634233dfed
- Add RpmVersionComparer for RPM version comparison with epoch, version, and release handling. - Introduce DebianVersion for parsing Debian EVR (Epoch:Version-Release) strings. - Create ApkVersion for parsing Alpine APK version strings with suffix support. - Define IVersionComparator interface for version comparison with proof-line generation. - Implement VersionComparisonResult struct to encapsulate comparison results and proof lines. - Add tests for Debian and RPM version comparers to ensure correct functionality and edge case handling. - Create project files for the version comparison library and its tests.
3.6 KiB
3.6 KiB
SPRINT_4300 MOAT HARDENING: Verdict Attestation & Epistemic Mode
Program Overview
| Field | Value |
|---|---|
| Program ID | 4300 (Moat Series) |
| Theme | Moat Hardening: Signed Verdicts & Epistemic Operations |
| Priority | P0-P1 (Critical to High) |
| Total Effort | ~9 weeks |
| Advisory Source | 19-Dec-2025 - Stella Ops candidate features mapped to moat strength |
Strategic Context
This sprint program addresses the highest-moat features identified in the competitive analysis advisory. The goal is to harden StellaOps' structural advantages in:
- Signed, replayable risk verdicts (Moat 5) — The anchor differentiator
- Unknowns as first-class state (Moat 4) — Governance primitive
- Air-gapped epistemic mode (Moat 4) — Reproducibility moat
Sprint Breakdown
P0 Sprints (Critical)
| Sprint ID | Title | Effort | Moat |
|---|---|---|---|
| 4300_0001_0001 | OCI Verdict Attestation Referrer Push | 2 weeks | 5 |
| 4300_0001_0002 | One-Command Audit Replay CLI | 2 weeks | 5 |
Outcome: Verdicts become portable "ship tokens" that can be pushed to registries and replayed offline.
P1 Sprints (High)
| Sprint ID | Title | Effort | Moat |
|---|---|---|---|
| 4300_0002_0001 | Unknowns Budget Policy Integration | 2 weeks | 4 |
| 4300_0002_0002 | Unknowns Attestation Predicates | 1 week | 4 |
| 4300_0003_0001 | Sealed Knowledge Snapshot Export/Import | 2 weeks | 4 |
Outcome: Uncertainty becomes actionable through policy gates and attestable for audits. Air-gap customers get sealed knowledge bundles.
Related Sprint Programs
| Program | Theme | Moat Focus |
|---|---|---|
| 4400 | Delta Verdicts & Reachability Attestations | Smart-Diff, Reachability |
| 4500 | VEX Hub & Trust Scoring | VEX Distribution Network |
| 4600 | SBOM Lineage & BYOS | SBOM Ledger |
Dependency Graph
SPRINT_4300_0001_0001 (OCI Verdict Push)
│
├──► SPRINT_4300_0001_0002 (Audit Replay CLI)
│
└──► SPRINT_4400_0001_0001 (Signed Delta Verdict)
SPRINT_4300_0002_0001 (Unknowns Budget)
│
└──► SPRINT_4300_0002_0002 (Unknowns Attestation)
SPRINT_4300_0003_0001 (Sealed Snapshot)
│
└──► [Standalone, enables air-gap scenarios]
Success Metrics
| Metric | Target | Measurement |
|---|---|---|
| Verdict push success rate | >99% | OTEL metrics |
| Audit replay pass rate | 100% on same inputs | CI tests |
| Unknown budget violations detected | >0 in test suite | Integration tests |
| Air-gap import success rate | >99% | Manual testing |
Risks & Dependencies
| Risk | Impact | Mitigation |
|---|---|---|
| OCI registry incompatibility | Cannot push verdicts | Fallback to tag-based |
| Bundle size too large | Transfer issues | Streaming, compression |
| Key management complexity | Security | Document rotation procedures |
Timeline Recommendation
Phase 1 (Weeks 1-4): P0 Sprints
- OCI Verdict Push + Audit Replay
Phase 2 (Weeks 5-7): P1 Sprints
- Unknowns Budget + Attestations
Phase 3 (Weeks 8-9): P1 Sprints
- Sealed Knowledge Snapshots
Documentation Deliverables
docs/operations/verdict-attestation-guide.mddocs/operations/audit-replay-guide.mddocs/operations/unknown-budgets-guide.mddocs/operations/airgap-knowledge-sync.md- Update attestation type catalog
- Update CLI reference
Sprint Series Status: TODO
Created: 2025-12-22 Origin: Gap analysis of 19-Dec-2025 moat strength advisory