git.stella-ops.org/docs/implplan/SPRINT_132_scanner_surface.md
StellaOps Bot 3b96b2e3ea
2025-11-27 23:45:09 +02:00

Sprint 132 - Scanner & Surface

Implementation order remains sequential across Sprints 130-139. Complete each sprint in order before pulling tasks from the next file.

3. Scanner.III — Scanner & Surface focus on Scanner (phase III).

Dependency: Sprint 131 - 2. Scanner.II — Scanner & Surface focus on Scanner (phase II).

| Task ID | State | Summary | Owner / Source | Depends On |
|---|---|---|---|---|
| SCANNER-ANALYZERS-LANG-11-002 | BLOCKED | Implement static analyzer (IL + reflection heuristics) capturing AssemblyRef, ModuleRef/PInvoke, DynamicDependency, reflection literals, DI patterns, and custom AssemblyLoadContext probing hints. Emit dependency edges with reason codes and confidence. | StellaOps.Scanner EPDR Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | SCANNER-ANALYZERS-LANG-11-001 |
| SCANNER-ANALYZERS-LANG-11-003 | BLOCKED | Ingest optional runtime evidence (AssemblyLoad, Resolving, P/Invoke) via event listener harness; merge runtime edges with static/declared ones and attach reason codes/confidence. | StellaOps.Scanner EPDR Guild, Signals Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | SCANNER-ANALYZERS-LANG-11-002 |
| SCANNER-ANALYZERS-LANG-11-004 | BLOCKED | Produce normalized observation export to Scanner writer: entrypoints + dependency edges + environment profiles (AOC compliant). Wire to SBOM service entrypoint tagging. | StellaOps.Scanner EPDR Guild, SBOM Service Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | SCANNER-ANALYZERS-LANG-11-003 |
| SCANNER-ANALYZERS-LANG-11-005 | BLOCKED | Add comprehensive fixtures/benchmarks covering framework-dependent, self-contained, single-file, trimmed, NativeAOT, multi-RID scenarios; include explain traces and perf benchmarks vs previous analyzer. | StellaOps.Scanner EPDR Guild, QA Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | SCANNER-ANALYZERS-LANG-11-004 |
| SCANNER-ANALYZERS-NATIVE-20-001 | DONE | Implement format detector and binary identity model supporting ELF, PE/COFF, and Mach-O (including fat slices). Capture arch, OS, build-id/UUID, interpreter metadata. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | |
| SCANNER-ANALYZERS-NATIVE-20-002 | DONE | Parse ELF dynamic sections: DT_NEEDED, DT_RPATH, DT_RUNPATH, symbol versions, interpreter, and note build-id. Emit declared dependency records with reason elf-dtneeded and attach version needs. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | SCANNER-ANALYZERS-NATIVE-20-001 |
| SCANNER-ANALYZERS-NATIVE-20-003 | DONE | Parse PE imports, delay-load tables, manifests/SxS metadata, and subsystem flags. Emit edges with reasons pe-import and pe-delayimport, plus SxS policy metadata. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | SCANNER-ANALYZERS-NATIVE-20-002 |
| SCANNER-ANALYZERS-NATIVE-20-004 | DONE | Parse Mach-O load commands (LC_LOAD_DYLIB, LC_REEXPORT_DYLIB, LC_RPATH, LC_UUID, fat headers). Handle @rpath/@loader_path placeholders and slice separation. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | SCANNER-ANALYZERS-NATIVE-20-003 |
| SCANNER-ANALYZERS-NATIVE-20-005 | DONE | Implement resolver engine modeling loader search order for ELF (rpath/runpath/cache/default), PE (SafeDll search + SxS), and Mach-O (@rpath expansion). Works against virtual image roots, producing explain traces. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | SCANNER-ANALYZERS-NATIVE-20-004 |
| SCANNER-ANALYZERS-NATIVE-20-006 | DONE | Build heuristic scanner for dlopen/LoadLibrary strings, plugin ecosystem configs, and Go/Rust static hints. Emit edges with reason_code (string-dlopen, config-plugin, ecosystem-heuristic) and confidence levels. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | SCANNER-ANALYZERS-NATIVE-20-005 |
| SCANNER-ANALYZERS-NATIVE-20-007 | DONE | Serialize AOC-compliant observations: entrypoints + dependency edges + environment profiles (search paths, interpreter, loader metadata). Integrate with Scanner writer API. | Native Analyzer Guild, SBOM Service Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | SCANNER-ANALYZERS-NATIVE-20-006 |
| SCANNER-ANALYZERS-NATIVE-20-008 | DONE | Author cross-platform fixtures (ELF dynamic/static, PE delay-load/SxS, Mach-O @rpath, plugin configs) and determinism benchmarks (<25 ms / binary, <250 MB). | Native Analyzer Guild, QA Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | SCANNER-ANALYZERS-NATIVE-20-007 |
| SCANNER-ANALYZERS-NATIVE-20-009 | DONE | Provide optional runtime capture adapters (Linux eBPF dlopen, Windows ETW ImageLoad, macOS dyld interpose) writing append-only runtime evidence. Include redaction/sandbox guidance. | Native Analyzer Guild, Signals Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | SCANNER-ANALYZERS-NATIVE-20-008 |
| SCANNER-ANALYZERS-NATIVE-20-010 | DONE | Package native analyzer as restart-time plug-in with manifest/DI registration; update Offline Kit bundle + documentation. | Native Analyzer Guild, DevOps Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | SCANNER-ANALYZERS-NATIVE-20-009 |
| SCANNER-ANALYZERS-NODE-22-001 | TODO | Build input normalizer + VFS for Node projects: dirs, tgz, container layers, pnpm store, Yarn PnP zips; detect Node version targets (.nvmrc, .node-version, Dockerfile) and workspace roots deterministically. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | |
| SCANNER-ANALYZERS-NODE-22-002 | TODO | Implement entrypoint discovery (bin/main/module/exports/imports, workers, electron, shebang scripts) and condition set builder per entrypoint. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | SCANNER-ANALYZERS-NODE-22-001 |
| SCANNER-ANALYZERS-NODE-22-003 | TODO | Parse JS/TS sources for static import, require, import() and string concat cases; flag dynamic patterns with confidence levels; support source map de-bundling. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | SCANNER-ANALYZERS-NODE-22-002 |
| SCANNER-ANALYZERS-NODE-22-004 | TODO | Implement Node resolver engine for CJS + ESM (core modules, exports/imports maps, conditions, extension priorities, self-references) parameterised by node_version. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | SCANNER-ANALYZERS-NODE-22-003 |
| SCANNER-ANALYZERS-NODE-22-005 | TODO | Add package manager adapters: Yarn PnP (.pnp.data/.pnp.cjs), pnpm virtual store, npm/Yarn classic hoists; operate entirely in virtual FS. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | SCANNER-ANALYZERS-NODE-22-004 |
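The ELF part of the loader search order that SCANNER-ANALYZERS-NATIVE-20-005 models, written here in Python as an added illustration rather than the project's C# resolver: one DT_NEEDED soname is resolved against a virtual image root, DT_RPATH is ignored when DT_RUNPATH is present (glibc behaviour), $ORIGIN is expanded, and every probe is recorded in an explain trace. The image file set, the default directory list, the ld.so.cache shape and the reason-code spellings (elf-rpath, elf-runpath, elf-ldcache, elf-default) are assumptions of this example.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# glibc default directories, assumed for this example (the real list is distro/config dependent)
DEFAULT_DIRS = ("/lib64", "/usr/lib64", "/lib", "/usr/lib")


@dataclass
class Resolution:
    """One DT_NEEDED lookup with its explain trace of (candidate path, reason code)."""
    needed: str
    resolved: Optional[str] = None
    reason: Optional[str] = None
    trace: List[Tuple[str, str]] = field(default_factory=list)


def _expand_origin(entry: str, origin: str) -> str:
    # $ORIGIN is the directory of the object whose DT_RPATH/DT_RUNPATH is being expanded
    return entry.replace("${ORIGIN}", origin).replace("$ORIGIN", origin)


def path_dirs(binary_path: str, rpath: Optional[str], runpath: Optional[str]):
    """Yield (directory, reason code) for the DT_RPATH / DT_RUNPATH phases.

    glibc consults DT_RPATH only when DT_RUNPATH is absent. LD_LIBRARY_PATH sits
    between them at runtime but is environment state an image scan cannot see,
    so this model leaves it out (an assumption of the example).
    """
    origin = os.path.dirname(binary_path)
    if rpath and not runpath:
        for d in filter(None, rpath.split(":")):
            yield _expand_origin(d, origin), "elf-rpath"
    if runpath:
        for d in filter(None, runpath.split(":")):
            yield _expand_origin(d, origin), "elf-runpath"


def resolve(binary_path: str, needed: str, rpath: Optional[str], runpath: Optional[str],
            image_files: Set[str], ld_cache: Optional[Dict[str, str]] = None) -> Resolution:
    """Resolve one DT_NEEDED soname against a virtual image root (a set of file paths)."""
    res = Resolution(needed)
    candidates = [(os.path.join(d, needed), r) for d, r in path_dirs(binary_path, rpath, runpath)]
    if ld_cache and needed in ld_cache:           # ld.so.cache maps soname -> path
        candidates.append((ld_cache[needed], "elf-ldcache"))
    candidates += [(os.path.join(d, needed), "elf-default") for d in DEFAULT_DIRS]
    for cand, reason in candidates:
        cand = os.path.normpath(cand)
        res.trace.append((cand, reason))          # every probe is recorded, hit or miss
        if cand in image_files:
            res.resolved, res.reason = cand, reason
            break
    return res


# Constructed virtual image root: file paths present in the scanned image layers
IMAGE_FILES = {"/app/bin/server", "/app/lib/libcustom.so.1", "/usr/lib/libcustom.so.1", "/lib/libc.so.6"}
```

The trace is what an explain output needs: it shows not only where a library was found but which earlier directories were probed and missed, which is how a shadowed copy such as the /usr/lib one above becomes visible.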

Status Notes (2025-11-27)

Native Analyzer (NATIVE-20-xxx): DONE

All 10 tasks completed. Implementation verified with 165 passing tests.

Implemented components:

  • NativeFormatDetector.cs - Format detection for ELF/PE/Mach-O with binary identity
  • ElfDynamicSectionParser.cs - ELF dynamic sections, DT_NEEDED, rpath/runpath
  • PeImportParser.cs - PE imports, delay-load, manifests, subsystem flags
  • MachOLoadCommandParser.cs - Mach-O load commands, @rpath, fat binaries
  • NativeResolver.cs - Cross-platform loader search order modeling
  • HeuristicScanner.cs - dlopen/LoadLibrary string detection, plugin configs
  • Observations/ - AOC-compliant observation builder and serializer
  • RuntimeCapture/ - Linux eBPF, Windows ETW, macOS dyld adapters
  • Plugin/ - Plugin packaging with DI registration

DotNet Analyzer (LANG-11-xxx): BLOCKED

Tasks 11-002 through 11-005 are blocked pending SCANNER-ANALYZERS-LANG-11-001 from Sprint 131.

Blocker: SCANNER-ANALYZERS-LANG-11-001 (not in this sprint) must implement the foundation for IL analysis before static analyzer heuristics can be built.

Node Analyzer (NODE-22-xxx): TODO

Tasks 22-001 through 22-005 remain TODO. Existing infrastructure provides partial coverage:

  • NodePackageCollector - handles dirs, tgz, Yarn PnP cache
  • NodeVersionDetector - detects .nvmrc, .node-version, Dockerfile
  • NodeWorkspaceIndex - workspace root detection
  • NodeImportWalker - basic import/require parsing

Missing components for Sprint 132:

  • Full VFS abstraction for container layers and pnpm store (22-001)
  • Exports/imports map handling and condition set builder (22-002)
  • Dynamic pattern confidence levels and source map support (22-003)
  • Complete Node resolver engine for CJS+ESM (22-004)
  • pnpm virtual store adapter (22-005)