git.stella-ops.org/src/StellaOps.SbomService/TASKS.md
master 14617e9c3b feat: Implement Scheduler Worker Options and Planner Loop
- Added `SchedulerWorkerOptions` class to encapsulate configuration for the scheduler worker.
- Introduced `PlannerBackgroundService` to manage the planner loop, fetching and processing planning runs.
- Created `PlannerExecutionService` to handle the execution logic for planning runs, including impact targeting and run persistence.
- Developed `PlannerExecutionResult` and `PlannerExecutionStatus` to standardize execution outcomes.
- Implemented validation logic within `SchedulerWorkerOptions` to ensure proper configuration.
- Added documentation for the planner loop and impact targeting features.
- Established health check endpoints and authentication mechanisms for the Signals service.
- Created unit tests for the Signals API to ensure proper functionality and response handling.
- Configured options for authority integration and fallback authentication methods.
2025-10-27 09:46:31 +02:00


# SBOM Service Task Board — Epic 3: Graph Explorer v1
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SBOM-SERVICE-21-001 | BLOCKED (2025-10-27) | SBOM Service Guild, Cartographer Guild | CONCELIER-GRAPH-21-001 | Publish normalized SBOM projection schema (components, relationships, scopes, entrypoints) and implement read API with pagination + tenant enforcement. | Schema validated with fixtures; API documented; integration tests cover CycloneDX/SPDX inputs. |
| SBOM-SERVICE-21-002 | BLOCKED (2025-10-27) | SBOM Service Guild, Scheduler Guild | SBOM-SERVICE-21-001, SCHED-MODELS-21-001 | Emit change events (`sbom.version.created`) carrying digest/version metadata for Graph Indexer builds; add replay/backfill tooling. | Events published on new SBOMs; consumer harness validated; replay scripts documented. |
| SBOM-SERVICE-21-003 | BLOCKED (2025-10-27) | SBOM Service Guild | SBOM-SERVICE-21-001 | Provide entrypoint/service node management API (list/update overrides) feeding Cartographer path relevance with deterministic defaults. | Entrypoint API live; overrides persisted; docs updated; tests cover fallback logic. |
| SBOM-SERVICE-21-004 | BLOCKED (2025-10-27) | SBOM Service Guild, Observability Guild | SBOM-SERVICE-21-001 | Wire observability: metrics (`sbom_projection_seconds`, `sbom_projection_size`), traces, structured logs with tenant info; set alerts for backlog. | Metrics/traces exposed; dashboards updated; alert thresholds defined. |

> **SBOM-SERVICE-21-001** 2025-10-27: Awaiting projection schema from Concelier (`CONCELIER-GRAPH-21-001`) before we can finalize API payloads and fixtures.
>
> **SBOM-SERVICE-21-002** 2025-10-27: Blocked until `SBOM-SERVICE-21-001` defines projection schema and endpoints.
>
> **SBOM-SERVICE-21-003** 2025-10-27: Depends on base projection schema (`SBOM-SERVICE-21-001`) which is blocked.
>
> **SBOM-SERVICE-21-004** 2025-10-27: Projection pipeline not in place yet; will follow once `SBOM-SERVICE-21-001` unblocks.
## Policy Engine + Editor v1
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SBOM-SERVICE-23-001 | TODO | SBOM Service Guild, Policy Guild | SBOM-SERVICE-21-001 | Extend projections to include asset metadata (criticality, owner, environment, exposure flags) required by policy rules; update schema docs. | Projection schema updated; fixtures expanded; policy runtime tests consume new fields. |
| SBOM-SERVICE-23-002 | TODO | SBOM Service Guild, Platform Events Guild | SBOM-SERVICE-23-001 | Emit `sbom.asset.updated` events when metadata changes; ensure idempotent payloads and documentation. | Events published with tests; evaluator receives updates; docs updated. |
## StellaOps Console (Sprint 23)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SBOM-CONSOLE-23-001 | TODO | SBOM Service Guild, Cartographer Guild | SBOM-SERVICE-21-001, SBOM-SERVICE-21-003 | Provide Console-focused SBOM catalog API (`/console/sboms`) with filters (artifact, license, scope, asset tags), pagination cursors, evaluation metadata, and immutable JSON projections for raw view drawer. Document schema + determinism guarantees. | API deployed with contract tests, latency ≤ 200ms P95 on seeded fixtures, docs updated, integration tests confirm parity with underlying projections. |
| SBOM-CONSOLE-23-002 | TODO | SBOM Service Guild | SBOM-CONSOLE-23-001, SBOM-SERVICE-21-002 | Deliver component lookup endpoints powering global search and Graph overlays (component neighborhoods, license overlays, policy deltas) with caching hints and tenant enforcement. | Endpoints documented, caching headers validated, integration tests cover search use cases, telemetry metrics exported. |
## Graph & Vuln Explorer v1
> 2025-10-26 update — Cartographer service (`CARTO-GRAPH-21-001..009`) now owns graph construction/overlays. SBOM Service continues to expose projections and change events via `SBOM-SERVICE-21-00x`.
## Vulnerability Explorer (Sprint 29)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SBOM-VULN-29-001 | TODO | SBOM Service Guild | SBOM-SERVICE-21-001 | Emit inventory evidence with `scope`, `runtime_flag`, dependency paths, and nearest safe version hints, streaming change events for resolver jobs. | Evidence payloads extended; change events published with tests; documentation updated. |
| SBOM-VULN-29-002 | TODO | SBOM Service Guild, Findings Ledger Guild | SBOM-VULN-29-001, LEDGER-29-002 | Provide resolver feed (artifact, purl, version, paths) via queue/topic for Vuln Explorer candidate generation; ensure idempotent delivery. | Feed operational with dedupe keys; integration tests confirm candidate generation; metrics added. |
## Advisory AI (Sprint 31)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SBOM-AIAI-31-001 | TODO | SBOM Service Guild | SBOM-VULN-29-001 | Provide `GET /sbom/paths?purl=...` and version timeline endpoints optimized for Advisory AI (incl. env flags, blast radius metadata). | Endpoints live with caching; perf targets met; tests cover ecosystems. |
| SBOM-AIAI-31-002 | TODO | SBOM Service Guild, Observability Guild | SBOM-AIAI-31-001 | Instrument metrics for path/timeline queries (latency, cache hit rate) and surface dashboards. | Metrics/traces live; dashboards approved. |
## Orchestrator Dashboard
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SBOM-ORCH-32-001 | TODO | SBOM Service Guild | ORCH-SVC-32-001, WORKER-GO-32-001, WORKER-PY-32-001 | Register SBOM ingest/index sources with orchestrator, embed worker SDK, and emit artifact hashes + job metadata. | SDK integration tested with orchestrator; artifact hashes persisted; metrics include sbom ingest job lifecycle. |
| SBOM-ORCH-33-001 | TODO | SBOM Service Guild | SBOM-ORCH-32-001, ORCH-SVC-33-001, ORCH-SVC-33-002 | Report backpressure metrics, honor orchestrator pause/throttle signals, and classify error outputs for sbom jobs. | Backpressure metrics exported; pause/resume E2E tests pass; error classes mapped to orchestrator codes. |
| SBOM-ORCH-34-001 | TODO | SBOM Service Guild | SBOM-ORCH-33-001, ORCH-SVC-33-003, ORCH-SVC-34-001 | Implement orchestrator backfill + watermark reconciliation for SBOM ingest/index, ensuring idempotent artifact reuse. | Backfill operations verified with no duplicate artifacts; watermark status persisted; coverage metrics published. |