git.stella-ops.org/docs/product-advisories/ADVISORY_INDEX.md
StellaOps Bot 600f3a7a3c
feat(graph): introduce graph.inspect.v1 contract and schema for SBOM relationships
- Added graph.inspect.v1 documentation outlining payload structure and determinism rules.
- Created JSON schema for graph.inspect.v1 to enforce payload validation.
- Defined mapping rules for graph relationships, advisories, and VEX statements.

feat(notifications): establish remediation blueprint for gaps NR1-NR10

- Documented requirements, evidence, and tests for Notifier runtime.
- Specified deliverables and next steps for addressing identified gaps.

docs(notifications): organize operations and schemas documentation

- Created README files for operations, schemas, and security notes to clarify deliverables and policies.

feat(advisory): implement PostgreSQL caching for Link-Not-Merge linksets

- Created database schema for advisory linkset cache.
- Developed repository for managing advisory linkset cache operations.
- Added tests to ensure correct functionality of the AdvisoryLinksetCacheRepository.
2025-12-04 09:36:59 +02:00

Product Advisory Index

This index consolidates the November 2025 product advisories, identifying canonical documents and duplicates.

Canonical Advisories (Active)

These are the authoritative advisories to reference for implementation:

CVSS v4.0

  • Canonical: 25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md
  • Sprint: SPRINT_0190_0001_0001_cvss_v4_receipts.md
  • Gaps: 31-Nov-2025 FINDINGS.md (CV1–CV10 remediation task CVSS-GAPS-190-013)
  • Timing/UI: 01-Dec-2025 - Time-to-Evidence (TTE) Metric.md (archived)
  • Status: New sprint created

CVSS v4.0 Momentum Briefing

  • Canonical: 29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md
  • Sprint: SPRINT_0190_0001_0001_cvss_v4_receipts.md (context)
  • Related Docs:
    • docs/product-advisories/25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md (implementation focus)
    • docs/product-advisories/29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md (this briefing)
  • Gaps: 31-Nov-2025 FINDINGS.md (CVM1–CVM10 remediation task CVSS-GAPS-190-014)
  • Status: Summarises the industry adoption signals (NVD/GitHub/Microsoft/Snyk) and why Stella Ops should treat CVSS v4.0 as first-class now.

SCA Failure Catalogue

  • Canonical: 29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md
  • Sprint: SPRINT_300_documentation_process.md (docs tracker)
  • Related Docs:
    • docs/product-advisories/29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md (this catalogue)
    • docs/implplan/SPRINT_300_documentation_process.md (tracking sync)
  • Gaps: 31-Nov-2025 FINDINGS.md (FC1–FC10 remediation task SCA-FIXTURE-GAPS-300-014)
  • Status: Captures five real-world regressions/SBOM gaps for Trivy/Syft/Grype/Snyk and frames test vectors + alarm scenarios for StellaOps acceptance suites.

Mid-Level .NET Onboarding (Quick Start)

  • Canonical: 29-Nov-2025 - StellaOps Mid-Level .NET Onboarding (Quick Start).md
  • Sprint: SPRINT_300_documentation_process.md (docs tracker)
  • Related Docs:
    • docs/onboarding/dev-quickstart.md (to be updated)
    • docs/modules/platform/architecture-overview.md
  • Gaps: 31-Nov-2025 FINDINGS.md (OB1–OB10 remediation task ONBOARD-GAPS-300-015)
  • Status: Onboarding brief for mid-level .NET devs; needs deterministic/offline/DSSE/secret-handling expansions and cross-links.

Implementor Guidelines

  • Canonical: 30-Nov-2025 - Implementor Guidelines for Stella Ops.md
  • Sprint: SPRINT_300_documentation_process.md (docs tracker)
  • Related Docs:
    • docs/product-advisories/30-Nov-2025 - Implementor Guidelines for Stella Ops.md (this briefing)
    • docs/05_SYSTEM_REQUIREMENTS_SPEC.md / docs/13_RELEASE_ENGINEERING_PLAYBOOK.md (reference requirements)
  • Gaps: 31-Nov-2025 FINDINGS.md (IG1–IG10 remediation task IMPLEMENTOR-GAPS-300-018)
  • Status: Operational checklist for contributors, plug-in authors, and implementors linking SRS/architecture to practical practices.

Rekor Receipt Checklist

  • Canonical: 30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md
  • Sprint: SPRINT_0314_0001_0001_docs_modules_authority.md
  • Related Docs: Authority/Sbomer module docs; Rekor v2 / DSSE receipt schemas (to be published)
  • Gaps: 31-Nov-2025 FINDINGS.md (RR1–RR10 remediation task REKOR-RECEIPT-GAPS-314-005)
  • Status: Needs signed/validated receipt schema/catalog, inclusion proof freshness policy, subject/policy binding, client provenance, TSA/time integrity, offline verifier, mirror snapshot rules, retention/observability, and tenant isolation.

Standup Sprint Kickstarters

  • Canonical: 30-Nov-2025 - Standup Sprint Kickstarters.md
  • Sprint: SPRINT_300_documentation_process.md (docs tracker)
  • Related Docs: docs/implplan/README.md (sprint template)
  • Gaps: 31-Nov-2025 FINDINGS.md (SK1–SK10 remediation task STANDUP-GAPS-300-019)
  • Status: Introduces ceremony primer but lacks template alignment, readiness evidence, dependency ledger, offline/async guidance, metrics/SLOs, and role/decision capture rules.

UI Micro-Interactions

  • Canonical: 30-Nov-2025 - UI Micro-Interactions for StellaOps.md
  • Sprint: SPRINT_0209_0001_0001_ui_i.md (UI I; share with UI II/III as needed)
  • Related Docs: docs/modules/ui/architecture.md, Storybook token catalog (planned)
  • Gaps: 31-Nov-2025 FINDINGS.md (MI1–MI10 remediation task UI-MICRO-GAPS-0209-011)
  • Status: Needs motion tokens, reduced-motion/a11y rules, perf budgets, offline/latency states, error/cancel patterns, component mapping, telemetry schema, deterministic tests/snapshots, micro-copy localisation, and theme/contrast guidance.

Proof-Linked VEX UI (Not-Affected Proof Drawer)

  • Canonical: Proof-linked VEX UI spec (chat-provided; to land as docs/ui/proof-linked-vex.md)
  • Sprint: SPRINT_0215_0001_0001_vuln_triage_ux.md
  • Related Docs: docs/product-advisories/27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md, docs/product-advisories/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md, VexLens/Policy module docs
  • Gaps: 31-Nov-2025 FINDINGS.md (PVX1–PVX10 remediation task UI-PROOF-VEX-0215-010)
  • Status: Drawer/badge pattern defined but missing scoped auth, cache/staleness policy, stronger integrity verification, failure/offline UX, evidence precedence rules, telemetry privacy schema, signed permalinks, revision reconciliation, and fixtures/tests.

Time-to-Evidence (TTE) Metric

  • Canonical: 01-Dec-2025 - Time-to-Evidence (TTE) Metric.md
  • Sprint: SPRINT_0215_0001_0001_vuln_triage_ux.md (UI) with telemetry alignment to SPRINT_0180_0001_0001_telemetry_core.md
  • Related Docs: UI sprints 0209/0215, telemetry architecture docs
  • Gaps: 31-Nov-2025 FINDINGS.md (TTE1–TTE10 remediation task TTE-GAPS-0215-011)
  • Status: Metric defined but needs event schema/versioning, proof eligibility rules, sampling/bot filters, per-surface SLO/error budgets, index/streaming requirements, offline-kit handling, alert/runbook, release gate, and a11y tests.

Archived Advisories (15–23 Nov 2025)

  • Canonical: docs/product-advisories/archived/*.md (embedded provenance events, function-level VEX explainability, binary reachability branches, SBOM-provenance spine, etc.)
  • Sprint: SPRINT_300_documentation_process.md (triage/decision)
  • Related Docs: None current (need revival + canonicalization)
  • Gaps: 31-Nov-2025 FINDINGS.md (AR-EP1 … AR-VB1 remediation task ARCHIVED-GAPS-300-020)
  • Status: Archived set lacks schemas, determinism rules, redaction/licensing, changelog/signing, and duplication resolution; needs triage on which to revive into active advisories.

SBOM → VEX Proof Blueprint

  • Canonical: 29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md
  • Sprint: SPRINT_300_documentation_process.md (docs tracker)
  • Related Docs:
    • docs/product-advisories/29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md (itself)
    • docs/modules/platform/architecture-overview.md (platform dossier link)
  • Gaps: 31-Nov-2025 FINDINGS.md (BP1–BP10 remediation task SBOM-VEX-GAPS-300-013)
  • Status: Diagram-first guide showing DSSE → Rekor v2 tiles → VEX linkage plus online/offline verification notes for StellaOps proofs.

UI Micro-Interactions

  • Canonical: 30-Nov-2025 - UI Micro-Interactions for StellaOps.md
  • Sprint: SPRINT_300_documentation_process.md (docs tracker)
  • Related Docs:
    • apps/console/src/app/shared/micro/
    • docs/product-advisories/30-Nov-2025 - UI Micro-Interactions for StellaOps.md
  • Status: Three Angular tasks covering audit trail reasons, low-noise VEX gating, and evidence provenance chips for air-gapped + online UX.

Rekor Receipt Checklist

  • Canonical: 30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md
  • Sprint: SPRINT_0314_0001_0001_docs_modules_authority.md (PRIMARY)
  • Related Docs:
    • docs/product-advisories/30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md
    • docs/modules/platform/architecture-overview.md
  • Gaps: 31-Nov-2025 FINDINGS.md (RR1–RR10 remediation task REKOR-RECEIPT-GAPS-314-005)
  • Status: Field-level ownership map for receipts, bundles, and offline metadata so Authority/Sbomer/Vexer keep deterministic proofs.

Air-Gap Deployment Playbook

  • Canonical: 25-Nov-2025 - Air-gap deployment playbook for StellaOps.md
  • Sprint: SPRINT_0510_0001_0001_airgap.md (Ops & Offline)
  • Gaps: 31-Nov-2025 FINDINGS.md (AG1–AG12 remediation task AIRGAP-GAPS-510-009)
  • Status: Implementation guided by Ops/Offline sprint; gaps cover trust roots, Rekor mirrors, feed freezing, tooling hashes, AV scans, policy/graph hash verification, tenant scoping, ingress receipts, replay depth, and offline observability.

Ecosystem Reality Tests

  • Canonical: 30-Nov-2025 - Ecosystem Reality Test Cases for StellaOps.md
  • Sprint: SPRINT_300_documentation_process.md (docs tracker)
  • Related Docs:
    • docs/product-advisories/30-Nov-2025 - Ecosystem Reality Test Cases for StellaOps.md
  • Status: Evidence-backed acceptance tests covering credential leaks, offline DB quirks, SBOM parity, and scanner instability.

Unknowns Decay & Triage Heuristics

  • Canonical: 30-Nov-2025 - Unknowns Decay & Triage Heuristics.md
  • Sprint: SPRINT_0140_0001_0001_runtime_signals.md (Signals/Unknowns)
  • Related Docs:
    • docs/product-advisories/30-Nov-2025 - Unknowns Decay & Triage Heuristics.md
  • Gaps: 31-Nov-2025 FINDINGS.md (UT1–UT10 remediation task UNKNOWN-HEUR-GAPS-140-007)
  • Status: Confidence decay card + triage queue artifacts that feed UI + ops exports for stale unknowns.

Standup Sprint Kickstarters

  • Canonical: 30-Nov-2025 - Standup Sprint Kickstarters.md
  • Sprint: SPRINT_300_documentation_process.md (docs tracker)
  • Related Docs:
    • docs/product-advisories/30-Nov-2025 - Standup Sprint Kickstarters.md
  • Status: Three day-0 tasks (scanner regressions, Postgres slice, DSSE/Rekor sweep) with ticket names and assignments.

Evidence + Suppression Patterns

  • Canonical: 30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md
  • Sprint: SPRINT_300_documentation_process.md (docs tracker)
  • Related Docs:
    • docs/product-advisories/30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md
  • Gaps: 31-Nov-2025 FINDINGS.md (CE1–CE10 remediation task EVIDENCE-PATTERNS-GAPS-300-016)
  • Status: Snapshot of how Snyk, GitHub, Aqua, Anchore/Grype, and Prisma Cloud handle evidence, suppression, and audit/export primitives.

Ecosystem Reality Test Cases

  • Canonical: 30-Nov-2025 - Ecosystem Reality Test Cases.md
  • Sprint: SPRINT_300_documentation_process.md (docs tracker)
  • Related Docs:
    • docs/product-advisories/30-Nov-2025 - Ecosystem Reality Test Cases.md
  • Gaps: 31-Nov-2025 FINDINGS.md (ET1–ET10 remediation task ECOSYS-FIXTURES-GAPS-300-017)
  • Status: Five public incidents mapped to acceptance tests (credential leak, Trivy offline schema error, SBOM parity, Grype version drift, inconsistent detection); informs SCA acceptance packs.

Reachability Benchmark Fixtures

  • Canonical: 30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md
  • Sprint: SPRINT_0513_0001_0001_public_reachability_benchmark.md (PRIMARY)
  • Related Docs:
    • docs/product-advisories/30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md
  • Gaps: 31-Nov-2025 FINDINGS.md (RB1–RB10 remediation task REACH-FIXTURE-GAPS-513-020)
  • Status: SV-COMP + OSS-Fuzz grounded fixture plan plus Tier-2 guidance for Java/Python, packages, containers, call-graph corpora.

SBOM/VEX Pipeline

  • Canonical: 27-Nov-2025 - Deep Architecture Brief - SBOMFirst, VEXReady Spine.md
  • Sprint: SPRINT_0186_0001_0001_record_deterministic_execution.md (tasks 15a-15f)
  • Supersedes:
    • 24-Nov-2025 - Bridging OpenVEX and CycloneDX for .NET.md → archive
    • 25-Nov-2025 - Revisiting Determinism in SBOM→VEX Pipeline.md → archive
    • 26-Nov-2025 - From SBOM to VEX - Building a Transparent Chain.md → archive

Rekor/DSSE Batch Sizing

  • Canonical: 26-Nov-2025 - Handling Rekor v2 and DSSE AirGap Limits.md
  • Sprint: SPRINT_0401_0001_0001_reachability_evidence_chain.md (DSSE tasks)
  • Supersedes:
    • 27-Nov-2025 - Rekor Envelope Size Heuristic.md → archive (duplicate)
    • 27-Nov-2025 - DSSE and Rekor Envelope Size Heuristic.md → archive (duplicate)
    • 27-Nov-2025 - Optimizing DSSE Batch Sizes for Reliable Logging.md → archive (duplicate)

Graph Revision IDs

  • Canonical: 26-Nov-2025 - Use Graph Revision IDs as Public Trust Anchors.md
  • Sprint: SPRINT_0401_0001_0001_reachability_evidence_chain.md (existing tasks)
  • Gaps: 31-Nov-2025 FINDINGS.md (GR1–GR10 remediation task GRAPHREV-GAPS-401-063)
  • Supersedes:
    • 25-Nov-2025 - HashStable Graph Revisions Across Systems.md → archive (earlier version)

Reachability Benchmark (Public)

  • Canonical: 24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md
  • Sprint: SPRINT_0513_0001_0001_public_reachability_benchmark.md
  • Related:
    • 26-Nov-2025 - Opening Up a Reachability Dataset.md → complementary (dataset focus)
    • 31-Nov-2025 FINDINGS.md → gap analysis (G1–G12) with remediation task BENCH-GAPS-513-018
  • Gaps (dataset): 31-Nov-2025 FINDINGS.md (RD1–RD10 remediation task DATASET-GAPS-513-019)

Unknowns Registry

  • Canonical: 27-Nov-2025 - Managing Ambiguity Through an Unknowns Registry.md
  • Sprint: SPRINT_0140_0001_0001_runtime_signals.md (existing implementation)
  • Extends: archived/18-Nov-2025 - Unknowns-Registry.md
  • Gaps: 31-Nov-2025 FINDINGS.md (UN1–UN10 remediation task UNKNOWN-GAPS-140-006)
  • Status: Already implemented in Signals module; advisory validates design

Confidence Decay for Prioritization

  • Canonical: 25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md
  • Sprint: SPRINT_0140_0001_0001_runtime_signals.md (integration point)
  • Gaps: 31-Nov-2025 FINDINGS.md (U1–U10 remediation task DECAY-GAPS-140-005)
  • Related: Unknowns Registry (time-based decay complements ambiguity tracking)
  • Status: Design advisory - provides exponential decay formula for priority freshness

Explainability

  • Canonical (Graphs): 27-Nov-2025 - Making Graphs Understandable to Humans.md
  • Canonical (Verdicts): 27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md
  • Sprint: SPRINT_0401_0001_0001_reachability_evidence_chain.md (UI-CLI tasks)
  • Gaps: 31-Nov-2025 FINDINGS.md (EX1–EX10 remediation task EXPLAIN-GAPS-401-064)
  • Status: Complementary advisories - graphs cover edge reasons, verdicts cover audit trails

VEX Proofs

  • Canonical: 25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md
  • Sprint: SPRINT_0401_0001_0001_reachability_evidence_chain.md (POLICY-VEX tasks)
  • Gaps: 31-Nov-2025 FINDINGS.md (VEX1–VEX10 remediation task VEX-GAPS-401-062)

Binary Reachability

  • Canonical: 27-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md
  • Sprint: SPRINT_0401_0001_0001_reachability_evidence_chain.md (GRAPH-HYBRID tasks)
  • Gaps: 31-Nov-2025 FINDINGS.md (BR1–BR10 remediation task BINARY-GAPS-401-066)

Scanner Roadmap

  • Canonical: 27-Nov-2025 - Blueprint for a 2026Ready Scanner.md
  • Sprint: Multiple sprints (0186, 0401, 0512)
  • Gaps: 31-Nov-2025 FINDINGS.md (SC1–SC10 remediation task SCANNER-GAPS-186-018)
  • Status: High-level roadmap document

SBOM-First, VEX-Ready Spine

  • Canonical: 27-Nov-2025 - Deep Architecture Brief - SBOM-First, VEX-Ready Spine.md
  • Sprint: SPRINT_0186_0001_0001_record_deterministic_execution.md (spine contracts) and related VEX/graph tasks in SPRINT_0401_0001_0001
  • Gaps: 31-Nov-2025 FINDINGS.md (SP1–SP10 remediation task SPINE-GAPS-186-019)
  • Status: Architecture brief; needs formalized schemas/contracts and DSSE/bundle enforcement.

SBOM & VEX Competitor Snapshot

  • Canonical: 27-Nov-2025 - LateNovember SBOM & VEX competitor.md
  • Sprint: SPRINT_0186_0001_0001_record_deterministic_execution.md (ingest/normalization)
  • Gaps: 31-Nov-2025 FINDINGS.md (CM1–CM10 remediation task COMPETITOR-GAPS-186-020)
  • Status: Competitive intelligence; requires hardened external ingest, signatures, and offline kit parity.

Vulnerability Triage UX & VEX-First Decisioning

  • Canonical: 28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md
  • Sprint: SPRINT_0215_0001_0001_vuln_triage_ux.md (NEW)
  • Related Sprints:
    • SPRINT_0210_0001_0002_ui_ii.md (UI-LNM-22-003 VEX tab)
    • SPRINT_0334_docs_modules_vuln_explorer.md (docs)
  • Related Advisories:
    • 27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md (evidence chain)
    • 27-Nov-2025 - Making Graphs Understandable to Humans.md (graph UX)
    • 25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md (VEX proofs)
  • Gaps: 31-Nov-2025 FINDINGS.md (VT1–VT10 remediation task TRIAGE-GAPS-215-042)
  • Status: New - defines converged triage UX across Snyk/GitLab/Harbor/Anchore patterns
  • Schemas:
    • docs/schemas/vex-decision.schema.json
    • docs/schemas/attestation-vuln-scan.schema.json
    • docs/schemas/audit-bundle-index.schema.json

Sovereign Crypto for Regional Compliance

  • Canonical: 28-Nov-2025 - Sovereign Crypto for Regional Compliance.md
  • Sprint: SPRINT_0514_0001_0001_sovereign_crypto_enablement.md (EXISTING)
  • Related Docs:
    • docs/security/rootpack_ru_*.md - RootPack RU documentation
    • docs/security/crypto-registry-decision-2025-11-18.md - Registry design
    • docs/security/pq-provider-options.md - Post-quantum options
  • Gaps: 31-Nov-2025 FINDINGS.md (SC1–SC10 remediation task SC-GAPS-514-010)
  • Status: Fills HIGH-priority gap - covers eIDAS, FIPS, GOST, SM algorithm support
  • Compliance: EU (eIDAS), US (FIPS 140-2/3), Russia (GOST), China (SM2/3/4)

Plugin Architecture & Extensibility

  • Canonical: 28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md
  • Sprint: Foundational - appears in module-specific sprints
  • Related Docs:
    • docs/dev/plugins/README.md - General plugin guide
    • docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md - Concelier connectors
    • docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md - Authority plugins
    • docs/modules/scanner/guides/surface-validation-extensibility.md - Scanner extensibility
  • Gaps: 31-Nov-2025 FINDINGS.md (PL1–PL10 remediation task Plugin architecture gaps remediation — Sprint 300)
  • Status: Fills MEDIUM-priority gap - consolidates extensibility patterns across modules

Evidence Bundle & Replay Contracts

  • Canonical: 28-Nov-2025 - Evidence Bundle and Replay Contracts.md
  • Sprint: SPRINT_0161_0001_0001_evidencelocker.md (PRIMARY)
  • Related Sprints:
    • SPRINT_0187_0001_0001_evidence_locker_cli_integration.md (CLI)
    • SPRINT_0160_0001_0001_export_evidence.md (Coordination)
  • Related Docs:
    • docs/modules/evidence-locker/bundle-packaging.md - Bundle spec
    • docs/modules/evidence-locker/attestation-contract.md - DSSE contract
    • docs/modules/evidence-locker/replay-payload-contract.md - Replay schema
  • Gaps: 31-Nov-2025 FINDINGS.md (EB1–EB10 remediation task EVID-GAPS-161-007)
  • Status: Fills HIGH-priority gap - covers deterministic bundles, attestations, replay, incident mode

Export Center & Reporting

  • Canonical: 28-Nov-2025 - Export Center and Reporting Strategy.md
  • Sprint: SPRINT_0162_0001_0001_exportcenter_i.md (ExportCenter I)
  • Related Sprints: SPRINT_0163_0001_0001_exportcenter_ii.md, SPRINT_0164_0001_0001_exportcenter_iii.md
  • Gaps: 31-Nov-2025 FINDINGS.md (EC1–EC10 remediation task EXPORT-GAPS-162-013)
  • Status: Export profiles/adapters; determinism, provenance, and offline kit parity need gap remediation.

Acceptance Tests Pack for Guardrails

  • Canonical: 29-Nov-2025 - Acceptance Tests Pack for StellaOps Guardrails.md
  • Sprint: SPRINT_300_documentation_process.md (Docs Governance)
  • Related Docs:
    • docs/product-advisories/29-Nov-2025 - Acceptance Tests Pack for StellaOps Guardrails.md (itself)
    • docs/implplan/SPRINT_300_documentation_process.md (tracking the sync)
  • Gaps: 31-Nov-2025 FINDINGS.md (AT1–AT10 remediation task AT-GAPS-300-012)
  • Status: Captures feed resiliency, SBOM validation, snapshot/replay rehearsals, reachability fallbacks, and pipeline swap guardrails for acceptance tests.

Mirror & Offline Kit Strategy

  • Canonical: 28-Nov-2025 - Mirror and Offline Kit Strategy.md
  • Sprint: SPRINT_0125_0001_0001 (Mirror Bundles)
  • Related Sprints:
    • SPRINT_0150_0001_0001 (DSSE/Time Anchors)
    • SPRINT_0150_0001_0002 (Time Anchors)
    • SPRINT_0150_0001_0003 (Orchestrator Hooks)
  • Related Docs:
    • docs/modules/mirror/dsse-tuf-profile.md - DSSE/TUF spec
    • docs/modules/mirror/thin-bundle-assembler.md - Thin bundle spec
    • docs/airgap/time-anchor-schema.json - Time anchor schema
  • Gaps: 31-Nov-2025 FINDINGS.md (OK1–OK10 remediation task OFFKIT-GAPS-125-011; RK1–RK10 task REKOR-GAPS-125-012; MS1–MS10 task MIRROR-GAPS-125-013)
  • Status: Fills HIGH-priority gap - covers thin bundles, DSSE/TUF signing, time anchoring

Rekor v2 / DSSE Limits

  • Canonical: 26-Nov-2025 - Handling Rekor v2 and DSSE Air-Gap Limits.md
  • Sprint: SPRINT_0125_0001_0001_mirror.md (mirror/offline log handling) and linked to reachability evidence chain where DSSE predicates are used.
  • Gaps: 31-Nov-2025 FINDINGS.md (RK1–RK10 remediation task REKOR-GAPS-125-012)
  • Status: Guides policy for public/private Rekor use, payload limits, chunking, and shard-aware checkpoints.

Task Pack Orchestration & Automation

  • Canonical: 28-Nov-2025 - Task Pack Orchestration and Automation.md
  • Sprint: SPRINT_0157_0001_0001_taskrunner_i.md (PRIMARY)
  • Related Sprints:
    • SPRINT_0158_0001_0002_taskrunner_ii.md (Phase II)
    • SPRINT_0157_0001_0002_taskrunner_blockers.md (Blockers)
  • Related Docs:
    • docs/task-packs/spec.md - Pack manifest specification
    • docs/task-packs/authoring-guide.md - Authoring workflow
    • docs/task-packs/registry.md - Registry architecture
  • Gaps: 31-Nov-2025 FINDINGS.md (TP1–TP10 remediation task TASKRUN-GAPS-157-014)
  • Status: Fills HIGH-priority gap - covers pack DSL, approvals, evidence capture

Authentication & Authorization Architecture

  • Canonical: 28-Nov-2025 - Authentication and Authorization Architecture.md
  • Sprint: Multiple (see below)
  • Related Sprints:
    • SPRINT_100_identity_signing.md (CLOSED - historical)
    • SPRINT_314_docs_modules_authority.md (Docs)
    • SPRINT_0514_0001_0001_sovereign_crypto_enablement.md (Crypto)
  • Gaps: 31-Nov-2025 FINDINGS.md (AU1–AU10 remediation task AUTH-GAPS-314-004)
  • Related Docs:
    • docs/modules/authority/architecture.md - Module architecture
    • docs/11_AUTHORITY.md - Overview
    • docs/security/authority-scopes.md - Scope reference
    • docs/security/dpop-mtls-rollout.md - Sender constraints
  • Status: Fills HIGH-priority gap - consolidates token model, scopes, multi-tenant isolation

CLI Developer Experience & Command UX

  • Canonical: 28-Nov-2025 - CLI Developer Experience and Command UX.md
  • Sprint: SPRINT_0201_0001_0001_cli_i.md (PRIMARY)
  • Related Sprints:
    • SPRINT_203_cli_iii.md
    • SPRINT_205_cli_v.md
  • Related Docs:
    • docs/modules/cli/architecture.md - Module architecture
    • docs/09_API_CLI_REFERENCE.md - Command reference
  • Gaps: 31-Nov-2025 FINDINGS.md (CL1–CL10 remediation task CLI-GAPS-201-003)
  • Status: Fills HIGH-priority gap - covers command surface, auth model, Buildx integration

Orchestrator Event Model & Job Lifecycle

  • Canonical: 28-Nov-2025 - Orchestrator Event Model and Job Lifecycle.md
  • Sprint: SPRINT_0151_0001_0001_orchestrator_i.md (PRIMARY)
  • Related Sprints:
    • SPRINT_152_orchestrator_ii.md
    • SPRINT_0152_0001_0002_orchestrator_ii.md
  • Related Docs:
    • docs/modules/orchestrator/architecture.md - Module architecture
  • Gaps: 31-Nov-2025 FINDINGS.md (OR1–OR10 remediation task ORCH-GAPS-151-016)
  • Status: Fills HIGH-priority gap - covers job lifecycle, quota governance, replay semantics

Export Center & Reporting Strategy

  • Canonical: 28-Nov-2025 - Export Center and Reporting Strategy.md
  • Sprint: SPRINT_0160_0001_0001_export_evidence.md (PRIMARY)
  • Related Sprints:
    • SPRINT_0161_0001_0001_evidencelocker.md
  • Related Docs:
    • docs/modules/export-center/architecture.md - Module architecture
  • Status: Fills MEDIUM-priority gap - covers profile system, adapters, distribution channels

Runtime Posture & Observation (Zastava)

  • Canonical: 28-Nov-2025 - Runtime Posture and Observation with Zastava.md
  • Sprint: SPRINT_0144_0001_0001_zastava_runtime_signals.md (PRIMARY)
  • Related Sprints:
    • SPRINT_0140_0001_0001_runtime_signals.md
    • SPRINT_0143_0000_0001_signals.md
  • Related Docs:
    • docs/modules/zastava/architecture.md - Module architecture
  • Gaps: 31-Nov-2025 FINDINGS.md (ZR1–ZR10 remediation task ZASTAVA-GAPS-144-007)
  • Status: Fills MEDIUM-priority gap - covers runtime events, admission control, drift detection

Notification Rules & Alerting Engine

  • Canonical: 28-Nov-2025 - Notification Rules and Alerting Engine.md
  • Sprint: SPRINT_0170_0001_0001_notify_engine.md (NEW)
  • Related Sprints:
    • SPRINT_0171_0001_0002_notify_connectors.md
    • SPRINT_0172_0001_0003_notify_ack_tokens.md
  • Related Docs:
    • docs/modules/notify/architecture.md - Module architecture
  • Gaps: 31-Nov-2025 FINDINGS.md (NR1–NR10 remediation task NOTIFY-GAPS-171-014; blueprint docs/notifications/gaps-nr1-nr10.md)
  • Status: Fills MEDIUM-priority gap - covers rules engine, channels, noise control, ack tokens

Graph Analytics & Dependency Insights

  • Canonical: 28-Nov-2025 - Graph Analytics and Dependency Insights.md
  • Sprint: SPRINT_0141_0001_0001_graph_indexer.md (PRIMARY)
  • Related Sprints:
    • SPRINT_0401_0001_0001_reachability_evidence_chain.md
    • SPRINT_0140_0001_0001_runtime_signals.md
  • Related Docs:
    • docs/modules/graph/architecture.md - Module architecture
  • Gaps: 31-Nov-2025 FINDINGS.md (GA1–GA10 remediation task GRAPH-ANALYTICS-GAPS-207-013)
  • Status: Fills MEDIUM-priority gap - covers graph model, overlays, analytics, visualization

Telemetry & Observability Patterns

  • Canonical: 28-Nov-2025 - Telemetry and Observability Patterns.md
  • Sprint: SPRINT_0180_0001_0001_telemetry_core.md (NEW)
  • Related Sprints:
    • SPRINT_0181_0001_0002_telemetry_forensic.md
    • SPRINT_0182_0001_0003_telemetry_offline.md
  • Related Docs:
    • docs/modules/telemetry/architecture.md - Module architecture
  • Gaps: 31-Nov-2025 FINDINGS.md (TO1–TO10 remediation task TELEM-GAPS-180-001)
  • Status: Fills MEDIUM-priority gap - covers collector topology, forensic mode, offline bundles

Policy Simulation & Shadow Gates

  • Canonical: 28-Nov-2025 - Policy Simulation and Shadow Gates.md
  • Sprint: SPRINT_0185_0001_0001_policy_simulation.md (NEW)
  • Related Sprints:
    • SPRINT_0120_0000_0001_policy_reasoning.md
    • SPRINT_0121_0001_0001_policy_reasoning.md
  • Related Docs:
    • docs/modules/policy/architecture.md - Module architecture
  • Gaps: 31-Nov-2025 FINDINGS.md (PS1–PS10 remediation task POLICY-GAPS-185-006)
  • Status: Fills MEDIUM-priority gap - covers shadow runs, coverage fixtures, promotion gates

Findings Ledger & Immutable Audit Trail

  • Canonical: 28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md
  • Sprint: SPRINT_0186_0001_0001_record_deterministic_execution.md (PRIMARY)
  • Related Sprints:
    • SPRINT_0120_0000_0001_policy_reasoning.md
    • SPRINT_311_docs_tasks_md_xi.md
  • Related Docs:
    • docs/modules/findings-ledger/openapi/findings-ledger.v1.yaml - OpenAPI spec
  • Gaps: 31-Nov-2025 FINDINGS.md (FL1–FL10 remediation task LEDGER-GAPS-121-009)
  • Status: Fills MEDIUM-priority gap - covers append-only events, Merkle anchoring, projections

Concelier Advisory Ingestion Model

  • Canonical: 28-Nov-2025 - Concelier Advisory Ingestion Model.md
  • Sprint: SPRINT_0115_0001_0004_concelier_iv.md (PRIMARY)
  • Related Sprints:
    • SPRINT_0113_0001_0002_concelier_ii.md
    • SPRINT_0114_0001_0003_concelier_iii.md
  • Related Docs:
    • docs/modules/concelier/architecture.md - Module architecture
    • docs/modules/concelier/link-not-merge-schema.md - LNM schema
  • Gaps: 31-Nov-2025 FINDINGS.md (CI1–CI10 remediation task CONCELIER-GAPS-115-014)
  • Status: Fills MEDIUM-priority gap - covers AOC, Link-Not-Merge, connectors, deterministic exports

Files Archived

The following files have been moved to archived/27-Nov-2025-superseded/:

# Superseded by canonical advisories
24-Nov-2025 - Bridging OpenVEX and CycloneDX for .NET.md
25-Nov-2025 - Revisiting Determinism in SBOM→VEX Pipeline.md
25-Nov-2025 - HashStable Graph Revisions Across Systems.md
26-Nov-2025 - From SBOM to VEX - Building a Transparent Chain.md
27-Nov-2025 - Rekor Envelope Size Heuristic.md
27-Nov-2025 - DSSE and Rekor Envelope Size Heuristic.md
27-Nov-2025 - Optimizing DSSE Batch Sizes for Reliable Logging.md

Cleanup Completed (2025-11-28)

The following issues were fixed:

  • Deleted junk file: 24-Nov-2025 - 1 copy 2.md
  • Deleted malformed duplicate: 24-Nov-2025 - Designing a Deterministic Reachability Benchmarkmd
  • Fixed filename: 25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md (was missing .md extension)

Sprint Cross-Reference

| Advisory Topic | Sprint ID | Status |
|---|---|---|
| CVSS v4.0 | SPRINT_0190_0001_0001 | NEW |
| SPDX 3.0.1 / SBOM | SPRINT_0186_0001_0001 | AUGMENTED |
| Reachability Benchmark | SPRINT_0513_0001_0001 | NEW |
| Reachability Evidence | SPRINT_0401_0001_0001 | EXISTING |
| Unknowns Registry | SPRINT_0140_0001_0001 | IMPLEMENTED |
| Confidence Decay | SPRINT_0140_0001_0001 | DESIGN |
| Graph Revision IDs | SPRINT_0401_0001_0001 | EXISTING |
| DSSE/Rekor Batching | SPRINT_0401_0001_0001 | EXISTING |
| Vuln Triage UX / VEX | SPRINT_0215_0001_0001 | NEW |
| Sovereign Crypto | SPRINT_0514_0001_0001 | EXISTING |
| Plugin Architecture | Multiple (module-specific) | FOUNDATIONAL |
| Evidence Bundle & Replay | SPRINT_0161_0001_0001 | EXISTING |
| Mirror & Offline Kit | SPRINT_0125_0001_0001 | EXISTING |
| Task Pack Orchestration | SPRINT_0157_0001_0001 | EXISTING |
| Auth/AuthZ Architecture | Multiple (100, 314, 0514) | EXISTING |
| CLI Developer Experience | SPRINT_0201_0001_0001 | NEW |
| Orchestrator Event Model | SPRINT_0151_0001_0001 | NEW |
| Export Center Strategy | SPRINT_0160_0001_0001 | NEW |
| Zastava Runtime Posture | SPRINT_0144_0001_0001 | NEW |
| Notification Rules Engine | SPRINT_0170_0001_0001 | NEW |
| Graph Analytics | SPRINT_0141_0001_0001 | NEW |
| Telemetry & Observability | SPRINT_0180_0001_0001 | NEW |
| Policy Simulation | SPRINT_0185_0001_0001 | NEW |
| Findings Ledger | SPRINT_0186_0001_0001 | NEW |
| Concelier Ingestion | SPRINT_0115_0001_0004 | NEW |

Implementation Priority

Based on gap analysis:

  1. P0 - CVSS v4.0 (Sprint 0190) - Industry moving to v4.0, genuine gap
  2. P1 - SPDX 3.0.1 (Sprint 0186 tasks 15a-15f) - Standards compliance
  3. P1 - Public Benchmark (Sprint 0513) - Differentiation/marketing value
  4. P1 - Vuln Triage UX (Sprint 0215) - Industry-aligned UX for competitive parity
  5. P1 - Sovereign Crypto (Sprint 0514) - Regional compliance enablement
  6. P1 - Evidence Bundle & Replay (Sprint 0161, 0187) - Audit/compliance critical
  7. P1 - Mirror & Offline Kit (Sprint 0125, 0150) - Air-gap deployment critical
  8. P1 - CLI Developer Experience (Sprint 0201) - Developer UX critical
  9. P1 - Orchestrator Event Model (Sprint 0151) - Job lifecycle foundation
  10. P2 - Task Pack Orchestration (Sprint 0157, 0158) - Automation foundation
  11. P2 - Explainability (Sprint 0401) - UX enhancement, existing tasks
  12. P2 - Plugin Architecture (Multiple) - Foundational extensibility patterns
  13. P2 - Auth/AuthZ Architecture (Multiple) - Security consolidation
  14. P2 - Export Center (Sprint 0160) - Reporting flexibility
  15. P2 - Zastava Runtime (Sprint 0144) - Runtime observability
  16. P2 - Notification Rules (Sprint 0170) - Alert management
  17. P2 - Graph Analytics (Sprint 0141) - Dependency insights
  18. P2 - Telemetry (Sprint 0180) - Observability infrastructure
  19. P2 - Policy Simulation (Sprint 0185) - Safe policy testing
  20. P2 - Findings Ledger (Sprint 0186) - Audit immutability
  21. P2 - Concelier Ingestion (Sprint 0115) - Advisory pipeline
  22. P3 - Already Implemented - Unknowns, Graph IDs, DSSE batching

Implementer Quick Reference

For each topic, the implementer should read:

  1. Sprint file - Contains task definitions, dependencies, working directories
  2. Documentation Prerequisites - Listed in each sprint file
  3. Canonical advisory - Full product context and rationale
  4. Module AGENTS.md - If exists, contains module-specific coding guidance

Key Module Docs to Read Before Implementation

| Module | Architecture Doc | AGENTS.md |
|---|---|---|
| Policy | docs/modules/policy/architecture.md | src/Policy/*/AGENTS.md |
| Scanner | docs/modules/scanner/architecture.md | src/Scanner/*/AGENTS.md |
| Sbomer | docs/modules/sbomer/architecture.md | src/Sbomer/*/AGENTS.md |
| Signals | docs/modules/signals/architecture.md | src/Signals/*/AGENTS.md |
| Attestor | docs/modules/attestor/architecture.md | src/Attestor/*/AGENTS.md |
| Vuln Explorer | docs/modules/vuln-explorer/architecture.md | src/VulnExplorer/*/AGENTS.md |
| VEX-Lens | docs/modules/vex-lens/architecture.md | src/Excititor/*/AGENTS.md |
| UI | docs/modules/ui/architecture.md | src/UI/*/AGENTS.md |
| Authority | docs/modules/authority/architecture.md | src/Authority/*/AGENTS.md |
| Evidence Locker | docs/modules/evidence-locker/*.md | src/EvidenceLocker/*/AGENTS.md |
| Mirror | docs/modules/mirror/*.md | src/Mirror/*/AGENTS.md |
| TaskRunner | docs/modules/taskrunner/*.md | src/TaskRunner/*/AGENTS.md |
| CLI | docs/modules/cli/architecture.md | src/Cli/*/AGENTS.md |
| Orchestrator | docs/modules/orchestrator/architecture.md | src/Orchestrator/*/AGENTS.md |
| Export Center | docs/modules/export-center/architecture.md | src/ExportCenter/*/AGENTS.md |
| Zastava | docs/modules/zastava/architecture.md | src/Zastava/*/AGENTS.md |
| Notify | docs/modules/notify/architecture.md | src/Notify/*/AGENTS.md |
| Graph | docs/modules/graph/architecture.md | src/Graph/*/AGENTS.md |
| Telemetry | docs/modules/telemetry/architecture.md | src/Telemetry/*/AGENTS.md |
| Findings Ledger | docs/modules/findings-ledger/openapi/ | src/Findings/*/AGENTS.md |
| Concelier | docs/modules/concelier/architecture.md | src/Concelier/*/AGENTS.md |

Developer Onboarding Quick Start

  • Canonical: 29-Nov-2025 - StellaOps Mid-Level .NET Onboarding (Quick Start).md
  • Sprint: SPRINT_300_documentation_process.md (Docs Governance)
  • Related Docs:
    • docs/onboarding/dev-quickstart.md (derived from this advisory)
    • docs/README.md (new quickstart reference)
    • docs/modules/platform/architecture-overview.md (platform dossier mention)
  • Status: Documents deterministic onboarding for mid-level .NET engineers covering repos, determinism tests, DSSE/attestation patterns, and starter issues.

Topical Gaps (Advisory Needed)

The following topics are mentioned in CLAUDE.md or module docs but lack dedicated product advisories:

| Gap | Severity | Status | Notes |
|---|---|---|---|
| Regional Crypto (eIDAS/FIPS/GOST/SM) | HIGH | FILLED | 28-Nov-2025 - Sovereign Crypto for Regional Compliance.md |
| Plugin Architecture Patterns | MEDIUM | FILLED | 28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md |
| Evidence Bundle Packaging | HIGH | FILLED | 28-Nov-2025 - Evidence Bundle and Replay Contracts.md |
| Mirror/Offline Kit Strategy | HIGH | FILLED | 28-Nov-2025 - Mirror and Offline Kit Strategy.md |
| Task Pack Orchestration | HIGH | FILLED | 28-Nov-2025 - Task Pack Orchestration and Automation.md |
| Auth/AuthZ Architecture | HIGH | FILLED | 28-Nov-2025 - Authentication and Authorization Architecture.md |
| CLI Developer Experience | HIGH | FILLED | 28-Nov-2025 - CLI Developer Experience and Command UX.md |
| Orchestrator Event Model | HIGH | FILLED | 28-Nov-2025 - Orchestrator Event Model and Job Lifecycle.md |
| Export Center Strategy | MEDIUM | FILLED | 28-Nov-2025 - Export Center and Reporting Strategy.md |
| Runtime Posture & Observation | MEDIUM | FILLED | 28-Nov-2025 - Runtime Posture and Observation with Zastava.md |
| Notification Rules Engine | MEDIUM | FILLED | 28-Nov-2025 - Notification Rules and Alerting Engine.md |
| Graph Analytics & Clustering | MEDIUM | FILLED | 28-Nov-2025 - Graph Analytics and Dependency Insights.md |
| Telemetry & Observability | MEDIUM | FILLED | 28-Nov-2025 - Telemetry and Observability Patterns.md |
| Policy Simulation & Shadow Gates | MEDIUM | FILLED | 28-Nov-2025 - Policy Simulation and Shadow Gates.md |
| Findings Ledger & Audit Trail | MEDIUM | FILLED | 28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md |
| Concelier Advisory Ingestion | MEDIUM | FILLED | 28-Nov-2025 - Concelier Advisory Ingestion Model.md |
| CycloneDX 1.6 .NET Integration | LOW | Open | Deep Architecture covers generically; expand with .NET-specific guidance |

Known Issues (Non-Blocking)

Unicode Encoding Inconsistency: Several filenames use an en-dash (U+2011) instead of a regular hyphen (-). This may cause cross-platform issues but does not affect content discovery. Files affected:

  • 26-Nov-2025 - Handling Rekor v2 and DSSE AirGap Limits.md
  • 27-Nov-2025 - Blueprint for a 2026Ready Scanner.md
  • 27-Nov-2025 - Deep Architecture Brief - SBOMFirst, VEXReady Spine.md

Archived Duplicate: archived/17-Nov-2025 - SBOM-Provenance-Spine.md and archived/18-Nov-2025 - SBOM-Provenance-Spine.md are potential duplicates. The 18-Nov version is likely canonical.


Index created: 2025-11-27

Last updated: 2025-12-01 (added Rekor Receipt, Standup Kickstarters, UI Micro-Interactions, Proof-Linked VEX UI entries, plus new gap task IDs)