git.stella-ops.org/src/StellaOps.Concelier.Core/TASKS.md

TASKS — Epic 1: Aggregation-Only Contract

AOC Reminder: ingestion aggregates and links only—no precedence, normalization, or severity computation. Derived data lives in Policy/overlay services.

ID	Status	Owner(s)	Depends on	Notes
CONCELIER-CORE-AOC-19-001 AOC write guard	DONE (2025-10-29)	Concelier Core Guild	WEB-AOC-19-001	Implement repository interceptor that inspects write payloads for forbidden AOC keys, validates provenance/signature presence, and maps violations to ERR_AOC_00x.
Docs alignment (2025-10-26): Behaviour/spec captured in docs/ingestion/aggregation-only-contract.md and architecture overview §2.
Implementation (2025-10-29): Added AdvisoryRawWriteGuard + DI extensions wrapping AocWriteGuard, throwing domain-specific ConcelierAocGuardException with ERR_AOC_00x mappings. Unit tests cover valid/missing-tenant/signature cases.
Coordination (2025-10-27): Authority dotnet test run is currently blocked because AdvisoryObservationQueryService.BuildAliasLookup returns ImmutableHashSet<string?>; please normalise these lookups to ImmutableHashSet<string> (trim nulls) so downstream builds succeed.
CONCELIER-CORE-AOC-19-002 Deterministic linkset extraction	DONE (2025-10-31)	Concelier Core Guild	CONCELIER-CORE-AOC-19-001	Build canonical linkset mappers for CVE/GHSA/PURL/CPE/reference extraction from upstream raw payloads, ensuring reconciled-from metadata is tracked and deterministic.
2025-10-31: Added advisory linkset mapper + DI registration, normalized PURL/CPE canonicalization, persisted reconciled_from pointers, and refreshed observation factory/tests for new raw linkset shape.
Docs alignment (2025-10-26): Linkset expectations detailed in AOC reference §4 and policy-engine architecture §2.1.
CONCELIER-CORE-AOC-19-003 Idempotent append-only upsert	DONE (2025-10-28)	Concelier Core Guild	CONCELIER-STORE-AOC-19-002	Implement idempotent upsert path using (vendor, upstreamId, contentHash, tenant) key, emitting supersedes pointers for new revisions and preventing duplicate inserts.
2025-10-28: Advisory raw ingestion now strips client-supplied supersedes hints, logs ignored pointers, and surfaces repository-supplied supersedes identifiers; service tests cover duplicate handling and append-only semantics.
Docs alignment (2025-10-26): Deployment guide + observability guide describe supersedes metrics; ensure implementation emits aoc_violation_total on failure.
CONCELIER-CORE-AOC-19-004 Remove ingestion normalization	DOING (2025-10-28)	Concelier Core Guild	CONCELIER-CORE-AOC-19-002, POLICY-AOC-19-003	Strip normalization/dedup/severity logic from ingestion pipelines, delegate derived computations to Policy Engine, and update exporters/tests to consume raw documents only.
Docs alignment (2025-10-26): Architecture overview emphasises policy-only derivation; coordinate with Policy Engine guild for rollout.
CONCELIER-CORE-AOC-19-013 Authority tenant scope smoke coverage	TODO	Concelier Core Guild	AUTH-AOC-19-002	Extend Concelier smoke/e2e fixtures to configure requiredTenants and assert cross-tenant rejection with updated Authority tokens.

Policy Engine v2

ID	Status	Owner(s)	Depends on	Notes
CONCELIER-POLICY-20-002 Linkset enrichment for policy	TODO	Concelier Core Guild, Policy Guild	CONCELIER-CORE-AOC-19-002, POLICY-ENGINE-20-001	Strengthen linkset builders with vendor-specific equivalence tables, NEVRA/PURL normalization, and version range parsing to maximize policy join recall; update fixtures + docs.

2025-10-31: Base advisory linkset mapper landed under CONCELIER-CORE-AOC-19-002; policy enrichment work can now proceed with mapper outputs and observation schema fixtures.

Graph Explorer v1

ID	Status	Owner(s)	Depends on	Notes
CONCELIER-GRAPH-21-001 SBOM projection enrichment	BLOCKED (2025-10-27)	Concelier Core Guild, Cartographer Guild	CONCELIER-POLICY-20-002, CARTO-GRAPH-21-002	Extend SBOM normalization to emit full relationship graph (depends_on/contains/provides), scope tags, entrypoint annotations, and component metadata required by Cartographer.

2025-10-27: Waiting on policy-driven linkset enrichment (CONCELIER-POLICY-20-002) and Cartographer API contract (CARTO-GRAPH-21-002) to define required relationship payloads. Without those schemas the projection changes cannot be implemented deterministically. | CONCELIER-GRAPH-21-002 Change events | BLOCKED (2025-10-27) | Concelier Core Guild, Scheduler Guild | CONCELIER-GRAPH-21-001 | Publish change events (new SBOM version, relationship delta) for Cartographer build queue; ensure events include tenant/context metadata. | 2025-10-27: Depends on CONCELIER-GRAPH-21-001; event schema hinges on finalized projection output and Cartographer webhook contract, both pending.

Link-Not-Merge v1

ID	Status	Owner(s)	Depends on	Notes
CONCELIER-LNM-21-001 Advisory observation schema	TODO	Concelier Core Guild	CONCELIER-CORE-AOC-19-001	Introduce immutable advisory_observations model with AOC metadata, raw payload pointers, normalized fields, and tenancy guardrails; publish schema definition. DOCS-LNM-22-001 blocked pending this deliverable.
CONCELIER-LNM-21-002 Linkset builder	TODO	Concelier Core Guild, Data Science Guild	CONCELIER-LNM-21-001	Implement correlation pipeline (alias graph, PURL overlap, CVSS vector equality, fuzzy title match) that produces advisory_linksets with confidence + conflict annotations. Docs note: unblock DOCS-LNM-22-001 once builder lands.
CONCELIER-LNM-21-003 Conflict annotator	TODO	Concelier Core Guild	CONCELIER-LNM-21-002	Detect field disagreements (severity, CVSS, ranges, references) and record structured conflicts on linksets; surface to API/UI. Docs awaiting structured conflict payloads.
CONCELIER-LNM-21-004 Merge code removal	TODO	Concelier Core Guild	CONCELIER-LNM-21-002	Excise existing merge/dedup logic, enforce immutability on observations, and add guards/tests to prevent future merges.
CONCELIER-LNM-21-005 Event emission	TODO	Concelier Core Guild, Platform Events Guild	CONCELIER-LNM-21-002	Emit advisory.linkset.updated events with delta payloads for downstream Policy Engine/Cartographer consumers; ensure idempotent delivery.

Policy Engine + Editor v1

ID	Status	Owner(s)	Depends on	Notes
CONCELIER-POLICY-23-001 Evidence indexes	TODO	Concelier Core Guild	CONCELIER-LNM-21-002	Add secondary indexes/materialized views to accelerate policy lookups (alias, severity per observation, correlation confidence). Document query contracts for runtime.
CONCELIER-POLICY-23-002 Event guarantees	TODO	Concelier Core Guild, Platform Events Guild	CONCELIER-LNM-21-005	Ensure advisory.linkset.updated emits at-least-once with idempotent keys and include policy-relevant metadata (confidence, conflict summary).

Graph & Vuln Explorer v1

ID	Status	Owner(s)	Depends on	Notes
CONCELIER-GRAPH-24-001 Advisory overlay inputs	DONE (2025-10-29)	Concelier Core Guild	CONCELIER-POLICY-23-001	Expose raw advisory observations/linksets with tenant filters for overlay services; no derived counts/severity in ingestion.

2025-10-29: Filter-aware lookup path and /concelier/observations coverage landed; overlay services can consume raw advisory feeds deterministically.

Reachability v1

ID	Status	Owner(s)	Depends on	Notes
CONCELIER-SIG-26-001 Vulnerable symbol exposure	TODO	Concelier Core Guild, Signals Guild	SIGNALS-24-002	Expose advisory metadata (affected symbols/functions) via API to enrich reachability scoring; update fixtures.

Orchestrator Dashboard

ID	Status	Owner(s)	Depends on	Notes
CONCELIER-ORCH-32-001 Source registry integration	TODO	Concelier Core Guild	ORCH-SVC-32-001, AUTH-ORCH-32-001	Register Concelier data sources with orchestrator (metadata, schedules, rate policies) and wire provenance IDs/security scopes.
CONCELIER-ORCH-32-002 Worker SDK adoption	TODO	Concelier Core Guild	CONCELIER-ORCH-32-001, WORKER-GO-32-001, WORKER-PY-32-001	Embed orchestrator worker SDK in ingestion loops, emit heartbeats/progress/artifact hashes, and enforce idempotency keys.
CONCELIER-ORCH-33-001 Control hook compliance	TODO	Concelier Core Guild	CONCELIER-ORCH-32-002, ORCH-SVC-33-001, ORCH-SVC-33-002	Honor orchestrator throttle/pause/retry actions, surface structured error classes, and persist safe checkpoints for resume.
CONCELIER-ORCH-34-001 Backfill + ledger linkage	TODO	Concelier Core Guild	CONCELIER-ORCH-33-001, ORCH-SVC-33-003, ORCH-SVC-34-001	Execute orchestrator-driven backfills, reuse artifact hashes to avoid duplicates, and link provenance to run ledger exports.

Authority-Backed Scopes & Tenancy (Epic 14)

ID	Status	Owner(s)	Depends on	Notes
CONCELIER-TEN-48-001 Tenant-aware linking	TODO	Concelier Core Guild	AUTH-TEN-47-001	Ensure advisory normalization/linking runs per tenant with RLS enforcing isolation; emit capability endpoint reporting merge=false; update events with tenant context.

Observability & Forensics (Epic 15)

ID	Status	Owner(s)	Depends on	Notes
CONCELIER-OBS-50-001 Telemetry adoption	TODO	Concelier Core Guild, Observability Guild	TELEMETRY-OBS-50-001, TELEMETRY-OBS-50-002	Replace ad-hoc logging with telemetry core across ingestion/linking pipelines; ensure spans/logs include tenant, source vendor, upstream id, content hash, and trace IDs.
CONCELIER-OBS-51-001 Metrics & SLOs	TODO	Concelier Core Guild, DevOps Guild	CONCELIER-OBS-50-001, TELEMETRY-OBS-51-001	Emit metrics for ingest latency (cold/warm), queue depth, aoc violation rate, and publish SLO burn-rate alerts (ingest P95 <30s cold / <5s warm). Ship dashboards + alert configs.
CONCELIER-OBS-52-001 Timeline events	TODO	Concelier Core Guild	CONCELIER-OBS-50-001, TIMELINE-OBS-52-002	Emit timeline_event records for advisory ingest/normalization/linkset creation with provenance, trace IDs, conflict summaries, and evidence placeholders.
CONCELIER-OBS-53-001 Evidence snapshots	TODO	Concelier Core Guild, Evidence Locker Guild	CONCELIER-OBS-52-001, EVID-OBS-53-002	Produce advisory evaluation bundle payloads (raw doc, linkset, normalization diff) for evidence locker; ensure Merkle manifests seeded with content hashes.
CONCELIER-OBS-54-001 Attestation & verification	TODO	Concelier Core Guild, Provenance Guild	CONCELIER-OBS-53-001, PROV-OBS-54-001	Attach DSSE attestations for advisory processing batches, expose verification API to confirm bundle integrity, and link attestation IDs back to timeline + ledger.
CONCELIER-OBS-55-001 Incident mode hooks	TODO	Concelier Core Guild, DevOps Guild	CONCELIER-OBS-51-001, DEVOPS-OBS-55-001	Increase sampling, capture raw payload snapshots, and extend retention under incident mode; emit activation events + guardrails against PII leak.

Air-Gapped Mode (Epic 16)

ID	Status	Owner(s)	Depends on	Notes
CONCELIER-AIRGAP-56-001 Mirror ingestion adapters	TODO	Concelier Core Guild	AIRGAP-IMP-57-002, MIRROR-CRT-56-001	Add mirror source adapters reading advisories from imported bundles, preserving source metadata and bundle IDs. Ensure ingestion remains append-only.
CONCELIER-AIRGAP-56-002 Bundle catalog linking	TODO	Concelier Core Guild, AirGap Importer Guild	CONCELIER-AIRGAP-56-001, AIRGAP-IMP-57-001	Persist bundle_id, merkle_root, and time anchor references on observations/linksets for provenance.
CONCELIER-AIRGAP-57-001 Sealed-mode source restrictions	TODO	Concelier Core Guild, AirGap Policy Guild	CONCELIER-AIRGAP-56-001, AIRGAP-POL-56-001	Enforce sealed-mode egress rules by disallowing non-mirror connectors and surfacing remediation errors.
CONCELIER-AIRGAP-57-002 Staleness annotations	TODO	Concelier Core Guild, AirGap Time Guild	CONCELIER-AIRGAP-56-002, AIRGAP-TIME-58-001	Compute staleness metadata for advisories per bundle and expose via API for Console/CLI badges.
CONCELIER-AIRGAP-58-001 Portable advisory evidence	TODO	Concelier Core Guild, Evidence Locker Guild	CONCELIER-OBS-53-001, EVID-OBS-54-001	Package advisory evidence fragments into portable evidence bundles for cross-domain transfer.

SDKs & OpenAPI (Epic 17)

ID	Status	Owner(s)	Depends on	Notes
CONCELIER-OAS-61-001 Spec coverage	TODO	Concelier Core Guild, API Contracts Guild	OAS-61-001	Update Concelier OAS with advisory observation/linkset endpoints, standard pagination, and source provenance fields.
CONCELIER-OAS-61-002 Examples library	TODO	Concelier Core Guild	CONCELIER-OAS-61-001	Provide rich examples for advisories, linksets, conflict annotations used by SDK + docs.
CONCELIER-OAS-62-001 SDK smoke tests	TODO	Concelier Core Guild, SDK Generator Guild	CONCELIER-OAS-61-001, SDKGEN-63-001	Add SDK tests covering advisory search, pagination, and conflict handling; ensure source metadata surfaced.
CONCELIER-OAS-63-001 Deprecation headers	TODO	Concelier Core Guild, API Governance Guild	APIGOV-63-001	Implement deprecation header support and timeline events for retiring endpoints.

Risk Profiles (Epic 18)

ID	Status	Owner(s)	Depends on	Notes
CONCELIER-RISK-66-001 CVSS/KEV providers	TODO	Concelier Core Guild, Risk Engine Guild	RISK-ENGINE-67-001	Expose CVSS, KEV, fix availability data via provider APIs with source metadata preserved.
CONCELIER-RISK-66-002 Fix availability signals	TODO	Concelier Core Guild	CONCELIER-RISK-66-001	Provide structured fix availability and release metadata consumable by risk engine; document provenance.
CONCELIER-RISK-67-001 Source consensus metrics	TODO	Concelier Core Guild	CONCELIER-RISK-66-001	Add consensus counts and confidence scores for linked advisories; ensure explainability includes source digests.
CONCELIER-RISK-68-001 Policy Studio integration	TODO	Concelier Core Guild, Policy Studio Guild	POLICY-RISK-68-001	Surface advisory fields in Policy Studio profile editor (signal pickers, reducers).
CONCELIER-RISK-69-001 Notification hooks	TODO	Concelier Core Guild, Notifications Guild	CONCELIER-RISK-66-002	Emit events when advisory signals change impacting risk scores (e.g., fix available).

Attestor Console (Epic 19)

ID	Status	Owner(s)	Depends on	Notes
CONCELIER-ATTEST-73-001 ScanResults attestation inputs	TODO	Concelier Core Guild, Attestor Service Guild	ATTEST-TYPES-72-001	Provide normalized advisory data and linkset digests needed for ScanResults attestations.
CONCELIER-ATTEST-73-002 Transparency metadata	TODO	Concelier Core Guild	CONCELIER-ATTEST-73-001	Ensure Conseiller exposes source digests for transparency proofs and explainability.