Sprint 136 - Scanner & Surface
Implementation order remains sequential across Sprint 130–139. Complete each sprint in order before pulling tasks from the next file.
7. Scanner.VII — Scanner & Surface focus on Scanner (phase VII).
Dependency: Sprint 135 - 6. Scanner.VI — Scanner & Surface focus on Scanner (phase VI).
| Task ID | State | Summary | Owner / Source | Depends On |
|---|---|---|---|---|
| SCANNER-ENTRYTRACE-18-504 | TODO | Emit EntryTrace AOC NDJSON (entrytrace.entry/node/edge/target/warning/capability) and wire CLI/service streaming outputs. | EntryTrace Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace) | SCANNER-ENTRYTRACE-18-503 |
| SCANNER-ENTRYTRACE-18-505 | TODO | Implement process-tree replay (ProcGraph) to reconcile /proc exec chains with static EntryTrace results, collapsing wrappers and emitting agreement/conflict diagnostics. | EntryTrace Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace) | SCANNER-ENTRYTRACE-18-504 |
| SCANNER-ENTRYTRACE-18-506 | TODO | Surface EntryTrace graph + confidence via Scanner.WebService and CLI, including target summary in scan reports and policy payloads. | EntryTrace Guild, Scanner WebService Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace) | SCANNER-ENTRYTRACE-18-505 |
| SCANNER-ENV-01 | DONE (2025-11-18) | Worker already wired to AddSurfaceEnvironment/ISurfaceEnvironment for cache roots + CAS endpoints; no remaining ad-hoc env reads. | Scanner Worker Guild (src/Scanner/StellaOps.Scanner.Worker) | — |
| SCANNER-ENV-02 | TODO (2025-11-06) | Wire Surface.Env helpers into WebService hosting (cache roots, feature flags) and document configuration. | Scanner WebService Guild, Ops Guild (src/Scanner/StellaOps.Scanner.WebService) | SCANNER-ENV-01 |
| SCANNER-ENV-03 | BLOCKED (2025-11-19) | Waiting on SCANNER-ENV-02 tests/restore to complete and Surface.Env package publish; plugin wiring on hold. | BuildX Plugin Guild (src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin) | SCANNER-ENV-02 |
| SURFACE-ENV-01 | DONE (2025-11-13) | Draft surface-env.md enumerating environment variables, defaults, and air-gap behaviour for Surface consumers. | Scanner Guild, Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env) | — |
| SURFACE-ENV-02 | DONE (2025-11-18) | Strongly-typed env accessors implemented; validation covers required endpoint, bounds, TLS cert path; regression tests passing. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env) | SURFACE-ENV-01 |
| SURFACE-ENV-03 | TODO | Adopt the env helper across Scanner Worker/WebService/BuildX plug-ins. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env) | SURFACE-ENV-02 |
| SURFACE-ENV-04 | TODO | Wire env helper into Zastava Observer/Webhook containers. | Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env) | SURFACE-ENV-02 |
| SURFACE-ENV-05 | TODO | Update Helm/Compose/offline kit templates with new env knobs and documentation. | Ops Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env) | SURFACE-ENV-03, SURFACE-ENV-04 |
| SCANNER-EVENTS-16-301 | BLOCKED (2025-10-26) | Emit orchestrator-compatible envelopes (scanner.event.*) and update integration tests to verify Notifier ingestion (no Redis queue coupling). | Scanner WebService Guild (src/Scanner/StellaOps.Scanner.WebService) | — |
| SCANNER-GRAPH-21-001 | TODO | Provide webhook/REST endpoint for Cartographer to request policy overlays and runtime evidence for graph nodes, ensuring determinism and tenant scoping. | Scanner WebService Guild, Cartographer Guild (src/Scanner/StellaOps.Scanner.WebService) | — |
| SCANNER-LNM-21-001 | TODO | Update /reports and /policy/runtime payloads to consume advisory/vex linksets, exposing source severity arrays and conflict summaries alongside effective verdicts. | Scanner WebService Guild, Policy Guild (src/Scanner/StellaOps.Scanner.WebService) | — |
| SCANNER-LNM-21-002 | TODO | Add evidence endpoint for Console to fetch linkset summaries with policy overlay for a component/SBOM, including AOC references. | Scanner WebService Guild, UI Guild (src/Scanner/StellaOps.Scanner.WebService) | SCANNER-LNM-21-001 |
| SCANNER-SECRETS-03 | TODO | Use Surface.Secrets to retrieve registry credentials when interacting with CAS/referrers. | BuildX Plugin Guild, Security Guild (src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin) | SCANNER-SECRETS-02 |
| SURFACE-SECRETS-01 | BLOCKED (2025-11-19) | Secret schema/backends need Security Guild approval; draft doc not reviewed. | Scanner Guild, Security Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | — |
| SURFACE-SECRETS-02 | BLOCKED (2025-11-19) | Awaiting SURFACE-SECRETS-01 approval and test backend contract. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-01 |
| SURFACE-SECRETS-03 | TODO | Add Kubernetes/File/Offline backends with deterministic caching and audit hooks. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-02 |
| SURFACE-SECRETS-04 | TODO | Integrate Surface.Secrets into Scanner Worker/WebService/BuildX for registry + CAS creds. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-02 |
| SURFACE-SECRETS-05 | TODO | Invoke Surface.Secrets from Zastava Observer/Webhook for CAS & attestation secrets. | Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-02 |
| SURFACE-SECRETS-06 | TODO | Update deployment manifests/offline kit bundles to provision secret references instead of raw values. | Ops Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-03 |
| SCANNER-ENG-0020 | TODO | Implement Homebrew collector & fragment mapper per design/macos-analyzer.md §3.1. | Scanner Guild (docs/modules/scanner) | — |
| SCANNER-ENG-0021 | TODO | Implement pkgutil receipt collector per design/macos-analyzer.md §3.2. | Scanner Guild (docs/modules/scanner) | — |
| SCANNER-ENG-0022 | TODO | Implement macOS bundle inspector & capability overlays per design/macos-analyzer.md §3.3. | Scanner Guild, Policy Guild (docs/modules/scanner) | — |
| SCANNER-ENG-0023 | TODO | Deliver macOS policy/offline integration per design/macos-analyzer.md §5–6. | Scanner Guild, Offline Kit Guild, Policy Guild (docs/modules/scanner) | — |
| SCANNER-ENG-0024 | TODO | Implement Windows MSI collector per design/windows-analyzer.md §3.1. | Scanner Guild (docs/modules/scanner) | — |
| SCANNER-ENG-0025 | TODO | Implement WinSxS manifest collector per design/windows-analyzer.md §3.2. | Scanner Guild (docs/modules/scanner) | — |
| SCANNER-ENG-0026 | TODO | Implement Windows Chocolatey & registry collectors per design/windows-analyzer.md §3.3–3.4. | Scanner Guild (docs/modules/scanner) | — |
| SCANNER-ENG-0027 | TODO | Deliver Windows policy/offline integration per design/windows-analyzer.md §5–6. | Scanner Guild, Policy Guild, Offline Kit Guild (docs/modules/scanner) | — |
| SCHED-SURFACE-02 | TODO | Integrate Scheduler worker prefetch using Surface manifest reader and persist manifest pointers with rerun plans. | Scheduler Worker Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | SURFACE-FS-02, SCHED-SURFACE-01. Reference docs/modules/scanner/design/surface-fs-consumers.md §3 for the implementation checklist. |
| ZASTAVA-SURFACE-02 | TODO | Use Surface manifest reader helpers to resolve cas:// pointers and enrich drift diagnostics with manifest provenance. | Zastava Observer Guild (src/Zastava/StellaOps.Zastava.Observer) | SURFACE-FS-02, ZASTAVA-SURFACE-01. Reference docs/modules/scanner/design/surface-fs-consumers.md §4 for integration steps. |
| SURFACE-FS-03 | TODO | Integrate Surface.FS writer into Scanner Worker analyzer pipeline to persist layer + entry-trace fragments. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | SURFACE-FS-02 |
| SURFACE-FS-04 | TODO | Integrate Surface.FS reader into Zastava Observer runtime drift loop. | Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | SURFACE-FS-02 |
| SURFACE-FS-05 | TODO | Expose Surface.FS pointers via Scanner WebService reports and coordinate rescan planning with Scheduler. | Scanner Guild, Scheduler Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | SURFACE-FS-03 |
| SURFACE-FS-06 | TODO | Update scanner-engine guide and offline kit docs with Surface.FS workflow. | Docs Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | SURFACE-FS-02..05 |
| SCANNER-SURFACE-04 | TODO | DSSE-sign every layer.fragments payload, emit _composition.json, and persist DSSE envelopes so offline kits can replay deterministically (see docs/modules/scanner/deterministic-sbom-compose.md §2.1). | Scanner Worker Guild (src/Scanner/StellaOps.Scanner.Worker) | SCANNER-SURFACE-01, SURFACE-FS-03 |
| SURFACE-FS-07 | TODO | Extend Surface.FS manifest schema with composition.recipe, fragment attestation metadata, and verification helpers per deterministic SBOM spec. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | SCANNER-SURFACE-04 |
| SCANNER-EMIT-15-001 | TODO | Enforce canonical JSON (stella.contentHash, Merkle root metadata, zero timestamps) for fragments and composed CycloneDX inventory/usage BOMs. Documented in docs/modules/scanner/deterministic-sbom-compose.md §2.2. | Scanner Emit Guild (src/Scanner/__Libraries/StellaOps.Scanner.Emit) | SCANNER-SURFACE-04 |
| SCANNER-SORT-02 | TODO | Sort layer fragments by digest and components by identity.purl/identity.key before composition; add determinism regression tests. | Scanner Core Guild (src/Scanner/__Libraries/StellaOps.Scanner.Core) | SCANNER-EMIT-15-001 |
| SURFACE-VAL-01 | BLOCKED (2025-11-19) | Waiting on SURFACE-SECRETS-01 schema and Surface.Env publish to finalize validation framework doc. | Scanner Guild, Security Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-FS-01, SURFACE-ENV-01 |
| SURFACE-VAL-02 | TODO | Implement base validation library with check registry and default validators for env/cached manifests/secret refs. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-VAL-01, SURFACE-ENV-02, SURFACE-FS-02 |
| SURFACE-VAL-03 | TODO | Integrate validation pipeline into Scanner analyzers so checks run before processing. | Scanner Guild, Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-VAL-02 |
| SURFACE-VAL-04 | TODO | Expose validation helpers to Zastava and other runtime consumers for preflight checks. | Scanner Guild, Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-VAL-02 |
| SURFACE-VAL-05 | TODO | Document validation extensibility, registration, and customization in scanner-engine guides. | Docs Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-VAL-02 |
Execution Log
| Date (UTC) | Update | Owner |
|---|---|---|
| 2025-10-26 | Initial sprint plan captured; dependencies noted across Scheduler/Surface/Cartographer. | Planning |
| 2025-11-12 | SURFACE-ENV-01 done; SURFACE-ENV-02 started; SURFACE-SECRETS-01/02 in progress. | Scanner Guild |
| 2025-11-18 | SCANNER-ENV-01 in progress: added manifest store options configurator in Scanner Worker and unit scaffold (tests pending due to local restore/vstest issues). | Implementer |
| 2025-11-18 | SCANNER-ENV-02 started: wired Surface manifest store options into Scanner WebService and unit scaffold added; tests pending (nuget.org restore cancelled locally). | Implementer |
| 2025-11-18 | Attempted dotnet test for Worker Surface manifest configurator; restore failed fetching StackExchange.Redis from nuget.org (network timeout); tests still pending CI. | Implementer |
| 2025-11-18 | SCANNER-ENV-03 started: BuildX plugin now loads Surface.Env defaults (SCANNER/SURFACE prefixes) for cache root/bucket/tenant when args/env missing; tests not yet added. | Implementer |
| 2025-11-19 | Marked SCANNER-ENV-03, SURFACE-SECRETS-01/02, and SURFACE-VAL-01 BLOCKED pending Security/Surface schema approvals and published env/secrets artifacts; move back to TODO once upstream contracts land. | Implementer |