Sprint 160 - Export & Evidence

[Export & Evidence] 160.A) EvidenceLocker
Depends on: Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator
Summary: Export & Evidence focus on EvidenceLocker.

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EVID-OBS-53-001 | TODO | Bootstrap StellaOps.Evidence.Locker service with Postgres schema for evidence_bundles, evidence_artifacts, evidence_holds, tenant RLS, and object-store abstraction (WORM optional). | Evidence Locker Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md) |
| EVID-OBS-53-002 | TODO | Implement bundle builders for evaluation/job/export snapshots collecting inputs, outputs, env digests, run metadata. Generate Merkle tree + manifest skeletons and persist root hash. | Evidence Locker Guild, Orchestrator Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md) |
| EVID-OBS-53-003 | TODO | Expose REST APIs (`POST /evidence/snapshot`, `GET /evidence/:id`, `POST /evidence/verify`, `POST /evidence/hold/:case_id`) with audit logging, tenant enforcement, and size quotas. | Evidence Locker Guild, Security Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md) |
| EVID-OBS-54-001 | TODO | Attach DSSE signing and RFC3161 timestamping to bundle manifests; validate against Provenance verification library. Wire legal hold retention extension and chain-of-custody events for Timeline Indexer. | Evidence Locker Guild, Provenance Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md) |
| EVID-OBS-54-002 | TODO | Provide bundle download/export packaging (tgz) with checksum manifest, offline verification instructions, and sample fixture for CLI tests. | Evidence Locker Guild, DevEx/CLI Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md) |
| EVID-OBS-55-001 | TODO | Implement incident mode hooks increasing retention window, capturing additional debug artefacts, and emitting activation/deactivation events to Timeline Indexer + Notifier. | Evidence Locker Guild, DevOps Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md) |
| EVID-OBS-60-001 | TODO | Deliver portable evidence export flow for sealed environments: generate sealed bundles with checksum manifest, redacted metadata, and offline verification script. Document air-gapped import/verify procedures. | Evidence Locker Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md) |
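The bundle tasks above (Merkle root over artifact digests in EVID-OBS-53-002, DSSE-signed manifests in EVID-OBS-54-001, checksum manifest plus offline verification in EVID-OBS-54-002 and EVID-OBS-60-001) share one verification path. The following Python is an added illustration, not Evidence Locker code: it builds a manifest with per-artifact SHA-256 digests and a domain-separated Merkle root, wraps it in a DSSE envelope using the spec's PAE encoding, and verifies the bundle offline, reporting every failure rather than stopping at the first. The payload type, key id and fixture artifacts are assumptions; HMAC-SHA256 stands in for the Ed25519/KMS signer the service would use, and no RFC3161 timestamp is included.

```python
"""Offline evidence-bundle verification sketch (added example, not StellaOps code).
HMAC-SHA256 is a stand-in for the service's asymmetric/KMS signer."""
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

PAYLOAD_TYPE = "application/vnd.example.evidence-manifest+json"  # assumed name


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def merkle_root(entries: List[Tuple[str, str]]) -> str:
    """Root over (path, sha256-hex) entries. Entries are sorted by path so the
    root is deterministic; 0x00/0x01 prefixes separate leaves from inner nodes
    so a leaf can never be confused with a node (second-preimage defence)."""
    if not entries:
        return sha256_hex(b"\x00")
    level = [hashlib.sha256(b"\x00" + f"{p}\n{h}".encode()).digest()
             for p, h in sorted(entries)]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate the odd tail
        level = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding; the signature covers this, not the raw payload."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def build_bundle(artifacts: Dict[str, bytes], key: bytes, keyid: str) -> dict:
    """Produce {artifacts, envelope}: a checksum manifest + Merkle root, DSSE-wrapped."""
    entries = sorted((p, sha256_hex(b)) for p, b in artifacts.items())
    manifest = {"artifacts": [{"path": p, "sha256": h} for p, h in entries],
                "merkle_root": merkle_root(entries)}
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    envelope = {"payloadType": PAYLOAD_TYPE,
                "payload": base64.b64encode(payload).decode(),
                "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}
    return {"artifacts": dict(artifacts), "envelope": envelope}


def verify_bundle(bundle: dict, trusted_keys: Dict[str, bytes]) -> List[str]:
    """Return [] when the bundle verifies, otherwise every problem found.
    Signature is checked first: an unsigned manifest is not worth trusting for digests."""
    env = bundle["envelope"]
    if env.get("payloadType") != PAYLOAD_TYPE:
        return [f"unexpected payloadType {env.get('payloadType')!r}"]
    payload = base64.b64decode(env["payload"])
    msg = pae(env["payloadType"], payload)
    signed = False
    for s in env.get("signatures", []):
        key = trusted_keys.get(s.get("keyid"))
        if key is None:
            continue  # unknown keyid: ignore, never trust
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if hmac.compare_digest(expected, base64.b64decode(s["sig"])):
            signed = True
            break
    if not signed:
        return ["no signature verified against a trusted key"]
    problems: List[str] = []
    manifest = json.loads(payload)
    listed = {e["path"]: e["sha256"] for e in manifest["artifacts"]}
    for path, digest in listed.items():
        data = bundle["artifacts"].get(path)
        if data is None:
            problems.append(f"missing artifact {path}")
        elif sha256_hex(data) != digest:
            problems.append(f"digest mismatch for {path}")
    extra = sorted(set(bundle["artifacts"]) - set(listed))
    if extra:
        problems.append(f"unlisted artifacts: {extra}")
    # Recompute the root from what is actually on disk, not from the manifest.
    actual = [(p, sha256_hex(d)) for p, d in bundle["artifacts"].items()]
    if merkle_root(actual) != manifest["merkle_root"]:
        problems.append("merkle root mismatch")
    return problems


# Constructed fixture (not real evidence data).
KEY = b"fixture-signing-key-not-for-production"
KEYID = "evidence-locker-fixture"
SAMPLE = {"inputs/policy.json": b'{"rule":"deny-critical"}',
          "outputs/findings.json": b'[{"id":"finding-1","severity":"high"}]',
          "meta/run.json": b'{"job_id":"job-42","env_digest":"sha256:abc"}'}

if __name__ == "__main__":
    b = build_bundle(SAMPLE, KEY, KEYID)
    print("clean:", verify_bundle(b, {KEYID: KEY}))
    b["artifacts"]["outputs/findings.json"] = b"[]"
    print("tampered:", verify_bundle(b, {KEYID: KEY}))
```

The Merkle root is recomputed from the artifacts actually present, so it catches the same tampering the per-file digests do; its value is that a single hash can be persisted by the Timeline Indexer and compared without the full manifest.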

[Export & Evidence] 160.B) ExportCenter.I
Depends on: Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator
Summary: Export & Evidence focus on ExportCenter (phase I).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| DVOFF-64-001 | TODO | Implement Export Center job `devportal --offline` bundling portal HTML, specs, SDK artifacts, changelogs, and verification manifest. | DevPortal Offline Guild, Exporter Guild (src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/TASKS.md) |
| DVOFF-64-002 | TODO | Provide verification CLI (`stella devportal verify bundle.tgz`) ensuring integrity before import. | DevPortal Offline Guild, AirGap Controller Guild (src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/TASKS.md) |
| EXPORT-AIRGAP-56-001 | TODO | Extend Export Center to build Mirror Bundles as export profiles, including advisories/VEX/policy packs manifesting DSSE/TUF metadata. | Exporter Service Guild, Mirror Creator Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-AIRGAP-56-002 | TODO | Package Bootstrap Pack (images + charts) into OCI archives with signed manifests for air-gapped deployment. | Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-AIRGAP-57-001 | TODO | Integrate portable evidence export mode producing sealed evidence bundles with DSSE signatures and chain-of-custody metadata. | Exporter Service Guild, Evidence Locker Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-AIRGAP-58-001 | TODO | Emit notifications and timeline events when Mirror Bundles or Bootstrap packs are ready for transfer. | Exporter Service Guild, Notifications Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-ATTEST-74-001 | TODO | Implement export job producing attestation bundles with manifest, checksums, DSSE signature, and optional transparency log segments. | Attestation Bundle Guild, Attestor Service Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md) |
| EXPORT-ATTEST-74-001 | TODO | Implement attestation bundle export job via Export Center. | Exporter Service Guild, Attestation Bundle Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-ATTEST-74-002 | TODO | Integrate bundle job into CI/offline kit packaging with checksum publication. | Attestation Bundle Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md) |
| EXPORT-ATTEST-75-001 | TODO | Provide CLI command `stella attest bundle verify/import` for air-gap usage. | Attestation Bundle Guild, CLI Attestor Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md) |
| EXPORT-ATTEST-75-001 | TODO | Integrate attestation bundles into offline kit flows and CLI commands. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-ATTEST-75-002 | TODO | Document /docs/modules/attestor/airgap.md with bundle workflows and verification steps. | Attestation Bundle Guild, Docs Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md) |
| EXPORT-OAS-61-001 | TODO | Update Exporter OAS covering profiles, runs, downloads, devportal exports with standard error envelope and examples. | Exporter Service Guild, API Contracts Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-OAS-61-002 | TODO | Provide /.well-known/openapi discovery endpoint with version metadata and ETag. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-OAS-62-001 | TODO | Ensure SDKs include export profile/run clients with streaming download helpers; add smoke tests. | Exporter Service Guild, SDK Generator Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |

[Export & Evidence] 160.B) ExportCenter.II
Depends on: Sprint 160.B - ExportCenter.I
Summary: Export & Evidence focus on ExportCenter (phase II).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EXPORT-OAS-63-001 | TODO | Implement deprecation headers and notifications for legacy export endpoints. | Exporter Service Guild, API Governance Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-OBS-50-001 | TODO | Adopt telemetry core in exporter service + workers, ensuring spans/logs capture profile id, tenant, artifact counts, distribution type, and trace IDs. | Exporter Service Guild, Observability Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-OBS-51-001 | TODO | Emit metrics for export planner latency, bundle build time, distribution success rate, bundle size, and define SLOs (bundle availability P95 <90s). Add Grafana dashboards + burn-rate alerts. | Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-OBS-52-001 | TODO | Publish timeline events for export lifecycle (export.requested, export.built, export.distributed, export.failed) embedding manifest hashes and evidence refs. Provide dedupe + retry logic. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-OBS-53-001 | TODO | Push export manifests + distribution transcripts to evidence locker bundles, ensuring Merkle root alignment and DSSE pre-sign data available. | Exporter Service Guild, Evidence Locker Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-OBS-54-001 | TODO | Produce DSSE attestations for each export artifact and distribution target, expose verification API `/exports/{id}/attestation`, and integrate with CLI verify path. | Exporter Service Guild, Provenance Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-OBS-55-001 | TODO | Add incident mode enhancements (extra tracing for slow exports, additional debug logs, retention bump). Emit incident activation events to timeline + notifier. | Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-RISK-69-001 | TODO | Add Export Center job handler `risk-bundle` with provider selection, manifest signing, and audit logging. | Exporter Service Guild, Risk Bundle Export Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-RISK-69-002 | TODO | Enable simulation report exports pulling scored data + explainability snapshots. | Exporter Service Guild, Risk Engine Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-RISK-70-001 | TODO | Integrate risk bundle builds into offline kit packaging with checksum verification. | Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-35-001 | BLOCKED (2025-10-29) | Bootstrap exporter service project, configuration, and Postgres migrations for export_profiles, export_runs, export_inputs, export_distributions with tenant scoping + tests. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-35-002 | TODO | Implement planner + scope resolver translating filters into ledger iterators and orchestrator job payloads; include deterministic sampling and validation. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-35-003 | TODO | Deliver JSON adapters (`json:raw`, `json:policy`) with canonical normalization, redaction allowlists, compression, and manifest counts. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-35-004 | TODO | Build mirror (full) adapter producing filesystem layout, indexes, manifests, and README with download-only distribution. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-35-005 | TODO | Implement manifest/provenance writer and KMS signing/attestation (detached + embedded) for bundle outputs. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |

[Export & Evidence] 160.B) ExportCenter.III
Depends on: Sprint 160.B - ExportCenter.II
Summary: Export & Evidence focus on ExportCenter (phase III).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EXPORT-SVC-35-006 | TODO | Expose Export API (profiles, runs, download, SSE updates) with audit logging, concurrency controls, and viewer/operator RBAC integration. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-36-001 | TODO | Implement Trivy DB adapter (core) with schema mappings, version flag gating, and validation harness. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-36-002 | TODO | Add Trivy Java DB variant with shared manifest entries and adapter regression tests. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-36-003 | TODO | Build OCI distribution engine (manifests, descriptors, annotations) with registry auth support and retries. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-36-004 | TODO | Extend planner/run lifecycle for distribution targets (OCI/object storage) with idempotent metadata updates and retention timestamps. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-37-001 | TODO | Implement mirror delta adapter with base manifest comparison, change set generation, and content-addressed reuse. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-37-002 | TODO | Add bundle encryption (age/AES-GCM), key wrapping via KMS, and verification tooling for encrypted outputs. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-37-003 | TODO | Implement export scheduling (cron/event), retention pruning, retry idempotency, and failure classification. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-37-004 | TODO | Provide verification API to stream manifests/hashes, compute hash+signature checks, and return attest status for CLI/UI. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-43-001 | TODO | Integrate pack run manifests/artifacts into export bundles and CLI verification flows; expose provenance links. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-TEN-48-001 | TODO | Prefix artifacts/manifests with tenant/project, enforce scope checks, and prevent cross-tenant exports unless explicitly whitelisted; update provenance. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| RISK-BUNDLE-69-001 | TODO | Implement `stella export risk-bundle` job producing tarball with provider datasets, manifests, and DSSE signatures. | Risk Bundle Export Guild, Risk Engine Guild (src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md) |
| RISK-BUNDLE-69-002 | TODO | Integrate bundle job into CI/offline kit pipelines with checksum publication. | Risk Bundle Export Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md) |
| RISK-BUNDLE-70-001 | TODO | Provide CLI `stella risk bundle verify` command to validate bundles before import. | Risk Bundle Export Guild, CLI Guild (src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md) |
| RISK-BUNDLE-70-002 | TODO | Publish /docs/airgap/risk-bundles.md detailing build/import/verification workflows. | Risk Bundle Export Guild, Docs Guild (src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md) |

[Export & Evidence] 160.C) TimelineIndexer
Depends on: Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator
Summary: Export & Evidence focus on TimelineIndexer.

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| TIMELINE-OBS-52-001 | TODO | Bootstrap StellaOps.Timeline.Indexer service with Postgres migrations for timeline_events, timeline_event_details, timeline_event_digests; enable RLS scaffolding and deterministic migration scripts. | Timeline Indexer Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md) |
| TIMELINE-OBS-52-002 | TODO | Implement event ingestion pipeline (NATS/Redis consumers) with ordering guarantees, dedupe on (event_id, tenant_id), correlation to trace IDs, and backpressure metrics. | Timeline Indexer Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md) |
| TIMELINE-OBS-52-003 | TODO | Expose REST/gRPC APIs for timeline queries (`GET /timeline`, `/timeline/{id}`) with filters, pagination, and tenant enforcement. Provide OpenAPI + contract tests. | Timeline Indexer Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md) |
| TIMELINE-OBS-52-004 | TODO | Finalize RLS policies, scope checks (timeline:read), and audit logging for query access. Include integration tests for cross-tenant isolation and legal hold markers. | Timeline Indexer Guild, Security Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md) |
| TIMELINE-OBS-53-001 | TODO | Link timeline events to evidence bundle digests + attestation subjects; expose `/timeline/{id}/evidence` endpoint returning signed manifest references. | Timeline Indexer Guild, Evidence Locker Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md) |
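As an added illustration of the ingestion and query requirements in TIMELINE-OBS-52-002 through 52-004 (not Timeline Indexer code), the Python sketch below dedupes on (event_id, tenant_id), commits events in per-tenant sequence order while buffering early arrivals, keeps backpressure-style counters, and binds tenant_id from the caller's authenticated context on every query so a filter can never widen the scope. It uses an in-memory sqlite3 table as a stand-in for the Postgres schema and RLS; the column set, the per-tenant `seq` field and the sample events are constructed assumptions.

```python
"""Timeline ingestion/query sketch (added example, not StellaOps code).
sqlite3 stands in for Postgres; tenant binding stands in for RLS."""
import json
import sqlite3
from typing import Dict, List, Optional

# Assumed schema; `seq` is a per-tenant producer sequence used for ordering.
SCHEMA = """
CREATE TABLE timeline_events (
    tenant_id TEXT    NOT NULL,
    event_id  TEXT    NOT NULL,
    seq       INTEGER NOT NULL,
    kind      TEXT    NOT NULL,
    trace_id  TEXT,
    details   TEXT    NOT NULL,          -- canonical JSON
    PRIMARY KEY (tenant_id, event_id)    -- the dedupe key
);
CREATE UNIQUE INDEX timeline_events_seq ON timeline_events (tenant_id, seq);
"""


class TimelineIndexer:
    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)
        self.pending: Dict[str, Dict[int, dict]] = {}  # early arrivals, per tenant
        self.next_seq: Dict[str, int] = {}
        self.metrics = {"ingested": 0, "duplicates": 0, "buffered": 0}

    def ingest(self, event: dict) -> None:
        """At-least-once consumer entry point: idempotent and order-preserving."""
        tenant = event["tenant_id"]
        expected = self.next_seq.setdefault(tenant, 1)
        if event["seq"] < expected:
            self.metrics["duplicates"] += 1  # redelivery of an already committed sequence
            return
        self.pending.setdefault(tenant, {})[event["seq"]] = event
        self._drain(tenant)

    def _drain(self, tenant: str) -> None:
        """Commit contiguous sequences; hold later ones until the gap is filled."""
        buf = self.pending[tenant]
        expected = self.next_seq[tenant]
        while expected in buf:
            ev = buf.pop(expected)
            cur = self.db.execute(
                "INSERT OR IGNORE INTO timeline_events VALUES (?, ?, ?, ?, ?, ?)",
                (tenant, ev["event_id"], ev["seq"], ev["kind"], ev.get("trace_id"),
                 json.dumps(ev.get("details", {}), sort_keys=True, separators=(",", ":"))),
            )
            if cur.rowcount == 1:
                self.metrics["ingested"] += 1
            else:
                self.metrics["duplicates"] += 1  # same (tenant_id, event_id) already stored
            expected += 1
        self.next_seq[tenant] = expected
        self.metrics["buffered"] = sum(len(p) for p in self.pending.values())

    def query(self, tenant: str, kind: Optional[str] = None,
              after_seq: int = 0, limit: int = 50) -> List[dict]:
        """`tenant` must come from the authenticated principal (timeline:read scope),
        never from a request filter; every query is tenant-bound before any filter applies."""
        sql = ("SELECT event_id, seq, kind, trace_id, details FROM timeline_events "
               "WHERE tenant_id = ? AND seq > ?")
        params: list = [tenant, after_seq]
        if kind is not None:
            sql += " AND kind = ?"
            params.append(kind)
        sql += " ORDER BY seq LIMIT ?"
        params.append(limit)
        return [{"event_id": r[0], "seq": r[1], "kind": r[2], "trace_id": r[3],
                 "details": json.loads(r[4])} for r in self.db.execute(sql, params)]


# Constructed sample: out-of-order arrival, a redelivery, and an event_id reused by another tenant.
SAMPLE_EVENTS = [
    {"tenant_id": "acme", "event_id": "e-1", "seq": 1, "kind": "export.requested", "trace_id": "t-1"},
    {"tenant_id": "acme", "event_id": "e-3", "seq": 3, "kind": "export.distributed", "trace_id": "t-1"},
    {"tenant_id": "acme", "event_id": "e-1", "seq": 1, "kind": "export.requested", "trace_id": "t-1"},
    {"tenant_id": "globex", "event_id": "e-1", "seq": 1, "kind": "export.requested", "trace_id": "t-9"},
    {"tenant_id": "acme", "event_id": "e-2", "seq": 2, "kind": "export.built", "trace_id": "t-1",
     "details": {"manifest_sha256": "0" * 64}},
]


def run_sample() -> TimelineIndexer:
    idx = TimelineIndexer()
    for ev in SAMPLE_EVENTS:
        idx.ingest(ev)
    return idx


if __name__ == "__main__":
    idx = run_sample()
    print(idx.metrics)
    for row in idx.query("acme"):
        print(row["seq"], row["kind"], row["trace_id"])
```

A gap that never fills (a lost sequence number) would keep later events buffered indefinitely; a production consumer needs a timeout or a producer-side resend on top of this, and the `buffered` counter is what that alert would key on.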
If all tasks are done - read next sprint section - SPRINT_170_notifications_telemetry.md