61f963fd52
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Added `LedgerMetrics` class to record write latency and total events for ledger operations. - Created comprehensive tests for Ruby packages endpoints, covering scenarios for missing inventory, successful retrieval, and identifier handling. - Introduced `TestSurfaceSecretsScope` for managing environment variables during tests. - Developed `ProvenanceMongoExtensions` for attaching DSSE provenance and trust information to event documents. - Implemented `EventProvenanceWriter` and `EventWriter` classes for managing event provenance in MongoDB. - Established MongoDB indexes for efficient querying of events based on provenance and trust. - Added models and JSON parsing logic for DSSE provenance and trust information.
11 KiB
11 KiB
Sprint 136 - Scanner & Surface
Implementation order remains sequential across Sprint 130–139. Complete each sprint in order before pulling tasks from the next file.
7. Scanner.VII — Scanner & Surface focus on Scanner (phase VII).
Dependency: Sprint 135 - 6. Scanner.VI — Scanner & Surface focus on Scanner (phase VI).
| Task ID | State | Summary | Owner / Source | Depends On |
|---|---|---|---|---|
SCANNER-ENTRYTRACE-18-504 |
TODO | Emit EntryTrace AOC NDJSON (entrytrace.entry/node/edge/target/warning/capability) and wire CLI/service streaming outputs. |
EntryTrace Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace) | SCANNER-ENTRYTRACE-18-503 |
SCANNER-ENTRYTRACE-18-505 |
TODO | Implement process-tree replay (ProcGraph) to reconcile /proc exec chains with static EntryTrace results, collapsing wrappers and emitting agreement/conflict diagnostics. |
EntryTrace Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace) | SCANNER-ENTRYTRACE-18-504 |
SCANNER-ENTRYTRACE-18-506 |
TODO | Surface EntryTrace graph + confidence via Scanner.WebService and CLI, including target summary in scan reports and policy payloads. | EntryTrace Guild, Scanner WebService Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace) | SCANNER-ENTRYTRACE-18-505 |
SCANNER-ENV-01 |
TODO (2025-11-06) | Replace ad-hoc environment reads with StellaOps.Scanner.Surface.Env helpers for cache roots and CAS endpoints. |
Scanner Worker Guild (src/Scanner/StellaOps.Scanner.Worker) | — |
SCANNER-ENV-02 |
TODO (2025-11-06) | Wire Surface.Env helpers into WebService hosting (cache roots, feature flags) and document configuration. | Scanner WebService Guild, Ops Guild (src/Scanner/StellaOps.Scanner.WebService) | SCANNER-ENV-01 |
SCANNER-ENV-03 |
TODO | Adopt Surface.Env helpers for plugin configuration (cache roots, CAS endpoints, feature toggles). | BuildX Plugin Guild (src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin) | SCANNER-ENV-02 |
SURFACE-ENV-01 |
DONE (2025-11-13) | Draft surface-env.md enumerating environment variables, defaults, and air-gap behaviour for Surface consumers. |
Scanner Guild, Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env) | — |
SURFACE-ENV-02 |
DOING (2025-11-02) | Implement strongly-typed env accessors with validation and deterministic logging inside StellaOps.Scanner.Surface.Env. |
Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env) | SURFACE-ENV-01 |
SURFACE-ENV-03 |
TODO | Adopt the env helper across Scanner Worker/WebService/BuildX plug-ins. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env) | SURFACE-ENV-02 |
SURFACE-ENV-04 |
TODO | Wire env helper into Zastava Observer/Webhook containers. | Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env) | SURFACE-ENV-02 |
SURFACE-ENV-05 |
TODO | Update Helm/Compose/offline kit templates with new env knobs and documentation. | Ops Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env) | SURFACE-ENV-03, SURFACE-ENV-04 |
SCANNER-EVENTS-16-301 |
BLOCKED (2025-10-26) | Emit orchestrator-compatible envelopes (scanner.event.*) and update integration tests to verify Notifier ingestion (no Redis queue coupling). |
Scanner WebService Guild (src/Scanner/StellaOps.Scanner.WebService) | — |
SCANNER-GRAPH-21-001 |
TODO | Provide webhook/REST endpoint for Cartographer to request policy overlays and runtime evidence for graph nodes, ensuring determinism and tenant scoping. | Scanner WebService Guild, Cartographer Guild (src/Scanner/StellaOps.Scanner.WebService) | — |
SCANNER-LNM-21-001 |
TODO | Update /reports and /policy/runtime payloads to consume advisory/vex linksets, exposing source severity arrays and conflict summaries alongside effective verdicts. |
Scanner WebService Guild, Policy Guild (src/Scanner/StellaOps.Scanner.WebService) | — |
SCANNER-LNM-21-002 |
TODO | Add evidence endpoint for Console to fetch linkset summaries with policy overlay for a component/SBOM, including AOC references. | Scanner WebService Guild, UI Guild (src/Scanner/StellaOps.Scanner.WebService) | SCANNER-LNM-21-001 |
SCANNER-SECRETS-03 |
TODO | Use Surface.Secrets to retrieve registry credentials when interacting with CAS/referrers. | BuildX Plugin Guild, Security Guild (src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin) | SCANNER-SECRETS-02 |
SURFACE-SECRETS-01 |
DOING (2025-11-02) | Produce surface-secrets.md defining secret reference schema, storage backends, scopes, and rotation rules. |
Scanner Guild, Security Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | — |
SURFACE-SECRETS-02 |
DOING (2025-11-02) | Implement StellaOps.Scanner.Surface.Secrets core provider interfaces, secret models, and in-memory test backend. |
Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-01 |
SURFACE-SECRETS-03 |
TODO | Add Kubernetes/File/Offline backends with deterministic caching and audit hooks. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-02 |
SURFACE-SECRETS-04 |
TODO | Integrate Surface.Secrets into Scanner Worker/WebService/BuildX for registry + CAS creds. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-02 |
SURFACE-SECRETS-05 |
TODO | Invoke Surface.Secrets from Zastava Observer/Webhook for CAS & attestation secrets. | Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-02 |
SURFACE-SECRETS-06 |
TODO | Update deployment manifests/offline kit bundles to provision secret references instead of raw values. | Ops Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-03 |
SCANNER-ENG-0020 |
TODO | Implement Homebrew collector & fragment mapper per design/macos-analyzer.md §3.1. |
Scanner Guild (docs/modules/scanner) | — |
SCANNER-ENG-0021 |
TODO | Implement pkgutil receipt collector per design/macos-analyzer.md §3.2. |
Scanner Guild (docs/modules/scanner) | — |
SCANNER-ENG-0022 |
TODO | Implement macOS bundle inspector & capability overlays per design/macos-analyzer.md §3.3. |
Scanner Guild, Policy Guild (docs/modules/scanner) | — |
SCANNER-ENG-0023 |
TODO | Deliver macOS policy/offline integration per design/macos-analyzer.md §5–6. |
Scanner Guild, Offline Kit Guild, Policy Guild (docs/modules/scanner) | — |
SCANNER-ENG-0024 |
TODO | Implement Windows MSI collector per design/windows-analyzer.md §3.1. |
Scanner Guild (docs/modules/scanner) | — |
SCANNER-ENG-0025 |
TODO | Implement WinSxS manifest collector per design/windows-analyzer.md §3.2. |
Scanner Guild (docs/modules/scanner) | — |
SCANNER-ENG-0026 |
TODO | Implement Windows Chocolatey & registry collectors per design/windows-analyzer.md §3.3–3.4. |
Scanner Guild (docs/modules/scanner) | — |
SCANNER-ENG-0027 |
TODO | Deliver Windows policy/offline integration per design/windows-analyzer.md §5–6. |
Scanner Guild, Policy Guild, Offline Kit Guild (docs/modules/scanner) | — |
SCHED-SURFACE-02 |
TODO | Integrate Scheduler worker prefetch using Surface manifest reader and persist manifest pointers with rerun plans. | Scheduler Worker Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | SURFACE-FS-02, SCHED-SURFACE-01. Reference docs/modules/scanner/design/surface-fs-consumers.md §3 for implementation checklist |
ZASTAVA-SURFACE-02 |
TODO | Use Surface manifest reader helpers to resolve cas:// pointers and enrich drift diagnostics with manifest provenance. |
Zastava Observer Guild (src/Zastava/StellaOps.Zastava.Observer) | SURFACE-FS-02, ZASTAVA-SURFACE-01. Reference docs/modules/scanner/design/surface-fs-consumers.md §4 for integration steps |
SURFACE-FS-03 |
TODO | Integrate Surface.FS writer into Scanner Worker analyzer pipeline to persist layer + entry-trace fragments. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | SURFACE-FS-02 |
SURFACE-FS-04 |
TODO | Integrate Surface.FS reader into Zastava Observer runtime drift loop. | Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | SURFACE-FS-02 |
SURFACE-FS-05 |
TODO | Expose Surface.FS pointers via Scanner WebService reports and coordinate rescan planning with Scheduler. | Scanner Guild, Scheduler Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | SURFACE-FS-03 |
SURFACE-FS-06 |
TODO | Update scanner-engine guide and offline kit docs with Surface.FS workflow. | Docs Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | SURFACE-FS-02..05 |
SCANNER-SURFACE-04 |
TODO | DSSE-sign every layer.fragments payload, emit _composition.json, and persist DSSE envelopes so offline kits can replay deterministically (see docs/modules/scanner/deterministic-sbom-compose.md §2.1). |
Scanner Worker Guild (src/Scanner/StellaOps.Scanner.Worker) | SCANNER-SURFACE-01, SURFACE-FS-03 |
SURFACE-FS-07 |
TODO | Extend Surface.FS manifest schema with composition.recipe, fragment attestation metadata, and verification helpers per deterministic SBOM spec. |
Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | SCANNER-SURFACE-04 |
SCANNER-EMIT-15-001 |
TODO | Enforce canonical JSON (stella.contentHash, Merkle root metadata, zero timestamps) for fragments and composed CycloneDX inventory/usage BOMs. Documented in docs/modules/scanner/deterministic-sbom-compose.md §2.2. |
Scanner Emit Guild (src/Scanner/__Libraries/StellaOps.Scanner.Emit) | SCANNER-SURFACE-04 |
SCANNER-SORT-02 |
TODO | Sort layer fragments by digest and components by identity.purl/identity.key before composition; add determinism regression tests. |
Scanner Core Guild (src/Scanner/__Libraries/StellaOps.Scanner.Core) | SCANNER-EMIT-15-001 |
SURFACE-VAL-01 |
DOING (2025-11-01) | Define the Surface validation framework (surface-validation.md) covering env/cache/secret checks and extension hooks. |
Scanner Guild, Security Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-FS-01, SURFACE-ENV-01 |
SURFACE-VAL-02 |
TODO | Implement base validation library with check registry and default validators for env/cached manifests/secret refs. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-VAL-01, SURFACE-ENV-02, SURFACE-FS-02 |
SURFACE-VAL-03 |
TODO | Integrate validation pipeline into Scanner analyzers so checks run before processing. | Scanner Guild, Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-VAL-02 |
SURFACE-VAL-04 |
TODO | Expose validation helpers to Zastava and other runtime consumers for preflight checks. | Scanner Guild, Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-VAL-02 |
SURFACE-VAL-05 |
TODO | Document validation extensibility, registration, and customization in scanner-engine guides. | Docs Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-VAL-02 |