git.stella-ops.org/docs/implplan/SPRINT_3500_SUMMARY.md

# SPRINT_3500 Summary — All Sprints Quick Reference

**Epic**: Deeper Moat Beyond Reachability
**Total Duration**: 20 weeks (10 sprints)
**Status**: PLANNING

---

## Sprint Overview

| Sprint ID | Topic | Duration | Status | Key Deliverables |
|-----------|-------|----------|--------|------------------|
| **3500.0001.0001** | **Master Plan** | — | DONE | Overall planning, prerequisites, risk assessment |
| **3500.0002.0001** | Score Proofs Foundations | 2 weeks | DONE | Canonical JSON, DSSE, ProofLedger, DB schema |
| **3500.0002.0002** | Unknowns Registry v1 | 2 weeks | DONE (7/7) | 2-factor ranking, band assignment, escalation API, Scheduler integration |
| **3500.0002.0003** | Proof Replay + API | 2 weeks | DONE | All 7 tasks complete (manifest, proofs, idempotency, rate limiting, OpenAPI, tests) |
| **3500.0003.0001** | Reachability .NET Foundations | 2 weeks | DONE | Implemented via SPRINT_3600_0002_0001 (DotNetCallGraphExtractor, ReachabilityAnalyzer) |
| **3500.0003.0002** | Reachability Java Integration | 2 weeks | DONE | Implemented via SPRINT_3610_0001_0001 (JavaCallGraphExtractor, Spring Boot) |
| **3500.0003.0003** | Graph Attestations + Rekor | 2 weeks | DONE | RichGraphAttestationService, Rekor via Attestor module, budget policy documented |
| **3500.0004.0001** | CLI Verbs + Offline Bundles | 2 weeks | TODO | `stella score`, `stella graph`, offline kit extensions |
| **3500.0004.0002** | UI Components + Visualization | 2 weeks | TODO | Proof ledger view, unknowns queue, explain widgets |
| **3500.0004.0003** | Integration Tests + Corpus | 2 weeks | TODO | Golden corpus, end-to-end tests, CI gates |
| **3500.0004.0004** | Documentation + Handoff | 2 weeks | TODO | Runbooks, API docs, training materials |

---

## Epic A: Score Proofs (Sprints 3500.0002.0001–0003)

### Sprint 3500.0002.0001: Foundations
**Owner**: Scanner Team + Policy Team
**Deliverables**:
- [ ] Canonical JSON library (`StellaOps.Canonical.Json`)
- [ ] Scan Manifest model (`ScanManifest.cs`)
- [ ] DSSE envelope implementation (`StellaOps.Attestor.Dsse`)
- [ ] ProofLedger with node hashing (`StellaOps.Policy.Scoring`)
- [ ] Database schema: `scanner.scan_manifest`, `scanner.proof_bundle`
- [ ] Proof Bundle Writer

**Tests**: Unit tests ≥85% coverage, integration test for full pipeline

**Documentation**: See `SPRINT_3500_0002_0001_score_proofs_foundations.md` (DETAILED)

---

### Sprint 3500.0002.0002: Unknowns Registry
**Owner**: Policy Team
**Status**: DONE (7/7 tasks complete)
**Deliverables**:
- [x] `policy.unknowns` table (2-factor ranking model)
- [x] `UnknownRanker.Rank(...)` — Deterministic ranking function
- [x] Band assignment (HOT/WARM/COLD)
- [x] API: `GET /unknowns`, `POST /unknowns/{id}/escalate`, `POST /unknowns/{id}/resolve`
- [x] Scheduler integration: rescan on escalation (via ISchedulerJobClient abstraction)

**Tests**: Ranking determinism tests (29 tests pass), band threshold tests

**Documentation**:
- `docs/db/schemas/policy_schema_specification.md`
- `docs/api/scanner-score-proofs-api.md` (Unknowns endpoints)

---

### Sprint 3500.0002.0003: Replay + API
**Owner**: Scanner Team
**Deliverables**:
- [ ] API: `POST /api/v1/scanner/scans`
- [ ] API: `GET /api/v1/scanner/scans/{id}/manifest`
- [ ] API: `POST /api/v1/scanner/scans/{id}/score/replay`
- [ ] API: `GET /api/v1/scanner/scans/{id}/proofs/{rootHash}`
- [ ] Idempotency via `Content-Digest` headers
- [ ] Rate limiting (100 req/hr per tenant for POST endpoints)

**Tests**: API integration tests, idempotency tests, error handling tests

**Documentation**:
- `docs/api/scanner-score-proofs-api.md` (COMPREHENSIVE)
- OpenAPI spec update: `src/Api/StellaOps.Api.OpenApi/scanner/openapi.yaml`

---

## Epic B: Reachability (Sprints 3500.0003.0001–0003)

### Sprint 3500.0003.0001: .NET Reachability
**Owner**: Scanner Team
**Deliverables**:
- [ ] Roslyn-based call-graph extractor (`DotNetCallGraphExtractor.cs`)
- [ ] IL-based node ID computation
- [ ] ASP.NET Core entrypoint discovery (controllers, minimal APIs, hosted services)
- [ ] `CallGraph.v1.json` schema implementation
- [ ] BFS reachability algorithm (`ReachabilityAnalyzer.cs`)
- [ ] Database schema: `scanner.cg_node`, `scanner.cg_edge`, `scanner.entrypoint`

**Tests**: Call-graph extraction tests, BFS tests, entrypoint detection tests

**Documentation**:
- `src/Scanner/AGENTS_SCORE_PROOFS.md` (Task 3.1, 3.2) (DETAILED)
- `docs/db/schemas/scanner_schema_specification.md`
- `docs/product-advisories/14-Dec-2025 - Reachability Analysis Technical Reference.md`

---

### Sprint 3500.0003.0002: Java Reachability
**Owner**: Scanner Team
**Deliverables**:
- [ ] Soot/WALA-based call-graph extractor (`JavaCallGraphExtractor.cs`)
- [ ] Spring Boot entrypoint discovery (`@RestController`, `@RequestMapping`)
- [ ] JAR node ID computation (class file hash + method signature)
- [ ] Integration with `CallGraph.v1.json` schema
- [ ] Reachability analysis for Java artifacts

**Tests**: Java call-graph extraction tests, Spring Boot entrypoint tests

**Prerequisite**: Java worker POC with Soot/WALA (must complete before sprint starts)

**Documentation**:
- `docs/dev/java-call-graph-extractor-spec.md` (to be created)
- `src/Scanner/AGENTS_JAVA_REACHABILITY.md` (to be created)

---

### Sprint 3500.0003.0003: Graph Attestations
**Owner**: Attestor Team + Scanner Team
**Deliverables**:
- [ ] Graph-level DSSE attestation (one per scan)
- [ ] Rekor integration: `POST /rekor/entries`
- [ ] Rekor budget policy: graph-only by default, edge bundles on escalation
- [ ] API: `POST /api/v1/scanner/scans/{id}/callgraphs` (upload)
- [ ] API: `POST /api/v1/scanner/scans/{id}/reachability/compute`
- [ ] API: `GET /api/v1/scanner/scans/{id}/reachability/findings`
- [ ] API: `GET /api/v1/scanner/scans/{id}/reachability/explain`

**Tests**: DSSE signing tests, Rekor integration tests, API tests

**Documentation**:
- `docs/operations/rekor-policy.md` (budget policy)
- `docs/api/scanner-score-proofs-api.md` (reachability endpoints)

---

## CLI & UI (Sprints 3500.0004.0001–0002)

### Sprint 3500.0004.0001: CLI Verbs
**Owner**: CLI Team
**Deliverables**:
- [ ] `stella score replay --scan <id>`
- [ ] `stella proof verify --bundle <path>`
- [ ] `stella scan graph --lang dotnet|java --sln <path>`
- [ ] `stella reachability explain --scan <id> --cve <cve>`
- [ ] `stella unknowns list --band HOT`
- [ ] Offline bundle extensions: `/offline/reachability/`, `/offline/corpus/`

**Tests**: CLI E2E tests, offline bundle verification tests

**Documentation**:
- `docs/09_API_CLI_REFERENCE.md` (update with new verbs)
- `docs/24_OFFLINE_KIT.md` (reachability bundle format)

---

### Sprint 3500.0004.0002: UI Components
**Owner**: UI Team
**Deliverables**:
- [ ] Proof ledger view (timeline visualization)
- [ ] Unknowns queue (filterable, sortable)
- [ ] Reachability explain widget (call-path visualization)
- [ ] Score delta badges
- [ ] "View Proof" button on finding cards

**Tests**: UI component tests (Jest/Cypress)

**Prerequisite**: UX wireframes delivered by Product team

**Documentation**:
- `docs/dev/ui-proof-visualization-spec.md` (to be created)

---

## Testing & Handoff (Sprints 3500.0004.0003–0004)

### Sprint 3500.0004.0003: Integration Tests + Corpus
**Owner**: QA + Scanner Team
**Deliverables**:
- [ ] Golden corpus: 10 .NET + 10 Java test cases
- [ ] End-to-end tests: SBOM → scan → proof → replay → verify
- [ ] CI gates: precision/recall ≥80%, deterministic replay 100%
- [ ] Load tests: 10k scans/day without degradation
- [ ] Air-gap verification tests

**Tests**: All integration tests passing, corpus CI green

**Documentation**:
- `docs/testing/golden-corpus-spec.md` (to be created)
- `docs/testing/integration-test-plan.md`

---

### Sprint 3500.0004.0004: Documentation + Handoff
**Owner**: Docs Guild + All Teams
**Deliverables**:
- [ ] Runbooks: `docs/operations/score-proofs-runbook.md`
- [ ] Runbooks: `docs/operations/reachability-troubleshooting.md`
- [ ] API documentation published
- [ ] Training materials for support team
- [ ] Competitive battlecard updated
- [ ] Claims index updated: DET-004, REACH-003, PROOF-001, UNKNOWNS-001

**Tests**: Documentation review by 3+ stakeholders

**Documentation**:
- All docs in `docs/` reviewed and published

---

## Dependencies

```mermaid
graph TD
    A[3500.0001.0001 Master Plan] --> B[3500.0002.0001 Foundations]
    B --> C[3500.0002.0002 Unknowns]
    C --> D[3500.0002.0003 Replay API]
    D --> E[3500.0003.0001 .NET Reachability]
    E --> F[3500.0003.0002 Java Reachability]
    F --> G[3500.0003.0003 Attestations]
    G --> H[3500.0004.0001 CLI]
    G --> I[3500.0004.0002 UI]
    H --> J[3500.0004.0003 Tests]
    I --> J
    J --> K[3500.0004.0004 Docs]
```

---

## Success Metrics

### Technical Metrics
- **Determinism**: 100% bit-identical replay on golden corpus ✅
- **Performance**: TTFRP <30s for 100k LOC (p95) ✅
- **Accuracy**: Precision/recall ≥80% on ground-truth corpus ✅
- **Scalability**: 10k scans/day without Postgres degradation ✅
- **Air-gap**: 100% offline bundle verification success ✅

### Business Metrics
- **Competitive wins**: ≥3 deals citing deterministic replay (6 months) 🎯
- **Customer adoption**: ≥20% of enterprise customers enable score proofs (12 months) 🎯
- **Support escalations**: <5 Rekor/attestation issues per month 🎯

---

## Quick Links

**Sprint Files**:
- [SPRINT_3500_0001_0001 - Master Plan](SPRINT_3500_0001_0001_deeper_moat_master.md) ⭐ START HERE
- [SPRINT_3500_0002_0001 - Score Proofs Foundations](SPRINT_3500_0002_0001_score_proofs_foundations.md) ⭐ DETAILED

**Documentation**:
- [Scanner Schema Specification](../db/schemas/scanner_schema_specification.md)
- [Scanner API Specification](../api/scanner-score-proofs-api.md)
- [Scanner AGENTS Guide](../../src/Scanner/AGENTS_SCORE_PROOFS.md) ⭐ FOR AGENTS

**Source Advisory**:
- [16-Dec-2025 - Building a Deeper Moat Beyond Reachability](../product-advisories/unprocessed/16-Dec-2025 - Building a Deeper Moat Beyond Reachability.md)

---

**Last Updated**: 2025-12-17
**Next Review**: Weekly during sprint execution