# Sprint 124 - Policy & Reasoning
Last updated: November 8, 2025. Implementation order is DOING → TODO → BLOCKED.
Focus areas below were split out of the previous combined sprint; execute sections in order unless noted.
## Policy.II
Dependency: Sprint 120.C - Policy.I (must land before this track). Focus: Policy (phase II) within the Policy & Reasoning track.
| # | Task ID & handle | State | Key dependency / next step | Owners |
|---|---|---|---|---|
| P1 | PREP-POLICY-ENGINE-20-002-BUILD-DETERMINISTIC | DONE (2025-11-20) | Prep doc at docs/modules/policy/prep/2025-11-20-policy-engine-20-002-prep.md; captures evaluator constraints. | Policy Guild / src/Policy/StellaOps.Policy.Engine |
| 1 | POLICY-CONSOLE-23-002 | TODO | Produce simulation diff metadata (before/after counts, severity deltas, rule impact summaries) and approval state endpoints consumed by Console policy workspace; expose RBAC-aware status transitions (Deps: POLICY-CONSOLE-23-001) | Policy Guild, Product Ops / src/Policy/StellaOps.Policy.Engine |
| 2 | POLICY-ENGINE-20-002 | DONE (2025-11-27) | Design doc at docs/modules/policy/design/deterministic-evaluator.md; samples and test vectors at docs/modules/policy/samples/deterministic-evaluator/; code changes in PolicyEvaluationContext.cs and PolicyExpressionEvaluator.cs | Policy Guild / src/Policy/StellaOps.Policy.Engine |
| 3 | POLICY-ENGINE-20-003 | DONE (2025-11-27) | SelectionJoin models, PurlEquivalence table, and SelectionJoinService implemented in src/Policy/StellaOps.Policy.Engine/SelectionJoin/ | Policy Guild, Concelier Core Guild, Excititor Core Guild / src/Policy/StellaOps.Policy.Engine |
| 4 | POLICY-ENGINE-20-004 | DONE (2025-11-27) | Materialization writer implemented in src/Policy/StellaOps.Policy.Engine/Materialization/ with EffectiveFinding models, append-only history, tenant scoping, and trace references | Policy Guild, Platform Storage Guild / src/Policy/StellaOps.Policy.Engine |
| 5 | POLICY-ENGINE-20-005 | DONE (2025-11-27) | Determinism guard implemented in src/Policy/StellaOps.Policy.Engine/DeterminismGuard/ with static analyzer (ProhibitedPatternAnalyzer), runtime sandbox (DeterminismGuardService, EvaluationScope), and guarded evaluator integration (GuardedPolicyEvaluator) | Policy Guild, Security Engineering / src/Policy/StellaOps.Policy.Engine |
| 6 | POLICY-ENGINE-20-006 | DONE (2025-11-27) | Incremental orchestrator implemented in src/Policy/StellaOps.Policy.Engine/IncrementalOrchestrator/ with PolicyChangeEvent models (advisory/VEX/SBOM change types), IncrementalPolicyOrchestrator (batching, deduplication, retry logic), and IncrementalOrchestratorBackgroundService (continuous processing, metrics) | Policy Guild, Scheduler Worker Guild / src/Policy/StellaOps.Policy.Engine |
| 7 | POLICY-ENGINE-20-007 | DONE (2025-11-27) | Structured traces implemented in src/Policy/StellaOps.Policy.Engine/Telemetry/ with RuleHitTrace.cs (trace models, statistics), RuleHitTraceCollector.cs (sampling controls, exporters), and ExplainTraceExport.cs (JSON/NDJSON/Text/Markdown export formats) | Policy Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine |
| 8 | POLICY-ENGINE-20-008 | TODO | Add unit/property/golden/perf suites covering policy compilation, evaluation correctness, determinism, and SLA targets (Deps: POLICY-ENGINE-20-007) | Policy Guild, QA Guild / src/Policy/StellaOps.Policy.Engine |
| 9 | POLICY-ENGINE-20-009 | TODO | Define Mongo schemas/indexes for policies, policy_runs, and effective_finding_*; implement migrations and tenant enforcement (Deps: POLICY-ENGINE-20-008) | Policy Guild, Storage Guild / src/Policy/StellaOps.Policy.Engine |
| 10 | POLICY-ENGINE-27-001 | TODO | Extend compile outputs to include rule coverage metadata, symbol table, inline documentation, and rule index for editor autocomplete; persist deterministic hashes (Deps: POLICY-ENGINE-20-009) | Policy Guild / src/Policy/StellaOps.Policy.Engine |
| 11 | POLICY-ENGINE-27-002 | TODO | Enhance simulate endpoints to emit rule firing counts, heatmap aggregates, sampled explain traces with deterministic ordering, and delta summaries for quick/batch sims (Deps: POLICY-ENGINE-27-001) | Policy Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine |
| 12 | POLICY-ENGINE-29-001 | TODO | Implement batch evaluation endpoint (POST /policy/eval/batch) returning determinations + rationale chain for sets of (artifact,purl,version,advisory) tuples; support pagination and cost budgets (Deps: POLICY-ENGINE-27-004) | Policy Guild / src/Policy/StellaOps.Policy.Engine |
| 13 | POLICY-ENGINE-27-004 | DONE (2025-10-19) | Completed in Sprint 120; see archived tasks note. | Policy Guild / src/Policy/StellaOps.Policy.Engine |
| 14 | POLICY-ENGINE-29-002 | TODO | Provide streaming simulation API comparing two policy versions, returning per-finding deltas without writes; align determinism with Vuln Explorer simulation (Deps: POLICY-ENGINE-29-001) | Policy Guild, Findings Ledger Guild / src/Policy/StellaOps.Policy.Engine |
## Execution Log
| Date (UTC) | Update | Owner |
|---|---|---|
| 2025-11-27 | POLICY-ENGINE-20-006: Completed incremental orchestrator - PolicyChangeEvent.cs (change event models with factory for advisory/VEX/SBOM changes, deterministic content hashing, batching), IncrementalPolicyOrchestrator.cs (event processing with idempotency, retry logic, priority-based batching), IncrementalOrchestratorBackgroundService.cs (continuous processing with metrics). Status → DONE. | Implementer |
| 2025-11-27 | POLICY-ENGINE-20-005: Completed determinism guard - DeterminismViolation.cs (violation models/options), ProhibitedPatternAnalyzer.cs (static analysis with regex patterns for DateTime.Now, Random, Guid.NewGuid, HttpClient, File.Read, etc.), DeterminismGuardService.cs (runtime sandbox with EvaluationScope, DeterministicTimeProvider), GuardedPolicyEvaluator.cs (integration layer). Status → DONE. | Implementer |
| 2025-11-27 | POLICY-ENGINE-20-004: Completed materialization writer - EffectiveFindingModels.cs (document schema), EffectiveFindingWriter.cs (upsert + append-only history). Tenant-scoped collections, trace references, content hash deduplication. Status → DONE. | Implementer |
| 2025-11-27 | POLICY-ENGINE-20-003: Completed selection joiners - SelectionJoinModels.cs (tuple models), PurlEquivalence.cs (equivalence table with package key extraction), SelectionJoinService.cs (deterministic batching, multi-index lookup). Status → DONE. | Implementer |
| 2025-11-27 | POLICY-ENGINE-20-002: Completed. Created design doc, sample config, test vectors. Added EvaluationTimestamp/now for deterministic timestamps. Status → DONE. | Implementer |
| 2025-11-25 | Reconciled POLICY-ENGINE-27-004 as DONE (completed 2025-10-19 in Sprint 120); added to Delivery Tracker for traceability. | Project Mgmt |
| 2025-11-20 | Published deterministic evaluator prep note (docs/modules/policy/prep/2025-11-20-policy-engine-20-002-prep.md); set PREP-POLICY-ENGINE-20-002 to DONE. | Implementer |
| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |