git.stella-ops.org/src/StellaOps.SbomService/TASKS.md
master 14617e9c3b feat: Implement Scheduler Worker Options and Planner Loop
- Added `SchedulerWorkerOptions` class to encapsulate configuration for the scheduler worker.
- Introduced `PlannerBackgroundService` to manage the planner loop, fetching and processing planning runs.
- Created `PlannerExecutionService` to handle the execution logic for planning runs, including impact targeting and run persistence.
- Developed `PlannerExecutionResult` and `PlannerExecutionStatus` to standardize execution outcomes.
- Implemented validation logic within `SchedulerWorkerOptions` to ensure proper configuration.
- Added documentation for the planner loop and impact targeting features.
- Established health check endpoints and authentication mechanisms for the Signals service.
- Created unit tests for the Signals API to ensure proper functionality and response handling.
- Configured options for authority integration and fallback authentication methods.
2025-10-27 09:46:31 +02:00


SBOM Service Task Board — Epic 3: Graph Explorer v1

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SBOM-SERVICE-21-001 | BLOCKED (2025-10-27) | SBOM Service Guild, Cartographer Guild | CONCELIER-GRAPH-21-001 | Publish normalized SBOM projection schema (components, relationships, scopes, entrypoints) and implement read API with pagination + tenant enforcement. | Schema validated with fixtures; API documented; integration tests cover CycloneDX/SPDX inputs. |
| SBOM-SERVICE-21-002 | BLOCKED (2025-10-27) | SBOM Service Guild, Scheduler Guild | SBOM-SERVICE-21-001, SCHED-MODELS-21-001 | Emit change events (sbom.version.created) carrying digest/version metadata for Graph Indexer builds; add replay/backfill tooling. | Events published on new SBOMs; consumer harness validated; replay scripts documented. |
| SBOM-SERVICE-21-003 | BLOCKED (2025-10-27) | SBOM Service Guild | SBOM-SERVICE-21-001 | Provide entrypoint/service node management API (list/update overrides) feeding Cartographer path relevance with deterministic defaults. | Entrypoint API live; overrides persisted; docs updated; tests cover fallback logic. |
| SBOM-SERVICE-21-004 | BLOCKED (2025-10-27) | SBOM Service Guild, Observability Guild | SBOM-SERVICE-21-001 | Wire observability: metrics (sbom_projection_seconds, sbom_projection_size), traces, structured logs with tenant info; set alerts for backlog. | Metrics/traces exposed; dashboards updated; alert thresholds defined. |

- 2025-10-27 (SBOM-SERVICE-21-001): Awaiting projection schema from Concelier (CONCELIER-GRAPH-21-001) before we can finalize API payloads and fixtures.
- 2025-10-27 (SBOM-SERVICE-21-002): Blocked until SBOM-SERVICE-21-001 defines projection schema and endpoints.
- 2025-10-27 (SBOM-SERVICE-21-003): Depends on base projection schema (SBOM-SERVICE-21-001) which is blocked.
- 2025-10-27 (SBOM-SERVICE-21-004): Projection pipeline not in place yet; will follow once SBOM-SERVICE-21-001 unblocks.

Policy Engine + Editor v1

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SBOM-SERVICE-23-001 | TODO | SBOM Service Guild, Policy Guild | SBOM-SERVICE-21-001 | Extend projections to include asset metadata (criticality, owner, environment, exposure flags) required by policy rules; update schema docs. | Projection schema updated; fixtures expanded; policy runtime tests consume new fields. |
| SBOM-SERVICE-23-002 | TODO | SBOM Service Guild, Platform Events Guild | SBOM-SERVICE-23-001 | Emit sbom.asset.updated events when metadata changes; ensure idempotent payloads and documentation. | Events published with tests; evaluator receives updates; docs updated. |

StellaOps Console (Sprint 23)

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SBOM-CONSOLE-23-001 | TODO | SBOM Service Guild, Cartographer Guild | SBOM-SERVICE-21-001, SBOM-SERVICE-21-003 | Provide Console-focused SBOM catalog API (/console/sboms) with filters (artifact, license, scope, asset tags), pagination cursors, evaluation metadata, and immutable JSON projections for raw view drawer. Document schema + determinism guarantees. | API deployed with contract tests, latency ≤ 200ms P95 on seeded fixtures, docs updated, integration tests confirm parity with underlying projections. |
| SBOM-CONSOLE-23-002 | TODO | SBOM Service Guild | SBOM-CONSOLE-23-001, SBOM-SERVICE-21-002 | Deliver component lookup endpoints powering global search and Graph overlays (component neighborhoods, license overlays, policy deltas) with caching hints and tenant enforcement. | Endpoints documented, caching headers validated, integration tests cover search use cases, telemetry metrics exported. |

Graph & Vuln Explorer v1

2025-10-26 update — Cartographer service (CARTO-GRAPH-21-001..009) now owns graph construction/overlays. SBOM Service continues to expose projections and change events via SBOM-SERVICE-21-00x.

Vulnerability Explorer (Sprint 29)

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SBOM-VULN-29-001 | TODO | SBOM Service Guild | SBOM-SERVICE-21-001 | Emit inventory evidence with scope, runtime_flag, dependency paths, and nearest safe version hints, streaming change events for resolver jobs. | Evidence payloads extended; change events published with tests; documentation updated. |
| SBOM-VULN-29-002 | TODO | SBOM Service Guild, Findings Ledger Guild | SBOM-VULN-29-001, LEDGER-29-002 | Provide resolver feed (artifact, purl, version, paths) via queue/topic for Vuln Explorer candidate generation; ensure idempotent delivery. | Feed operational with dedupe keys; integration tests confirm candidate generation; metrics added. |

Advisory AI (Sprint 31)

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SBOM-AIAI-31-001 | TODO | SBOM Service Guild | SBOM-VULN-29-001 | Provide GET /sbom/paths?purl=... and version timeline endpoints optimized for Advisory AI (incl. env flags, blast radius metadata). | Endpoints live with caching; perf targets met; tests cover ecosystems. |
| SBOM-AIAI-31-002 | TODO | SBOM Service Guild, Observability Guild | SBOM-AIAI-31-001 | Instrument metrics for path/timeline queries (latency, cache hit rate) and surface dashboards. | Metrics/traces live; dashboards approved. |

Orchestrator Dashboard

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SBOM-ORCH-32-001 | TODO | SBOM Service Guild | ORCH-SVC-32-001, WORKER-GO-32-001, WORKER-PY-32-001 | Register SBOM ingest/index sources with orchestrator, embed worker SDK, and emit artifact hashes + job metadata. | SDK integration tested with orchestrator; artifact hashes persisted; metrics include sbom ingest job lifecycle. |
| SBOM-ORCH-33-001 | TODO | SBOM Service Guild | SBOM-ORCH-32-001, ORCH-SVC-33-001, ORCH-SVC-33-002 | Report backpressure metrics, honor orchestrator pause/throttle signals, and classify error outputs for sbom jobs. | Backpressure metrics exported; pause/resume E2E tests pass; error classes mapped to orchestrator codes. |
| SBOM-ORCH-34-001 | TODO | SBOM Service Guild | SBOM-ORCH-33-001, ORCH-SVC-33-003, ORCH-SVC-34-001 | Implement orchestrator backfill + watermark reconciliation for SBOM ingest/index, ensuring idempotent artifact reuse. | Backfill operations verified with no duplicate artifacts; watermark status persisted; coverage metrics published. |