7040984215
- Introduced a new document outlining the inline DSSE provenance for SBOM, VEX, scan, and derived events. - Defined the Mongo schema for event patches, including key fields for provenance and trust verification. - Documented the write path for ingesting provenance metadata and backfilling historical events. - Created CI/CD snippets for uploading DSSE attestations and generating provenance metadata. - Established Mongo indexes for efficient provenance queries and provided query recipes for various use cases. - Outlined policy gates for managing VEX decisions based on provenance verification. - Included UI nudges for displaying provenance information and implementation tasks for future enhancements. --- Implement reachability lattice and scoring model - Developed a comprehensive document detailing the reachability lattice and scoring model. - Defined core types for reachability states, evidence, and mitigations with corresponding C# models. - Established a scoring policy with base score contributions from various evidence classes. - Mapped reachability states to VEX gates and provided a clear overview of evidence sources. - Documented the event graph schema for persisting reachability data in MongoDB. - Outlined the integration of runtime probes for evidence collection and defined a roadmap for future tasks. --- Introduce uncertainty states and entropy scoring - Created a draft document for tracking uncertainty states and their impact on risk scoring. - Defined core uncertainty states with associated entropy values and evidence requirements. - Established a schema for storing uncertainty states alongside findings. - Documented the risk score calculation incorporating uncertainty and its effect on final risk assessments. - Provided policy guidelines for handling uncertainty in decision-making processes. - Outlined UI guidelines for displaying uncertainty information and suggested remediation actions. --- Add Ruby package inventory management - Implemented Ruby package inventory management with corresponding data models and storage mechanisms. - Created C# records for Ruby package inventory, artifacts, provenance, and runtime details. - Developed a repository for managing Ruby package inventory documents in MongoDB. - Implemented a service for storing and retrieving Ruby package inventories. - Added unit tests for the Ruby package inventory store to ensure functionality and data integrity.
14 KiB
14 KiB
Sprint 401 – Reachability Evidence Chain
Window: November 11 – November 22, 2025
Theme: Finish the provable reachability pipeline (graph CAS → replay → DSSE → policy/UI) so Sprint 402 can focus on polish.
Wave coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
|---|---|---|---|---|
| 401 Reachability Evidence Chain | Scanner Guild · Signals Guild · BE-Base Platform Guild · Policy Guild · UI/CLI Guilds · Docs Guild | Sprint 140 Runtime & Signals; Sprint 185 – Replay Core; Sprint 186 – Scanner Record Mode; Sprint 187 – Evidence Locker & CLI Integration | TODO | Foundation work (Sprint 400) is still in flight; advance only after Scanner record mode emits replay manifests and Evidence Locker APIs exist. |
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| GRAPH-CAS-401-001 | TODO | Finalize richgraph schema (richgraph-v1), emit canonical SymbolIDs, compute graph hash (BLAKE3), and store CAS manifests under cas://reachability/graphs/{sha256}. Update Scanner Worker adapters + fixtures. |
Scanner Worker Guild (src/Scanner/StellaOps.Scanner.Worker) |
| GAP-SYM-007 | TODO | Extend reachability evidence schema/DTOs with demangled symbol hints, symbol.source, confidence, and optional code_block_hash; ensure Scanner SBOM/evidence writers and CLI serializers emit the new fields deterministically. |
Scanner Worker Guild & Docs Guild (src/Scanner/StellaOps.Scanner.Models, docs/modules/scanner/architecture.md, docs/reachability/function-level-evidence.md) |
| SCAN-REACH-401-009 | TODO | Ship .NET/JVM symbolizers and call-graph generators (roots, edges, framework adapters), merge results into component-level reachability manifests, and back them with golden fixtures. | Scanner Worker Guild (src/Scanner/StellaOps.Scanner.Worker, src/Scanner/__Libraries) |
| SCANNER-NATIVE-401-015 | TODO | Stand up StellaOps.Scanner.Symbols.Native + StellaOps.Scanner.CallGraph.Native (ELF/PE readers, demanglers, probabilistic carving) and publish FuncNode/CallEdge CAS bundles consumed by reachability graphs. |
Scanner Worker Guild (src/Scanner/__Libraries/StellaOps.Scanner.Symbols.Native, src/Scanner/__Libraries/StellaOps.Scanner.CallGraph.Native) |
| SYMS-SERVER-401-011 | TODO | Deliver StellaOps.Symbols.Server (REST+gRPC) with DSSE-verified uploads, Mongo/MinIO storage, tenant isolation, and deterministic debugId indexing; publish health/manifest APIs (spec: docs/specs/SYMBOL_MANIFEST_v1.md). |
Symbols Guild (src/Symbols/StellaOps.Symbols.Server) |
| SYMS-CLIENT-401-012 | TODO | Ship StellaOps.Symbols.Client SDK (resolve/upload APIs, platform key derivation for ELF/PDB/Mach-O/JVM/Node, disk LRU cache) and integrate with Scanner.Symbolizer/runtime probes (ref. docs/specs/SYMBOL_MANIFEST_v1.md). |
Symbols Guild (src/Symbols/StellaOps.Symbols.Client, src/Scanner/StellaOps.Scanner.Symbolizer) |
| SYMS-INGEST-401-013 | TODO | Build symbols ingest CLI to emit DSSE-signed SymbolManifest v1, upload blobs, and register Rekor entries; document GitLab/Gitea pipeline usage. |
Symbols Guild, DevOps Guild (src/Symbols/StellaOps.Symbols.Ingestor.Cli, docs/specs/SYMBOL_MANIFEST_v1.md) |
| SIGNALS-RUNTIME-401-002 | TODO | Ship /signals/runtime-facts ingestion for NDJSON (and gzip) batches, dedupe hits, and link runtime evidence CAS URIs to callgraph nodes. Include retention + RBAC tests. |
Signals Guild (src/Signals/StellaOps.Signals) |
| RUNTIME-PROBE-401-010 | TODO | Implement lightweight runtime probes (EventPipe/.NET, JFR/JVM) that capture method enter events for the target components, package them as CAS traces, and feed them into the Signals ingestion pipeline. | Runtime Signals Guild (src/Signals/StellaOps.Signals.Runtime, ops/probes) |
| SIGNALS-SCORING-401-003 | TODO | Extend ReachabilityScoringService with deterministic scoring (static path +0.50, runtime hits +0.30/+0.10 sink, guard penalties, reflection penalty, floor 0.05), persist reachability labels (reachable/conditional/unreachable) and expose /graphs/{scanId} CAS lookups. |
Signals Guild (src/Signals/StellaOps.Signals) |
| REPLAY-401-004 | TODO | Bump replay manifest to v2 (feeds, analyzers, policies), have ReachabilityReplayWriter enforce CAS registration + hash sorting, and add deterministic tests to tests/reachability/StellaOps.Reachability.FixtureTests. |
BE-Base Platform Guild (src/__Libraries/StellaOps.Replay.Core) |
| AUTH-REACH-401-005 | TODO | Introduce DSSE predicate types for SBOM/Graph/VEX/Replay, plumb signing through Authority + Signer, and mirror statements to Rekor (including PQ variants where required). | Authority & Signer Guilds (src/Authority/StellaOps.Authority, src/Signer/StellaOps.Signer) |
| POLICY-VEX-401-006 | TODO | Policy Engine consumes reachability facts, applies the deterministic score/label buckets (≥0.80 reachable, 0.30–0.79 conditional, <0.30 unreachable), emits OpenVEX with call-path proofs, and updates SPL schema with reachability.state/confidence predicates and suppression gates. |
Policy Guild (src/Policy/StellaOps.Policy.Engine, src/Policy/__Libraries/StellaOps.Policy) |
| POLICY-VEX-401-010 | TODO | Implement VexDecisionEmitter to serialize per-finding OpenVEX, attach evidence hashes, request DSSE signatures, capture Rekor metadata, and publish artifacts following the bench playbook. |
Policy Guild (src/Policy/StellaOps.Policy.Engine/Vex, docs/modules/policy/architecture.md, docs/benchmarks/vex-evidence-playbook.md) |
| UI-CLI-401-007 | TODO | Implement CLI stella graph explain + UI explain drawer showing signed call-path, predicates, runtime hits, and DSSE pointers; include counterfactual controls. |
UI & CLI Guilds (src/Cli/StellaOps.Cli, src/UI/StellaOps.UI) |
| QA-DOCS-401-008 | TODO | Wire reachbench-2025-expanded fixtures into CI, document CAS layouts + replay steps in docs/reachability/DELIVERY_GUIDE.md, and publish operator runbook for runtime ingestion. |
QA & Docs Guilds (docs, tests/README.md) |
| GAP-SIG-003 | TODO | Finish /signals/runtime-facts ingestion, add CAS-backed runtime storage, extend scoring to lattice states (Unknown/NotPresent/Unreachable/Conditional/Reachable/Observed), and emit signals.fact.updated events. Document retention/RBAC. |
Signals Guild (src/Signals/StellaOps.Signals, docs/reachability/function-level-evidence.md) |
| SIG-STORE-401-016 | TODO | Introduce shared reachability store collections (func_nodes, call_edges, cve_func_hits), indexes, and repository APIs so Scanner/Signals/Policy can reuse canonical function data. |
Signals Guild · BE-Base Platform Guild (src/Signals/StellaOps.Signals, src/__Libraries/StellaOps.Replay.Core) |
| GAP-REP-004 | TODO | Enforce BLAKE3 hashing + CAS registration for graphs/traces before manifest writes, upgrade replay manifest v2 with analyzer versions/policy thresholds, and add deterministic tests. | BE-Base Platform Guild (src/__Libraries/StellaOps.Replay.Core, docs/replay/DETERMINISTIC_REPLAY.md) |
| GAP-POL-005 | TODO | Ingest reachability facts into Policy Engine, expose reachability.state/confidence in SPL/API, enforce auto-suppress (<0.30) rules, and generate OpenVEX evidence blocks referencing graph hashes + runtime facts with policy thresholds. |
Policy Guild (src/Policy/StellaOps.Policy.Engine, docs/modules/policy/architecture.md, docs/reachability/function-level-evidence.md) |
| GAP-VEX-006 | TODO | Wire Policy/Excititor/UI/CLI surfaces so VEX emission and explain drawers show call paths, graph hashes, and runtime hits; add CLI --evidence=graph/--threshold plus Notify template updates. |
Policy, Excititor, UI, CLI & Notify Guilds (docs/modules/excititor/architecture.md, src/Cli/StellaOps.Cli, src/UI/StellaOps.UI, docs/09_API_CLI_REFERENCE.md) |
| GAP-DOC-008 | TODO | Publish the cross-module function-level evidence guide, update API/CLI references with the new code_id fields, and add OpenVEX/replay samples under samples/reachability/**. |
Docs Guild (docs/reachability/function-level-evidence.md, docs/09_API_CLI_REFERENCE.md, docs/api/policy.md) |
| CLI-VEX-401-011 | TODO | Add `stella decision export | verify |
| SIGN-VEX-401-018 | TODO | Extend Signer predicate catalog with stella.ops/vexDecision@v1, enforce payload policy, and plumb DSSE/Rekor integration for policy decisions. |
Signing Guild (src/Signer/StellaOps.Signer, docs/modules/signer/architecture.md) |
| BENCH-AUTO-401-019 | TODO | Create automation to populate bench/findings/**, run baseline scanners (Trivy/Syft/Grype/Snyk/Xray), compute FP/MTTD/repro metrics, and update results/summary.csv. |
Benchmarks Guild (docs/benchmarks/vex-evidence-playbook.md, scripts/bench/**) |
| DOCS-VEX-401-012 | TODO | Maintain the VEX Evidence Playbook, publish repo templates/README, and document verification workflows for operators. | Docs Guild (docs/benchmarks/vex-evidence-playbook.md, bench/README.md) |
| SYMS-BUNDLE-401-014 | TODO | Produce deterministic symbol bundles for air-gapped installs (`symbols bundle create | verify |
| DOCS-RUNBOOK-401-017 | TODO | Publish the reachability runtime ingestion runbook, link it from delivery guides, and keep Ops/Signals troubleshooting steps current. | Docs Guild · Ops Guild (docs/runbooks/reachability-runtime.md, docs/reachability/DELIVERY_GUIDE.md) |
| POLICY-LIB-401-001 | TODO | Extract the policy DSL parser/compiler into StellaOps.PolicyDsl, add the lightweight syntax (default action + inline rules), and expose PolicyEngineFactory/SignalContext APIs for reuse. |
Policy Guild (src/Policy/StellaOps.PolicyDsl, docs/policy/dsl.md) |
| POLICY-LIB-401-002 | TODO | Ship unit-test harness + sample policy/default.dsl (table-driven cases) and wire stella policy lint/simulate to the shared library. |
Policy Guild, CLI Guild (tests/Policy/StellaOps.PolicyDsl.Tests, policy/default.dsl, docs/policy/lifecycle.md) |
| POLICY-ENGINE-401-003 | TODO | Replace in-service DSL compilation with the shared library, support both legacy stella-dsl@1 packs and the new inline syntax, and keep determinism hashes stable. |
Policy Guild (src/Policy/StellaOps.Policy.Engine, docs/modules/policy/architecture.md) |
| CLI-EDITOR-401-004 | TODO | Enhance stella policy CLI verbs (edit/lint/simulate) to edit Git-backed .dsl files, run local coverage tests, and commit SemVer metadata. |
CLI Guild (src/Cli/StellaOps.Cli, docs/policy/lifecycle.md) |
| DOCS-DSL-401-005 | TODO | Refresh docs/policy/dsl.md + lifecycle docs with the new syntax, signal dictionary (trust_score, reachability, etc.), authoring workflow, and safety rails (shadow mode, coverage tests). |
Docs Guild (docs/policy/dsl.md, docs/policy/lifecycle.md) |
| DSSE-LIB-401-020 | TODO | Package StellaOps.Attestor.Envelope primitives into a reusable StellaOps.Attestation library with InTotoStatement, IAuthoritySigner, DSSE pre-auth helpers, and .NET-friendly APIs for build agents. |
Attestor Guild · Platform Guild (src/Attestor/StellaOps.Attestation, src/Attestor/StellaOps.Attestor.Envelope) |
| DSSE-CLI-401-021 | TODO | Ship a stella attest CLI (or sample StellaOps.Attestor.Tool) plus GitLab/GitHub workflow snippets that emit DSSE per build step (scan/package/push) using the new library and Authority keys. |
CLI Guild · DevOps Guild (src/Cli/StellaOps.Cli, scripts/ci/attest-*, docs/modules/attestor/architecture.md) |
| DSSE-DOCS-401-022 | TODO | Document the build-time attestation walkthrough (docs/ci/dsse-build-flow.md): models, helper usage, Authority integration, storage conventions, and verification commands, aligning with the advisory. |
Docs Guild · Attestor Guild (docs/ci/dsse-build-flow.md, docs/modules/attestor/architecture.md) |
| REACH-LATTICE-401-023 | TODO | Define the reachability lattice model (ReachState, EvidenceKind, MitigationKind, scoring policy) in Scanner docs + code; ensure evidence joins write to the event graph schema. |
Scanner Guild · Policy Guild (docs/reachability/lattice.md, docs/modules/scanner/architecture.md, src/Scanner/StellaOps.Scanner.WebService) |
| UNCERTAINTY-SCHEMA-401-024 | TODO | Extend Signals findings with uncertainty.states[], entropy fields, and riskScore; emit FindingUncertaintyUpdated events and persist evidence per docs. |
Signals Guild (src/Signals/StellaOps.Signals, docs/uncertainty/README.md) |
| UNCERTAINTY-SCORER-401-025 | TODO | Implement the entropy-aware risk scorer (riskScore = base × reach × trust × (1 + entropyBoost)) and wire it into finding writes. |
Signals Guild (src/Signals/StellaOps.Signals.Application, docs/uncertainty/README.md) |
| UNCERTAINTY-POLICY-401-026 | TODO | Update policy guidance (Concelier/Excitors) with uncertainty gates (U1/U2/U3), sample YAML rules, and remediation actions. | Policy Guild · Concelier Guild (docs/policy/dsl.md, docs/uncertainty/README.md) |
| UNCERTAINTY-UI-401-027 | TODO | Surface uncertainty chips/tooltips in the Console (React UI) + CLI output (risk score + entropy states). | UI Guild · CLI Guild (src/UI/StellaOps.UI, src/Cli/StellaOps.Cli, docs/uncertainty/README.md) |
| PROV-INLINE-401-028 | DOING | Extend Authority/Feedser event writers to attach inline DSSE + Rekor references on every SBOM/VEX/scan event using StellaOps.Provenance.Mongo. |
Authority Guild · Feedser Guild (docs/provenance/inline-dsse.md, src/__Libraries/StellaOps.Provenance.Mongo) |
| PROV-BACKFILL-401-029 | TODO | Backfill historical Mongo events with DSSE/Rekor metadata by resolving known attestations per subject digest. | Platform Guild (docs/provenance/inline-dsse.md, scripts/publish_attestation_with_provenance.sh) |
| PROV-INDEX-401-030 | TODO | Deploy provenance indexes (events_by_subject_kind_provenance, etc.) and expose compliance/replay queries. |
Platform Guild · Ops Guild (docs/provenance/inline-dsse.md, ops/mongo/indices/events_provenance_indices.js) |
Use
docs/reachability/DELIVERY_GUIDE.mdfor architecture context, dependencies, and acceptance tests.