus on VulnExplorer.

| # | Task ID & handle | State | Key dependency / next step | Owners |
|---|---|---|---|---|
| 1 | VULN-API-29-001 | TODO | Define OpenAPI spec (list/detail/query/simulation/workflow/export), query JSON schema, pagination/grouping contracts, and error codes | Vuln Explorer API Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api |
| 2 | VULN-API-29-002 | TODO | Implement list/query endpoints with policy parameter, grouping, server paging, caching, and cost budgets (Deps: VULN-API-29-001) | Vuln Explorer API Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api |
| 3 | VULN-API-29-003 | TODO | Implement detail endpoint aggregating evidence, policy rationale, paths (Graph Explorer deep link), and workflow summary (Deps: VULN-API-29-002) | Vuln Explorer API Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api |
| 4 | VULN-API-29-004 | TODO | Expose workflow endpoints (assign, comment, accept-risk, verify-fix, target-fix, reopen) that write ledger events with idempotency + validation (Deps: VULN-API-29-003) | Vuln Explorer API Guild, Findings Ledger Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api |
| 5 | VULN-API-29-005 | TODO | Implement simulation endpoint comparing policy_from vs policy_to, returning diffs without side effects; hook into Policy Engine batch eval (Deps: VULN-API-29-004) | Vuln Explorer API Guild, Policy Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api |
| 6 | VULN-API-29-006 | TODO | Integrate resolver results with Graph Explorer: include shortest path metadata, line up deep-link parameters, expose paths array in details (Deps: VULN-API-29-005) | Vuln Explorer API Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api |
| 7 | VULN-API-29-007 | TODO | Enforce RBAC/ABAC scopes; implement CSRF/anti-forgery checks for Console; secure attachment URLs; audit logging (Deps: VULN-API-29-006) | Vuln Explorer API Guild, Security Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api |
| 8 | VULN-API-29-008 | TODO | Build export orchestrator producing signed bundles (manifest, NDJSON, checksums, signature). Integrate with Findings Ledger for evidence and Policy Engine metadata (Deps: VULN-API-29-007) | Vuln Explorer API Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api |
| 9 | VULN-API-29-009 | TODO | Instrument metrics (vuln_list_latency, vuln_simulation_latency, vuln_export_duration, vuln_workflow_events_total), structured logs, and traces; publish dashboards/alerts (Deps: VULN-API-29-008) | Vuln Explorer API Guild, Observability Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api |
| 10 | VULN-API-29-010 | TODO | Provide unit/integration/perf tests (5M findings), fuzz query validation, determinism harness comparing repeated queries (Deps: VULN-API-29-009) | Vuln Explorer API Guild, QA Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api |
| 11 | VULN-API-29-011 | TODO | Package deployment (Helm/Compose), health checks, CI smoke, offline kit steps, and scaling guidance (Deps: VULN-API-29-010) | Vuln Explorer API Guild, DevOps Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api |