git.stella-ops.org/docs/implplan/SPRINT_0142_0001_0001_sbomservice.md

Sprint 0142_0001_0001 · Runtime & Signals — SBOM Service

Topic & Scope

• Runtime & Signals stream focusing on SBOM Service projections, APIs, and orchestrator integration to support Advisory AI, Console, Graph overlays, and Vuln Explorer consumers.
• Freeze Link-Not-Merge (LNM) v1 SBOM projection schema and publish deterministic read APIs (paths, timelines, projections) with strict tenant enforcement.
• Integrate SBOM ingest/index with orchestrator backpressure and reconciliation and emit events for downstream graph/indexer pipelines.
• Working directory: src/SbomService/StellaOps.SbomService.

Dependencies & Concurrency

• Upstream: Sprint 120.A (AirGap); Sprint 130.A (Scanner).
• Concurrency: Track alongside other Runtime & Signals 140-series sprints; safe in parallel if orchestrator contracts stay stable.

Documentation Prerequisites

• docs/README.md
• docs/07_HIGH_LEVEL_ARCHITECTURE.md
• docs/modules/platform/architecture-overview.md
• docs/modules/sbomservice/architecture.md (module dossier).

Delivery Tracker

#	Task ID	Status	Key dependency / next step	Owners	Task Definition
1	SBOM-AIAI-31-001	DONE	Implemented /sbom/paths with env/blast-radius/runtime flags + cursor paging and /sbom/versions timeline; in-memory deterministic seed until storage wired.	SBOM Service Guild (src/SbomService/StellaOps.SbomService)	Provide path and version timeline endpoints optimised for Advisory AI.
2	SBOM-AIAI-31-002	DOING	Module charter added; continue metrics work and dashboards.	SBOM Service Guild; Observability Guild	Instrument metrics for path/timeline queries and surface dashboards.
3	SBOM-CONSOLE-23-001	DOING	Module charter added; continue /console/sboms implementation and schema/storage backing.	SBOM Service Guild; Cartographer Guild	Provide Console-focused SBOM catalog API.
4	SBOM-CONSOLE-23-002	TODO	Depends on SBOM-CONSOLE-23-001; cache-aware component lookup powering global search and Graph overlays; enforce tenant boundaries.	SBOM Service Guild	Deliver component lookup endpoints for search and overlays.
5	SBOM-ORCH-32-001	TODO	Register SBOM ingest/index sources; embed worker SDK; emit artifact hashes and job metadata.	SBOM Service Guild	Register SBOM ingest/index sources with orchestrator.
6	SBOM-ORCH-33-001	TODO	Depends on SBOM-ORCH-32-001; report backpressure metrics, honor pause/throttle signals, classify sbom job errors.	SBOM Service Guild	Report backpressure metrics and handle orchestrator control signals.
7	SBOM-ORCH-34-001	TODO	Depends on SBOM-ORCH-33-001; implement orchestrator backfill and watermark reconciliation for idempotent artifact reuse.	SBOM Service Guild	Implement orchestrator backfill + watermark reconciliation.
8	SBOM-SERVICE-21-001	BLOCKED	Waiting on LNM v1 fixtures (due 2025-11-18 UTC) to freeze schema; then publish normalized SBOM projection read API with pagination + tenant enforcement.	SBOM Service Guild; Cartographer Guild	Link-Not-Merge v1 frozen schema and deterministic read API.
9	SBOM-SERVICE-21-002	TODO	Depends on SBOM-SERVICE-21-001; emit sbom.version.created change events and add replay/backfill tooling.	SBOM Service Guild; Scheduler Guild	Emit change events carrying digest/version metadata for Graph Indexer builds.
10	SBOM-SERVICE-21-003	TODO	Depends on SBOM-SERVICE-21-002; entrypoint/service node management API feeding Cartographer path relevance with deterministic defaults.	SBOM Service Guild	Provide entrypoint/service node management API.
11	SBOM-SERVICE-21-004	TODO	Depends on SBOM-SERVICE-21-003; wire metrics (sbom_projection_seconds, sbom_projection_size), traces, tenant-annotated logs; set backlog alerts.	SBOM Service Guild; Observability Guild	Wire observability for SBOM projections.
12	SBOM-SERVICE-23-001	TODO	Depends on SBOM-SERVICE-21-004; extend projections with asset metadata (criticality, owner, environment, exposure flags); update schema docs.	SBOM Service Guild; Policy Guild	Extend projections to include asset metadata.
13	SBOM-SERVICE-23-002	TODO	Depends on SBOM-SERVICE-23-001; emit sbom.asset.updated events with idempotent payloads; document envelopes.	SBOM Service Guild; Platform Events Guild	Emit asset metadata change events.
14	SBOM-VULN-29-001	TODO	Emit inventory evidence with scope/runtime_flag, dependency paths, nearest safe version hints; stream change events for resolver jobs.	SBOM Service Guild	Emit inventory evidence for vulnerability flows.
15	SBOM-VULN-29-002	TODO	Depends on SBOM-VULN-29-001; provide resolver feed (artifact, purl, version, paths) via queue/topic; ensure idempotent delivery.	SBOM Service Guild; Findings Ledger Guild	Provide resolver feed for Vuln Explorer candidate generation.

Action Tracker

Action	Owner(s)	Due	Status
Provide LNM v1 fixtures for SBOM projections.	Cartographer Guild	2025-11-18	Pending
Publish orchestrator control contract for pause/throttle/backfill signals.	Orchestrator Guild	2025-11-19	Pending
Create src/SbomService/AGENTS.md (roles, prerequisites, determinism/testing rules).	SBOM Service Guild · Module PM	2025-11-19	DONE

Execution Log

Date (UTC)	Update	Owner
2025-11-17	Normalised sprint to standard template and renamed from SPRINT_142_sbomservice.md; no scope changes.	Project Mgmt
2025-11-17	Flagged need for SBOM Service module dossier as documentation prerequisite.	Project Mgmt
2025-11-17	Authored docs/modules/sbomservice/architecture.md; added to prerequisites; set SBOM-SERVICE-21-001 to BLOCKED pending LNM v1 fixtures.	Project Mgmt
2025-11-17	Delivered Advisory AI path/timeline endpoints (/sbom/paths, /sbom/versions) with deterministic seed + tests; SBOM-AIAI-31-001 marked DONE.	SBOM Service
2025-11-17	Added latency/query metrics for Advisory AI endpoints; dashboards + cache-hit tracking to follow.	SBOM Service
2025-11-17	Implemented stub /console/sboms with filters, cursor paging, evaluation metadata; seeded deterministic catalog for UI/Console consumers.	SBOM Service
2025-11-17	Attempted dotnet test for SbomService.Tests; aborted ~45s due to repo-wide build churn.	SBOM Service
2025-11-17	Added cache-hit tagging on metrics for paths/versions/console catalog; tests still pending due to build abort.	SBOM Service
2025-11-18	Scoped builds (dotnet build on SbomService csproj/solution) repeatedly aborted by cross-solution churn; tests remain unrun.	SBOM Service
2025-11-18	Additional targeted build of StellaOps.SbomService.csproj aborted (~48s) due to repo churn; testing still blocked.	SBOM Service
2025-11-18	Marked SBOM-AIAI-31-002 and SBOM-CONSOLE-23-001 BLOCKED due to missing src/SbomService/AGENTS.md; implementation paused until charter is published.	Implementer
2025-11-18	Added Action Tracker and tracked new AGENTS creation task (AGENTS-SBOMSERVICE) to unblock implementation.	Implementer
2025-11-18	Added src/SbomService/AGENTS.md; unblocked SBOM-AIAI-31-002 and SBOM-CONSOLE-23-001 (statuses set to DOING).	Implementer

Decisions & Risks

• LNM v1 fixtures due 2025-11-18 remain outstanding; SBOM-SERVICE-21-001 stays BLOCKED until fixtures land.
• Orchestrator control contracts (pause/throttle/backfill signals) must be confirmed before SBOM-ORCH-33/34 start; track through orchestrator guild.
• Keep docs/modules/sbomservice/architecture.md aligned with schema/event decisions made during implementation.
• Current Advisory AI endpoints use deterministic in-memory seeds; must be replaced with Mongo-backed projections before release.
• Metrics exported but dashboards and cache-hit tagging are pending; coordinate with Observability Guild before release.
• Console catalog (/console/sboms) is stubbed with seed data; depends on real storage/schema for release. Tests not yet executed end-to-end due to build abort; rerun dotnet test once package reference duplicates are resolved.
• Local test run aborted due to long repository-wide build; rerun dotnet test src/SbomService/StellaOps.SbomService.Tests/StellaOps.SbomService.Tests.csproj -v q when build window is available to validate new endpoints.
• Metrics now include cache_hit tagging; dashboards remain outstanding. Test runs continue to abort due to long builds—schedule in a quiet window or build-only the SbomService solution subset before rerunning tests.
• Build/test runs for SbomService currently blocked by whole-solution churn; need a quiet window or targeted build of dependencies to validate endpoints and metrics.
• Component lookup endpoint is stubbed and tested locally in code, but validation is blocked until builds/tests can complete; keep SBOM-CONSOLE-23-002 open.
• AGENTS.md for src/SbomService added 2025-11-18; ensure implementers read before coding.

Next Checkpoints

Date (UTC)	Session	Goal	Owner(s)
2025-11-18	LNM v1 fixtures drop	Commit 4–6 canonical JSON fixtures for Link-Not-Merge v1; add-only evolution	Concelier Core · Cartographer · SBOM Service
2025-11-18	Scanner mock bundle v1 hash	Publish hash/location for surface_bundle_mock_v1.tgz and ETA for real caches	Scanner Guild