- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform.
- Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds.
- Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies.
- Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.

Sprint 190 - Ops & Offline

[Ops & Offline] 190.A) Ops Deployment.I
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli
Summary: Ops & Offline focus on Ops Deployment (phase I).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| COMPOSE-44-001 | TODO | Author docker-compose.yml, .env.example, and quickstart.sh with all core services + dependencies (postgres, redis, object-store, queue, otel). | Deployment Guild, DevEx Guild (ops/deployment/TASKS.md) |
| COMPOSE-44-002 | TODO | Implement backup.sh and reset.sh scripts with safety prompts and documentation. | Deployment Guild (ops/deployment/TASKS.md) |
| COMPOSE-44-003 | TODO | Package seed data container and onboarding wizard toggle (QUICKSTART_MODE), ensuring default creds randomized on first run. | Deployment Guild, Docs Guild (ops/deployment/TASKS.md) |
| DEPLOY-AIAI-31-001 | TODO | Provide Helm/Compose manifests, GPU toggle, scaling/runbook, and offline kit instructions for Advisory AI service + inference container. | Deployment Guild, Advisory AI Guild (ops/deployment/TASKS.md) |
| DEPLOY-AIRGAP-46-001 | TODO | Provide instructions and scripts (load.sh) for importing air-gap bundle into private registry; update Offline Kit guide. | Deployment Guild, Offline Kit Guild (ops/deployment/TASKS.md) |
| DEPLOY-CLI-41-001 | TODO | Package CLI release artifacts (tarballs per OS/arch, checksums, signatures, completions, container image) and publish distribution docs. | Deployment Guild, DevEx/CLI Guild (ops/deployment/TASKS.md) |
| DEPLOY-COMPOSE-44-001 | TODO | Finalize Quickstart scripts (quickstart.sh, backup.sh, reset.sh), seed data container, and publish README with imposed rule reminder. | Deployment Guild (ops/deployment/TASKS.md) |
| DEPLOY-EXPORT-35-001 | BLOCKED (2025-10-29) | Package exporter service/worker Helm overlays (download-only), document rollout/rollback, and integrate signing KMS secrets. | Deployment Guild, Exporter Service Guild (ops/deployment/TASKS.md) |
| DEPLOY-EXPORT-36-001 | TODO | Document OCI/object storage distribution workflows, registry credential automation, and monitoring hooks for exports. | Deployment Guild, Exporter Service Guild (ops/deployment/TASKS.md) |
| DEPLOY-HELM-45-001 | TODO | Publish Helm install guide and sample values for prod/airgap; integrate with docs site build. | Deployment Guild (ops/deployment/TASKS.md) |
| DEPLOY-NOTIFY-38-001 | BLOCKED (2025-10-29) | Package notifier API/worker Helm overlays (email/chat/webhook), secrets templates, rollout guide. | Deployment Guild, DevOps Guild (ops/deployment/TASKS.md) |
| DEPLOY-ORCH-34-001 | TODO | Provide orchestrator Helm/Compose manifests, scaling defaults, secret templates, offline kit instructions, and GA rollout/rollback playbook. | Deployment Guild, Orchestrator Service Guild (ops/deployment/TASKS.md) |
| DEPLOY-PACKS-42-001 | TODO | Provide deployment manifests for packs-registry and task-runner services, including Helm/Compose overlays, scaling defaults, and secret templates. | Deployment Guild, Packs Registry Guild (ops/deployment/TASKS.md) |
| DEPLOY-PACKS-43-001 | TODO | Ship remote Task Runner worker profiles, object storage bootstrap, approval workflow integration, and Offline Kit packaging instructions. | Deployment Guild, Task Runner Guild (ops/deployment/TASKS.md) |
| DEPLOY-POLICY-27-001 | TODO | Produce Helm/Compose overlays for Policy Registry + simulation workers, including Mongo migrations, object storage buckets, signing key secrets, and tenancy defaults. | Deployment Guild, Policy Registry Guild (ops/deployment/TASKS.md) |

[Ops & Offline] 190.A) Ops Deployment.II
Depends on: Sprint 190.A - Ops Deployment.I
Summary: Ops & Offline focus on Ops Deployment (phase II).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| DEPLOY-POLICY-27-002 | TODO | Document rollout/rollback playbooks for policy publish/promote (canary strategy, emergency freeze toggle, evidence retrieval) under /docs/runbooks/policy-incident.md. | Deployment Guild, Policy Guild (ops/deployment/TASKS.md) |
| DEPLOY-VEX-30-001 | TODO | Provide Helm/Compose overlays, scaling defaults, and offline kit instructions for VEX Lens service. | Deployment Guild, VEX Lens Guild (ops/deployment/TASKS.md) |
| DEPLOY-VEX-30-002 | TODO | Package Issuer Directory deployment manifests, backups, and security hardening guidance. | Deployment Guild, Issuer Directory Guild (ops/deployment/TASKS.md) |
| DEPLOY-VULN-29-001 | TODO | Produce Helm/Compose overlays for Findings Ledger + projector, including DB migrations, Merkle anchor jobs, and scaling guidance. | Deployment Guild, Findings Ledger Guild (ops/deployment/TASKS.md) |
| DEPLOY-VULN-29-002 | TODO | Package stella-vuln-explorer-api deployment manifests, health checks, autoscaling policies, and offline kit instructions with signed images. | Deployment Guild, Vuln Explorer API Guild (ops/deployment/TASKS.md) |
| DOWNLOADS-CONSOLE-23-001 | TODO | Maintain signed downloads manifest pipeline (images, Helm, offline bundles), publish JSON under deploy/downloads/manifest.json, and document sync cadence for Console + docs parity. | Deployment Guild, DevOps Guild (ops/deployment/TASKS.md) |
| HELM-45-001 | TODO | Scaffold deploy/helm/stella chart with values, component toggles, and pinned image digests for all services; include migration Job templates. | Deployment Guild (ops/deployment/TASKS.md) |
| HELM-45-002 | TODO | Add TLS/Ingress, NetworkPolicy, PodSecurityContexts, Secrets integration (external secrets), and document security posture. | Deployment Guild, Security Guild (ops/deployment/TASKS.md) |
| HELM-45-003 | TODO | Implement HPA, PDB, readiness gates, Prometheus scraping annotations, OTel configuration hooks, and upgrade hooks. | Deployment Guild, Observability Guild (ops/deployment/TASKS.md) |

[Ops & Offline] 190.B) Ops Devops.I
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli
Summary: Ops & Offline focus on Ops Devops (phase I).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| DEVOPS-AIAI-31-001 | TODO | Stand up CI pipelines, inference monitoring, privacy logging review, and perf dashboards for Advisory AI (summaries/conflicts/remediation). | DevOps Guild, Advisory AI Guild (ops/devops/TASKS.md) |
| DEVOPS-AIRGAP-56-001 | TODO | Ship deny-all egress policies for Kubernetes (NetworkPolicy/eBPF) and docker-compose firewall rules; provide verification script for sealed mode. | DevOps Guild (ops/devops/TASKS.md) |
| DEVOPS-AIRGAP-56-002 | TODO | Provide import tooling for bundle staging: checksum validation, offline object-store loader scripts, removable media guidance. | DevOps Guild, AirGap Importer Guild (ops/devops/TASKS.md) |
| DEVOPS-AIRGAP-56-003 | TODO | Build Bootstrap Pack pipeline bundling images/charts, generating checksums, and publishing manifest for offline transfer. | DevOps Guild, Container Distribution Guild (ops/devops/TASKS.md) |
| DEVOPS-AIRGAP-57-001 | TODO | Automate Mirror Bundle creation jobs with dual-control approvals, artifact signing, and checksum publication. | DevOps Guild, Mirror Creator Guild (ops/devops/TASKS.md) |
| DEVOPS-AIRGAP-57-002 | TODO | Configure sealed-mode CI tests that run services with sealed flag and ensure no egress occurs (iptables + mock DNS). | DevOps Guild, Authority Guild (ops/devops/TASKS.md) |
| DEVOPS-AIRGAP-58-001 | TODO | Provide local SMTP/syslog container templates and health checks for sealed environments; integrate into Bootstrap Pack. | DevOps Guild, Notifications Guild (ops/devops/TASKS.md) |
| DEVOPS-AIRGAP-58-002 | TODO | Ship sealed-mode observability stack (Prometheus/Grafana/Tempo/Loki) pre-configured with offline dashboards and no remote exporters. | DevOps Guild, Observability Guild (ops/devops/TASKS.md) |
| DEVOPS-AOC-19-001 | BLOCKED (2025-10-26) | Integrate the AOC Roslyn analyzer and guard tests into CI, failing builds when ingestion projects attempt banned writes. | DevOps Guild, Platform Guild (ops/devops/TASKS.md) |
| DEVOPS-AOC-19-002 | BLOCKED (2025-10-26) | Add pipeline stage executing stella aoc verify --since against seeded Mongo snapshots for Concelier + Excititor, publishing violation report artefacts. | DevOps Guild (ops/devops/TASKS.md) |
| DEVOPS-AOC-19-003 | BLOCKED (2025-10-26) | Enforce unit test coverage thresholds for AOC guard suites and ensure coverage exported to dashboards. | DevOps Guild, QA Guild (ops/devops/TASKS.md) |
| DEVOPS-AOC-19-101 | TODO (2025-10-28) | Draft supersedes backfill rollout (freeze window, dry-run steps, rollback) once advisory_raw idempotency index passes staging verification. | DevOps Guild, Concelier Storage Guild (ops/devops/TASKS.md) |
| DEVOPS-ATTEST-73-001 | TODO | Provision CI pipelines for attestor service (lint/test/security scan, seed data) and manage secrets for KMS drivers. | DevOps Guild, Attestor Service Guild (ops/devops/TASKS.md) |
| DEVOPS-ATTEST-73-002 | TODO | Establish secure storage for signing keys (vault integration, rotation schedule) and audit logging. | DevOps Guild, KMS Guild (ops/devops/TASKS.md) |
| DEVOPS-ATTEST-74-001 | TODO | Deploy transparency log witness infrastructure and monitoring. | DevOps Guild, Transparency Guild (ops/devops/TASKS.md) |

[Ops & Offline] 190.B) Ops Devops.II
Depends on: Sprint 190.B - Ops Devops.I
Summary: Ops & Offline focus on Ops Devops (phase II).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| DEVOPS-ATTEST-74-002 | TODO | Integrate attestation bundle builds into release/offline pipelines with checksum verification. | DevOps Guild, Export Attestation Guild (ops/devops/TASKS.md) |
| DEVOPS-ATTEST-75-001 | TODO | Add dashboards/alerts for signing latency, verification failures, key rotation events. | DevOps Guild, Observability Guild (ops/devops/TASKS.md) |
| DEVOPS-CLI-41-001 | TODO | Establish CLI build pipeline (multi-platform binaries, SBOM, checksums), parity matrix CI enforcement, and release artifact signing. | DevOps Guild, DevEx/CLI Guild (ops/devops/TASKS.md) |
| DEVOPS-CLI-42-001 | TODO | Add CLI golden output tests, parity diff automation, pack run CI harness, and artifact cache for remote mode. | DevOps Guild (ops/devops/TASKS.md) |
| DEVOPS-CLI-43-001 | DOING (2025-10-27) | Finalize multi-platform release automation, SBOM signing, parity gate enforcement, and Task Pack chaos tests. | DevOps Guild (ops/devops/TASKS.md) |
| DEVOPS-CLI-43-002 | TODO | Implement Task Pack chaos smoke in CI (random failure injection, resume, sealed-mode toggle) and publish evidence bundles for review. | DevOps Guild, Task Runner Guild (ops/devops/TASKS.md) |
| DEVOPS-CLI-43-003 | TODO | Integrate CLI golden output/parity diff automation into release gating; export parity report artifact consumed by Console Downloads workspace. | DevOps Guild, DevEx/CLI Guild (ops/devops/TASKS.md) |
| DEVOPS-CONSOLE-23-001 | BLOCKED (2025-10-26) | Add console CI workflow (pnpm cache, lint, type-check, unit, Storybook a11y, Playwright, Lighthouse) with offline runners and artifact retention for screenshots/reports. | DevOps Guild, Console Guild (ops/devops/TASKS.md) |
| DEVOPS-CONSOLE-23-002 | TODO | Produce stella-console container build + Helm chart overlays with deterministic digests, SBOM/provenance artefacts, and offline bundle packaging scripts. | DevOps Guild, Console Guild (ops/devops/TASKS.md) |
| DEVOPS-CONTAINERS-44-001 | TODO | Automate multi-arch image builds with buildx, SBOM generation, cosign signing, and signature verification in CI. | DevOps Guild (ops/devops/TASKS.md) |
| DEVOPS-CONTAINERS-45-001 | TODO | Add Compose and Helm smoke tests (fresh VM + kind cluster) to CI; publish test artifacts and logs. | DevOps Guild (ops/devops/TASKS.md) |
| DEVOPS-CONTAINERS-46-001 | TODO | Build air-gap bundle generator (src/Tools/make-airgap-bundle.sh), produce signed bundle, and verify in CI using private registry. | DevOps Guild (ops/devops/TASKS.md) |
| DEVOPS-DEVPORT-63-001 | TODO | Automate developer portal build pipeline with caching, link & accessibility checks, performance budgets. | DevOps Guild, Developer Portal Guild (ops/devops/TASKS.md) |
| DEVOPS-DEVPORT-64-001 | TODO | Schedule devportal --offline nightly builds with checksum validation and artifact retention policies. | DevOps Guild, DevPortal Offline Guild (ops/devops/TASKS.md) |
| DEVOPS-EXPORT-35-001 | BLOCKED (2025-10-29) | Establish exporter CI pipeline (lint/test/perf smoke), configure object storage fixtures, seed Grafana dashboards, and document bootstrap steps. | DevOps Guild, Exporter Service Guild (ops/devops/TASKS.md) |

[Ops & Offline] 190.B) Ops Devops.III
Depends on: Sprint 190.B - Ops Devops.II
Summary: Ops & Offline focus on Ops Devops (phase III).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| DEVOPS-EXPORT-36-001 | TODO | Integrate Trivy compatibility validation, cosign signature checks, trivy module db import smoke tests, OCI distribution verification, and throughput/error dashboards. | DevOps Guild, Exporter Service Guild (ops/devops/TASKS.md) |
| DEVOPS-EXPORT-37-001 | TODO | Finalize exporter monitoring (failure alerts, verify metrics, retention jobs) and chaos/latency tests ahead of GA. | DevOps Guild, Exporter Service Guild (ops/devops/TASKS.md) |
| DEVOPS-GRAPH-24-001 | TODO | Load test graph index/adjacency APIs with 40k-node assets; capture perf dashboards and alert thresholds. | DevOps Guild, SBOM Service Guild (ops/devops/TASKS.md) |
| DEVOPS-GRAPH-24-002 | TODO | Integrate synthetic UI perf runs (Playwright/WebGL metrics) for Graph/Vuln explorers; fail builds on regression. | DevOps Guild, UI Guild (ops/devops/TASKS.md) |
| DEVOPS-GRAPH-24-003 | TODO | Implement smoke job for simulation endpoints ensuring we stay within SLA (<3s upgrade) and log results. | DevOps Guild (ops/devops/TASKS.md) |
| DEVOPS-LNM-22-001 | BLOCKED (2025-10-27) | Run migration/backfill pipelines for advisory observations/linksets in staging, validate counts/conflicts, and automate deployment steps. Awaiting storage backfill tooling. | DevOps Guild, Concelier Guild (ops/devops/TASKS.md) |
| DEVOPS-LNM-22-002 | BLOCKED (2025-10-27) | Execute VEX observation/linkset backfill with monitoring; ensure NATS/Redis events integrated; document ops runbook. Blocked until Excititor storage migration lands. | DevOps Guild, Excititor Guild (ops/devops/TASKS.md) |
| DEVOPS-LNM-22-003 | TODO | Add CI/monitoring coverage for new metrics (advisory_observations_total, linksets_total, etc.) and alerts on ingest-to-API SLA breaches. | DevOps Guild, Observability Guild (ops/devops/TASKS.md) |
| DEVOPS-OAS-61-001 | TODO | Add CI stages for OpenAPI linting, validation, and compatibility diff; enforce gating on PRs. | DevOps Guild, API Contracts Guild (ops/devops/TASKS.md) |
| DEVOPS-OAS-61-002 | TODO | Integrate mock server + contract test suite into PR and nightly workflows; publish artifacts. | DevOps Guild, Contract Testing Guild (ops/devops/TASKS.md) |
| DEVOPS-OBS-50-002 | DOING (2025-10-26) | Stand up multi-tenant storage backends (Prometheus, Tempo/Jaeger, Loki) with retention policies, tenant isolation, and redaction guard rails. Integrate with Authority scopes for read paths. | DevOps Guild, Security Guild (ops/devops/TASKS.md) |
| DEVOPS-OBS-51-001 | TODO | Implement SLO evaluator service (burn rate calculators, webhook emitters), Grafana dashboards, and alert routing to Notifier. Provide Terraform/Helm automation. | DevOps Guild, Observability Guild (ops/devops/TASKS.md) |
| DEVOPS-OBS-52-001 | TODO | Configure streaming pipeline (NATS/Redis/Kafka) with retention, partitioning, and backpressure tuning for timeline events; add CI validation of schema + rate caps. | DevOps Guild, Timeline Indexer Guild (ops/devops/TASKS.md) |
| DEVOPS-OBS-53-001 | TODO | Provision object storage with WORM/retention options (S3 Object Lock / MinIO immutability), legal hold automation, and backup/restore scripts for evidence locker. | DevOps Guild, Evidence Locker Guild (ops/devops/TASKS.md) |
| DEVOPS-OBS-54-001 | TODO | Manage provenance signing infrastructure (KMS keys, rotation schedule, timestamp authority integration) and integrate verification jobs into CI. | DevOps Guild, Security Guild (ops/devops/TASKS.md) |

[Ops & Offline] 190.B) Ops Devops.IV
Depends on: Sprint 190.B - Ops Devops.III
Summary: Ops & Offline focus on Ops Devops (phase IV).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| DEVOPS-OBS-55-001 | TODO | Implement incident mode automation: feature flag service, auto-activation via SLO burn-rate, retention override management, and post-incident reset job. | DevOps Guild, Ops Guild (ops/devops/TASKS.md) |
| DEVOPS-ORCH-32-001 | TODO | Provision orchestrator Postgres/message-bus infrastructure, add CI smoke deploy, seed Grafana dashboards (queue depth, inflight jobs), and document bootstrap. | DevOps Guild, Orchestrator Service Guild (ops/devops/TASKS.md) |
| DEVOPS-ORCH-33-001 | TODO | Publish Grafana dashboards/alerts for rate limiter, backpressure, error clustering, and DLQ depth; integrate with on-call rotations. | DevOps Guild, Observability Guild (ops/devops/TASKS.md) |
| DEVOPS-ORCH-34-001 | TODO | Harden production monitoring (synthetic probes, burn-rate alerts, replay smoke), document incident response, and prep GA readiness checklist. | DevOps Guild, Orchestrator Service Guild (ops/devops/TASKS.md) |
| DEVOPS-POLICY-27-001 | TODO | Add CI pipeline stages to run `stella policy lint` … | DevOps Guild, DevEx/CLI Guild (ops/devops/TASKS.md) |
| DEVOPS-POLICY-27-002 | TODO | Provide optional batch simulation CI job (staging inventory) that triggers Registry run, polls results, and posts markdown summary to PR; enforce drift thresholds. | DevOps Guild, Policy Registry Guild (ops/devops/TASKS.md) |
| DEVOPS-POLICY-27-003 | TODO | Manage signing key material for policy publish pipeline (OIDC workload identity + cosign), rotate keys, and document verification steps; integrate attestation verification stage. | DevOps Guild, Security Guild (ops/devops/TASKS.md) |
| DEVOPS-POLICY-27-004 | TODO | Create dashboards/alerts for policy compile latency, simulation queue depth, approval latency, and promotion outcomes; integrate with on-call playbooks. | DevOps Guild, Observability Guild (ops/devops/TASKS.md) |
| DEVOPS-REL-17-004 | BLOCKED (2025-10-26) | Ensure release workflow publishes out/release/debug (build-id tree + manifest) and fails when symbols are missing. | DevOps Guild (ops/devops/TASKS.md) |
| DEVOPS-RULES-33-001 | REVIEW (2025-10-30) | Contracts & Rules anchor: • Gateway proxies only; Policy Engine composes overlays/simulations. • AOC ingestion cannot merge; only lossless canonicalization. • One graph platform: Graph Indexer + Graph API. Cartographer retired. | DevOps Guild, Platform Leads (ops/devops/TASKS.md) |
| DEVOPS-SDK-63-001 | TODO | Provision registry credentials, signing keys, and secure storage for SDK publishing pipelines. | DevOps Guild, SDK Release Guild (ops/devops/TASKS.md) |
| DEVOPS-SIG-26-001 | TODO | Provision CI/CD pipelines, Helm/Compose manifests for Signals service, including artifact storage and Redis dependencies. | DevOps Guild, Signals Guild (ops/devops/TASKS.md) |
| DEVOPS-SIG-26-002 | TODO | Create dashboards/alerts for reachability scoring latency, cache hit rates, sensor staleness. | DevOps Guild, Observability Guild (ops/devops/TASKS.md) |
| DEVOPS-TEN-47-001 | TODO | Add JWKS cache monitoring, signature verification regression tests, and token expiration chaos tests to CI. | DevOps Guild (ops/devops/TASKS.md) |
| DEVOPS-TEN-48-001 | TODO | Build integration tests to assert RLS enforcement, tenant-prefixed object storage, and audit event emission; set up lint to prevent raw SQL bypass. | DevOps Guild (ops/devops/TASKS.md) |

[Ops & Offline] 190.B) Ops Devops.V
Depends on: Sprint 190.B - Ops Devops.IV
Summary: Ops & Offline focus on Ops Devops (phase V).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| DEVOPS-TEN-49-001 | TODO | Deploy audit pipeline, scope usage metrics, JWKS outage chaos tests, and tenant load/perf benchmarks. | DevOps Guild (ops/devops/TASKS.md) |
| DEVOPS-VEX-30-001 | TODO | Provision CI, load tests, dashboards, alerts for VEX Lens and Issuer Directory (compute latency, disputed totals, signature verification rates). | DevOps Guild, VEX Lens Guild (ops/devops/TASKS.md) |
| DEVOPS-VULN-29-001 | TODO | Provision CI jobs for ledger projector (replay, determinism), set up backups, monitor Merkle anchoring, and automate verification. | DevOps Guild, Findings Ledger Guild (ops/devops/TASKS.md) |
| DEVOPS-VULN-29-002 | TODO | Configure load/perf tests (5M findings/tenant), query budget enforcement, API SLO dashboards, and alerts for vuln_list_latency and projection_lag. | DevOps Guild, Vuln Explorer API Guild (ops/devops/TASKS.md) |
| DEVOPS-VULN-29-003 | TODO | Instrument analytics pipeline for Vuln Explorer (telemetry ingestion, query hashes), ensure compliance with privacy/PII guardrails, and update observability docs. | DevOps Guild, Console Guild (ops/devops/TASKS.md) |
| DOCKER-44-001 | TODO | Author multi-stage Dockerfiles for all core services (API, Console, Orchestrator, Task Runner, Concelier, Excititor, Policy, Notify, Export, AI) with non-root users, read-only file systems, and health scripts. | DevOps Guild, Service Owners (ops/devops/TASKS.md) |
| DOCKER-44-002 | TODO | Generate SBOMs and cosign attestations for each image and integrate verification into CI. | DevOps Guild (ops/devops/TASKS.md) |
| DOCKER-44-003 | TODO | Implement /health/liveness, /health/readiness, /version, /metrics, and ensure capability endpoint returns merge=false for Concelier/Excititor. | DevOps Guild (ops/devops/TASKS.md) |
| OPS-ENV-01 | TODO | Update deployment manifests (Helm/Compose) and configuration docs to include Surface.Env variables for Scanner and Zastava services. | DevOps Guild, Scanner Guild (ops/devops/TASKS.md) |
| OPS-SECRETS-01 | TODO | Define secret provisioning workflow (Kubernetes, Compose, Offline Kit) for Surface.Secrets references and update runbooks. | DevOps Guild, Security Guild (ops/devops/TASKS.md) |
| OPS-SECRETS-02 | TODO | Embed Surface.Secrets material (encrypted bundles, manifests) into offline kit packaging scripts. | DevOps Guild, Offline Kit Guild (ops/devops/TASKS.md) |

[Ops & Offline] 190.C) Ops Offline Kit
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli
Summary: Ops & Offline focus on Ops Offline Kit.

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| CLI-PACKS-43-002 | TODO | Bundle Task Pack samples, registry mirror seeds, Task Runner configs, and CLI binaries with checksums into Offline Kit. | Offline Kit Guild, Packs Registry Guild (ops/offline-kit/TASKS.md) |
| DEVOPS-OFFLINE-17-004 | BLOCKED (2025-10-26) | Execute mirror_debug_store.py after the next release pipeline emits out/release/debug, verify manifest hashes, and archive metadata/debug-store.json with the kit. | Offline Kit Guild, DevOps Guild (ops/offline-kit/TASKS.md) |
| DEVOPS-OFFLINE-34-006 | TODO | Bundle orchestrator service container, worker SDK samples, Postgres snapshot, and dashboards into Offline Kit with manifest/signature updates. | Offline Kit Guild, Orchestrator Service Guild (ops/offline-kit/TASKS.md) |
| DEVOPS-OFFLINE-37-001 | TODO | Export Center offline bundles + verification tooling (mirror artefacts, verification CLI, manifest/signature refresh, air-gap import script). | Offline Kit Guild, Exporter Service Guild (ops/offline-kit/TASKS.md) |
| DEVOPS-OFFLINE-37-002 | TODO | Notifier offline packs (sample configs, template/digest packs, dry-run harness) with integrity checks and operator docs. | Offline Kit Guild, Notifications Service Guild (ops/offline-kit/TASKS.md) |
| OFFLINE-CONTAINERS-46-001 | TODO | Include container air-gap bundle, verification docs, and mirrored registry instructions inside Offline Kit. | Offline Kit Guild, Deployment Guild (ops/offline-kit/TASKS.md) |
| OPS-SECRETS-02 | TODO | Add Surface.Secrets bundles (encrypted creds, manifests) to Offline Kit packaging plus verification script. | Offline Kit Guild, DevOps Guild (ops/offline-kit/TASKS.md) |

[Ops & Offline] 190.D) Samples
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli
Summary: Ops & Offline focus on Samples.

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| SAMPLES-GRAPH-24-003 | TODO | Generate large-scale SBOM graph fixture (≈40k nodes) with policy overlay snapshot for performance regression suites. | Samples Guild, SBOM Service Guild (samples/TASKS.md) |
| SAMPLES-GRAPH-24-004 | TODO | Create vulnerability explorer JSON/CSV fixtures capturing conflicting evidence and policy outputs for UI/CLI automated tests. | Samples Guild, UI Guild (samples/TASKS.md) |
| SAMPLES-LNM-22-001 | BLOCKED (2025-10-27) | Create advisory observation/linkset fixtures (NVD, GHSA, OSV disagreements) for API/CLI/UI tests with documented conflicts. Waiting on finalized schema/linkset outputs. | Samples Guild, Concelier Guild (samples/TASKS.md) |
| SAMPLES-LNM-22-002 | BLOCKED (2025-10-27) | Produce VEX observation/linkset fixtures demonstrating status conflicts and path relevance; include raw blobs. Pending Excititor observation/linkset implementation. | Samples Guild, Excititor Guild (samples/TASKS.md) |

[Ops & Offline] 190.E) AirGap
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli
Summary: Ops & Offline focus on AirGap.

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| AIRGAP-CTL-56-001 | TODO | Implement airgap_state persistence, seal/unseal state machine, and Authority scope checks (airgap:seal, airgap:status:read). | AirGap Controller Guild (src/AirGap/StellaOps.AirGap.Controller/TASKS.md) |
| AIRGAP-CTL-56-002 | TODO | Expose GET /system/airgap/status, POST /system/airgap/seal, integrate policy hash validation, and return staleness/time anchor placeholders. | AirGap Controller Guild, DevOps Guild (src/AirGap/StellaOps.AirGap.Controller/TASKS.md) |
| AIRGAP-CTL-57-001 | TODO | Add startup diagnostics that block application run when sealed flag set but egress policies missing; emit audit + telemetry. | AirGap Controller Guild (src/AirGap/StellaOps.AirGap.Controller/TASKS.md) |
| AIRGAP-CTL-57-002 | TODO | Instrument seal/unseal events with trace/log fields and timeline emission (airgap.sealed, airgap.unsealed). | AirGap Controller Guild, Observability Guild (src/AirGap/StellaOps.AirGap.Controller/TASKS.md) |
| AIRGAP-CTL-58-001 | TODO | Persist time anchor metadata, compute drift seconds, and surface staleness budgets in status API. | AirGap Controller Guild, AirGap Time Guild (src/AirGap/StellaOps.AirGap.Controller/TASKS.md) |
| AIRGAP-IMP-56-001 | TODO | Implement DSSE verification helpers, TUF metadata parser (root.json, snapshot.json, timestamp.json), and Merkle root calculator. | AirGap Importer Guild (src/AirGap/StellaOps.AirGap.Importer/TASKS.md) |
| AIRGAP-IMP-56-002 | TODO | Introduce root rotation policy validation (dual approval) and signer trust store management. | AirGap Importer Guild, Security Guild (src/AirGap/StellaOps.AirGap.Importer/TASKS.md) |
| AIRGAP-IMP-57-001 | TODO | Write bundle_catalog and bundle_items repositories with RLS + deterministic migrations. | AirGap Importer Guild (src/AirGap/StellaOps.AirGap.Importer/TASKS.md) |
| AIRGAP-IMP-57-002 | TODO | Implement object-store loader storing artifacts under tenant/global mirror paths with Zstandard decompression and checksum validation. | AirGap Importer Guild, DevOps Guild (src/AirGap/StellaOps.AirGap.Importer/TASKS.md) |
| AIRGAP-IMP-58-001 | TODO | Implement API (POST /airgap/import, /airgap/verify) and CLI commands wiring verification + catalog updates, including diff preview. | AirGap Importer Guild, CLI Guild (src/AirGap/StellaOps.AirGap.Importer/TASKS.md) |
| AIRGAP-IMP-58-002 | TODO | Emit timeline events (`airgap.import.started`, …). | AirGap Importer Guild, Observability Guild (src/AirGap/StellaOps.AirGap.Importer/TASKS.md) |
| AIRGAP-TIME-57-001 | TODO | Implement signed time token parser (Roughtime/RFC3161), verify signatures against bundle trust roots, and expose normalized anchor representation. | AirGap Time Guild (src/AirGap/StellaOps.AirGap.Time/TASKS.md) |
| AIRGAP-TIME-57-002 | TODO | Add telemetry counters for time anchors (airgap_time_anchor_age_seconds) and alerts for approaching thresholds. | AirGap Time Guild, Observability Guild (src/AirGap/StellaOps.AirGap.Time/TASKS.md) |
| AIRGAP-TIME-58-001 | TODO | Persist drift baseline, compute per-content staleness (advisories, VEX, policy) based on bundle metadata, and surface through controller status API. | AirGap Time Guild (src/AirGap/StellaOps.AirGap.Time/TASKS.md) |
| AIRGAP-TIME-58-002 | TODO | Emit notifications and timeline events when staleness budgets breached or approaching. | AirGap Time Guild, Notifications Guild (src/AirGap/StellaOps.AirGap.Time/TASKS.md) |

[Ops & Offline] 190.F) Api
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli
Summary: Ops & Offline focus on Api.

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| APIGOV-61-001 | TODO | Configure spectral/linters with Stella rules; add CI job failing on violations. | API Governance Guild (src/Api/StellaOps.Api.Governance/TASKS.md) |
| APIGOV-61-002 | TODO | Implement example coverage checker ensuring every operation has at least one request/response example. | API Governance Guild (src/Api/StellaOps.Api.Governance/TASKS.md) |
| APIGOV-62-001 | TODO | Build compatibility diff tool producing additive/breaking reports comparing prior release. | API Governance Guild (src/Api/StellaOps.Api.Governance/TASKS.md) |
| APIGOV-62-002 | TODO | Automate changelog generation and publish signed artifacts to src/Sdk/StellaOps.Sdk.Release pipeline. | API Governance Guild, DevOps Guild (src/Api/StellaOps.Api.Governance/TASKS.md) |
| APIGOV-63-001 | TODO | Integrate deprecation metadata into Notification Studio templates for API sunset events. | API Governance Guild, Notifications Guild (src/Api/StellaOps.Api.Governance/TASKS.md) |
| OAS-61-001 | TODO | Scaffold per-service OpenAPI 3.1 files with shared components, info blocks, and initial path stubs. | API Contracts Guild (src/Api/StellaOps.Api.OpenApi/TASKS.md) |
| OAS-61-002 | TODO | Implement aggregate composer (stella.yaml) resolving $refs and merging shared components; wire into CI. | API Contracts Guild, DevOps Guild (src/Api/StellaOps.Api.OpenApi/TASKS.md) |
| OAS-62-001 | TODO | Populate request/response examples for top 50 endpoints, including standard error envelope. | API Contracts Guild, Service Guilds (src/Api/StellaOps.Api.OpenApi/TASKS.md) |
| OAS-62-002 | TODO | Add custom lint rules enforcing pagination, idempotency headers, naming conventions, and example coverage. | API Contracts Guild (src/Api/StellaOps.Api.OpenApi/TASKS.md) |
| OAS-63-001 | TODO | Implement compatibility diff tooling comparing previous release specs; classify breaking vs additive changes. | API Contracts Guild (src/Api/StellaOps.Api.OpenApi/TASKS.md) |
| OAS-63-002 | TODO | Add /.well-known/openapi discovery endpoint schema metadata (extensions, version info). | API Contracts Guild, Gateway Guild (src/Api/StellaOps.Api.OpenApi/TASKS.md) |
[Ops & Offline] 190.G) Bench Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli Summary: Ops & Offline focus on Bench.
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| BENCH-GRAPH-21-001 | BLOCKED (2025-10-27) | Build graph viewport/path benchmark harness (50k/100k nodes) measuring Graph API/Indexer latency, memory, and tile cache hit rates. (Executed within Sprint 28 Graph program). | Bench Guild, Graph Platform Guild (src/Bench/StellaOps.Bench/TASKS.md) |
| BENCH-GRAPH-21-002 | BLOCKED (2025-10-27) | Add headless UI load benchmark (Playwright) for graph canvas interactions to track render times and FPS budgets. (Executed within Sprint 28 Graph program). | Bench Guild, UI Guild (src/Bench/StellaOps.Bench/TASKS.md) |
| BENCH-GRAPH-24-002 | TODO | Implement UI interaction benchmarks (filter/zoom/table operations) citing p95 latency; integrate with perf dashboards. | Bench Guild, UI Guild (src/Bench/StellaOps.Bench/TASKS.md) |
| BENCH-IMPACT-16-001 | TODO | ImpactIndex throughput bench (resolve 10k productKeys) + RAM profile. | Bench Guild, Scheduler Team (src/Bench/StellaOps.Bench/TASKS.md) |
| BENCH-POLICY-20-002 | TODO | Add incremental run benchmark measuring delta evaluation vs full; capture SLA compliance. | Bench Guild, Policy Guild, Scheduler Guild (src/Bench/StellaOps.Bench/TASKS.md) |
| BENCH-SIG-26-001 | TODO | Develop benchmark for reachability scoring pipeline (facts/sec, latency, memory) using synthetic callgraphs/runtime batches. | Bench Guild, Signals Guild (src/Bench/StellaOps.Bench/TASKS.md) |
| BENCH-SIG-26-002 | TODO | Measure policy evaluation overhead with reachability cache hot/cold; ensure ≤8 ms p95 added latency. | Bench Guild, Policy Guild (src/Bench/StellaOps.Bench/TASKS.md) |
[Ops & Offline] 190.H) Provenance Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli Summary: Ops & Offline focus on Provenance.
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| PROV-OBS-53-001 | TODO | Implement DSSE/SLSA BuildDefinition + BuildMetadata models with canonical JSON serializer, Merkle digest helpers, and deterministic hashing tests. Publish sample statements for orchestrator/job/export subjects. | Provenance Guild (src/Provenance/StellaOps.Provenance.Attestation/TASKS.md) |
| PROV-OBS-53-002 | TODO | Build signer abstraction (cosign/KMS/offline) with key rotation hooks, audit logging, and policy enforcement (required claims). Provide unit tests using fake signer + real cosign fixture. | Provenance Guild, Security Guild (src/Provenance/StellaOps.Provenance.Attestation/TASKS.md) |
| PROV-OBS-54-001 | TODO | Deliver verification library that validates DSSE signatures, Merkle roots, and timeline chain-of-custody, exposing reusable CLI/service APIs. Include negative-case fixtures and offline timestamp verification. | Provenance Guild, Evidence Locker Guild (src/Provenance/StellaOps.Provenance.Attestation/TASKS.md) |
| PROV-OBS-54-002 | TODO | Generate .NET global tool for local verification + embed command helpers for CLI stella forensic verify. Provide deterministic packaging and offline kit instructions. | Provenance Guild, DevEx/CLI Guild (src/Provenance/StellaOps.Provenance.Attestation/TASKS.md) |
If all tasks are done - read next sprint section - SPRINT_200_documentation_process.md