git.stella-ops.org/SPRINTS_IMPLEMENTION_PLAN.md

StellaOps Multi-Sprint Implementation Plan (Agile Track)

This plan translates the current SPRINTS.md (read the file if you have not) backlog into parallel-friendly execution clusters. Each sprint is decomposed into groups that can run concurrently without stepping on the same directories. For every group we capture:

• Tasks (ID · est. effort · path)
• Acceptance metrics (quantitative targets to reduce rework)
• Gate artifacts required before dependent groups can start

Durations are estimated work sizes (1 d ≈ one focused engineer day). Milestones are gated by artifacts—not calendar dates—to keep us agile and adaptable to competitor pressure.

---

Sprint 9 – Scanner Core Foundations (ID: SP9, ~3 w)

Group SP9-G1 — Core Contracts & Observability (src/StellaOps.Scanner.Core) ~1 w

• Tasks:
  • SCANNER-CORE-09-501 · 3 d · /src/StellaOps.Scanner.Core/TASKS.md
  • SCANNER-CORE-09-502 · 2 d · same path
  • SCANNER-CORE-09-503 · 2 d · same path
• Acceptance metrics: DTO round-trip tests stable; middleware adds ≤5 µs per call.
• Gate SP9-G1 → WebService: scanner-core-contracts.md snippet plus ScannerCoreContractsTests green.

Group SP9-G2 — Queue Backbone (src/StellaOps.Scanner.Queue) ~1 w

• Tasks: SCANNER-QUEUE-09-401 (3 d), -402 (2 d), -403 (2 d) · /src/StellaOps.Scanner.Queue/TASKS.md
• Acceptance: dequeue latency p95 ≤20 ms at 40 rps; chaos test retains leases.
• Gate: Redis/NATS adapters docs + QueueLeaseIntegrationTests passing.
• Status: DONE (2025-10-19) – Gate satisfied via Redis/NATS adapter docs and QueueLeaseIntegrationTests run under fake clock.

Group SP9-G3 — Storage Backbone (src/StellaOps.Scanner.Storage) ~1 w

• Tasks: SCANNER-STORAGE-09-301 (3 d), -302 (2 d), -303 (2 d)
• Acceptance: majority write/read ≤50 ms; TTL verified.
• Gate: migrations checked in; StorageDualWriteFixture passes.
• Status: DONE (2025-10-19) – Mongo bootstrapper + migrations committed; MinIO dual-write service wired; StorageDualWriteFixture green on Mongo2Go.

Group SP9-G4 — WebService Host & Policy Surfacing (src/StellaOps.Scanner.WebService) ~1.2 w

• Tasks: SCANNER-WEB-09-101 (2 d), -102 (3 d), -103 (2 d), -104 (2 d), SCANNER-POLICY-09-105 (3 d), SCANNER-POLICY-09-106 (4 d)
• Acceptance: /api/v1/scans enqueue p95 ≤50 ms under synthetic load; policy validation errors actionable; /reports response signed.
• Gate SP9-G4 → SP10/SP11: /reports OpenAPI frozen; sample signed envelope committed in samples/api/reports/.
• Status: IN PROGRESS (2025-10-19) – Minimal host and /api/v1/scans endpoints delivered (SCANNER-WEB-09-101/102 done); progress streaming and policy/report surfaces remain.

Group SP9-G5 — Worker Host (src/StellaOps.Scanner.Worker) ~1 w

• Tasks: SCANNER-WORKER-09-201 (3 d), -202 (3 d), -203 (2 d), -204 (2 d), -205 (1 d)
• Acceptance: job lease never drops <3× heartbeat; progress events deterministic.
• Gate: WorkerBasicScanScenario integration recorded + optional live queue smoke validation.
• Status: DONE (2025-10-19) – Host bootstrap, heartbeat jitter clamp, deterministic stage pipeline, metrics, and Redis-backed smoke harness landed; WorkerBasicScanScenarioTests and RedisWorkerSmokeTests (flagged) green.

Group SP9-G6 — Buildx Plug-in (src/StellaOps.Scanner.Sbomer.BuildXPlugin) ~0.8 w

• Tasks: SP9-BLDX-09-001 (3 d), SP9-BLDX-09-002 (2 d), SP9-BLDX-09-003 (2 d), SP9-BLDX-09-004 (2 d), SP9-BLDX-09-005 (1 d)
• Acceptance: build-time overhead ≤300 ms/layer on 4 vCPU; CAS handshake reliable in CI sample.
• Gate: buildx demo workflow artifact + quickstart doc + determinism regression guard in CI.
• Status: DONE (2025-10-19) — manifest+CAS scaffold, descriptor/Attestor hand-off, GitHub/Gitea determinism workflows, quickstart update, and golden tests committed.

Group SP9-G7 — Policy Engine Core (src/StellaOps.Policy) ~1 w

• Tasks: POLICY-CORE-09-001 (2 d) ✅, -002 (3 d) ✅, -003 (3 d) ✅, -004 (3 d), -005 (4 d), -006 (2 d)
• Acceptance: policy parsing ≥200 files/s; preview diff response <200 ms for 500-component SBOM; quieting logic audited.
• Gate: policy-schema@1 published; revision digests stored; preview API doc updated.

Group SP9-G8 — DevOps Early Guardrails (ops/devops) ~0.4 w

• Tasks: DEVOPS-HELM-09-001 (3 d) — DONE (2025-10-19)
• Acceptance: helm/compose profiles for dev/stage/airgap lint + dry-run clean; manifests pinned to digest.
• Gate: profiles merged under deploy/; install guide cross-link satisfied via deploy/compose/ bundles and docs/21_INSTALL_GUIDE.md.

Group SP9-G9 — Documentation & Events (docs/) ~0.4 w

• Tasks: DOCS-ADR-09-001 (2 d), DOCS-EVENTS-09-002 (2 d)
• Acceptance: ADR process broadcast; event schemas validated via CI.
• Gate: docs/adr/index.md linking template; docs/events/README.md referencing schemas.
• Status: DONE (2025-10-19) – ADR contribution guide + template updates merged, Docs CI Ajv validation wired, events catalog documented, guild announcement recorded.

---

Sprint 10 – Scanner Analyzers & SBOM (ID: SP10, ~4 w)

Group SP10-G1 — OS Analyzer Plug-ins (src/StellaOps.Scanner.Analyzers.OS) ~1 w

• Tasks: SCANNER-ANALYZERS-OS-10-201..207 (durations 2–3 d each)
• Acceptance: analyzer runtime <1.5 s/image; memory <250 MB.
• Gate: plug-ins packaged under plugins/scanner/analyzers/os/; determinism CI job green.

Group SP10-G2 — Language Analyzer Plug-ins (src/StellaOps.Scanner.Analyzers.Lang) ~1.5 w

• Tasks: SCANNER-ANALYZERS-LANG-10-301..309
• Acceptance: Node analyzer handles 10 k modules <2 s; Python memory <200 MB.
• Gate: golden outputs stored; plugin manifests present.

Group SP10-G3 — EntryTrace Plug-ins (src/StellaOps.Scanner.EntryTrace) ~0.8 w

• Tasks: SCANNER-ENTRYTRACE-10-401..407
• Acceptance: ≥95 % launcher resolution success on samples; unknown reasons enumerated.
• Gate: entrytrace plug-ins packaged; explainability doc updated.

Group SP10-G4 — SBOM Composition & BOM Index (src/StellaOps.Scanner.Diff + Emit) ~1 w

• Tasks: SCANNER-DIFF-10-501..503, SCANNER-EMIT-10-601..606
• Acceptance: BOM-Index emission <500 ms/image; diff output deterministic across runs.
• Gate SP10-G4 → SP16: docs/artifacts/bom-index/ schema + fixtures; tests BOMIndexGoldenIsStable & UsageFlagsAreAccurate green.

Group SP10-G5 — Cache Subsystem (src/StellaOps.Scanner.Cache) ~0.6 w

• Tasks: SCANNER-CACHE-10-101..104
• Acceptance: cache hit instrumentation validated; eviction keeps footprint <5 GB.
• Gate: cache configuration doc; integration test LayerCacheRoundTrip green.

Group SP10-G6 — Benchmarks & Samples (bench/, samples/, ops/devops) ~0.6 w

• Tasks: BENCH-SCANNER-10-001 (2 d), SAMPLES-10-001 (finish – 3 d), DEVOPS-PERF-10-001 (2 d)
• Acceptance: analyzer benchmark CSV published; perf CI guard ensures SBOM compose <5 s; sample SBOM/BOM-Index committed.
• Gate: bench results stored under bench/; samples/ populated; CI job added.

---

Sprint 11 – Signing Chain Bring-up (ID: SP11, ~3 w)

Group SP11-G1 — Authority Sender Constraints (src/StellaOps.Authority) ~0.8 w

• Tasks: AUTH-DPOP-11-001 (3 d), AUTH-MTLS-11-002 (2 d)
• Acceptance: DPoP nonce dance validated; mTLS tokens issued in ≤40 ms.
• Gate: updated Authority OpenAPI; QA scripts verifying DPoP/mTLS.

Group SP11-G2 — Signer Service (src/StellaOps.Signer) ~1.2 w

• Tasks: SIGNER-API-11-101 (4 d), SIGNER-REF-11-102 (2 d), SIGNER-QUOTA-11-103 (2 d)
• Acceptance: signing throughput ≥30 req/min; p95 latency ≤200 ms.
• Gate SP11-G2 → Attestor/UI: /sign/dsse OpenAPI frozen; signed DSSE bundle in repo; Rekor interop test passing.

Group SP11-G3 — Attestor Service (src/StellaOps.Attestor) ~1 w

• Tasks: ATTESTOR-API-11-201 (3 d), ATTESTOR-VERIFY-11-202 (2 d), ATTESTOR-OBS-11-203 (2 d)
• Acceptance: inclusion proof retrieval <500 ms; audit log coverage 100 %.
• Gate: Attestor API doc + verification script.

Group SP11-G4 — UI Attestation Hooks (src/StellaOps.UI) ~0.4 w

• Tasks: UI-ATTEST-11-005 (3 d)
• Acceptance: attestation panel renders within 200 ms; Rekor link verified.
• Gate SP11-G4 → SP13-G1: recorded UX walkthrough.

---

Sprint 12 – Runtime Guardrails (ID: SP12, ~3 w)

Group SP12-G1 — Zastava Core (src/StellaOps.Zastava.Core) ~0.8 w

• Tasks: ZASTAVA-CORE-12-201..204
• Acceptance: DTO tests stable; configuration docs produced.
• Gate: schema doc + logging helpers integrated.

Group SP12-G2 — Zastava Observer (src/StellaOps.Zastava.Observer) ~0.8 w

• Tasks: ZASTAVA-OBS-12-001..004
• Acceptance: observer memory <200 MB; event flush ≤2 s.
• Gate: sample runtime events stored; offline buffer test passes.

Group SP12-G3 — Zastava Webhook (src/StellaOps.Zastava.Webhook) ~0.6 w

• Tasks: ZASTAVA-WEBHOOK-12-101..103
• Acceptance: admission latency p95 ≤45 ms; cache TTL adhered to.
• Gate: TLS rotation procedure documented; readiness probe script.

Group SP12-G4 — Scanner Runtime APIs (src/StellaOps.Scanner.WebService) ~0.8 w

• Tasks: SCANNER-RUNTIME-12-301 (2 d), SCANNER-RUNTIME-12-302 (3 d)
• Acceptance: /runtime/events handles 500 events/sec; /policy/runtime output matches webhook decisions.
• Gate SP12-G4 → SP13/SP15: API documented, fixtures updated.

---

Sprint 13 – UX & CLI Experience (ID: SP13, ~2 w)

Group SP13-G1 — UI Shell & Panels (src/StellaOps.UI) ~1.6 w

• Tasks: UI-AUTH-13-001 (3 d), UI-SCANS-13-002 (4 d), UI-VEX-13-003 (3 d), UI-ADMIN-13-004 (2 d), UI-SCHED-13-005 (3 d), UI-NOTIFY-13-006 (3 d)
• Acceptance: Lighthouse ≥85; Scheduler/Notify panels function against mocked APIs.
• Gate: UI dev server fixtures committed; QA sign-off captured.

Group SP13-G2 — CLI Enhancements (src/StellaOps.Cli) ~0.8 w

• Tasks: CLI-RUNTIME-13-005 (3 d), CLI-OFFLINE-13-006 (3 d), CLI-PLUGIN-13-007 (2 d)
• Acceptance: runtime policy CLI completes <1 s for 10 images; offline kit commands resume downloads.
• Gate: CLI plugin manifest doc; smoke tests covering new verbs.

---

Sprint 14 – Release & Offline Ops (ID: SP14, ~2 w)

Group SP14-G1 — Release Automation (ops/devops) ~0.8 w

• Tasks: DEVOPS-REL-14-001 (4 d)
• Acceptance: reproducible build diff tool shows zero drift across two runs; signing pipeline green.
• Gate: signed manifest + provenance published.

Group SP14-G2 — Offline Kit Packaging (ops/offline-kit) ~0.6 w

• Tasks: DEVOPS-OFFLINE-14-002 (3 d)
• Acceptance: kit import <5 min with integrity verification CLI.
• Gate: kit doc updated; import script included.

Group SP14-G3 — Deployment Playbooks (ops/deployment) ~0.4 w

• Tasks: DEVOPS-OPS-14-003 (2 d)
• Acceptance: rollback drill recorded; compatibility matrix produced.
• Gate: playbook PR merged with Ops sign-off.

Group SP14-G4 — Licensing Token Service (ops/licensing) ~0.4 w

• Tasks: DEVOPS-LIC-14-004 (2 d)
• Acceptance: token service handles 100 req/min; revocation latency <60 s.
• Gate: monitoring dashboard links; failover doc.

---

Sprint 15 – Notify Foundations (ID: SP15, ~3 w)

Group SP15-G1 — Models & Storage (src/StellaOps.Notify.Models + Storage.Mongo) ~0.8 w

• Tasks: NOTIFY-MODELS-15-101 (2 d), -102 (2 d), -103 (1 d); NOTIFY-STORAGE-15-201 (3 d), -202 (2 d), -203 (1 d)
• Acceptance: rule CRUD latency <120 ms; delivery retention job verified.
• Gate: schema docs + fixtures published.

Group SP15-G2 — Engine & Queue (src/StellaOps.Notify.Engine + Queue) ~0.8 w

• Tasks: NOTIFY-ENGINE-15-301..304, NOTIFY-QUEUE-15-401..403
• Acceptance: rules evaluation ≥5k events/min; queue dead-letter <0.5 %.
• Gate: digest outputs committed; queue config doc updated.

Group SP15-G3 — WebService & Worker (src/StellaOps.Notify.WebService + Worker) ~0.8 w

• Tasks: NOTIFY-WEB-15-101..104, NOTIFY-WORKER-15-201..204
• Acceptance: API p95 <120 ms; worker delivery success ≥99 %.
• Gate: end-to-end fixture run producing delivery record.

Group SP15-G4 — Channel Plug-ins (src/StellaOps.Notify.Connectors.*) ~0.6 w

• Tasks: NOTIFY-CONN-SLACK-15-501..503, NOTIFY-CONN-TEAMS-15-601..603, NOTIFY-CONN-EMAIL-15-701..703, NOTIFY-CONN-WEBHOOK-15-801..803
• Acceptance: channel-specific retry policies verified; rate limits respected.
• Gate: plug-in manifests inside plugins/notify/**; test-send docs.

Group SP15-G5 — Events & Benchmarks (src/StellaOps.Scanner.WebService + bench) ~0.5 w

• Tasks: SCANNER-EVENTS-15-201 (2 d), BENCH-NOTIFY-15-001 (2 d)
• Acceptance: event emission latency <100 ms; throughput bench results stored.
• Gate: docs/events/samples/ contains sample payloads; bench CSV in repo.

---

Sprint 16 – Scheduler Intelligence (ID: SP16, ~4 w)

Group SP16-G1 — Models & Storage (src/StellaOps.Scheduler.Models + Storage.Mongo) ~1 w

• Tasks: SCHED-MODELS-16-101 (3 d), -102 (2 d), -103 (2 d); SCHED-STORAGE-16-201 (3 d), -202 (2 d), -203 (2 d)
• Acceptance: schedule CRUD latency <120 ms; run retention TTL enforced.
• Gate: schema doc + integration tests passing.

Group SP16-G2 — ImpactIndex & Queue (src/StellaOps.Scheduler.ImpactIndex + Queue + Bench) ~1.2 w

• Tasks: SCHED-IMPACT-16-300 (2 d, DOING), SCHED-IMPACT-16-301 (3 d), -302 (3 d), -303 (2 d); SCHED-QUEUE-16-401..403 (each 2 d); BENCH-IMPACT-16-001 (2 d)
• Acceptance: impact resolve 10k productKeys <300 ms hot; stub removed by sprint end.
• Gate: roaring snapshot stored; bench CSV published; removal plan for stub recorded.

Group SP16-G3 — Scheduler WebService (src/StellaOps.Scheduler.WebService) ~0.8 w

• Tasks: SCHED-WEB-16-101..104 (each 2 d)
• Acceptance: preview endpoint <250 ms; webhook security enforced.
• Gate: OpenAPI published; dry-run JSON fixtures stored.

Group SP16-G4 — Scheduler Worker (src/StellaOps.Scheduler.Worker) ~1 w

• Tasks: SCHED-WORKER-16-201 (3 d), -202 (2 d), -203 (3 d), -204 (2 d), -205 (2 d)
• Acceptance: planner fairness metrics captured; runner success ≥98 % across 1k sims.
• Gate: event emission to Notify verified; metrics dashboards live.

---

Sprint 17 – Symbol Intelligence & Forensics (ID: SP17, ~2.5 w)

Group SP17-G1 — Scanner Forensics (src/StellaOps.Scanner.Emit + WebService) ~1.2 w

• Tasks: SCANNER-EMIT-17-701 (4 d), SCANNER-RUNTIME-17-401 (3 d)
• Acceptance: forensic overlays add ≤150 ms per image; runtime API exposes symbol hints with feature flag.
• Gate: forensic SBOM samples committed; API doc updated.

Group SP17-G2 — Zastava Observability (src/StellaOps.Zastava.Observer) ~0.6 w

• Tasks: ZASTAVA-OBS-17-005 (3 d)
• Acceptance: new telemetry surfaces symbol diffs; observer CPU <10 % under load.
• Gate: Grafana dashboard export, alert thresholds defined.

Group SP17-G3 — Release Hardening (ops/devops) ~0.4 w

• Tasks: DEVOPS-REL-17-002 (2 d)
• Acceptance: deterministic build verifier job updated to include forensics artifacts.
• Gate: CI pipeline stage forensics-verify green.

Group SP17-G4 — Documentation (docs/) ~0.3 w

• Tasks: DOCS-RUNTIME-17-004 (2 d)
• Acceptance: runtime forensic guide published with troubleshooting.
• Gate: docs review sign-off; links added to UI help.

---

Integration Buffers

• INT-A (0.3 w, after SP10): Image → SBOM → BOM-Index → Scheduler preview → UI dry-run using fixtures.
• INT-B (0.3 w, after SP11 & SP15): SBOM → policy verdict → signed DSSE → Rekor entry → Notify delivery end-to-end.

Parallelisation Strategy

• SP9 core modules and SP11 authority upgrades can progress in parallel; scanner clients rely on feature flags while DPoP/mTLS hardening lands.
• SP10 SBOM emission may start alongside Scheduler ImpactIndex using samples/ fixtures; stub SCHED-IMPACT-16-300 keeps velocity while awaiting roaring index.
• Notify foundations (SP15) can begin once event schemas freeze (delivered in SP9-G9/SP12-G4), consuming canned events until Scanner emits live ones.
• UI (SP13) uses mocked endpoints early, decoupling front-end delivery from backend readiness.

Risk Registry

Risk ID	Description	Owner	Mitigation	Trigger
R1	BOM-Index memory blow-up on large fleets	Scheduler ImpactIndex Guild	Shard + mmap plan; monitor BENCH-IMPACT-16-001	RAM > 8 GB in bench
R2	Buildx plugin latency regression	BuildX Guild	DEVOPS-PERF-10-001 guard; fallback to post-build scan	Buildx job >300 ms/layer
R3	Notify digests flooding Slack	Notify Engine Guild	throttle defaults, BENCH-NOTIFY-15-001 coverage	Dropped messages >1 %
R4	Policy precedence confusion	Policy Guild	ADR, preview API, unit tests	Operator escalation about precedence
R5	ImpactIndex stub lingers	Scheduler ImpactIndex Guild	Track SCHED-IMPACT-16-300 removal in sprint review	Stub present past SP16
R6	Symbol forensics slows runtime	Scanner Emit Guild	Feature flag; perf tests in SP17-G1	Forensics adds >150 ms/image

Envelope & ADR Governance

• Event schemas (docs/events/*.json) versioned; producers must bump suffix on breaking changes.
• ADR template (docs/adr/0000-template.md) mandatory for BOM-Index format, event envelopes, DPoP nonce policy, Rekor migration.

---

Summary: The plan keeps high-impact artifacts (policy engine, BOM-Index, signing chain) on the critical path while unlocking parallel tracks (Notify, Scheduler, UI) through early schema freezes and fixtures. Integration buffers ensure cross-team touchpoints are validated continuously, supporting rapid iteration against competitive pressure.