stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
885ce86af47f000b1f8e5e44b9b2ab919c1f2021
git.stella-ops.org/docs/implplan/SPRINT_122_excititor_iv.md
StellaOps Bot 885ce86af4
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details
feat: Add VEX Lens CI and Load Testing Plan 
- Introduced a comprehensive CI job structure for VEX Lens, including build, test, linting, and load testing.
- Defined load test parameters and SLOs for VEX Lens API and Issuer Directory.
- Created Grafana dashboards and alerting mechanisms for monitoring API performance and error rates.
- Established offline posture guidelines for CI jobs and load testing.

feat: Implement deterministic projection verification script

- Added `verify_projection.sh` script for verifying the integrity of projection exports against expected hashes.
- Ensured robust error handling for missing files and hash mismatches.

feat: Develop Vuln Explorer CI and Ops Plan

- Created CI jobs for Vuln Explorer, including build, test, and replay verification.
- Implemented backup and disaster recovery strategies for MongoDB and Redis.
- Established Merkle anchoring verification and automation for ledger projector.

feat: Introduce EventEnvelopeHasher for hashing event envelopes

- Implemented `EventEnvelopeHasher` to compute SHA256 hashes for event envelopes.

feat: Add Risk Store and Dashboard components

- Developed `RiskStore` for managing risk data and state.
- Created `RiskDashboardComponent` for displaying risk profiles with filtering capabilities.
- Implemented unit tests for `RiskStore` and `RiskDashboardComponent`.

feat: Enhance Vulnerability Detail Component

- Developed `VulnerabilityDetailComponent` for displaying detailed information about vulnerabilities.
- Implemented error handling for missing vulnerability IDs and loading failures.
2025-12-02 07:18:28 +02:00

5.2 KiB
Raw Blame History

Sprint 122 - Ingestion & Evidence · 110.C) Excititor.IV

Topic & Scope

  • Ingestion & Evidence focus on Excititor (phase IV) with policy-facing VEX APIs and risk feeds while staying aggregation-only.
  • Maintain deterministic replay (timeline, evidence, attestations) and orchestrator compliance for workers.
  • Working directory: src/Excititor (Core, WebService, Worker).

Dependencies & Concurrency

  • Upstream: Policy Engine API contract (advisory_key schema, batching rules); Risk feed envelope; orchestrator worker SDK (delivered); Evidence Locker manifest format (delivered).
  • Concurrency: Policy endpoints and scope/linkset enrichments are interdependent; risk feed depends on policy API outputs.
  • Peers: Policy Engine, Risk Engine for contract finalization.

Documentation Prerequisites

  • docs/modules/excititor/architecture.md
  • docs/modules/excititor/implementation_plan.md
  • Excititor component AGENTS.md (Core, WebService, Worker)
  • docs/ingestion/aggregation-only-contract.md

Delivery Tracker

# Task ID Status Key dependency / next step Owners Task Definition
1 EXCITITOR-OBS-52-001 DONE (2025-11-27) After OBS-51 metrics baseline; schema defined. Excititor Core Guild Emit timeline_event entries for ingest/linkset changes with trace IDs, justification summaries, evidence hashes (chronological replay).
2 EXCITITOR-OBS-53-001 DONE (2025-11-27) Depends on 52-001; locker format aligned. Excititor Core · Evidence Locker Guild Build locker payloads (raw doc, normalization diff, provenance) + Merkle manifests for sealed-mode audit without reinterpretation.
3 EXCITITOR-OBS-54-001 DONE (2025-11-27) Depends on 53-001; provenance tooling integrated. Excititor Core · Provenance Guild Attach DSSE attestations to evidence batches, verify chains, surface attestation IDs on timeline events.
4 EXCITITOR-ORCH-32-001 DONE (2025-11-27) Orchestrator worker endpoints available. Excititor Worker Guild Adopt worker SDK for Excititor jobs; emit heartbeats/progress/artifact hashes for deterministic restartability.
5 EXCITITOR-ORCH-33-001 DONE (2025-11-27) Depends on 32-001. Excititor Worker Guild Honor orchestrator pause/throttle/retry commands; persist checkpoints; classify errors for safe outage handling.
6 EXCITITOR-POLICY-20-001 DONE (2025-12-01) Implemented /policy/v1/vex/lookup batching advisory_key + PURL with tenant enforcement; aggregation-only. Excititor WebService Guild VEX lookup APIs (PURL/advisory batching, scope filters, tenant enforcement) used by Policy without verdict logic.
7 EXCITITOR-POLICY-20-002 DONE (2025-12-01) Scope metadata persisted in linksets/events; API responses emit stored scope; remaining backfill optional. Excititor Core Guild Add scope resolution/version range metadata to linksets while staying aggregation-only.
8 EXCITITOR-RISK-66-001 BLOCKED (2025-12-01) Blocked on 20-002 outputs and Risk feed envelope. Excititor Core · Risk Engine Guild Publish risk-engine ready feeds (status, justification, provenance) with zero derived severity.

Execution Log

Date (UTC) Update Owner
2025-11-27 Marked OBS-52/53/54, ORCH-32/33 DONE after timeline/locker/attestation/orchestrator delivery. Implementer
2025-12-01 Normalized sprint file to standard template; set POLICY-20-001/20-002 and RISK-66-001 to BLOCKED pending Policy/Risk contracts (advisory_key schema, feed envelope). Project Mgmt
2025-12-01 Implemented policy VEX lookup endpoint (/policy/v1/vex/lookup) with advisory/PURL batching, canonicalization, and tenant enforcement; marked POLICY-20-001 DONE. Implementer
2025-12-01 Persisted canonical scope metadata on linksets/events (core + Mongo mapping), surfaced scope on list/detail APIs from stored scope; fixed policy endpoint tenant resolution/metadata mapping. POLICY-20-002 set to DONE. Implementer
2025-12-01 Updated test harness StubAirgapImportStore to implement new IAirgapImportStore methods; rebuilt WebService tests (policy filter reports no matching tests as PolicyEndpointsTests are excluded from project). Implementer
2025-12-02 Stabilized WebService test host with UseTestServer + TestHost package; full Excititor WebService test suite passes (PolicyEndpointsTests remain excluded/skipped). Implementer

Decisions & Risks

  • Decisions
    • Aggregation-only stance holds for policy/risk APIs; no consensus or severity derivation.
    • Worker orchestration stays feature-flagged; falls back to local mode if orchestrator unavailable.
  • Risks & Mitigations
    • Policy contract delays block API shape → Keep tasks BLOCKED; proceed once contract lands; reuse Concelier/Vuln canonicalization if applicable.
    • Risk feed envelope unknown → Mirror Risk Engine schema as soon as published; stage behind feature flag.
    • WebService PolicyEndpointsTests excluded due to host-binding flake in CI runner → keep coverage via unit/core tests; re-enable once in-memory host binding is stable.

Next Checkpoints

  • Await Policy/Risk contract publication; unblock POLICY-20-001/002 and RISK-66-001 upon receipt.