stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
68da90a11a3f12708a9492c56f3cf439732978af
git.stella-ops.org/src/Scanner/StellaOps.Scanner.WebService/TASKS.md
root 68da90a11a
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Restructure solution layout by module
2025-10-28 15:10:40 +02:00

9.5 KiB
Raw Blame History

Scanner WebService Task Board

ID Status Owner(s) Depends on Description Exit Criteria
SCANNER-WEB-09-101 DONE (2025-10-18) Scanner WebService Guild SCANNER-CORE-09-501 Stand up minimal API host with Authority OpTok + DPoP enforcement, health/ready endpoints, and restart-time plug-in loader per architecture §1, §4. Host boots with configuration validation, /healthz and /readyz return 200, Authority middleware enforced in integration tests.
SCANNER-WEB-09-102 DONE (2025-10-18) Scanner WebService Guild SCANNER-WEB-09-101, SCANNER-QUEUE-09-401 Implement /api/v1/scans submission/status endpoints with deterministic IDs, validation, and cancellation tokens. Contract documented, e2e test posts scan request and retrieves status, cancellation token honoured.
SCANNER-WEB-09-103 DONE (2025-10-19) Scanner WebService Guild SCANNER-WEB-09-102, SCANNER-CORE-09-502 Emit scan progress via SSE/JSONL with correlation IDs and deterministic timestamps; document API reference. Streaming endpoint verified in tests, timestamps formatted ISO-8601 UTC, docs updated in docs/09_API_CLI_REFERENCE.md.
SCANNER-WEB-09-104 DONE (2025-10-19) Scanner WebService Guild SCANNER-STORAGE-09-301, SCANNER-QUEUE-09-401 Bind configuration for Mongo, MinIO, queue, feature flags; add startup diagnostics and fail-fast policy for missing deps. Misconfiguration fails fast with actionable errors, configuration bound tests pass, diagnostics logged with correlation IDs.
SCANNER-POLICY-09-105 DONE (2025-10-19) Scanner WebService Guild POLICY-CORE-09-001 Integrate policy schema loader + diagnostics + OpenAPI (YAML ignore rules, VEX include/exclude, vendor precedence). Policy endpoints documented; validation surfaces actionable errors; OpenAPI schema published.
SCANNER-POLICY-09-106 DONE (2025-10-19) Scanner WebService Guild POLICY-CORE-09-002, SCANNER-POLICY-09-105 /reports verdict assembly (Feedser/Vexer/Policy merge) + signed response envelope. Aggregated report includes policy metadata; integration test verifies signed response; docs updated.
SCANNER-POLICY-09-107 DONE (2025-10-19) Scanner WebService Guild POLICY-CORE-09-005, SCANNER-POLICY-09-106 Surface score inputs, config version, and quietedBy provenance in /reports response and signed payload; document schema changes. /reports JSON + DSSE contain score, reachability, sourceTrust, confidenceBand, quiet provenance; contract tests updated; docs refreshed.
SCANNER-WEB-10-201 DONE (2025-10-19) Scanner WebService Guild SCANNER-CACHE-10-101 Register scanner cache services and maintenance loop within WebService host. AddScannerCache wired for configuration binding; maintenance service skips when disabled; project references updated.
SCANNER-RUNTIME-12-301 DONE (2025-10-20) Scanner WebService Guild ZASTAVA-CORE-12-201 Implement /runtime/events ingestion endpoint with validation, batching, and storage hooks per Zastava contract. Observer fixtures POST events, data persisted and acked; invalid payloads rejected with deterministic errors.
SCANNER-RUNTIME-12-302 DONE (2025-10-24) Scanner WebService Guild SCANNER-RUNTIME-12-301, ZASTAVA-CORE-12-201 Implement /policy/runtime endpoint joining SBOM baseline + policy verdict, returning admission guidance. Coordinate with CLI (CLI-RUNTIME-13-008) before GA to lock response field names/metadata. Webhook integration test passes; responses include verdict, TTL, reasons; metrics/logging added; CLI contract review signed off.
SCANNER-RUNTIME-12-303 DONE (2025-10-24) Scanner WebService Guild SCANNER-RUNTIME-12-302 Replace /policy/runtime heuristic with canonical policy evaluation (Feedser/Vexer inputs, PolicyPreviewService) so results align with /reports. Runtime policy endpoint now pipes findings through PolicyPreviewService, emits canonical verdicts/confidence/quiet metadata, and updated tests cover pass/warn/fail paths + CLI contract fixtures.
SCANNER-RUNTIME-12-304 DONE (2025-10-24) Scanner WebService Guild SCANNER-RUNTIME-12-302 Surface attestation verification status by integrating Authority/Attestor Rekor validation (beyond presence-only). /policy/runtime maps Rekor UUIDs through the runtime attestation verifier so rekor.verified reflects attestor outcomes; webhook/CLI coverage added.
SCANNER-RUNTIME-12-305 DONE (2025-10-24) Scanner WebService Guild SCANNER-RUNTIME-12-301, SCANNER-RUNTIME-12-302 Promote shared fixtures with Zastava/CLI and add end-to-end automation for /runtime/events + /policy/runtime. Runtime policy integration test + CLI-aligned fixture assert confidence, metadata JSON, and Rekor verification; docs note shared contract.
SCANNER-EVENTS-15-201 DONE (2025-10-20) Scanner WebService Guild NOTIFY-QUEUE-15-401 Emit scanner.report.ready and scanner.scan.completed events (bus adapters + tests). Event envelopes published to queue with schemas; fixtures committed; Notify consumption test passes.
SCANNER-EVENTS-16-301 BLOCKED (2025-10-26) Scanner WebService Guild ORCH-SVC-38-101, NOTIFY-SVC-38-001 Emit orchestrator-compatible envelopes (scanner.event.*) and update integration tests to verify Notifier ingestion (no Redis queue coupling). Tests assert envelope schema + orchestrator publish; Notifier consumer harness passes; docs updated with new event contract. Blocked by .NET 10 preview OpenAPI/Auth dependency drift preventing dotnet test completion.
SCANNER-EVENTS-16-302 DOING (2025-10-26) Scanner WebService Guild SCANNER-EVENTS-16-301 Extend orchestrator event links (report/policy/attestation) once endpoints are finalised across gateway + console. Links section covers UI/API targets; downstream consumers validated; docs/samples updated.
SCANNER-RUNTIME-17-401 DONE (2025-10-25) Scanner WebService Guild SCANNER-RUNTIME-12-301, ZASTAVA-OBS-17-005, SCANNER-EMIT-17-701, POLICY-RUNTIME-17-201 Persist runtime build-id observations and expose them via /runtime/events + policy joins for debug-symbol correlation. Runtime events store normalized digests + build IDs with supporting indexes, runtime policy responses surface buildIds, tests/docs updated, and CLI/API consumers can derive debug-store paths deterministically.

Graph Explorer v1 (Sprint 21)

ID Status Owner(s) Depends on Description Exit Criteria
SCANNER-GRAPH-21-001 TODO Scanner WebService Guild, Cartographer Guild CARTO-GRAPH-21-007, SCHED-WEB-21-001 Provide webhook/REST endpoint for Cartographer to request policy overlays and runtime evidence for graph nodes, ensuring determinism and tenant scoping. Endpoint documented; integration tests cover Cartographer workflow; unauthorized access blocked.

Link-Not-Merge v1

ID Status Owner(s) Depends on Description Exit Criteria
SCANNER-LNM-21-001 TODO Scanner WebService Guild, Policy Guild POLICY-ENGINE-40-001 Update /reports and /policy/runtime payloads to consume advisory/vex linksets, exposing source severity arrays and conflict summaries alongside effective verdicts. API schema updated; clients regenerated; integration tests cover multiple source severities.
SCANNER-LNM-21-002 TODO Scanner WebService Guild, UI Guild SCANNER-LNM-21-001 Add evidence endpoint for Console to fetch linkset summaries with policy overlay for a component/SBOM, including AOC references. Endpoint documented; UI integration passes; RBAC/tenancy enforced.

Notes

  • 2025-10-19: Sprint 9 streaming + policy endpoints (SCANNER-WEB-09-103, SCANNER-POLICY-09-105/106/107) landed with SSE/JSONL, OpenAPI, signed report coverage documented in docs/09_API_CLI_REFERENCE.md.
  • 2025-10-20: Re-ran dotnet test src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj --filter FullyQualifiedName~ReportsEndpointsTests to confirm DSSE/report regressions stay green after backlog sync.
  • 2025-10-20: SCANNER-RUNTIME-12-301 underway /runtime/events ingest hitting Mongo with TTL + token-bucket rate limiting; integration tests (RuntimeEndpointsTests) green and docs updated with batch contract.
  • 2025-10-20: Follow-ups SCANNER-RUNTIME-12-303/304/305 track canonical verdict integration, attestation verification, and cross-guild fixture validation for runtime APIs.
  • 2025-10-21: Hardened progress streaming determinism by sorting data payload keys within ScanProgressStream; added regression ProgressStreamDataKeysAreSortedDeterministically ensuring JSONL ordering.
  • 2025-10-24: /policy/runtime now streams through PolicyPreviewService + attestation verifier; CLI and webhook fixtures updated alongside Zastava observer batching completion.
  • 2025-10-26: SCANNER-EVENTS-16-302 populates orchestrator link payloads (UI, API report lookup, policy revision, attestation) pending cross-service integration; samples/tests updated.
  • 2025-10-26: Coordinate with Gateway + Console owners to confirm final API/UX paths for report, policy revision, and attestation links before promoting SCANNER-EVENTS-16-301 out of BLOCKED.
  • 2025-10-26: SCANNER-EVENTS-16-301 emitting new orchestrator envelopes; solution-wide dotnet test currently blocked by preview Microsoft.AspNetCore.OpenApi APIs and missing StellaOps.Auth dependency wiring. JSON Schemas validated via ajv; service-level verification pending SDK alignment.