git.stella-ops.org/docs/implplan/SPRINT_140_runtime_signals.md

Sprint 140 - Runtime & Signals

Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).

This file now only tracks the runtime & signals status snapshot. Active backlog lives in Sprint 141+ files.

Wave coordination

Wave	Guild owners	Shared prerequisites	Status	Notes
140.A Graph	Graph Indexer Guild · Observability Guild	Sprint 120.A – AirGap; Sprint 130.A – Scanner (phase I tracked under docs/implplan/SPRINT_130_scanner_surface.md)	TODO	Hold until Scanner surface work emits the analyzer artifacts required for clustering jobs.
140.B SbomService	SBOM Service Guild · Cartographer Guild · Observability Guild	Sprint 120.A – AirGap; Sprint 130.A – Scanner	TODO	Projection schema remains blocked on Concelier outputs; keep AirGap parity requirements in scope.
140.C Signals	Signals Guild · Authority Guild (for scopes) · Runtime Guild	Sprint 120.A – AirGap; Sprint 130.A – Scanner	DOING	API skeleton and callgraph ingestion are active; runtime facts endpoint still depends on the same shared prerequisites.
140.D Zastava	Zastava Observer/Webhook Guilds · Security Guild	Sprint 120.A – AirGap; Sprint 130.A – Scanner	TODO	Surface.FS integration waits on Scanner surface caches; prep sealed-mode env helpers meanwhile.

Status snapshot (2025-11-09)

• 140.A Graph – GRAPH-INDEX-28-007/008/009/010 remain TODO while Scanner surface artifacts and SBOM projection schemas are outstanding; no clustering/backfill/fixture work has started.
• 140.B SbomService – Advisory AI, console, and orchestrator tracks stay TODO; SBOM-SERVICE-21-001..004 are BLOCKED until Concelier Link-Not-Merge (CONCELIER-GRAPH-21-001) + Cartographer schema (CARTO-GRAPH-21-002) land.
• 140.C Signals – SIGNALS-24-001 now complete (host, RBAC, sealed-mode readiness, /signals/facts/{subject}); SIGNALS-24-002 added callgraph retrieval APIs but still needs CAS promotion; SIGNALS-24-003 accepts JSON + NDJSON runtime uploads, yet NDJSON provenance/context wiring remains TODO. Scoring/cache work (SIGNALS-24-004/005) is still BLOCKED pending runtime feed availability (target 2025-11-09).
• 140.D Zastava – ZASTAVA-ENV-01/02, ZASTAVA-SECRETS-01/02, and ZASTAVA-SURFACE-01/02 are still TODO because Surface.FS cache outputs from Scanner aren’t published; guilds limited to design/prep.

Blockers & coordination

• Concelier Link-Not-Merge / Cartographer schemas – SBOM-SERVICE-21-001..004 cannot start until CONCELIER-GRAPH-21-001 and CARTO-GRAPH-21-002 deliver the projection payloads.
• Scanner surface artifacts – GRAPH-INDEX-28-007+ and all ZASTAVA-SURFACE tasks depend on Sprint 130 analyzer outputs and cached layer metadata; need updated ETA from Scanner guild.
• Signals host merge – SIGNALS-24-003/004/005 remain blocked until SIGNALS-24-001/002 merge and Authority scope work (AUTH-SIG-26-001) is validated with Runtime guild.

Next actions (target: 2025-11-12)

Owner(s)	Action
Graph Indexer Guild	Hold design sync with Scanner Surface + SBOM Service owners to lock artifact delivery dates; prep clustering job scaffolds so work can start once feeds land.
SBOM Service Guild	Finalize projection schema doc with Concelier/Cartographer, then flip SBOM-SERVICE-21-001 to DOING and align SBOM-AIAI-31-001 with Sprint 111 requirements.
Signals Guild	Land SIGNALS-24-001/002 PRs, then immediately kick off SIGNALS-24-003; coordinate scoring/cache roadmap with Runtime + Data Science guilds.
Zastava Guilds	Draft Surface.Env helper adoption plan and ensure Surface.Secrets references are wired so implementation can begin when Surface.FS caches publish.

Downstream dependency rollup (snapshot: 2025-11-09)

Track	Dependent sprint(s)	Impact if delayed
140.A Graph	docs/implplan/SPRINT_141_graph.md (Graph clustering/backfill) and downstream Graph UI overlays	Graph insights, policy overlays, and runtime clustering views cannot progress without GRAPH-INDEX-28-007+ landing.
140.B SbomService	docs/implplan/SPRINT_142_sbomservice.md, Advisory AI (Sprint 111), Policy/Vuln Explorer feeds	SBOM projections/events stay unavailable, blocking Advisory AI remedation heuristics, policy joins, and Vuln Explorer candidate generation.
140.C Signals	docs/implplan/SPRINT_143_signals.md plus Runtime/Reachability dashboards	Reachability scoring, cache/event layers, and runtime facts outputs cannot start until SIGNALS-24-001/002 merge and Scanner runtime data flows.
140.D Zastava	docs/implplan/SPRINT_144_zastava.md, Runtime admission enforcement	Surface-integrated drift/admission hooks remain stalled; sealed-mode env helpers cannot ship without Surface.FS metadata.

Risk log

Risk	Impact	Mitigation / owner
Concelier Link-Not-Merge schema slips	SBOM-SERVICE-21-001..004 + Advisory AI SBOM endpoints stay blocked	Concelier + Cartographer guilds to publish CARTO-GRAPH-21-002 ETA during next coordination call; SBOM guild to prep schema doc meanwhile.
Scanner surface artifact delay	GRAPH-INDEX-28-007+ and ZASTAVA-SURFACE-* cannot even start	Scanner guild to deliver analyzer artifact roadmap; Graph/Zastava teams to prepare mocks/tests in advance.
Signals host/callgraph merge misses 2025-11-09	SIGNALS-24-003/004/005 remain blocked, pushing reachability scoring past sprint goals	Signals + Authority guilds to prioritize AUTH-SIG-26-001 review and merge SIGNALS-24-001/002 before 2025-11-10 standup.
Authority build regression (PackApprovalFreshAuthWindow)	Signals test suite cannot run in CI, delaying validation of new endpoints	Coordinate with Authority guild to restore missing constant in StellaOps.Auth.ServerIntegration; rerun Signals tests once fixed.

Coordination log

Date	Notes
2025-11-09	Sprint 140 snapshot refreshed; awaiting Scanner surface artifact ETA, Concelier/CARTO schema delivery, and Signals host merge before any wave can advance to DOING.

Sprint 140 - Runtime & Signals