- Implemented LdapDistinguishedNameHelper for escaping RDN and filter values.
- Created AuthorityCredentialAuditContext and IAuthorityCredentialAuditContextAccessor for managing credential audit context.
- Developed StandardCredentialAuditLogger with tests for success, failure, and lockout events.
- Introduced AuthorityAuditSink for persisting audit records with structured logging.
- Added CryptoPro related classes for certificate resolution and signing operations.
Sprint 119 - Ingestion & Evidence · 110.C) Excititor.I
Active items only. Completed/historic work now resides in docs/implplan/archived_sprints_tasks.md (updated 2025-11-08).
[Ingestion & Evidence] 110.C) Excititor.I

Depends on: Sprint 100.A - Attestor

Summary: Ingestion & Evidence focus on Excititor (phase I).

Prep: Read docs/modules/excititor/architecture.md and the relevant Excititor AGENTS.md files (per component directory) before working any tasks below; this preserves the guidance that previously lived in the component boards.
| Task ID | State | Task description | Owners (Source) |
| --- | --- | --- | --- |
| EXCITITOR-AIAI-31-001 Justification enrichment | DOING (2025-11-09) | Expose normalized VEX justifications, product trees, and paragraph anchors for Advisory AI conflict explanations. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService) |
| EXCITITOR-AIAI-31-002 VEX chunk API | TODO | Provide /vex/evidence/chunks endpoint returning tenant-scoped VEX statements with signature metadata and scope scores for RAG. Dependencies: EXCITITOR-AIAI-31-001. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService) |
| EXCITITOR-AIAI-31-003 Telemetry | TODO | Emit metrics/logs for VEX chunk usage, signature verification failures, and guardrail triggers. Dependencies: EXCITITOR-AIAI-31-002. | Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService) |
| EXCITITOR-AIRGAP-56-001 Mirror ingestion adapters | TODO | Add mirror-based VEX ingestion, preserving statement digests and bundle IDs. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core) |
| EXCITITOR-AIRGAP-56-002 Bundle provenance | TODO | Persist bundle metadata on VEX observations/linksets with provenance references. Dependencies: EXCITITOR-AIRGAP-56-001. | Excititor Core Guild, AirGap Importer Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core) |
| EXCITITOR-AIRGAP-57-001 Sealed-mode enforcement | TODO | Block non-mirror connectors in sealed mode and surface remediation errors. Dependencies: EXCITITOR-AIRGAP-56-002. | Excititor Core Guild, AirGap Policy Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core) |
| EXCITITOR-AIRGAP-57-002 Staleness annotations | TODO | Annotate VEX statements with staleness metrics and expose via API. Dependencies: EXCITITOR-AIRGAP-57-001. | Excititor Core Guild, AirGap Time Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core) |
| EXCITITOR-AIRGAP-58-001 Portable VEX evidence | TODO | Package VEX evidence segments into portable evidence bundles linked to timeline. Dependencies: EXCITITOR-AIRGAP-57-002. | Excititor Core Guild, Evidence Locker Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core) |
| EXCITITOR-ATTEST-01-003 – Verification suite & observability | TODO (2025-11-06) | Continuing implementation: build IVexAttestationVerifier, wire metrics/logging, and add regression tests. Draft plan in EXCITITOR-ATTEST-01-003-plan.md (2025-10-19) guides scope; updating with worknotes as progress lands.<br>2025-10-31: Verifier now tolerates duplicate source providers from AOC raw projections, downgrades offline Rekor verification to a degraded result, and enforces trusted signer registry checks with detailed diagnostics/tests.<br>2025-11-05 14:35Z: Resuming with diagnostics/observability deliverables (typed diagnostics record, ActivitySource wiring, metrics dimensions) before WebService/Worker integration.<br>2025-11-06 07:12Z: Worker & web service suites pass with new diagnostics (dotnet test via staged libssl1.1); export envelope context exposed publicly for mirror bundle publishing.<br>2025-11-06 07:55Z: Paused—automation for OpenSSL shim tracked under DEVOPS-OPENSSL-11-001/002.<br>EXCITITOR-ATTEST-01-002 | Team Excititor Attestation (src/Excititor/__Libraries/StellaOps.Excititor.Attestation) |
| EXCITITOR-ATTEST-73-001 VEX attestation payloads | TODO | Provide VEX statement metadata (supplier identity, justification, scope) required for VEXAttestation payloads. Dependencies: EXCITITOR-ATTEST-01-003. | Excititor Core Guild, Attestation Payloads Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core) |
| EXCITITOR-ATTEST-73-002 Chain provenance | TODO | Expose linkage from VEX statements to subject/product for chain of custody graph. Dependencies: EXCITITOR-ATTEST-73-001. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core) |
| EXCITITOR-CONN-MS-01-003 – Trust metadata & provenance hints | TODO | Emit cosign/AAD issuer metadata, attach provenance details, and document policy integration.<br>EXCITITOR-CONN-MS-01-002, EXCITITOR-POLICY-01-001 | Team Excititor Connectors – MSRC (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF) |
| EXCITITOR-CONN-ORACLE-01-003 – Trust provenance enrichment | TODO | Emit Oracle signing metadata (PGP/cosign fingerprint list, issuer trust tier) into raw provenance so downstream services can evaluate trust. Connector must not apply consensus weighting during ingestion.<br>EXCITITOR-CONN-ORACLE-01-002, EXCITITOR-POLICY-01-001 | Team Excititor Connectors – Oracle (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF) |
| EXCITITOR-CONN-STELLA-07-002 | TODO | Parse mirror bundles into raw VexClaim batches, preserving original provider metadata and mirror provenance without applying consensus or weighting. | Excititor Connectors – Stella (src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror) |
| EXCITITOR-CONN-STELLA-07-003 | TODO | Implement incremental cursor handling per-export digest for raw claim replays, support resume, and document configuration for downstream Excititor mirrors. Dependencies: EXCITITOR-CONN-STELLA-07-002. | Excititor Connectors – Stella (src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror) |