- Implemented LdapDistinguishedNameHelper for escaping RDN and filter values.
- Created AuthorityCredentialAuditContext and IAuthorityCredentialAuditContextAccessor for managing credential audit context.
- Developed StandardCredentialAuditLogger with tests for success, failure, and lockout events.
- Introduced AuthorityAuditSink for persisting audit records with structured logging.
- Added CryptoPro related classes for certificate resolution and signing operations.
Sprint 123 - Policy & Reasoning
Last updated: November 8, 2025. Implementation order is DOING → TODO → BLOCKED.
Focus areas below were split out of the previous combined sprint; execute sections in order unless noted.
Policy.I
Dependency: Sprint 110.A - AdvisoryAI (must land before this track). Focus: the Policy track of Policy & Reasoning, phase I.
| # | Task ID & handle | State | Key dependency / next step | Owners |
|---|---|---|---|---|
| 1 | EXPORT-CONSOLE-23-001 | TODO | Build evidence bundle/export generator producing signed manifests, CSV/JSON replay endpoints, and trace attachments; integrate with scheduler jobs and expose progress telemetry | Policy Guild, Scheduler Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine |
| 2 | POLICY-AIRGAP-56-001 | TODO | Support policy pack imports from Mirror Bundles, track bundle_id metadata, and ensure deterministic caching | Policy Guild / src/Policy/StellaOps.Policy.Engine |
| 3 | POLICY-AIRGAP-56-002 | TODO | Export policy sub-bundles (stella policy bundle export) with DSSE signatures for outbound transfer (Deps: POLICY-AIRGAP-56-001) | Policy Guild, Policy Studio Guild / src/Policy/StellaOps.Policy.Engine |
| 4 | POLICY-AIRGAP-57-001 | TODO | Enforce sealed-mode guardrails in evaluation (no outbound fetch), surface AIRGAP_EGRESS_BLOCKED errors with remediation (Deps: POLICY-AIRGAP-56-002) | Policy Guild, AirGap Policy Guild / src/Policy/StellaOps.Policy.Engine |
| 5 | POLICY-AIRGAP-57-002 | TODO | Annotate rule explanations with staleness information and fallback data (cached EPSS, vendor risk) (Deps: POLICY-AIRGAP-57-001) | Policy Guild, AirGap Time Guild / src/Policy/StellaOps.Policy.Engine |
| 6 | POLICY-AIRGAP-58-001 | TODO | Emit notifications when policy packs near staleness thresholds or missing required bundles (Deps: POLICY-AIRGAP-57-002) | Policy Guild, Notifications Guild / src/Policy/StellaOps.Policy.Engine |
| 7 | POLICY-AOC-19-001 | TODO | Add Roslyn/CI lint preventing ingestion projects from referencing Policy merge/severity helpers; block forbidden writes at compile time | Policy Guild / src/Policy/__Libraries/StellaOps.Policy |
| 8 | POLICY-AOC-19-002 | TODO | Enforce effective_finding_* write gate ensuring only the Policy Engine identity can create/update materializations (Deps: POLICY-AOC-19-001) | Policy Guild, Platform Security / src/Policy/__Libraries/StellaOps.Policy |
| 9 | POLICY-AOC-19-003 | TODO | Update readers/processors to consume only content.raw, identifiers, and linkset; remove dependencies on legacy normalized fields and refresh fixtures (Deps: POLICY-AOC-19-002) | Policy Guild / src/Policy/__Libraries/StellaOps.Policy |
| 10 | POLICY-AOC-19-004 | TODO | Add regression tests ensuring policy derived outputs remain deterministic when ingesting revised raw docs (supersedes) and when violations occur (Deps: POLICY-AOC-19-003) | Policy Guild, QA Guild / src/Policy/__Libraries/StellaOps.Policy |
| 11 | POLICY-ATTEST-73-001 | TODO | Introduce VerificationPolicy object: schema, persistence, versioning, and lifecycle | Policy Guild, Attestor Service Guild / src/Policy/StellaOps.Policy.Engine |
| 12 | POLICY-ATTEST-73-002 | TODO | Provide Policy Studio editor with validation, dry-run simulation, and version diff (Deps: POLICY-ATTEST-73-001) | Policy Guild / src/Policy/StellaOps.Policy.Engine |
| 13 | POLICY-ATTEST-74-001 | TODO | Integrate verification policies into attestor verification pipeline with caching and waiver support (Deps: POLICY-ATTEST-73-002) | Policy Guild, Attestor Service Guild / src/Policy/StellaOps.Policy.Engine |
| 14 | POLICY-ATTEST-74-002 | TODO | Surface policy evaluations in Console verification reports with rule explanations (Deps: POLICY-ATTEST-74-001) | Policy Guild, Console Guild / src/Policy/StellaOps.Policy.Engine |
| 15 | POLICY-CONSOLE-23-001 | TODO | Optimize findings/explain APIs for Console: cursor-based pagination at scale, global filter parameters (severity bands, policy version, time window), rule trace summarization, and aggregation hints for dashboard cards. Ensure deterministic ordering and expose provenance refs | Policy Guild, BE-Base Platform Guild / src/Policy/StellaOps.Policy.Engine |