- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform.
- Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds.
- Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies.
- Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.
Sprint 120 - Policy & Reasoning
[Policy & Reasoning] 120.A) AirGap
Depends on: Sprint 110.A - AdvisoryAI
Summary: Policy & Reasoning focus on AirGap.
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| AIRGAP-POL-56-001 | TODO | Implement StellaOps.AirGap.Policy package exposing EgressPolicy facade with sealed/unsealed branches and remediation-friendly errors. | AirGap Policy Guild (src/AirGap/StellaOps.AirGap.Policy/TASKS.md) |
| AIRGAP-POL-56-002 | TODO | Create Roslyn analyzer/code fix warning on raw HttpClient usage outside approved wrappers; add CI integration. | AirGap Policy Guild, DevEx Guild (src/AirGap/StellaOps.AirGap.Policy/TASKS.md) |
| AIRGAP-POL-57-001 | TODO | Update core web services (Web, Exporter, Policy, Findings, Authority) to use EgressPolicy; ensure configuration wiring for sealed mode. | AirGap Policy Guild, BE-Base Platform Guild (src/AirGap/StellaOps.AirGap.Policy/TASKS.md) |
| AIRGAP-POL-57-002 | TODO | Implement Task Runner job plan validator rejecting network steps unless they are marked as internal allow-list entries. | AirGap Policy Guild, Task Runner Guild (src/AirGap/StellaOps.AirGap.Policy/TASKS.md) |
| AIRGAP-POL-58-001 | TODO | Ensure Observability exporters only target local endpoints in sealed mode; disable remote sinks with warning. | AirGap Policy Guild, Observability Guild (src/AirGap/StellaOps.AirGap.Policy/TASKS.md) |
| AIRGAP-POL-58-002 | TODO | Add CLI sealed-mode guard that refuses commands needing egress and surfaces remediation. | AirGap Policy Guild, CLI Guild (src/AirGap/StellaOps.AirGap.Policy/TASKS.md) |
[Policy & Reasoning] 120.B) Findings.I
Depends on: Sprint 110.A - AdvisoryAI
Summary: Policy & Reasoning focus on Findings (phase I).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| LEDGER-29-001 | TODO | Design ledger & projection schemas (tables/indexes), canonical JSON format, hashing strategy, and migrations. Publish schema doc + fixtures. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-29-002 | TODO | Implement ledger write API (POST /vuln/ledger/events) with validation, idempotency, hash chaining, and Merkle root computation job. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-29-003 | TODO | Build projector worker that derives findings_projection rows from ledger events + policy determinations; ensure idempotent replay keyed by (tenant,finding_id,policy_version). | Findings Ledger Guild, Scheduler Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-29-004 | TODO | Integrate Policy Engine batch evaluation (baseline + simulate) with projector; cache rationale references. | Findings Ledger Guild, Policy Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-29-005 | TODO | Implement workflow mutation handlers (assign, comment, accept-risk, target-fix, verify-fix, reopen) producing ledger events with validation and attachments metadata. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-29-006 | TODO | Integrate attachment encryption (KMS envelope), signed URL issuance, CSRF protection hooks for Console. | Findings Ledger Guild, Security Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-29-007 | TODO | Instrument metrics (ledger_write_latency, projection_lag_seconds, ledger_events_total), structured logs, and Merkle anchoring alerts; publish dashboards. | Findings Ledger Guild, Observability Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-29-008 | TODO | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5M findings/tenant. | Findings Ledger Guild, QA Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-29-009 | TODO | Provide deployment manifests (Helm/Compose), backup/restore guidance, Merkle anchor externalization (optional), and offline kit instructions. | Findings Ledger Guild, DevOps Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-34-101 | TODO | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-AIRGAP-56-001 | TODO | Record bundle provenance (bundle_id, merkle_root, time_anchor) on ledger events for advisories/VEX/policies imported via Mirror Bundles. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-AIRGAP-56-002 | TODO | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging. | Findings Ledger Guild, AirGap Time Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-AIRGAP-57-001 | TODO | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works. | Findings Ledger Guild, Evidence Locker Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-AIRGAP-58-001 | TODO | Emit timeline events for bundle import impacts (new findings, remediation changes) with sealed-mode context. | Findings Ledger Guild, AirGap Controller Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-ATTEST-73-001 | TODO | Persist pointers from findings to verification reports and attestation envelopes for explainability. | Findings Ledger Guild, Attestor Service Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
[Policy & Reasoning] 120.B) Findings.II
Depends on: Sprint 120.B - Findings.I
Summary: Policy & Reasoning focus on Findings (phase II).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| LEDGER-ATTEST-73-002 | TODO | Enable search/filter in findings projections by verification result and attestation status. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-EXPORT-35-001 | TODO | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings aligned with export filters, including deterministic ordering and provenance metadata. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-OAS-61-001 | TODO | Expand Findings Ledger OAS to include projections, evidence lookups, and filter parameters with examples. | Findings Ledger Guild, API Contracts Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-OAS-61-002 | TODO | Implement /.well-known/openapi endpoint and ensure version metadata matches release. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-OAS-62-001 | TODO | Provide SDK test cases for findings pagination, filtering, evidence links; ensure typed models expose provenance. | Findings Ledger Guild, SDK Generator Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-OAS-63-001 | TODO | Support deprecation headers and Notifications for retiring finding endpoints. | Findings Ledger Guild, API Governance Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-OBS-50-001 | TODO | Integrate telemetry core within ledger writer/projector services, emitting structured logs and trace spans for ledger append, projector replay, and query APIs with tenant context. | Findings Ledger Guild, Observability Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-OBS-51-001 | TODO | Publish metrics for ledger latency, projector lag, event throughput, and policy evaluation linkage. Define SLOs (ledger append P95 < 1s, replay lag < 30s) with burn-rate alerts and dashboards. | Findings Ledger Guild, DevOps Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-OBS-52-001 | TODO | Emit timeline events for ledger writes and projector commits (ledger.event.appended, ledger.projection.updated) with trace ID, policy version, evidence bundle reference placeholders. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-OBS-53-001 | TODO | Persist evidence bundle references (evaluation/job capsules) alongside ledger entries, exposing lookup API linking findings to evidence manifests and timeline. | Findings Ledger Guild, Evidence Locker Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-OBS-54-001 | TODO | Verify attestation references for ledger-derived exports; expose /ledger/attestations endpoint returning DSSE verification state and chain-of-custody summary. | Findings Ledger Guild, Provenance Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-OBS-55-001 | TODO | Enhance incident mode to record additional replay diagnostics (lag traces, conflict snapshots) and extend retention while active. Emit activation events to timeline + notifier. | Findings Ledger Guild, DevOps Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-PACKS-42-001 | TODO | Provide snapshot/time-travel APIs and digestible exports for task pack simulation and CLI offline mode. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-RISK-66-001 | TODO | Add schema migrations for risk_score, risk_severity, profile_version, explanation_id, and supporting indexes. | Findings Ledger Guild, Risk Engine Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-RISK-66-002 | TODO | Implement deterministic upsert of scoring results keyed by finding hash/profile version with history audit. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
[Policy & Reasoning] 120.B) Findings.III
Depends on: Sprint 120.B - Findings.II
Summary: Policy & Reasoning focus on Findings (phase III).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| LEDGER-RISK-67-001 | TODO | Expose query APIs for scored findings with score/severity filters, pagination, and explainability links. | Findings Ledger Guild, Risk Engine Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-RISK-68-001 | TODO | Enable export of scored findings and simulation results via Export Center integration. | Findings Ledger Guild, Export Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-RISK-69-001 | TODO | Emit metrics/dashboards for scoring latency, result freshness, severity distribution, provider gaps. | Findings Ledger Guild, Observability Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
| LEDGER-TEN-48-001 | TODO | Partition ledger tables by tenant/project, enable RLS, update queries/events, and stamp audit metadata. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) |
[Policy & Reasoning] 120.C) Policy.I
Depends on: Sprint 110.A - AdvisoryAI
Summary: Policy & Reasoning focus on Policy (phase I).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EXPORT-CONSOLE-23-001 | TODO | Build evidence bundle/export generator producing signed manifests, CSV/JSON replay endpoints, and trace attachments; integrate with scheduler jobs and expose progress telemetry. | Policy Guild, Scheduler Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-AIRGAP-56-001 | TODO | Support policy pack imports from Mirror Bundles, track bundle_id metadata, and ensure deterministic caching. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-AIRGAP-56-002 | TODO | Export policy sub-bundles (stella policy bundle export) with DSSE signatures for outbound transfer. | Policy Guild, Policy Studio Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-AIRGAP-57-001 | TODO | Enforce sealed-mode guardrails in evaluation (no outbound fetch), surface AIRGAP_EGRESS_BLOCKED errors with remediation. | Policy Guild, AirGap Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-AIRGAP-57-002 | TODO | Annotate rule explanations with staleness information and fallback data (cached EPSS, vendor risk). | Policy Guild, AirGap Time Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-AIRGAP-58-001 | TODO | Emit notifications when policy packs approach staleness thresholds or are missing required bundles. | Policy Guild, Notifications Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-AOC-19-001 | TODO | Add Roslyn/CI lint preventing ingestion projects from referencing Policy merge/severity helpers; block forbidden writes at compile time. | Policy Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) |
| POLICY-AOC-19-002 | TODO | Enforce effective_finding_* write gate ensuring only Policy Engine identity can create/update materializations. | Policy Guild, Platform Security (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) |
| POLICY-AOC-19-003 | TODO | Update readers/processors to consume only content.raw, identifiers, and linkset. Remove dependencies on legacy normalized fields and refresh fixtures. | Policy Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) |
| POLICY-AOC-19-004 | TODO | Add regression tests ensuring policy-derived outputs remain deterministic when ingesting revised raw docs (supersedes) and when violations occur. | Policy Guild, QA Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) |
| POLICY-ATTEST-73-001 | TODO | Introduce VerificationPolicy object: schema, persistence, versioning, and lifecycle. | Policy Guild, Attestor Service Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ATTEST-73-002 | TODO | Provide Policy Studio editor with validation, dry-run simulation, and version diff. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ATTEST-74-001 | TODO | Integrate verification policies into attestor verification pipeline with caching and waiver support. | Policy Guild, Attestor Service Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ATTEST-74-002 | TODO | Surface policy evaluations in Console verification reports with rule explanations. | Policy Guild, Console Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-CONSOLE-23-001 | TODO | Optimize findings/explain APIs for Console: cursor-based pagination at scale, global filter parameters (severity bands, policy version, time window), rule trace summarization, and aggregation hints for dashboard cards. Ensure deterministic ordering and expose provenance refs. | Policy Guild, BE-Base Platform Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
[Policy & Reasoning] 120.C) Policy.II
Depends on: Sprint 120.C - Policy.I
Summary: Policy & Reasoning focus on Policy (phase II).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| POLICY-CONSOLE-23-002 | TODO | Produce simulation diff metadata (before/after counts, severity deltas, rule impact summaries) and approval state endpoints consumed by Console policy workspace; expose RBAC-aware status transitions. | Policy Guild, Product Ops (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-20-002 | BLOCKED (2025-10-26) | Build deterministic evaluator honoring lexical/priority order, first-match semantics, and safe value types (no wall-clock/network access). | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-20-003 | TODO | Implement selection joiners resolving SBOM↔advisory↔VEX tuples using linksets and PURL equivalence tables, with deterministic batching. | Policy Guild, Concelier Core Guild, Excititor Core Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-20-004 | TODO | Ship materialization writer that upserts into effective_finding_{policyId} with append-only history, tenant scoping, and trace references. | Policy Guild, Platform Storage Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-20-005 | TODO | Enforce determinism guard banning wall-clock, RNG, and network usage during evaluation via static analysis + runtime sandbox. | Policy Guild, Security Engineering (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-20-006 | TODO | Implement incremental orchestrator reacting to advisory/vex/SBOM change streams and scheduling partial policy re-evaluations. | Policy Guild, Scheduler Worker Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-20-007 | TODO | Emit structured traces/logs of rule hits with sampling controls, metrics (rules_fired_total, vex_overrides_total), and expose explain trace exports. | Policy Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-20-008 | TODO | Add unit/property/golden/perf suites covering policy compilation, evaluation correctness, determinism, and SLA targets. | Policy Guild, QA Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-20-009 | TODO | Define Mongo schemas/indexes for policies, policy_runs, and effective_finding_*; implement migrations and tenant enforcement. | Policy Guild, Storage Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-27-001 | TODO | Extend compile outputs to include rule coverage metadata, symbol table, inline documentation, and rule index for editor autocomplete; persist deterministic hashes. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-27-002 | TODO | Enhance simulate endpoints to emit rule firing counts, heatmap aggregates, sampled explain traces with deterministic ordering, and delta summaries for quick/batch sims. | Policy Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-27-003 | TODO | Implement complexity/time limit enforcement with compiler scoring, configurable thresholds, and structured diagnostics (ERR_POL_COMPLEXITY). | Policy Guild, Security Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-27-004 | TODO | Update golden/property tests to cover new coverage metrics, symbol tables, explain traces, and complexity limits; provide fixtures for Registry/Console integration. | Policy Guild, QA Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-29-001 | TODO | Implement batch evaluation endpoint (POST /policy/eval/batch) returning determinations + rationale chain for sets of (artifact,purl,version,advisory) tuples; support pagination and cost budgets. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-29-002 | TODO | Provide streaming simulation API comparing two policy versions, returning per-finding deltas without writes; align determinism with Vuln Explorer simulation. | Policy Guild, Findings Ledger Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
[Policy & Reasoning] 120.C) Policy.III
Depends on: Sprint 120.C - Policy.II
Summary: Policy & Reasoning focus on Policy (phase III).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| POLICY-ENGINE-29-003 | TODO | Surface path/scope awareness in determinations (signal optional/dev/test downgrade, runtime boost) for Vuln Explorer display. | Policy Guild, SBOM Service Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-29-004 | TODO | Add metrics/logs for batch evaluation (latency, queue depth) and simulation diff counts; update dashboards. | Policy Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-30-001 | TODO | Define overlay contract for graph nodes/edges (status, severity, rationale refs, path relevance), expose projection API for Cartographer, and document schema versioning. | Policy Guild, Cartographer Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-30-002 | TODO | Implement simulation bridge returning on-the-fly overlays for Cartographer/Graph Explorer when invoking Policy Engine simulate; ensure no writes and deterministic outputs. | Policy Guild, Cartographer Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-30-003 | TODO | Emit change events (policy.effective.updated) with graph-friendly payloads so Cartographer overlay worker refreshes nodes/edges within 2 minutes. | Policy Guild, Scheduler Guild, Cartographer Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-30-101 | TODO | Surface trust weighting configuration (issuer base weights, signature modifiers, recency decay, scope adjustments) for VEX Lens via Policy Studio + API; ensure deterministic evaluation. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-31-001 | TODO | Expose policy knobs for Advisory AI (trust presets, temperature, token limits, plan ranking weights, TTLs) via Policy Studio and config APIs. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-31-002 | TODO | Provide batch endpoint delivering policy context (thresholds, obligations) consumed by Advisory AI remediation planner. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-32-101 | TODO | Define orchestrator policy_eval job schema, idempotency keys, and enqueue hooks triggered by advisory/VEX/SBOM events. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-33-101 | TODO | Implement orchestrator-driven policy evaluation workers using SDK heartbeats, respecting throttles, and emitting SLO metrics. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-34-101 | TODO | Publish policy run ledger exports + SLO burn-rate metrics to orchestrator; ensure provenance chain links to Findings Ledger. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-35-201 | TODO | Expose deterministic policy snapshot API and evaluated findings stream keyed by policy version for exporter consumption. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-38-201 | TODO | Emit enriched policy violation events (decision rationale ids, risk bands) via orchestrator event bus for Notifications Studio. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-40-001 | TODO | Update severity/status evaluation pipelines to consume multiple source severities per linkset, supporting selection strategies (max, preferred source, policy-defined). | Policy Guild, Concelier Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-40-002 | TODO | Accept VEX linkset conflicts and provide rationale references in effective findings; ensure explain traces cite observation IDs. | Policy Guild, Excititor Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
[Policy & Reasoning] 120.C) Policy.IV
Depends on: Sprint 120.C - Policy.III
Summary: Policy & Reasoning focus on Policy (phase IV).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| POLICY-ENGINE-40-003 | TODO | Provide API/SDK utilities for consumers (Web Scanner, Graph Explorer) to request policy decisions with source evidence summaries (top severity sources, conflict counts). | Policy Guild, Web Scanner Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-50-001 | TODO | Implement SPL compiler: validate YAML, canonicalize, produce signed bundle, store artifact in object storage, write policy_revisions with AOC metadata. | Policy Guild, Platform Security (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-50-002 | TODO | Build runtime evaluator executing compiled plans over advisory/vex linksets + SBOM asset metadata with deterministic caching (Redis) and fallback path. | Policy Guild, Runtime Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-50-003 | TODO | Implement evaluation/compilation metrics, tracing, and structured logs (policy_eval_seconds, policy_compiles_total, explanation sampling). | Policy Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-50-004 | TODO | Build event pipeline: subscribe to linkset/SBOM updates, schedule re-eval jobs, emit policy.effective.updated events with diff metadata. | Policy Guild, Platform Events Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-50-005 | TODO | Design and implement policy_packs, policy_revisions, policy_runs, policy_artifacts collections with indexes, TTL, and tenant scoping. | Policy Guild, Storage Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-50-006 | TODO | Implement explainer persistence + retrieval APIs linking decisions to explanation tree and AOC chain. | Policy Guild, QA Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-50-007 | TODO | Provide evaluation worker host/DI wiring and job orchestration hooks for batch re-evaluations after policy activation. | Policy Guild, Scheduler Worker Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-60-001 | TODO | Maintain Redis effective decision maps per asset/snapshot for Graph overlays; implement versioning and eviction strategy. | Policy Guild, SBOM Service Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-60-002 | TODO | Expose simulation bridge for Graph What-if APIs, supporting hypothetical SBOM diffs and draft policies without persisting results. | Policy Guild, BE-Base Platform Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-70-002 | TODO | Design and create Mongo collections (exceptions, exception_reviews, exception_bindings) with indexes and migrations; expose repository APIs. | Policy Guild, Storage Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-70-003 | TODO | Build Redis exception decision cache (exceptions_effective_map) with warm/invalidation logic reacting to exception.* events. | Policy Guild, Runtime Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-70-004 | TODO | Extend metrics/tracing/logging for exception application (latency, counts, expiring events) and include AOC references in logs. | Policy Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-70-005 | TODO | Provide API/worker hooks for exception activation/expiry (auto start/end) and event emission (exception.activated/expired). | Policy Guild, Scheduler Worker Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-80-001 | TODO | Integrate reachability/exploitability inputs into evaluation pipeline (state/score/confidence) with caching and explain support. | Policy Guild, Signals Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
[Policy & Reasoning] 120.C) Policy.V
Depends on: Sprint 120.C - Policy.IV
Summary: Policy & Reasoning focus on Policy (phase V).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| POLICY-ENGINE-80-002 | TODO | Create joining layer to read reachability_facts efficiently (indexes, projections) and populate Redis overlay caches. | Policy Guild, Storage Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-80-003 | TODO | Extend SPL predicates/actions to reference reachability state/score/confidence; update compiler validation. | Policy Guild, Policy Editor Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-ENGINE-80-004 | TODO | Emit metrics (policy_reachability_applied_total, policy_reachability_cache_hit_ratio) and traces for signals usage. | Policy Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-OBS-50-001 | TODO | Integrate telemetry core into policy API + worker hosts, ensuring spans/logs cover compile/evaluate flows with tenant_id, policy_version, decision_effect, and trace IDs. | Policy Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-OBS-51-001 | TODO | Emit golden-signal metrics (compile latency, evaluate latency, rule hits, override counts) and define SLOs (evaluation P95 <2s). Publish Grafana dashboards + burn-rate alert rules. | Policy Guild, DevOps Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-OBS-52-001 | TODO | Emit timeline events policy.evaluate.started, policy.evaluate.completed, policy.decision.recorded with trace IDs, input digests, and rule summary. Provide contract tests and retry semantics. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-OBS-53-001 | TODO | Produce evaluation evidence bundles (inputs slice, rule trace, engine version, config snapshot) through evidence locker integration; ensure redaction + deterministic manifests. | Policy Guild, Evidence Locker Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-OBS-54-001 | TODO | Generate DSSE attestations for evaluation outputs, expose /evaluations/{id}/attestation, and link attestation IDs in timeline + console. Provide verification harness. | Policy Guild, Provenance Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-OBS-55-001 | TODO | Implement incident mode sampling overrides (full rule trace capture, extended retention) with auto-activation on SLO breach and manual override API. Emit activation events to timeline + notifier. | Policy Guild, DevOps Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-RISK-66-001 | TODO | Develop initial JSON Schema for RiskProfile (signals, transforms, weights, severity, overrides) with validator stubs. | Risk Profile Schema Guild (src/Policy/StellaOps.Policy.RiskProfile/TASKS.md) |
| POLICY-RISK-66-002 | TODO | Implement inheritance/merge logic with conflict detection and deterministic content hashing. | Risk Profile Schema Guild (src/Policy/StellaOps.Policy.RiskProfile/TASKS.md) |
| POLICY-RISK-66-003 | TODO | Integrate RiskProfile schema into Policy Engine configuration, ensuring validation and default profile deployment. | Policy Guild, Risk Profile Schema Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-RISK-66-004 | TODO | Extend Policy libraries to load/save RiskProfile documents, compute content hashes, and surface validation diagnostics. | Policy Guild, Risk Profile Schema Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) |
| POLICY-RISK-67-001 | TODO | Trigger scoring jobs on new/updated findings via Policy Engine orchestration hooks. | Policy Guild, Risk Engine Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-RISK-67-001 | TODO | Integrate profile storage and versioning into Policy Store with lifecycle states (draft/publish/deprecate). | Risk Profile Schema Guild, Policy Engine Guild (src/Policy/StellaOps.Policy.RiskProfile/TASKS.md) |
[Policy & Reasoning] 120.C) Policy.VI
Depends on: Sprint 120.C - Policy.V
Summary: Policy & Reasoning focus on Policy (phase VI).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| POLICY-RISK-67-002 | TODO | Implement profile lifecycle APIs (/risk/profiles create/publish/deprecate) and scope attachment logic. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-RISK-67-002 | TODO | Publish .well-known/risk-profile-schema endpoint and CLI validation tooling. | Risk Profile Schema Guild (src/Policy/StellaOps.Policy.RiskProfile/TASKS.md) |
| POLICY-RISK-67-003 | TODO | Provide policy-layer APIs to trigger risk simulations and return distributions/contribution breakdowns. | Policy Guild, Risk Engine Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) |
| POLICY-RISK-68-001 | TODO | Provide simulation API bridging Policy Studio with risk engine; returns distributions and top movers. | Policy Guild, Policy Studio Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-RISK-68-001 | TODO | Implement scope selectors, precedence rules, and Authority attachment APIs. | Risk Profile Schema Guild, Authority Guild (src/Policy/StellaOps.Policy.RiskProfile/TASKS.md) |
| POLICY-RISK-68-002 | TODO | Add override/adjustment support with audit metadata and validation for conflicting rules. | Risk Profile Schema Guild (src/Policy/StellaOps.Policy.RiskProfile/TASKS.md) |
| POLICY-RISK-68-002 | TODO | Enable exporting/importing RiskProfiles with signatures via policy tooling (CLI + API). | Policy Guild, Export Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) |
| POLICY-RISK-69-001 | TODO | Emit events/notifications on profile publish, deprecate, and severity threshold changes. | Policy Guild, Notifications Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-RISK-70-001 | TODO | Support exporting/importing profiles with signatures for air-gapped bundles. | Policy Guild, Export Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| POLICY-SPL-23-001 | TODO | Define SPL v1 YAML + JSON Schema, including advisory rules, VEX precedence, severity mapping, exceptions, and layering metadata. Publish schema resources and validation fixtures. | Policy Guild, Language Infrastructure Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) |
| POLICY-SPL-23-002 | TODO | Implement canonicalizer that normalizes policy packs (ordering, defaults), computes content hash, and prepares bundle metadata for AOC/signing. | Policy Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) |
| POLICY-SPL-23-003 | TODO | Build policy layering/override engine (global/org/project/env/exception) with field-level precedence matrices; add unit/property tests. | Policy Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) |
| POLICY-SPL-23-004 | TODO | Design explanation tree model (rule hits, inputs, decisions) and persistence structures reused by runtime, UI, and CLI. | Policy Guild, Audit Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) |
| POLICY-SPL-23-005 | TODO | Create migration tool to snapshot existing behavior into baseline SPL packs (org.core.baseline), including policy docs and sample bundles. | Policy Guild, DevEx Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) |
| POLICY-SPL-24-001 | TODO | Extend SPL schema to expose reachability/exploitability predicates and weighting functions; update documentation and fixtures. | Policy Guild, Signals Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) |
[Policy & Reasoning] 120.C) Policy.VII Depends on: Sprint 120.C - Policy.VI Summary: Policy & Reasoning focus on Policy (phase VII).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| POLICY-TEN-48-001 | TODO | Add tenant_id/project_id columns, enable RLS, update evaluators to require tenant context, and emit rationale IDs including tenant metadata. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) |
| REGISTRY-API-27-001 | TODO | Define OpenAPI specification covering workspaces, versions, reviews, simulations, promotions, and attestations; publish typed clients for Console/CLI. | Policy Registry Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md) |
| REGISTRY-API-27-002 | TODO | Implement workspace storage (Mongo collections, object storage buckets) with CRUD endpoints, diff history, and retention policies. | Policy Registry Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md) |
| REGISTRY-API-27-003 | TODO | Integrate compile endpoint: forward source bundle to Policy Engine, persist diagnostics, symbol table, rule index, and complexity metrics. | Policy Registry Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md) |
| REGISTRY-API-27-004 | TODO | Implement quick simulation API with request limits (sample size, timeouts), returning counts, heatmap, sampled explains. | Policy Registry Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md) |
| REGISTRY-API-27-005 | TODO | Build batch simulation orchestration: enqueue shards, collect partials, reduce deltas, produce evidence bundles + signed manifest. | Policy Registry Guild, Scheduler Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md) |
| REGISTRY-API-27-006 | TODO | Implement review workflow (comments, votes, required approvers, status transitions) with audit trails and webhooks. | Policy Registry Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md) |
| REGISTRY-API-27-007 | TODO | Implement publish pipeline: sign source/compiled digests, create attestations, mark version immutable, emit events. | Policy Registry Guild, Security Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md) |
| REGISTRY-API-27-008 | TODO | Implement promotion bindings per tenant/environment with canary subsets, rollback path, and environment history. | Policy Registry Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md) |
| REGISTRY-API-27-009 | TODO | Instrument metrics/logs/traces (compile time, diagnostics rate, sim queue depth, approval latency) and expose dashboards. | Policy Registry Guild, Observability Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md) |
| REGISTRY-API-27-010 | TODO | Build unit/integration/load test suites for compile/sim/review/publish/promote flows; provide seeded fixtures for CI. | Policy Registry Guild, QA Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md) |
[Policy & Reasoning] 120.D) RiskEngine Depends on: Sprint 110.A - AdvisoryAI Summary: Policy & Reasoning focus on RiskEngine.
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| RISK-ENGINE-66-001 | TODO | Scaffold scoring service (job queue, worker loop, provider registry) with deterministic execution harness. | Risk Engine Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md) |
| RISK-ENGINE-66-002 | TODO | Implement default transforms (linear, minmax, logistic, piecewise), clamping, gating, and contribution calculator. | Risk Engine Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md) |
| RISK-ENGINE-67-001 | TODO | Integrate CVSS and KEV providers pulling data from Concelier; implement reducers (max, any, consensus). | Risk Engine Guild, Concelier Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md) |
| RISK-ENGINE-67-002 | TODO | Integrate VEX gate provider and ensure gating short-circuits scoring as configured. | Risk Engine Guild, Excitator Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md) |
| RISK-ENGINE-67-003 | TODO | Add fix availability, asset criticality, and internet exposure providers with caching + TTL enforcement. | Risk Engine Guild, Policy Engine Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md) |
| RISK-ENGINE-68-001 | TODO | Persist scoring results + explanation pointers to Findings Ledger; handle incremental updates via input hash. | Risk Engine Guild, Findings Ledger Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md) |
| RISK-ENGINE-68-002 | TODO | Expose APIs (/risk/jobs, /risk/results, /risk/results/{id}/explanation); include pagination, filtering, error codes. | Risk Engine Guild, API Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md) |
| RISK-ENGINE-69-001 | TODO | Implement simulation mode producing distributions and top movers without mutating ledger. | Risk Engine Guild, Policy Studio Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md) |
| RISK-ENGINE-69-002 | TODO | Add telemetry (spans, metrics, logs) for provider latency, job throughput, cache hits; define SLO dashboards. | Risk Engine Guild, Observability Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md) |
| RISK-ENGINE-70-001 | TODO | Support offline provider bundles with manifest verification and missing-data reporting. | Risk Engine Guild, Export Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md) |
| RISK-ENGINE-70-002 | TODO | Integrate runtime evidence provider and reachability provider outputs with caching + TTL. | Risk Engine Guild, Observability Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md) |
[Policy & Reasoning] 120.E) VexLens.I Depends on: Sprint 110.A - AdvisoryAI Summary: Policy & Reasoning focus on VexLens (phase I).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| VEXLENS-30-001 | TODO | Implement normalization pipeline for CSAF VEX, OpenVEX, CycloneDX VEX (status mapping, justification mapping, product tree parsing). | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md) |
| VEXLENS-30-002 | TODO | Build product mapping library (CPE/CPE2.3/vendor tokens → purl/version) with scope quality scoring and path metadata. | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md) |
| VEXLENS-30-003 | TODO | Integrate signature verification (Ed25519, DSSE, PKIX) using issuer keys, annotate evidence with verification state and failure reasons. | VEX Lens Guild, Issuer Directory Guild (src/VexLens/StellaOps.VexLens/TASKS.md) |
| VEXLENS-30-004 | TODO | Implement trust weighting engine (issuer base weights, signature modifiers, recency decay, justification modifiers, scope score adjustments) controlled by policy config. | VEX Lens Guild, Policy Guild (src/VexLens/StellaOps.VexLens/TASKS.md) |
| VEXLENS-30-005 | TODO | Implement consensus algorithm producing consensus_state, confidence, weights, quorum, rationale; support states: NOT_AFFECTED, AFFECTED, FIXED, UNDER_INVESTIGATION, DISPUTED, INCONCLUSIVE. | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md) |
| VEXLENS-30-006 | TODO | Materialize consensus projection storage with idempotent workers triggered by VEX/Policy changes; expose change events for downstream consumers. | VEX Lens Guild, Findings Ledger Guild (src/VexLens/StellaOps.VexLens/TASKS.md) |
| VEXLENS-30-007 | TODO | Expose APIs (/vex/consensus, /vex/consensus/query, /vex/consensus/{id}, /vex/consensus/simulate, /vex/consensus/export) with pagination, cost budgets, and OpenAPI docs. | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md) |
| VEXLENS-30-008 | TODO | Integrate consensus signals with Policy Engine (thresholds, suppression, simulation inputs) and Vuln Explorer detail view. | VEX Lens Guild, Policy Guild (src/VexLens/StellaOps.VexLens/TASKS.md) |
| VEXLENS-30-009 | TODO | Instrument metrics (vex_consensus_compute_latency, vex_consensus_disputed_total, vex_signature_verification_rate), structured logs, and traces; publish dashboards/alerts. | VEX Lens Guild, Observability Guild (src/VexLens/StellaOps.VexLens/TASKS.md) |
| VEXLENS-30-010 | TODO | Develop unit/property/integration/load tests (10M records), determinism harness, fuzz testing for malformed product trees. | VEX Lens Guild, QA Guild (src/VexLens/StellaOps.VexLens/TASKS.md) |
| VEXLENS-30-011 | TODO | Provide deployment manifests, caching configuration, scaling guides, offline kit seeds, and runbooks. | VEX Lens Guild, DevOps Guild (src/VexLens/StellaOps.VexLens/TASKS.md) |
| VEXLENS-AIAI-31-001 | TODO | Expose consensus rationale API enhancements (policy factors, issuer details, mapping issues) for Advisory AI conflict explanations. | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md) |
| VEXLENS-AIAI-31-002 | TODO | Provide caching hooks for consensus lookups used by Advisory AI (batch endpoints, TTL hints). | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md) |
| VEXLENS-EXPORT-35-001 | TODO | Provide consensus snapshot API delivering deterministic JSONL (state, confidence, provenance) for exporter mirror bundles. | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md) |
| VEXLENS-ORCH-33-001 | TODO | Register consensus_compute job type with orchestrator, integrate worker SDK, and expose job planning hooks for consensus batches. | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md) |
[Policy & Reasoning] 120.E) VexLens.II Depends on: Sprint 120.E - VexLens.I Summary: Policy & Reasoning focus on VexLens (phase II).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| VEXLENS-ORCH-34-001 | TODO | Emit consensus completion events into orchestrator run ledger and provenance chain, including confidence metadata. | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md) |
[Policy & Reasoning] 120.F) VulnExplorer Depends on: Sprint 110.A - AdvisoryAI Summary: Policy & Reasoning focus on VulnExplorer.
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| VULN-API-29-001 | TODO | Define OpenAPI spec (list/detail/query/simulation/workflow/export), query JSON schema, pagination/grouping contracts, and error codes. | Vuln Explorer API Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md) |
| VULN-API-29-002 | TODO | Implement list/query endpoints with policy parameter, grouping, server paging, caching, and cost budgets. | Vuln Explorer API Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md) |
| VULN-API-29-003 | TODO | Implement detail endpoint aggregating evidence, policy rationale, paths (Graph Explorer deep link), and workflow summary. | Vuln Explorer API Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md) |
| VULN-API-29-004 | TODO | Expose workflow endpoints (assign, comment, accept-risk, verify-fix, target-fix, reopen) that write ledger events with idempotency + validation. | Vuln Explorer API Guild, Findings Ledger Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md) |
| VULN-API-29-005 | TODO | Implement simulation endpoint comparing policy_from vs policy_to, returning diffs without side effects; hook into Policy Engine batch eval. | Vuln Explorer API Guild, Policy Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md) |
| VULN-API-29-006 | TODO | Integrate resolver results with Graph Explorer: include shortest path metadata, line up deep-link parameters, expose paths array in details. | Vuln Explorer API Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md) |
| VULN-API-29-007 | TODO | Enforce RBAC/ABAC scopes; implement CSRF/anti-forgery checks for Console; secure attachment URLs; audit logging. | Vuln Explorer API Guild, Security Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md) |
| VULN-API-29-008 | TODO | Build export orchestrator producing signed bundles (manifest, NDJSON, checksums, signature). Integrate with Findings Ledger for evidence and Policy Engine metadata. | Vuln Explorer API Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md) |
| VULN-API-29-009 | TODO | Instrument metrics (vuln_list_latency, vuln_simulation_latency, vuln_export_duration, vuln_workflow_events_total), structured logs, and traces; publish dashboards/alerts. | Vuln Explorer API Guild, Observability Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md) |
| VULN-API-29-010 | TODO | Provide unit/integration/perf tests (5M findings), fuzz query validation, determinism harness comparing repeated queries. | Vuln Explorer API Guild, QA Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md) |
| VULN-API-29-011 | TODO | Package deployment (Helm/Compose), health checks, CI smoke, offline kit steps, and scaling guidance. | Vuln Explorer API Guild, DevOps Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md) |
If all tasks are done - read next sprint section - SPRINT_130_scanner_surface.md