This commit introduces the OpenSslLegacyShim class, which sets the LD_LIBRARY_PATH environment variable to include the directory containing OpenSSL 1.1 native libraries. This is necessary for Mongo2Go to function correctly on Linux platforms that do not ship these libraries by default. The shim checks if the current operating system is Linux and whether the required directory exists before modifying the environment variable.
Sprint 110 - Ingestion & Evidence
[Ingestion & Evidence] 110.A) AdvisoryAI
Depends on: Sprint 100.A - Attestor
Summary: Ingestion & Evidence focus on AdvisoryAI.

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| AIAI-31-001 | DOING (2025-11-02) | Implement structured and vector retrievers for advisories/VEX with paragraph anchors and citation metadata. Dependencies: CONCELIER-VULN-29-001, EXCITITOR-VULN-29-001. | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-002 | TODO | Build SBOM context retriever (purl version timelines, dependency paths, env flags, blast radius estimator). Dependencies: SBOM-VULN-29-001. | Advisory AI Guild, SBOM Service Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-003 | TODO | Implement deterministic toolset (version comparators, range checks, dependency analysis, policy lookup) exposed via orchestrator. Dependencies: AIAI-31-001..002. | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-004 | TODO | Build orchestration pipeline for Summary/Conflict/Remediation tasks (prompt templates, tool calls, token budgets, caching). Dependencies: AIAI-31-001..003, AUTH-VULN-29-001. | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-005 | TODO | Implement guardrails (redaction, injection defense, output validation, citation enforcement) and fail-safe handling. Dependencies: AIAI-31-004. | Advisory AI Guild, Security Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-006 | TODO | Expose REST API endpoints (/advisory/ai/*) with RBAC, rate limits, OpenAPI schemas, and batching support. Dependencies: AIAI-31-004..005. | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-007 | TODO | Instrument metrics (advisory_ai_latency, guardrail_blocks, validation_failures, citation_coverage), logs, and traces; publish dashboards/alerts. Dependencies: AIAI-31-004..006. | Advisory AI Guild, Observability Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-008 | TODO | Package inference on-prem container, remote inference toggle, Helm/Compose manifests, scaling guidance, offline kit instructions. Dependencies: AIAI-31-006..007. | Advisory AI Guild, DevOps Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-009 | TODO | Develop unit/golden/property/perf tests, injection harness, and regression suite; ensure determinism with seeded caches. Dependencies: AIAI-31-001..006. | Advisory AI Guild, QA Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |

[Ingestion & Evidence] 110.B) Concelier.I
Depends on: Sprint 100.A - Attestor
Summary: Ingestion & Evidence focus on Concelier (phase I).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| CONCELIER-AIAI-31-001 Paragraph anchors | TODO | Expose advisory chunk API returning paragraph anchors, section metadata, and token-safe text for Advisory AI retrieval. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-AIAI-31-002 Structured fields | TODO | Ensure observation APIs expose upstream workaround/fix/CVSS fields with provenance; add caching for summary queries. Dependencies: CONCELIER-AIAI-31-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-AIAI-31-003 Advisory AI telemetry | TODO | Emit metrics/logs for chunk requests, cache hits, and guardrail blocks triggered by advisory payloads. Dependencies: CONCELIER-AIAI-31-001. | Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-AIRGAP-56-001 Mirror ingestion adapters | TODO | Add mirror source adapters reading advisories from imported bundles, preserving source metadata and bundle IDs. Ensure ingestion remains append-only. Dependencies: AIRGAP-IMP-57-002, MIRROR-CRT-56-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-AIRGAP-56-002 Bundle catalog linking | TODO | Persist bundle_id, merkle_root, and time anchor references on observations/linksets for provenance. Dependencies: CONCELIER-AIRGAP-56-001, AIRGAP-IMP-57-001. | Concelier Core Guild, AirGap Importer Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-AIRGAP-57-001 Sealed-mode source restrictions | TODO | Enforce sealed-mode egress rules by disallowing non-mirror connectors and surfacing remediation errors. Dependencies: CONCELIER-AIRGAP-56-001, AIRGAP-POL-56-001. | Concelier Core Guild, AirGap Policy Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-AIRGAP-57-002 Staleness annotations | TODO | Compute staleness metadata for advisories per bundle and expose via API for Console/CLI badges. Dependencies: CONCELIER-AIRGAP-56-002, AIRGAP-TIME-58-001. | Concelier Core Guild, AirGap Time Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-AIRGAP-58-001 Portable advisory evidence | TODO | Package advisory evidence fragments into portable evidence bundles for cross-domain transfer. Dependencies: CONCELIER-OBS-53-001, EVID-OBS-54-001. | Concelier Core Guild, Evidence Locker Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-ATTEST-73-001 ScanResults attestation inputs | TODO | Provide observation artifacts and linkset digests needed for ScanResults attestations (raw data + provenance, no merge outputs). Dependencies: ATTEST-TYPES-72-001. | Concelier Core Guild, Attestor Service Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-ATTEST-73-002 Transparency metadata | TODO | Ensure Concelier exposes source digests for transparency proofs and explainability. Dependencies: CONCELIER-ATTEST-73-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-CONSOLE-23-001 Advisory aggregation views | TODO | Expose /console/advisories endpoints returning aggregation groups (per linkset) with source chips, provider-reported severity columns (no local consensus), and provenance metadata for Console list + dashboard cards. Support filters by source, ecosystem, published/modified window, tenant enforcement. Dependencies: CONCELIER-LNM-21-201, CONCELIER-LNM-21-202. | Concelier WebService Guild, BE-Base Platform Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-CONSOLE-23-002 Dashboard deltas API | TODO | Provide aggregated advisory delta counts (new, modified, conflicting) for Console dashboard + live status ticker; emit structured events for queue lag metrics. Ensure deterministic counts across repeated queries. Dependencies: CONCELIER-CONSOLE-23-001, CONCELIER-LNM-21-203. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-CONSOLE-23-003 Search fan-out helpers | TODO | Deliver fast lookup endpoints for CVE/GHSA/purl search (linksets, observations) returning evidence fragments for Console global search; implement caching + scope guards. Dependencies: CONCELIER-CONSOLE-23-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-CORE-AOC-19-004 Remove ingestion normalization | DOING (2025-10-28) | Strip normalization/dedup/severity logic from ingestion pipelines, delegate derived computations to Policy Engine, and update exporters/tests to consume raw documents only. 2025-10-29 19:05Z: Audit completed for AdvisoryRawService/Mongo repo to confirm alias order/dedup removal persists; identified remaining normalization in observation/linkset factory that will be revised to surface raw duplicates for Policy ingestion. Change sketch + regression matrix drafted under docs/dev/aoc-normalization-removal-notes.md (pending commit). 2025-10-31 20:45Z: Added raw linkset projection to observations/storage, exposing canonical+raw views, refreshed fixtures/tests, and documented behaviour in models/doc factory. 2025-10-31 21:10Z: Coordinated with Policy Engine (POLICY-ENGINE-20-003) on adoption timeline; backfill + consumer readiness tracked in docs/dev/raw-linkset-backfill-plan.md. Dependencies: CONCELIER-CORE-AOC-19-002, POLICY-AOC-19-003. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-CORE-AOC-19-013 Authority tenant scope smoke coverage | TODO | Extend Concelier smoke/e2e fixtures to configure requiredTenants and assert cross-tenant rejection with updated Authority tokens. Dependencies: AUTH-AOC-19-002. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |

[Ingestion & Evidence] 110.B) Concelier.II
Depends on: Sprint 110.B - Concelier.I
Summary: Ingestion & Evidence focus on Concelier (phase II).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| CONCELIER-GRAPH-21-001 SBOM projection enrichment | BLOCKED (2025-10-27) | Extend SBOM normalization to emit full relationship graph (depends_on/contains/provides), scope tags, entrypoint annotations, and component metadata required by Cartographer. | Concelier Core Guild, Cartographer Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-GRAPH-21-002 Change events | BLOCKED (2025-10-27) | Publish change events (new SBOM version, relationship delta) for Cartographer build queue; ensure events include tenant/context metadata. Dependencies: CONCELIER-GRAPH-21-001. | Concelier Core Guild, Scheduler Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-GRAPH-24-101 Advisory summary API | TODO | Expose /advisories/summary returning raw linkset/observation metadata for overlay services; no derived severity or fix hints. Dependencies: CONCELIER-GRAPH-21-002. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-GRAPH-28-102 Evidence batch API | TODO | Add batch fetch for advisory observations/linksets keyed by component sets to feed Graph overlay tooltips efficiently. Dependencies: CONCELIER-GRAPH-24-101. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-LNM-21-001 Advisory observation schema | TODO | Introduce immutable advisory_observations model with AOC metadata, raw payload pointers, structured per-source fields (version ranges, severity, CVSS), and tenancy guardrails; publish schema definition. DOCS-LNM-22-001 blocked pending this deliverable. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-LNM-21-002 Linkset builder | TODO | Implement correlation pipeline (alias graph, PURL overlap, CVSS vector equality, fuzzy title match) that produces advisory_linksets with confidence + conflict annotations. Docs note: unblock DOCS-LNM-22-001 once builder lands. Dependencies: CONCELIER-LNM-21-001. | Concelier Core Guild, Data Science Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-LNM-21-003 Conflict annotator | TODO | Detect field disagreements (severity, CVSS, ranges, references) and record structured conflicts on linksets; surface to API/UI. Docs awaiting structured conflict payloads. Dependencies: CONCELIER-LNM-21-002. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-LNM-21-004 Merge code removal | TODO | Excise existing merge/dedup logic, enforce immutability on observations, and add guards/tests to prevent future merges. Dependencies: CONCELIER-LNM-21-003. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-LNM-21-005 Event emission | TODO | Emit advisory.linkset.updated events with delta payloads for downstream Policy Engine/Cartographer consumers; ensure idempotent delivery. Dependencies: CONCELIER-LNM-21-004. | Concelier Core Guild, Platform Events Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-LNM-21-101 Observations collections | TODO | Provision advisory_observations and advisory_linksets collections with hashed shard keys, TTL for ingest metadata, and required indexes (aliases, purls, observation_ids). Dependencies: CONCELIER-LNM-21-005. | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md) |
| CONCELIER-LNM-21-102 Migration tooling | TODO | Backfill legacy merged advisories into observation/linkset collections, create tombstones for merged docs, and supply rollback scripts. Dependencies: CONCELIER-LNM-21-101. | Concelier Storage Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md) |
| CONCELIER-LNM-21-103 Blob/store wiring | TODO | Store large raw payloads in object storage with pointers from observations; update bootstrapper/offline kit to seed sample blobs. Dependencies: CONCELIER-LNM-21-102. | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md) |
| CONCELIER-LNM-21-201 Observation APIs | TODO | Add REST endpoints for advisory observations (GET /advisories/observations) with filters (alias, purl, source), pagination, and tenancy enforcement. Dependencies: CONCELIER-LNM-21-103. | Concelier WebService Guild, BE-Base Platform Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-LNM-21-202 Linkset APIs | TODO | Implement linkset read/export endpoints (/advisories/linksets/{id}, /advisories/by-purl/{purl}, /advisories/linksets/{id}/export, /evidence) with correlation/conflict payloads and ERR_AGG_* mapping. Dependencies: CONCELIER-LNM-21-201. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-LNM-21-203 Ingest events | TODO | Publish NATS/Redis events for new observations/linksets and ensure idempotent consumer contracts; document event schemas. Dependencies: CONCELIER-LNM-21-202. | Concelier WebService Guild, Platform Events Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |

[Ingestion & Evidence] 110.B) Concelier.III
Depends on: Sprint 110.B - Concelier.II
Summary: Ingestion & Evidence focus on Concelier (phase III).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| CONCELIER-OAS-61-001 Spec coverage | TODO | Update Concelier OAS with advisory observation/linkset endpoints, standard pagination, and source provenance fields. | Concelier Core Guild, API Contracts Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OAS-61-002 Examples library | TODO | Provide rich examples for advisories, linksets, conflict annotations used by SDK + docs. Dependencies: CONCELIER-OAS-61-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OAS-62-001 SDK smoke tests | TODO | Add SDK tests covering advisory search, pagination, and conflict handling; ensure source metadata surfaced. Dependencies: CONCELIER-OAS-61-002. | Concelier Core Guild, SDK Generator Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OAS-63-001 Deprecation headers | TODO | Implement deprecation header support and timeline events for retiring endpoints. Dependencies: CONCELIER-OAS-62-001. | Concelier Core Guild, API Governance Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OBS-50-001 Telemetry adoption | TODO | Replace ad-hoc logging with telemetry core across ingestion/linking pipelines; ensure spans/logs include tenant, source vendor, upstream id, content hash, and trace IDs. | Concelier Core Guild, Observability Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OBS-51-001 Metrics & SLOs | TODO | Emit metrics for ingest latency (cold/warm), queue depth, aoc violation rate, and publish SLO burn-rate alerts (ingest P95 <30s cold / <5s warm). Ship dashboards + alert configs. Dependencies: CONCELIER-OBS-50-001. | Concelier Core Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OBS-52-001 Timeline events | TODO | Emit timeline_event records for advisory ingest/normalization/linkset creation with provenance, trace IDs, conflict summaries, and evidence placeholders. Dependencies: CONCELIER-OBS-51-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OBS-53-001 Evidence snapshots | TODO | Produce advisory evaluation bundle payloads (raw doc, linkset, normalization diff) for evidence locker; ensure Merkle manifests seeded with content hashes. Dependencies: CONCELIER-OBS-52-001. | Concelier Core Guild, Evidence Locker Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OBS-54-001 Attestation & verification | TODO | Attach DSSE attestations for advisory processing batches, expose verification API to confirm bundle integrity, and link attestation IDs back to timeline + ledger. Dependencies: CONCELIER-OBS-53-001. | Concelier Core Guild, Provenance Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OBS-55-001 Incident mode hooks | TODO | Increase sampling, capture raw payload snapshots, and extend retention under incident mode; emit activation events + guardrails against PII leak. Dependencies: CONCELIER-OBS-54-001. | Concelier Core Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-ORCH-32-001 Source registry integration | TODO | Register Concelier data sources with orchestrator (metadata, schedules, rate policies) and wire provenance IDs/security scopes. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-ORCH-32-002 Worker SDK adoption | TODO | Embed orchestrator worker SDK in ingestion loops, emit heartbeats/progress/artifact hashes, and enforce idempotency keys. Dependencies: CONCELIER-ORCH-32-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-ORCH-33-001 Control hook compliance | TODO | Honor orchestrator throttle/pause/retry actions, surface structured error classes, and persist safe checkpoints for resume. Dependencies: CONCELIER-ORCH-32-002. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-ORCH-34-001 Backfill + ledger linkage | TODO | Execute orchestrator-driven backfills, reuse artifact hashes to avoid duplicates, and link provenance to run ledger exports. Dependencies: CONCELIER-ORCH-33-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-POLICY-20-001 Policy selection endpoints | TODO | Add batch advisory lookup APIs (/policy/select/advisories, /policy/select/vex) optimized for PURL/ID lists with pagination, tenant scoping, and explain metadata. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |

[Ingestion & Evidence] 110.B) Concelier.IV
Depends on: Sprint 110.B - Concelier.III
Summary: Ingestion & Evidence focus on Concelier (phase IV).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| CONCELIER-POLICY-20-002 Linkset enrichment for policy | TODO | Strengthen linkset builders with vendor-specific equivalence tables, NEVRA/PURL normalization, and version range parsing to maximize policy join recall; update fixtures + docs. Dependencies: CONCELIER-POLICY-20-001. | Concelier Core Guild, Policy Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-POLICY-20-003 Selection cursors | TODO | Add advisory/vex selection cursors (per policy run) with change stream checkpoints, indexes, and offline migration scripts to support incremental evaluations. Dependencies: CONCELIER-POLICY-20-002. | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md) |
| CONCELIER-POLICY-23-001 Evidence indexes | TODO | Add secondary indexes/materialized views to accelerate policy lookups (alias, provider severity per observation, correlation confidence). Document query contracts for runtime. Dependencies: CONCELIER-POLICY-20-003. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-POLICY-23-002 Event guarantees | TODO | Ensure advisory.linkset.updated emits at-least-once with idempotent keys and include policy-relevant metadata (confidence, conflict summary). Dependencies: CONCELIER-POLICY-23-001. | Concelier Core Guild, Platform Events Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-RISK-66-001 CVSS/KEV providers | TODO | Expose CVSS, KEV, fix availability data via provider APIs with source metadata preserved. Dependencies: RISK-ENGINE-67-001. | Concelier Core Guild, Risk Engine Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-RISK-66-002 Fix availability signals | TODO | Provide structured fix availability and release metadata consumable by risk engine; document provenance. Dependencies: CONCELIER-RISK-66-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-RISK-67-001 Source coverage metrics | TODO | Add per-source coverage metrics for linked advisories (observation counts, conflicting statuses) without computing consensus scores; ensure explainability includes source digests. Dependencies: CONCELIER-RISK-66-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-RISK-68-001 Policy Studio integration | TODO | Surface advisory fields in Policy Studio profile editor (signal pickers, reducers). Dependencies: POLICY-RISK-68-001. | Concelier Core Guild, Policy Studio Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-RISK-69-001 Notification hooks | TODO | Emit events when advisory signals change impacting risk scores (e.g., fix available). Dependencies: CONCELIER-RISK-66-002. | Concelier Core Guild, Notifications Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-SIG-26-001 Vulnerable symbol exposure | TODO | Expose advisory metadata (affected symbols/functions) via API to enrich reachability scoring; update fixtures. Dependencies: SIGNALS-24-002. | Concelier Core Guild, Signals Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-STORE-AOC-19-005 Raw linkset backfill | TODO (2025-11-04) | Plan and execute advisory_observations rawLinkset backfill (online + Offline Kit bundles), supply migration scripts + rehearse rollback. Follow the coordination plan in docs/dev/raw-linkset-backfill-plan.md. Dependencies: CONCELIER-CORE-AOC-19-004. | Concelier Storage Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md) |
| CONCELIER-TEN-48-001 Tenant-aware linking | TODO | Ensure advisory normalization/linking runs per tenant with RLS enforcing isolation; emit capability endpoint reporting merge=false; update events with tenant context. Dependencies: AUTH-TEN-47-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-VEXLENS-30-001 Advisory rationale bridges | TODO | Guarantee advisory key consistency and cross-links for consensus rationale; Label: VEX-Lens. Dependencies: CONCELIER-VULN-29-001, VEXLENS-30-005. | Concelier WebService Guild, VEX Lens Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-VULN-29-001 Advisory key canonicalization | TODO | Canonicalize (lossless) advisory identifiers (CVE/GHSA/vendor) into advisory_key, persist links[], expose raw payload snapshots for Explorer evidence tabs; AOC-compliant: no merge, no derived fields, no suppression. Include migration/backfill scripts. Dependencies: CONCELIER-LNM-21-001. | Concelier WebService Guild, Data Integrity Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-VULN-29-002 Evidence retrieval API | TODO | Provide /vuln/evidence/advisories/{advisory_key} returning raw advisory docs with provenance, filtering by tenant and source. Dependencies: CONCELIER-VULN-29-001, VULN-API-29-003. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |

[Ingestion & Evidence] 110.B) Concelier.V
Depends on: Sprint 110.B - Concelier.IV
Summary: Ingestion & Evidence focus on Concelier (phase V).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| CONCELIER-VULN-29-004 Observability enhancements | TODO | Instrument metrics/logs for observation + linkset pipelines (identifier collisions, withdrawn flags) and emit events consumed by Vuln Explorer resolver. Dependencies: CONCELIER-VULN-29-001. | Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-AIRGAP-56-001 Mirror import APIs | TODO | Extend ingestion endpoints to register mirror bundle sources, expose bundle catalog queries, and block external feed URLs in sealed mode. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-AIRGAP-56-002 Airgap status surfaces | TODO | Add staleness metadata and bundle provenance to advisory APIs (/advisories/observations, /advisories/linksets). Dependencies: CONCELIER-WEB-AIRGAP-56-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-AIRGAP-57-001 Error remediation | TODO | Map sealed-mode violations to AIRGAP_EGRESS_BLOCKED responses with user guidance. Dependencies: CONCELIER-WEB-AIRGAP-56-002. | Concelier WebService Guild, AirGap Policy Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-AIRGAP-58-001 Import timeline emission | TODO | Emit timeline events for bundle ingestion operations with bundle ID, scope, and actor metadata. Dependencies: CONCELIER-WEB-AIRGAP-57-001. | Concelier WebService Guild, AirGap Importer Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-AOC-19-002 AOC observability | TODO | Emit ingestion_write_total, aoc_violation_total, latency histograms, and tracing spans (ingest.fetch/transform/write, aoc.guard). Wire structured logging to include tenant, source vendor, upstream id, and content hash. | Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-AOC-19-003 Schema/guard unit tests | TODO | Add unit tests covering schema validation failures, forbidden field rejections (ERR_AOC_001/002/006/007), idempotent upserts, and supersedes chains using deterministic fixtures. Dependencies: CONCELIER-WEB-AOC-19-002. | QA Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-AOC-19-004 End-to-end ingest verification | TODO | Create integration tests ingesting large advisory batches (cold/warm) validating linkset enrichment, metrics emission, and reproducible outputs. Capture load-test scripts + doc notes for Offline Kit dry runs. Dependencies: CONCELIER-WEB-AOC-19-003. | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OAS-61-001 /.well-known/openapi | DONE (2025-11-02) | Implement discovery endpoint emitting Concelier spec with version metadata and ETag. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OAS-61-002 Error envelope migration | TODO | Ensure all API responses use standardized error envelope; update controllers/tests. Dependencies: CONCELIER-WEB-OAS-61-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OAS-62-001 Examples expansion | TODO | Add curated examples for advisory observations/linksets/conflicts; integrate into dev portal. Dependencies: CONCELIER-WEB-OAS-61-002. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OAS-63-001 Deprecation headers | TODO | Add Sunset/Deprecation headers for retiring endpoints and update documentation/notifications. Dependencies: CONCELIER-WEB-OAS-62-001. | Concelier WebService Guild, API Governance Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OBS-50-001 Telemetry adoption | TODO | Adopt telemetry core in web service host, ensure ingest + read endpoints emit trace/log fields (tenant_id, route, decision_effect), and add correlation IDs to responses. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OBS-51-001 Observability APIs | TODO | Surface ingest health metrics, queue depth, and SLO status via /obs/concelier/health endpoint for Console widgets, with caching and tenant partitioning. Dependencies: CONCELIER-WEB-OBS-50-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OBS-52-001 Timeline streaming | TODO | Provide SSE stream /obs/concelier/timeline bridging to Timeline Indexer with paging tokens, guardrails, and audit logging. Dependencies: CONCELIER-WEB-OBS-51-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |

[Ingestion & Evidence] 110.B) Concelier.VI
Depends on: Sprint 110.B - Concelier.V
Summary: Ingestion & Evidence focus on Concelier (phase VI).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| CONCELIER-WEB-OBS-53-001 Evidence locker integration | TODO | Add /evidence/advisories/* routes invoking evidence locker snapshots, verifying tenant scopes (evidence:read), and returning signed manifest metadata. Dependencies: CONCELIER-WEB-OBS-52-001. | Concelier WebService Guild, Evidence Locker Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OBS-54-001 Attestation exposure | TODO | Provide /attestations/advisories/* read APIs surfacing DSSE status, verification summary, and provenance chain for Console/CLI. Dependencies: CONCELIER-WEB-OBS-53-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OBS-55-001 Incident mode toggles | TODO | Implement incident mode toggle endpoints, propagate to orchestrator/locker, and document cooldown/backoff semantics. Dependencies: CONCELIER-WEB-OBS-54-001. | Concelier WebService Guild, DevOps Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| FEEDCONN-CCCS-02-009 Version range provenance (Oct 2025) | BE-Conn-CCCS | TODO (due 2025-10-21) – Map CCCS advisories into the new advisory_observations.affected.versions[] structure, preserving each upstream range with provenance anchors (cccs:{serial}:{index}) and normalized comparison keys. Update mapper tests/fixtures for the Link-Not-Merge schema and verify linkset builders consume the ranges without relying on legacy merge counters.2025-10-29: docs/dev/normalized-rule-recipes.md now documents helper snippets for building observation version entries—use them instead of merge-specific builders and refresh fixtures with UPDATE_CCCS_FIXTURES=1. |
CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs/TASKS.md) |
| FEEDCONN-CERTBUND-02-010 Version range provenance | BE-Conn-CERTBUND | TODO (due 2025-10-22) – Translate product.Versions phrases (e.g., 2023.1 bis 2024.2, alle) into comparison helpers for advisory_observations.affected.versions[], capturing provenance (certbund:{advisoryId}:{vendor}) and localisation notes. Update mapper/tests for the Link-Not-Merge schema and refresh documentation accordingly. |
CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund/TASKS.md) |
| FEEDCONN-CISCO-02-009 SemVer range provenance | BE-Conn-Cisco | TODO (due 2025-10-21) – Emit Cisco SemVer ranges into advisory_observations.affected.versions[] with provenance identifiers (cisco:{productId}) and deterministic comparison keys. Update mapper/tests for the Link-Not-Merge schema and replace legacy merge counter checks with observation/linkset validation. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco/TASKS.md) |
| FEEDCONN-ICSCISA-02-012 Version range provenance | BE-Conn-ICS-CISA | TODO (due 2025-10-23) – Promote existing firmware/semver data into advisory_observations.affected.versions[] entries with deterministic comparison keys and provenance identifiers (ics-cisa:{advisoryId}:{product}). Add regression coverage for mixed firmware strings and raise a Models ticket only when observation schema needs a new comparison helper. 2025-10-29: Follow docs/dev/normalized-rule-recipes.md §2 to build observation version entries and log failures without invoking the retired merge helpers. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Cisa/TASKS.md) |
| FEEDCONN-KISA-02-008 Firmware range provenance | BE-Conn-KISA, Models | TODO (due 2025-10-24) – Define comparison helpers for Hangul-labelled firmware ranges (XFU 1.0.1.0084 ~ 2.0.1.0034) and map them into advisory_observations.affected.versions[] with provenance tags. Coordinate with Models only if a new comparison scheme is required, then update localisation notes and fixtures for the Link-Not-Merge schema. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kisa/TASKS.md) |
| FEEDCONN-SHARED-STATE-003 Source state seeding helper | Tools Guild, BE-Conn-MSRC | DOING (2025-10-19) – Provide a reusable CLI/utility to seed pendingDocuments/pendingMappings for connectors (MSRC backfills require scripted CVRF + detail injection). Coordinate with MSRC team for expected JSON schema and handoff once prototype lands. Prereqs confirmed none (2025-10-19). | Tools (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Common/TASKS.md) |
| FEEDMERGE-COORD-02-901 Connector deadline check-ins | BE-Merge | TODO (due 2025-10-21) – Confirm Cccs/Cisco version-provenance updates land, capture LinksetVersionCoverage dashboard snapshots (expect zero missing-range warnings), and update coordination docs with the results. 2025-10-29: Observation metrics now surface version_entries_total/missing_version_entries_total; include screenshots for both when closing this task. | FEEDMERGE-COORD-02-900 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) |
| FEEDMERGE-COORD-02-902 ICS-CISA version comparison support | BE-Merge, Models | TODO (due 2025-10-23) – Review ICS-CISA sample advisories, validate reuse of existing comparison helpers, and pre-stage Models ticket template only if a new firmware comparator is required. Document the outcome and observation coverage logs in coordination docs + tracker files. 2025-10-29: docs/dev/normalized-rule-recipes.md (§2–§3) now covers observation entries; attach decision summary + log sample when handing off to Models. Dependencies: FEEDMERGE-COORD-02-901. | FEEDMERGE-COORD-02-900 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) |
| FEEDMERGE-COORD-02-903 KISA firmware scheme review | BE-Merge, Models | TODO (due 2025-10-24) – Pair with KISA team on proposed firmware comparison helper (kisa.build or variant), ensure observation mapper alignment, and open Models ticket only if a new comparator is required. Log the final helper signature and observation coverage metrics in coordination docs + tracker files. Dependencies: FEEDMERGE-COORD-02-902. | FEEDMERGE-COORD-02-900 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) |
| Fixture validation sweep | QA | DOING (2025-10-19) – Prereqs confirmed none; continuing RHSA fixture regeneration and diff review alongside mapper provenance updates. 2025-10-29: Added scripts/update-redhat-fixtures.sh to regenerate golden snapshots with UPDATE_GOLDENS=1; run it before reviews to capture CSAF contract deltas. | None (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.RedHat/TASKS.md) |
| Link-Not-Merge version provenance coordination | BE-Merge | DOING – Coordinate remaining connectors (Acsc, Cccs, CertBund, CertCc, Cve, Ghsa, Ics.Cisa, Kisa, Ru.Bdu, Ru.Nkcki, Vndr.Apple, Vndr.Cisco, Vndr.Msrc) so they emit advisory_observations.affected.versions[] entries with provenance tags and deterministic comparison keys. Track rollout status in docs/dev/normalized-rule-recipes.md (now updated for Link-Not-Merge) and retire the legacy merge counters as coverage transitions to linkset validation metrics. 2025-10-29: Added new guidance in the doc for recording observation version metadata and logging gaps via LinksetVersionCoverage warnings to replace prior concelier.merge.normalized_rules* alerts. Dependencies: CONCELIER-LNM-21-203. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) |
| MERGE-LNM-21-001 Migration plan authoring | BE-Merge, Architecture Guild | Draft no-merge migration playbook, documenting backfill strategy, feature flag rollout, and rollback steps for legacy merge pipeline deprecation. | CONCELIER-LNM-21-101 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) |
[Ingestion & Evidence] 110.B) Concelier.VII Depends on: Sprint 110.B - Concelier.VI Summary: Ingestion & Evidence focus on Concelier (phase VII).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| MERGE-LNM-21-002 Merge service deprecation | BE-Merge | Refactor or retire AdvisoryMergeService and related pipelines, ensuring callers transition to observation/linkset APIs; add compile-time analyzer preventing merge service usage. Dependencies: MERGE-LNM-21-001. | MERGE-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) |
| MERGE-LNM-21-003 Determinism/test updates | QA Guild, BE-Merge | Replace merge determinism suites with observation/linkset regression tests verifying no data mutation and conflicts remain visible. Dependencies: MERGE-LNM-21-002. | MERGE-LNM-21-002 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) |
[Ingestion & Evidence] 110.C) Excititor.I Depends on: Sprint 100.A - Attestor Summary: Ingestion & Evidence focus on Excititor (phase I).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EXCITITOR-AIAI-31-001 Justification enrichment | TODO | Expose normalized VEX justifications, product trees, and paragraph anchors for Advisory AI conflict explanations. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-AIAI-31-002 VEX chunk API | TODO | Provide /vex/evidence/chunks endpoint returning tenant-scoped VEX statements with signature metadata and scope scores for RAG. Dependencies: EXCITITOR-AIAI-31-001. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-AIAI-31-003 Telemetry | TODO | Emit metrics/logs for VEX chunk usage, signature verification failures, and guardrail triggers. Dependencies: EXCITITOR-AIAI-31-002. | Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-AIRGAP-56-001 Mirror ingestion adapters | TODO | Add mirror-based VEX ingestion, preserving statement digests and bundle IDs. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-AIRGAP-56-002 Bundle provenance | TODO | Persist bundle metadata on VEX observations/linksets with provenance references. Dependencies: EXCITITOR-AIRGAP-56-001. | Excititor Core Guild, AirGap Importer Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-AIRGAP-57-001 Sealed-mode enforcement | TODO | Block non-mirror connectors in sealed mode and surface remediation errors. Dependencies: EXCITITOR-AIRGAP-56-002. | Excititor Core Guild, AirGap Policy Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-AIRGAP-57-002 Staleness annotations | TODO | Annotate VEX statements with staleness metrics and expose via API. Dependencies: EXCITITOR-AIRGAP-57-001. | Excititor Core Guild, AirGap Time Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-AIRGAP-58-001 Portable VEX evidence | TODO | Package VEX evidence segments into portable evidence bundles linked to timeline. Dependencies: EXCITITOR-AIRGAP-57-002. | Excititor Core Guild, Evidence Locker Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-ATTEST-01-003 – Verification suite & observability | Team Excititor Attestation | DOING (2025-10-22) – Continuing implementation: build IVexAttestationVerifier, wire metrics/logging, and add regression tests. Draft plan in EXCITITOR-ATTEST-01-003-plan.md (2025-10-19) guides scope; updating with worknotes as progress lands. 2025-10-31: Verifier now tolerates duplicate source providers from AOC raw projections, downgrades offline Rekor verification to a degraded result, and enforces trusted signer registry checks with detailed diagnostics/tests. | EXCITITOR-ATTEST-01-002 (src/Excititor/__Libraries/StellaOps.Excititor.Attestation/TASKS.md) |
| EXCITITOR-ATTEST-73-001 VEX attestation payloads | TODO | Provide VEX statement metadata (supplier identity, justification, scope) required for VEXAttestation payloads. Dependencies: EXCITITOR-ATTEST-01-003. | Excititor Core Guild, Attestation Payloads Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-ATTEST-73-002 Chain provenance | TODO | Expose linkage from VEX statements to subject/product for chain of custody graph. Dependencies: EXCITITOR-ATTEST-73-001. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-CONN-MS-01-003 – Trust metadata & provenance hints | Team Excititor Connectors – MSRC | TODO – Emit cosign/AAD issuer metadata, attach provenance details, and document policy integration. | EXCITITOR-CONN-MS-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/TASKS.md) |
| EXCITITOR-CONN-ORACLE-01-003 – Trust provenance enrichment | Team Excititor Connectors – Oracle | TODO – Emit Oracle signing metadata (PGP/cosign fingerprint list, issuer trust tier) into raw provenance so downstream services can evaluate trust. Connector must not apply consensus weighting during ingestion. | EXCITITOR-CONN-ORACLE-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md) |
| EXCITITOR-CONN-STELLA-07-002 | TODO | Parse mirror bundles into raw VexClaim batches, preserving original provider metadata and mirror provenance without applying consensus or weighting. | Excititor Connectors – Stella (src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md) |
| EXCITITOR-CONN-STELLA-07-003 | TODO | Implement incremental cursor handling per-export digest for raw claim replays, support resume, and document configuration for downstream Excititor mirrors. Dependencies: EXCITITOR-CONN-STELLA-07-002. | Excititor Connectors – Stella (src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md) |
[Ingestion & Evidence] 110.C) Excititor.II Depends on: Sprint 110.C - Excititor.I Summary: Ingestion & Evidence focus on Excititor (phase II).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EXCITITOR-CONN-SUSE-01-003 – Trust metadata provenance | Team Excititor Connectors – SUSE | TODO – Emit provider trust configuration (signer fingerprints, trust tier notes) into the raw provenance envelope so downstream VEX Lens/Policy components can weigh issuers. Connector must not apply weighting or consensus inside ingestion. | EXCITITOR-CONN-SUSE-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md) |
| EXCITITOR-CONN-UBUNTU-01-003 – Trust provenance enrichment | Team Excititor Connectors – Ubuntu | TODO – Emit Ubuntu signing metadata (GPG fingerprints, issuer trust tier) inside raw provenance artifacts so downstream Policy/VEX Lens consumers can weigh issuers. Connector must remain aggregation-only with no inline weighting. | EXCITITOR-CONN-UBUNTU-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md) |
| EXCITITOR-CONSOLE-23-001 VEX aggregation views | TODO | Expose /console/vex endpoints returning grouped VEX statements per advisory/component with status chips, justification metadata, precedence trace pointers, and tenant-scoped filters for Console explorer. Dependencies: EXCITITOR-LNM-21-201, EXCITITOR-LNM-21-202. | Excititor WebService Guild, BE-Base Platform Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-CONSOLE-23-002 Dashboard VEX deltas | TODO | Provide aggregated counts for VEX overrides (new, not_affected, revoked) powering Console dashboard + live status ticker; emit metrics for policy explain integration. Dependencies: EXCITITOR-CONSOLE-23-001, EXCITITOR-LNM-21-203. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-CONSOLE-23-003 VEX search helpers | TODO | Deliver rapid lookup endpoints of VEX by advisory/component for Console global search; ensure response includes provenance and precedence context; include caching and RBAC. Dependencies: EXCITITOR-CONSOLE-23-001. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-CORE-AOC-19-002 VEX linkset extraction | TODO | Implement deterministic extraction of advisory IDs, component PURLs, and references into linkset, capturing reconciled-from metadata for traceability. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-CORE-AOC-19-003 Idempotent VEX raw upsert | TODO | Enforce (vendor, upstreamId, contentHash, tenant) uniqueness, generate supersedes chains, and ensure append-only versioning of raw VEX documents. Dependencies: EXCITITOR-CORE-AOC-19-002. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-CORE-AOC-19-004 Remove ingestion consensus | TODO | Excise consensus/merge/severity logic from Excititor ingestion paths, updating exports/tests to rely on Policy Engine materializations instead. Dependencies: EXCITITOR-CORE-AOC-19-003. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-CORE-AOC-19-013 Authority tenant scope smoke coverage | TODO | Update Excititor smoke/e2e suites to seed tenant-aware Authority clients and ensure cross-tenant VEX ingestion is rejected. Dependencies: EXCITITOR-CORE-AOC-19-004. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-GRAPH-21-001 Inspector linkouts | BLOCKED (2025-10-27) | Provide batched VEX/advisory reference fetches keyed by graph node PURLs so UI inspector can display raw documents and justification metadata. | Excititor Core Guild, Cartographer Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-GRAPH-21-002 Overlay enrichment | BLOCKED (2025-10-27) | Ensure overlay metadata includes VEX justification summaries and document versions for Cartographer overlays; update fixtures/tests. Dependencies: EXCITITOR-GRAPH-21-001. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-GRAPH-21-005 Inspector indexes | BLOCKED (2025-10-27) | Add indexes/materialized views for VEX lookups by PURL/policy to support Cartographer inspector performance; document migrations. Dependencies: EXCITITOR-GRAPH-21-002. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-GRAPH-24-101 VEX summary API | TODO | Provide endpoints delivering VEX status summaries per component/asset for Vuln Explorer integration. Dependencies: EXCITITOR-GRAPH-21-005. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-GRAPH-24-102 Evidence batch API | TODO | Add batch VEX observation retrieval optimized for Graph overlays/tooltips. Dependencies: EXCITITOR-GRAPH-24-101. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-LNM-21-001 VEX observation model | TODO | Define immutable vex_observations schema capturing raw statements, product PURLs, justification, and AOC metadata. DOCS-LNM-22-002 blocked pending this schema. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
[Ingestion & Evidence] 110.C) Excititor.III Depends on: Sprint 110.C - Excititor.II Summary: Ingestion & Evidence focus on Excititor (phase III).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EXCITITOR-LNM-21-002 Linkset correlator | TODO | Build correlation pipeline combining alias + product PURL signals to form vex_linksets with confidence metrics. Docs waiting to finalize VEX aggregation guide. Dependencies: EXCITITOR-LNM-21-001. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-LNM-21-003 Conflict annotator | TODO | Record status/justification disagreements within linksets and expose structured conflicts. Provide structured payloads for DOCS-LNM-22-002. Dependencies: EXCITITOR-LNM-21-002. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-LNM-21-004 Merge removal | TODO | Remove legacy VEX merge logic, enforce immutability, and add guards/tests to prevent future merges. Dependencies: EXCITITOR-LNM-21-003. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-LNM-21-005 Event emission | TODO | Emit vex.linkset.updated events for downstream consumers with delta descriptions and tenant context. Dependencies: EXCITITOR-LNM-21-004. | Excititor Core Guild, Platform Events Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-LNM-21-101 Observations collections | TODO | Provision vex_observations/vex_linksets collections with shard keys, indexes over aliases & product PURLs, and multi-tenant guards. Dependencies: EXCITITOR-LNM-21-005. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-LNM-21-102 Migration/backfill | TODO | Backfill legacy merged VEX docs into observations/linksets, add provenance notes, and produce rollback scripts. Dependencies: EXCITITOR-LNM-21-101. | Excititor Storage Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-LNM-21-201 Observation APIs | TODO | Add VEX observation read endpoints with filters, pagination, RBAC, and tenant scoping. Dependencies: EXCITITOR-LNM-21-102. | Excititor WebService Guild, BE-Base Platform Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-LNM-21-202 Linkset APIs | TODO | Implement linkset read/export/evidence endpoints returning correlation/conflict payloads and map errors to ERR_AGG_*. Dependencies: EXCITITOR-LNM-21-201. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-LNM-21-203 Event publishing | TODO | Publish vex.linkset.updated events, document schema, and ensure idempotent delivery. Dependencies: EXCITITOR-LNM-21-202. | Excititor WebService Guild, Platform Events Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-OAS-61-001 Spec coverage | TODO | Update VEX OAS to include observation/linkset endpoints with provenance fields and examples. | Excititor Core Guild, API Contracts Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OAS-61-002 Example catalog | TODO | Provide examples for VEX justifications, statuses, conflicts; ensure SDK docs reference them. Dependencies: EXCITITOR-OAS-61-001. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OAS-62-001 SDK smoke tests | TODO | Add SDK scenarios for VEX observation queries and conflict handling to language smoke suites. Dependencies: EXCITITOR-OAS-61-002. | Excititor Core Guild, SDK Generator Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OAS-63-001 Deprecation headers | TODO | Add deprecation metadata and notifications for legacy VEX routes. Dependencies: EXCITITOR-OAS-62-001. | Excititor Core Guild, API Governance Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OBS-50-001 Telemetry adoption | TODO | Integrate telemetry core across VEX ingestion/linking, ensuring spans/logs capture tenant, product scope, upstream id, justification hash, and trace IDs. | Excititor Core Guild, Observability Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OBS-51-001 Metrics & SLOs | TODO | Publish metrics for VEX ingest latency, scope resolution success, conflict rate, signature verification failures. Define SLOs (link latency P95 <30s) and configure burn-rate alerts. Dependencies: EXCITITOR-OBS-50-001. | Excititor Core Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
[Ingestion & Evidence] 110.C) Excititor.IV Depends on: Sprint 110.C - Excititor.III Summary: Ingestion & Evidence focus on Excititor (phase IV).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EXCITITOR-OBS-52-001 Timeline events | TODO | Emit timeline_event entries for VEX ingest/linking/outcome changes with trace IDs, justification summaries, and evidence placeholders. Dependencies: EXCITITOR-OBS-51-001. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OBS-53-001 Evidence snapshots | TODO | Build evidence payloads for VEX statements (raw doc, normalization diff, precedence notes) and push to evidence locker with Merkle manifests. Dependencies: EXCITITOR-OBS-52-001. | Excititor Core Guild, Evidence Locker Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OBS-54-001 Attestation & verification | TODO | Attach DSSE attestations to VEX batch processing, verify chain-of-custody via Provenance library, and link attestation IDs to timeline + ledger. Dependencies: EXCITITOR-OBS-53-001. | Excititor Core Guild, Provenance Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OBS-55-001 Incident mode | TODO | Implement incident sampling bump, additional raw payload retention, and activation events for VEX pipelines with redaction guard rails. Dependencies: EXCITITOR-OBS-54-001. | Excititor Core Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-ORCH-32-001 Worker SDK adoption | TODO | Integrate orchestrator worker SDK in Excititor ingestion jobs, emit heartbeats/progress/artifact hashes, and register source metadata. | Excititor Worker Guild (src/Excititor/StellaOps.Excititor.Worker/TASKS.md) |
| EXCITITOR-ORCH-33-001 Control compliance | TODO | Honor orchestrator pause/throttle/retry actions, classify error outputs, and persist restart checkpoints. Dependencies: EXCITITOR-ORCH-32-001. | Excititor Worker Guild (src/Excititor/StellaOps.Excititor.Worker/TASKS.md) |
| EXCITITOR-ORCH-34-001 Backfill & circuit breaker | TODO | Implement orchestrator-driven backfills, apply circuit breaker reset rules, and ensure artifact dedupe alignment. Dependencies: EXCITITOR-ORCH-33-001. | Excititor Worker Guild (src/Excititor/StellaOps.Excititor.Worker/TASKS.md) |
| EXCITITOR-POLICY-02-002 – Diagnostics for scoring signals | Team Excititor Policy | BACKLOG – Update diagnostics reports to surface missing severity/KEV/EPSS mappings, coefficient overrides, and provide actionable recommendations for policy tuning. | EXCITITOR-POLICY-02-001 (src/Excititor/__Libraries/StellaOps.Excititor.Policy/TASKS.md) |
| EXCITITOR-POLICY-20-001 Policy selection endpoints | TODO | Provide VEX lookup APIs supporting PURL/advisory batching, scope filtering, and tenant enforcement with deterministic ordering + pagination. Dependencies: EXCITITOR-POLICY-02-002. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-POLICY-20-002 Scope-aware linksets | TODO | Enhance VEX linkset extraction with scope resolution (product/component) + version range matching to boost policy join accuracy; refresh fixtures/tests. Dependencies: EXCITITOR-POLICY-20-001. | Excititor Core Guild, Policy Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-POLICY-20-003 Selection cursors | TODO | Introduce VEX selection cursor collections + indexes powering incremental policy runs; bundle change-stream checkpoint migrations and Offline Kit tooling. Dependencies: EXCITITOR-POLICY-20-002. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-POLICY-23-001 Evidence indexes | TODO | Provide indexes/materialized views for policy runtime (status, justification, product PURL) to accelerate queries; document contract. Dependencies: EXCITITOR-POLICY-20-003. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-POLICY-23-002 Event guarantees | TODO | Ensure vex.linkset.updated events include correlation confidence, conflict summaries, and idempotent ids for evaluator consumption. Dependencies: EXCITITOR-POLICY-23-001. | Excititor Core Guild, Platform Events Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-RISK-66-001 VEX gate provider | TODO | Supply VEX status and justification data for risk engine gating with full source provenance. | Excititor Core Guild, Risk Engine Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-RISK-66-002 Reachability inputs | TODO | Provide component/product scoping metadata enabling reachability and runtime factor mapping. Dependencies: EXCITITOR-RISK-66-001. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
[Ingestion & Evidence] 110.C) Excititor.V Depends on: Sprint 110.C - Excititor.IV Summary: Ingestion & Evidence focus on Excititor (phase V).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EXCITITOR-RISK-67-001 Explainability metadata | TODO | Include VEX justification, status reasoning, and source digests in explainability artifacts. Dependencies: EXCITITOR-RISK-66-002. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-RISK-68-001 Policy Studio integration | TODO | Surface VEX-specific gates/weights within profile editor UI and validation messages. Dependencies: EXCITITOR-RISK-67-001. | Excititor Core Guild, Policy Studio Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-SIG-26-001 Vendor exploitability hints | TODO | Surface vendor-provided exploitability indicators and affected symbol lists to Signals service via projection endpoints. | Excititor Core Guild, Signals Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-STORE-AOC-19-001 vex_raw schema validator | TODO | Define Mongo JSON schema for vex_raw enforcing required fields and forbidding derived/consensus/severity fields. Ship unit tests with Mongo2Go to validate rejects. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-STORE-AOC-19-002 idempotency unique index | TODO | Create (source.vendor, upstream.upstream_id, upstream.content_hash, tenant) unique index with backfill checker, updating migrations + bootstrapper for offline installs. Dependencies: EXCITITOR-STORE-AOC-19-001. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-STORE-AOC-19-003 append-only migration plan | TODO | Migrate legacy consensus collections to _backup_*, seed supersedes chain for raw docs, and document rollback path + dry-run verification. Dependencies: EXCITITOR-STORE-AOC-19-002. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-STORE-AOC-19-004 validator deployment docset | TODO | Update migration runbooks and Offline Kit packaging to bundle schema validator scripts, with smoke instructions for air-gapped clusters. Dependencies: EXCITITOR-STORE-AOC-19-003. | Excititor Storage Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-TEN-48-001 Tenant-aware VEX linking | TODO | Apply tenant context to VEX linkers, enable RLS, and expose capability endpoint confirming aggregation-only behavior. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-VEXLENS-30-001 VEX evidence enrichers | TODO | Include issuer hints, signatures, and product trees in evidence payloads for VEX Lens; Label: VEX-Lens. | Excititor WebService Guild, VEX Lens Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-VULN-29-001 VEX key canonicalization | TODO | Canonicalize (lossless) VEX advisory/product keys (map to advisory_key, capture product scopes); expose original sources in links[]; AOC-compliant: no merge, no derived fields, no suppression; backfill existing records. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-VULN-29-002 Evidence retrieval | TODO | Provide /vuln/evidence/vex/{advisory_key} returning raw VEX statements filtered by tenant/product scope for Explorer evidence tabs. Dependencies: EXCITITOR-VULN-29-001. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-VULN-29-004 Observability | TODO | Add metrics/logs for VEX normalization, suppression scopes, withdrawn statements; emit events consumed by Vuln Explorer resolver. Dependencies: EXCITITOR-VULN-29-002. | Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-AIRGAP-56-001 | TODO | Support mirror bundle registration via APIs, expose bundle provenance in VEX responses, and block external connectors in sealed mode. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-AIRGAP-56-002 | TODO | Return VEX staleness metrics and time anchor info in API responses for Console/CLI use. Dependencies: EXCITITOR-WEB-AIRGAP-56-001. | Excititor WebService Guild, AirGap Time Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-AIRGAP-57-001 | TODO | Map sealed-mode violations to standardized error payload with remediation guidance. Dependencies: EXCITITOR-WEB-AIRGAP-56-002. | Excititor WebService Guild, AirGap Policy Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
[Ingestion & Evidence] 110.C) Excititor.VI Depends on: Sprint 110.C - Excititor.V Summary: Ingestion & Evidence focus on Excititor (phase VI).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EXCITITOR-WEB-AIRGAP-58-001 | TODO | Emit timeline events for VEX bundle imports with bundle ID, scope, and actor metadata. Dependencies: EXCITITOR-WEB-AIRGAP-57-001. | Excititor WebService Guild, AirGap Importer Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-AOC-19-001 Raw VEX ingestion APIs | TODO | Implement POST /ingest/vex, GET /vex/raw*, and POST /aoc/verify endpoints. Enforce Authority scopes, tenant injection, and guard pipeline to ensure only immutable VEX facts are persisted. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-AOC-19-002 AOC observability + metrics | TODO | Export metrics (ingestion_write_total, aoc_violation_total, signature verification counters) and tracing spans matching Concelier naming. Ensure structured logging includes tenant, source vendor, upstream id, and content hash. Dependencies: EXCITITOR-WEB-AOC-19-001. | Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-AOC-19-003 Guard + schema test harness | TODO | Add unit/integration tests for schema validation, forbidden field rejection (ERR_AOC_001/006/007), and supersedes behavior using CycloneDX-VEX & CSAF fixtures with deterministic expectations. Dependencies: EXCITITOR-WEB-AOC-19-002. | QA Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-AOC-19-004 Batch ingest validation | TODO | Build large fixture ingest covering mixed VEX statuses, verifying raw storage parity, metrics, and CLI aoc verify compatibility. Document load test/runbook updates. Dependencies: EXCITITOR-WEB-AOC-19-003. | Excititor WebService Guild, QA Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OAS-61-001 | TODO | Implement /.well-known/openapi discovery endpoint with spec version metadata. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OAS-61-002 | TODO | Standardize error envelope responses and update controller/unit tests. Dependencies: EXCITITOR-WEB-OAS-61-001. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OAS-62-001 | TODO | Add curated examples for VEX observation/linkset endpoints and ensure portal displays them. Dependencies: EXCITITOR-WEB-OAS-61-002. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OAS-63-001 | TODO | Emit deprecation headers and update docs for retiring VEX APIs. Dependencies: EXCITITOR-WEB-OAS-62-001. | Excititor WebService Guild, API Governance Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OBS-50-001 Telemetry adoption | TODO | Adopt telemetry core for VEX APIs, ensure responses include trace IDs & correlation headers, and update structured logging for read endpoints. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OBS-51-001 Observability health endpoints | TODO | Implement /obs/excititor/health summarizing ingest/link SLOs, signature failure counts, and conflict trends for Console dashboards. Dependencies: EXCITITOR-WEB-OBS-50-001. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OBS-52-001 Timeline streaming | TODO | Provide SSE bridge for VEX timeline events with tenant filters, pagination, and guardrails. Dependencies: EXCITITOR-WEB-OBS-51-001. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OBS-53-001 Evidence APIs | TODO | Expose /evidence/vex/* endpoints that fetch locker bundles, enforce scopes, and surface verification metadata. Dependencies: EXCITITOR-WEB-OBS-52-001. | Excititor WebService Guild, Evidence Locker Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OBS-54-001 Attestation APIs | TODO | Add /attestations/vex/* endpoints returning DSSE verification state, builder identity, and chain-of-custody links. Dependencies: EXCITITOR-WEB-OBS-53-001. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OBS-55-001 Incident mode toggles | TODO | Provide incident mode API for VEX pipelines with activation audit logs and retention override previews. Dependencies: EXCITITOR-WEB-OBS-54-001. | Excititor WebService Guild, DevOps Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
[Ingestion & Evidence] 110.D) Mirror Depends on: Sprint 100.A - Attestor Summary: Ingestion & Evidence focus on Mirror.
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| MIRROR-CRT-56-001 | TODO | Implement deterministic bundle assembler supporting advisories, VEX, policy packs with Zstandard compression and manifest generation. Dependencies: EXPORT-OBS-51-001. | Mirror Creator Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md) |
| MIRROR-CRT-56-002 | TODO | Integrate DSSE signing and TUF metadata generation (root, snapshot, timestamp, targets). Dependencies: MIRROR-CRT-56-001, PROV-OBS-53-001. | Mirror Creator Guild, Security Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md) |
| MIRROR-CRT-57-001 | TODO | Add optional OCI image collection producing oci-archive layout with digests recorded in manifest. Dependencies: MIRROR-CRT-56-001. | Mirror Creator Guild, DevOps Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md) |
| MIRROR-CRT-57-002 | TODO | Embed signed time anchor metadata (meta/time-anchor.json) sourced from trusted authority. Dependencies: MIRROR-CRT-56-002, AIRGAP-TIME-57-001. | Mirror Creator Guild, AirGap Time Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md) |
| MIRROR-CRT-58-001 | TODO | Deliver CLI `stella mirror create \| verify` commands with content selection flags, delta mode, and dry-run verification. Dependencies: MIRROR-CRT-56-002, CLI-AIRGAP-56-001. |
| MIRROR-CRT-58-002 | TODO | Integrate with Export Center scheduling to automate mirror bundle creation with audit logs. Dependencies: MIRROR-CRT-56-002, EXPORT-OBS-54-001. | Mirror Creator Guild, Exporter Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md) |
If all tasks are done - read next sprint section - SPRINT_120_policy_reasoning.md