# Sprint 124 - Policy & Reasoning
Last updated: November 28, 2025. Implementation order is DOING → TODO → BLOCKED.
Focus areas below were split out of the previous combined sprint; execute sections in order unless noted.
## Policy.II

Dependency: Sprint 120.C - Policy.I (must land before this track). Focus: Policy (phase II) within the Policy & Reasoning area.
| # | Task ID & handle | State | Key dependency / next step | Owners |
|---|---|---|---|---|
| P1 | PREP-POLICY-ENGINE-20-002-BUILD-DETERMINISTIC | DONE (2025-11-20) | Prep doc at docs/modules/policy/prep/2025-11-20-policy-engine-20-002-prep.md; captures evaluator constraints. | Policy Guild / src/Policy/StellaOps.Policy.Engine |
| 1 | POLICY-CONSOLE-23-002 | TODO | Produce simulation diff metadata (before/after counts, severity deltas, rule impact summaries) and approval state endpoints consumed by the Console policy workspace; expose RBAC-aware status transitions (Deps: POLICY-CONSOLE-23-001) | Policy Guild, Product Ops / src/Policy/StellaOps.Policy.Engine |
| 2 | POLICY-ENGINE-20-002 | DONE (2025-11-27) | Design doc at docs/modules/policy/design/deterministic-evaluator.md; samples and test vectors at docs/modules/policy/samples/deterministic-evaluator/; code changes in PolicyEvaluationContext.cs and PolicyExpressionEvaluator.cs | Policy Guild / src/Policy/StellaOps.Policy.Engine |
| 3 | POLICY-ENGINE-20-003 | DONE (2025-11-27) | SelectionJoin models, PurlEquivalence table, and SelectionJoinService implemented in src/Policy/StellaOps.Policy.Engine/SelectionJoin/ | Policy Guild, Concelier Core Guild, Excititor Core Guild / src/Policy/StellaOps.Policy.Engine |
| 4 | POLICY-ENGINE-20-004 | DONE (2025-11-27) | Materialization writer implemented in src/Policy/StellaOps.Policy.Engine/Materialization/ with EffectiveFinding models, append-only history, tenant scoping, and trace references | Policy Guild, Platform Storage Guild / src/Policy/StellaOps.Policy.Engine |
| 5 | POLICY-ENGINE-20-005 | DONE (2025-11-27) | Determinism guard implemented in src/Policy/StellaOps.Policy.Engine/DeterminismGuard/ with static analyzer (ProhibitedPatternAnalyzer), runtime sandbox (DeterminismGuardService, EvaluationScope), and guarded evaluator integration (GuardedPolicyEvaluator) | Policy Guild, Security Engineering / src/Policy/StellaOps.Policy.Engine |
| 6 | POLICY-ENGINE-20-006 | DONE (2025-11-27) | Incremental orchestrator implemented in src/Policy/StellaOps.Policy.Engine/IncrementalOrchestrator/ with PolicyChangeEvent models (advisory/VEX/SBOM change types), IncrementalPolicyOrchestrator (batching, deduplication, retry logic), and IncrementalOrchestratorBackgroundService (continuous processing, metrics) | Policy Guild, Scheduler Worker Guild / src/Policy/StellaOps.Policy.Engine |
| 7 | POLICY-ENGINE-20-007 | DONE (2025-11-27) | Structured traces implemented in src/Policy/StellaOps.Policy.Engine/Telemetry/ with RuleHitTrace.cs (trace models, statistics), RuleHitTraceCollector.cs (sampling controls, exporters), and ExplainTraceExport.cs (JSON/NDJSON/Text/Markdown export formats) | Policy Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine |
| 8 | POLICY-ENGINE-20-008 | DONE (2025-11-28) | Unit test suites added in src/Policy/__Tests/StellaOps.Policy.Engine.Tests/ for DeterminismGuard, SelectionJoin, IncrementalOrchestrator, Materialization, and Telemetry components (99 tests passing) | Policy Guild, QA Guild / src/Policy/StellaOps.Policy.Engine |
| 9 | POLICY-ENGINE-20-009 | DONE (2025-11-28) | MongoDB schemas implemented in src/Policy/StellaOps.Policy.Engine/Storage/Mongo/ with document classes (PolicyDocuments.cs, PolicyRunDocument.cs, EffectiveFindingDocument.cs, PolicyAuditDocument.cs), options (PolicyEngineMongoOptions.cs), context (PolicyEngineMongoContext.cs), migrations (EnsurePolicyCollectionsMigration.cs, EnsurePolicyIndexesMigration.cs, EffectiveFindingCollectionInitializer.cs), migration runner, and tenant enforcement (TenantFilterBuilder.cs) | Policy Guild, Storage Guild / src/Policy/StellaOps.Policy.Engine |
| 10 | POLICY-ENGINE-27-001 | TODO | Extend compile outputs to include rule coverage metadata, symbol table, inline documentation, and rule index for editor autocomplete; persist deterministic hashes (Deps: POLICY-ENGINE-20-009) | Policy Guild / src/Policy/StellaOps.Policy.Engine |
| 11 | POLICY-ENGINE-27-002 | TODO | Enhance simulate endpoints to emit rule firing counts, heatmap aggregates, sampled explain traces with deterministic ordering, and delta summaries for quick/batch sims (Deps: POLICY-ENGINE-27-001) | Policy Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine |
| 12 | POLICY-ENGINE-29-001 | TODO | Implement batch evaluation endpoint (POST /policy/eval/batch) returning determinations + rationale chain for sets of (artifact, purl, version, advisory) tuples; support pagination and cost budgets (Deps: POLICY-ENGINE-27-004) | Policy Guild / src/Policy/StellaOps.Policy.Engine |
| 13 | POLICY-ENGINE-27-004 | DONE (2025-10-19) | Completed in Sprint 120; see archived tasks note. | Policy Guild / src/Policy/StellaOps.Policy.Engine |
| 14 | POLICY-ENGINE-29-002 | TODO | Provide streaming simulation API comparing two policy versions, returning per-finding deltas without writes; align determinism with Vuln Explorer simulation (Deps: POLICY-ENGINE-29-001) | Policy Guild, Findings Ledger Guild / src/Policy/StellaOps.Policy.Engine |
## Execution Log
| Date (UTC) | Update | Owner |
|---|---|---|
| 2025-11-28 | POLICY-ENGINE-20-009: Completed MongoDB storage layer - document schemas for policies, policy_revisions, policy_bundles, policy_runs, effective_finding_, effective_finding_history_, and policy_audit collections. Created PolicyEngineMongoOptions.cs (connection/collection configuration with TTL settings), PolicyEngineMongoContext.cs (database access with read/write concerns), migration infrastructure (IPolicyEngineMongoMigration, PolicyEngineMigrationRunner, PolicyEngineMongoInitializer), EnsurePolicyCollectionsMigration.cs (creates base collections), EnsurePolicyIndexesMigration.cs (indexes for policies, revisions, bundles, runs, audit), EffectiveFindingCollectionInitializer.cs (dynamic per-policy collection creation with indexes), TenantFilterBuilder.cs (tenant enforcement utilities), and ServiceCollectionExtensions.cs (DI registration). Status → DONE. | Implementer |
| 2025-11-28 | POLICY-ENGINE-20-008: Completed unit test suites - DeterminismGuardTests.cs (static analyzer, runtime sandbox, guarded evaluator), SelectionJoinTests.cs (PURL equivalence, tuple resolution, VEX overlay), IncrementalOrchestratorTests.cs (event processing, deduplication, priority batching), MaterializationTests.cs (deterministic IDs, content hashing), TelemetryTests.cs (trace factory, statistics, sampling). 99 tests passing. Status → DONE. | Implementer |
| 2025-11-27 | POLICY-ENGINE-20-007: Completed structured traces - RuleHitTrace.cs (trace models, factory, statistics aggregation), RuleHitTraceCollector.cs (sampling controls with VEX/severity-aware rates, incident mode, exporters), ExplainTraceExport.cs (JSON/NDJSON/Text/Markdown formats, builder pattern). Status → DONE. | Implementer |
| 2025-11-27 | POLICY-ENGINE-20-006: Completed incremental orchestrator - PolicyChangeEvent.cs (change event models with factory for advisory/VEX/SBOM changes, deterministic content hashing, batching), IncrementalPolicyOrchestrator.cs (event processing with idempotency, retry logic, priority-based batching), IncrementalOrchestratorBackgroundService.cs (continuous processing with metrics). Status → DONE. | Implementer |
| 2025-11-27 | POLICY-ENGINE-20-005: Completed determinism guard - DeterminismViolation.cs (violation models/options), ProhibitedPatternAnalyzer.cs (static analysis with regex patterns for DateTime.Now, Random, Guid.NewGuid, HttpClient, File.Read, etc.), DeterminismGuardService.cs (runtime sandbox with EvaluationScope, DeterministicTimeProvider), GuardedPolicyEvaluator.cs (integration layer). Status → DONE. | Implementer |
| 2025-11-27 | POLICY-ENGINE-20-004: Completed materialization writer - EffectiveFindingModels.cs (document schema), EffectiveFindingWriter.cs (upsert + append-only history). Tenant-scoped collections, trace references, content hash deduplication. Status → DONE. | Implementer |
| 2025-11-27 | POLICY-ENGINE-20-003: Completed selection joiners - SelectionJoinModels.cs (tuple models), PurlEquivalence.cs (equivalence table with package key extraction), SelectionJoinService.cs (deterministic batching, multi-index lookup). Status → DONE. | Implementer |
| 2025-11-27 | POLICY-ENGINE-20-002: Completed. Created design doc, sample config, test vectors. Added EvaluationTimestamp/now for deterministic timestamps. Status → DONE. | Implementer |
| 2025-11-20 | Published deterministic evaluator prep note (docs/modules/policy/prep/2025-11-20-policy-engine-20-002-prep.md); set PREP-POLICY-ENGINE-20-002 to DONE. | Implementer |
| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
| 2025-11-25 | Reconciled POLICY-ENGINE-27-004 as DONE (completed 2025-10-19 in Sprint 120); added to Delivery Tracker for traceability. | Project Mgmt |