Sprint 110 - Ingestion & Evidence
Status Snapshot (2025-11-04)
- Advisory AI – 5 of 11 tasks are DONE (AIAI-31-001, AIAI-31-002, AIAI-31-003, AIAI-31-010, AIAI-31-011); orchestration pipeline (AIAI-31-004) and host wiring (AIAI-31-004A) remain TODO while downstream guardrails, CLI, and observability tracks (AIAI-31-004B/004C and AIAI-31-005 through AIAI-31-009) stay TODO pending cache/guardrail implementation and WebService/Worker hardening.
  - 2025-11-04: AIAI-31-002 and AIAI-31-003 shipped with deterministic SBOM context client wiring (`AddSbomContext` typed HTTP client) and toolset integration; WebService/Worker now invoke the orchestrator with SBOM-backed simulations and emit initial metrics.
  - 2025-11-03: AIAI-31-002 landed the configurable HTTP client + DI defaults; retriever now resolves data via `/v1/sbom/context`, retaining a null fallback until SBOM service ships.
  - 2025-11-03: Follow-up: SBOM guild to deliver base URL/API key and run an Advisory AI smoke retrieval once SBOM-AIAI-31-001 endpoints are live.
- Concelier – CONCELIER-CORE-AOC-19-004 is the only in-flight Concelier item; air-gap, console, attestation, and Link-Not-Merge tasks remain TODO, and several connector upgrades still carry overdue October due dates.
- Excititor – Excititor WebService, console, policy, and observability tracks are all TODO and hinge on Link-Not-Merge schema delivery plus trust-provenance connectors (SUSE/Ubuntu) progressing in section 110.C.
- Mirror – Mirror Creator track (MIRROR-CRT-56-001 through MIRROR-CRT-58-002) has not started; DSSE signing, OCI bundle, and scheduling integrations depend on the deterministic bundle assembler landing first.
Blockers & Overdue Follow-ups
- `CONCELIER-GRAPH-21-001`, `CONCELIER-GRAPH-21-002`, and `CONCELIER-GRAPH-21-005` remain BLOCKED awaiting `CONCELIER-POLICY-20-002` outputs and Cartographer schema (`CARTO-GRAPH-21-002`), keeping downstream Excititor graph consumers on hold.
- `EXCITITOR-GRAPH-21-001`, `EXCITITOR-GRAPH-21-002`, and `EXCITITOR-GRAPH-21-005` stay BLOCKED until the same Cartographer/Link-Not-Merge prerequisites are delivered.
- Connector provenance updates `FEEDCONN-ICSCISA-02-012` (due 2025-10-23) and `FEEDCONN-KISA-02-008` (due 2025-10-24) plus coordination items `FEEDMERGE-COORD-02-901`/`FEEDMERGE-COORD-02-902`/`FEEDMERGE-COORD-02-903` (due 2025-10-21 through 2025-10-24) are past due and need scheduling.
- Mirror evidence work remains blocked until `MIRROR-CRT-56-001` ships; align Export Center (`EXPORT-OBS-51-001`) and AirGap time anchor (`AIRGAP-TIME-57-001`) owners for kickoff.
[Ingestion & Evidence] 110.A) AdvisoryAI
Depends on: Sprint 100.A - Attestor
Summary: Ingestion & Evidence focus on AdvisoryAI.
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| AIAI-31-001 | DONE (2025-11-02) | Implement structured and vector retrievers for advisories/VEX with paragraph anchors and citation metadata. Dependencies: CONCELIER-VULN-29-001, EXCITITOR-VULN-29-001. | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-002 | DONE (2025-11-04) | Build SBOM context retriever (purl version timelines, dependency paths, env flags, blast radius estimator). Dependencies: SBOM-VULN-29-001. | Advisory AI Guild, SBOM Service Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-003 | DONE (2025-11-04) | Implement deterministic toolset (version comparators, range checks, dependency analysis, policy lookup) exposed via orchestrator. Dependencies: AIAI-31-001..002. | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-004 | DONE (2025-11-04) | Build orchestration pipeline for Summary/Conflict/Remediation tasks (prompt templates, tool calls, token budgets, caching). Dependencies: AIAI-31-001..003, AUTH-VULN-29-001. | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-004A | DONE (2025-11-04) | Wire orchestrator into WebService/Worker, expose API + queue contract, emit metrics, stub cache. Dependencies: AIAI-31-004, AIAI-31-002. | Advisory AI Guild, Platform Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-004B | TODO | Implement prompt assembler, guardrails, cache persistence, DSSE provenance, golden outputs. Dependencies: AIAI-31-004A, DOCS-AIAI-31-003, AUTH-AIAI-31-004. | Advisory AI Guild, Security Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-004C | TODO | Deliver CLI `stella advise run` command, renderer, docs, CLI golden tests. Dependencies: AIAI-31-004B, CLI-AIAI-31-003. | Advisory AI Guild, CLI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| DOCS-AIAI-31-002 | DONE (2025-11-03) | Author `/docs/advisory-ai/architecture.md` detailing RAG pipeline, deterministic tooling, caching, model profiles. Dependencies: AIAI-31-004. | Docs Guild, Advisory AI Guild (docs/TASKS.md) |
| DOCS-AIAI-31-001 | DONE (2025-11-03) | Publish `/docs/advisory-ai/overview.md` covering capabilities, guardrails, RBAC personas, and offline posture. | Docs Guild, Advisory AI Guild (docs/TASKS.md) |
| DOCS-AIAI-31-003 | DONE (2025-11-03) | Write `/docs/advisory-ai/api.md` covering endpoints, schemas, errors, rate limits, and imposed-rule banner. Dependencies: DOCS-AIAI-31-002. | Docs Guild, Advisory AI Guild (docs/TASKS.md) |
| DOCS-AIAI-31-004 | BLOCKED (2025-11-03) | Create `/docs/advisory-ai/console.md` with screenshots, a11y notes, copy-as-ticket instructions. Dependencies: CONSOLE-VULN-29-001, CONSOLE-VEX-30-001, EXCITITOR-CONSOLE-23-001. | Docs Guild, Console Guild (docs/TASKS.md) |
| DOCS-AIAI-31-005 | BLOCKED (2025-11-03) | Publish `/docs/advisory-ai/cli.md` covering commands, exit codes, scripting patterns. Dependencies: CLI-VULN-29-001, CLI-VEX-30-001, AIAI-31-004C. | Docs Guild, DevEx/CLI Guild (docs/TASKS.md) |
| DOCS-AIAI-31-006 | BLOCKED (2025-11-03) | Update `/docs/policy/assistant-parameters.md` covering temperature, token limits, ranking weights, TTLs. Dependencies: POLICY-ENGINE-31-001. | Docs Guild, Policy Guild (docs/TASKS.md) |
| DOCS-AIAI-31-007 | BLOCKED (2025-11-03) | Write `/docs/security/assistant-guardrails.md` detailing redaction, injection defense, logging. Dependencies: AIAI-31-005. | Docs Guild, Security Guild (docs/TASKS.md) |
| DOCS-AIAI-31-008 | BLOCKED (2025-11-03) | Publish `/docs/sbom/remediation-heuristics.md` (feasibility scoring, blast radius). Dependencies: SBOM-AIAI-31-001. | Docs Guild, SBOM Service Guild (docs/TASKS.md) |
| DOCS-AIAI-31-009 | BLOCKED (2025-11-03) | Create `/docs/runbooks/assistant-ops.md` for warmup, cache priming, model outages, scaling. Dependencies: DEVOPS-AIAI-31-001. | Docs Guild, DevOps Guild (docs/TASKS.md) |
| AIAI-31-005 | DONE (2025-11-04) | Implement guardrails (redaction, injection defense, output validation, citation enforcement) and fail-safe handling. Dependencies: AIAI-31-004. | Advisory AI Guild, Security Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-006 | DONE (2025-11-04) | Expose REST API endpoints (/advisory/ai/*) with RBAC, rate limits, OpenAPI schemas, and batching support. Dependencies: AIAI-31-004..005. | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-007 | TODO | Instrument metrics (`advisory_ai_latency`, `guardrail_blocks`, `validation_failures`, `citation_coverage`), logs, and traces; publish dashboards/alerts. Dependencies: AIAI-31-004..006. | Advisory AI Guild, Observability Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-008 | TODO | Package inference on-prem container, remote inference toggle, Helm/Compose manifests, scaling guidance, offline kit instructions. Dependencies: AIAI-31-006..007. | Advisory AI Guild, DevOps Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-010 | DONE (2025-11-02) | Implement Concelier advisory raw document provider mapping CSAF/OSV payloads into structured chunks for retrieval. Dependencies: CONCELIER-VULN-29-001, EXCITITOR-VULN-29-001. | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-011 | DONE (2025-11-02) | Implement Excititor VEX document provider to surface structured VEX statements for retrieval. Dependencies: EXCITITOR-LNM-21-201, EXCITITOR-CORE-AOC-19-002. | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |
| AIAI-31-009 | TODO | Develop unit/golden/property/perf tests, injection harness, and regression suite; ensure determinism with seeded caches. Dependencies: AIAI-31-001..006. | Advisory AI Guild, QA Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) |

- 2025-11-03 (AIAI-31-004A): WebService/Worker scaffolds created with in-memory cache/queue, minimal APIs (`/api/v1/advisory/plan`, `/api/v1/advisory/queue`), metrics counters, and plan cache instrumentation; worker processes queue using orchestrator.
- 2025-11-04 (AIAI-31-004A): SBOM base address now flows via `SbomContextClientOptions.BaseAddress`, worker emits queue/plan metrics, and orchestrator cache keys expanded to cover SBOM hash inputs.
- 2025-11-03: DOCS-AIAI-31-003 moved to DOING – drafting Advisory AI API reference (endpoints, rate limits, error model) for sprint 110.
- 2025-11-04: AIAI-31-005 DONE – guardrail pipeline redacts secrets, enforces citation/injection policies, emits block counters, and tests (`AdvisoryGuardrailPipelineTests`) cover redaction + citation validation.
- 2025-11-03: DOCS-AIAI-31-003 marked DONE – `docs/advisory-ai/api.md` published with scopes, request/response schemas, rate limits, and error catalogue (Docs Guild).
- 2025-11-03: DOCS-AIAI-31-001 marked DONE – `docs/advisory-ai/overview.md` published with value, personas, guardrails, observability, and roadmap checklists (Docs Guild).
- 2025-11-03: DOCS-AIAI-31-002 marked DONE – `docs/advisory-ai/architecture.md` published describing pipeline, deterministic tooling, caching, and profile governance (Docs Guild).
- 2025-11-03: DOCS-AIAI-31-004 marked BLOCKED – Console widgets/endpoints (CONSOLE-VULN-29-001, CONSOLE-VEX-30-001, EXCITITOR-CONSOLE-23-001) still pending; cannot document UI flows yet.
- 2025-11-03: DOCS-AIAI-31-005 marked BLOCKED – CLI implementation (`stella advise run`, CLI-VULN-29-001, CLI-VEX-30-001) plus AIAI-31-004C not shipped; doc blocked until commands exist.
- 2025-11-03: DOCS-AIAI-31-006 marked BLOCKED – Advisory AI parameter knobs (POLICY-ENGINE-31-001) absent; doc deferred.
- 2025-11-03: DOCS-AIAI-31-007 marked BLOCKED – Guardrail implementation (AIAI-31-005) incomplete.
- 2025-11-03: DOCS-AIAI-31-008 marked BLOCKED – Waiting on SBOM heuristics delivery (SBOM-AIAI-31-001).
- 2025-11-03: DOCS-AIAI-31-009 marked BLOCKED – DevOps runbook inputs (DEVOPS-AIAI-31-001) outstanding.
- 2025-11-03 (AIAI-31-006): Shipped `/api/v1/advisory/{task}` execution and `/api/v1/advisory/outputs/{cacheKey}` retrieval endpoints with guardrail integration, provenance hashes, and metrics (RBAC & rate limiting still pending Authority scope delivery).
- 2025-11-02: AIAI-31-004 kicked off orchestration pipeline design – establishing deterministic task sequence (summary/conflict/remediation) and cache key strategy.
- 2025-11-02: AIAI-31-004 orchestration prerequisites documented in docs/modules/advisory-ai/orchestration-pipeline.md (tasks 004A/004B/004C).
- 2025-11-02: AIAI-31-003 moved to DOING – beginning deterministic tooling (comparators, dependency analysis) while awaiting SBOM context client. Semantic & EVR comparators shipped; toolset interface published for orchestrator adoption.
- 2025-11-04: AIAI-31-004 DONE – orchestrator composes evidence (structured/vector/SBOM) with stable cache keys, metadata, and hashing; tests keep determinism enforced.
- 2025-11-02: Structured + vector retrievers landed with deterministic CSAF/OSV/Markdown chunkers, deterministic hash embeddings, and unit coverage for sample advisories.
- 2025-11-02: SBOM context request/result models finalized; retriever tests now validate environment-flag toggles and dependency-path dedupe. SBOM guild to wire real context service client.
- 2025-11-04: AIAI-31-002 completed – `AddSbomContext` typed client registered in WebService/Worker, BaseAddress/tenant headers sourced from configuration, and retriever HTTP-mapping tests extended.
- 2025-11-04: AIAI-31-003 completed – deterministic toolset integrated with orchestrator cache, property/range tests broadened, and dependency analysis outputs now hashed for replay.
- 2025-11-04: AIAI-31-004A ongoing – WebService/Worker queue wiring emits initial metrics, SBOM context hashing feeds cache keys, and replay docs updated ahead of guardrail implementation.

[Ingestion & Evidence] 110.B) Concelier.I
Depends on: Sprint 100.A - Attestor
Summary: Ingestion & Evidence focus on Concelier (phase I).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| CONCELIER-AIAI-31-001 Paragraph anchors | TODO | Expose advisory chunk API returning paragraph anchors, section metadata, and token-safe text for Advisory AI retrieval. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-AIAI-31-002 Structured fields | TODO | Ensure observation APIs expose upstream workaround/fix/CVSS fields with provenance; add caching for summary queries. Dependencies: CONCELIER-AIAI-31-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-AIAI-31-003 Advisory AI telemetry | TODO | Emit metrics/logs for chunk requests, cache hits, and guardrail blocks triggered by advisory payloads. Dependencies: CONCELIER-AIAI-31-001. | Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-AIRGAP-56-001 Mirror ingestion adapters | TODO | Add mirror source adapters reading advisories from imported bundles, preserving source metadata and bundle IDs. Ensure ingestion remains append-only. Dependencies: AIRGAP-IMP-57-002, MIRROR-CRT-56-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-AIRGAP-56-002 Bundle catalog linking | TODO | Persist bundle_id, merkle_root, and time anchor references on observations/linksets for provenance. Dependencies: CONCELIER-AIRGAP-56-001, AIRGAP-IMP-57-001. | Concelier Core Guild, AirGap Importer Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-AIRGAP-57-001 Sealed-mode source restrictions | TODO | Enforce sealed-mode egress rules by disallowing non-mirror connectors and surfacing remediation errors. Dependencies: CONCELIER-AIRGAP-56-001, AIRGAP-POL-56-001. | Concelier Core Guild, AirGap Policy Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-AIRGAP-57-002 Staleness annotations | TODO | Compute staleness metadata for advisories per bundle and expose via API for Console/CLI badges. Dependencies: CONCELIER-AIRGAP-56-002, AIRGAP-TIME-58-001. | Concelier Core Guild, AirGap Time Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-AIRGAP-58-001 Portable advisory evidence | TODO | Package advisory evidence fragments into portable evidence bundles for cross-domain transfer. Dependencies: CONCELIER-OBS-53-001, EVID-OBS-54-001. | Concelier Core Guild, Evidence Locker Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-ATTEST-73-001 ScanResults attestation inputs | TODO | Provide observation artifacts and linkset digests needed for ScanResults attestations (raw data + provenance, no merge outputs). Dependencies: ATTEST-TYPES-72-001. | Concelier Core Guild, Attestor Service Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-ATTEST-73-002 Transparency metadata | TODO | Ensure Concelier exposes source digests for transparency proofs and explainability. Dependencies: CONCELIER-ATTEST-73-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-CONSOLE-23-001 Advisory aggregation views | TODO | Expose /console/advisories endpoints returning aggregation groups (per linkset) with source chips, provider-reported severity columns (no local consensus), and provenance metadata for Console list + dashboard cards. Support filters by source, ecosystem, published/modified window, tenant enforcement. Dependencies: CONCELIER-LNM-21-201, CONCELIER-LNM-21-202. | Concelier WebService Guild, BE-Base Platform Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-CONSOLE-23-002 Dashboard deltas API | TODO | Provide aggregated advisory delta counts (new, modified, conflicting) for Console dashboard + live status ticker; emit structured events for queue lag metrics. Ensure deterministic counts across repeated queries. Dependencies: CONCELIER-CONSOLE-23-001, CONCELIER-LNM-21-203. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-CONSOLE-23-003 Search fan-out helpers | TODO | Deliver fast lookup endpoints for CVE/GHSA/purl search (linksets, observations) returning evidence fragments for Console global search; implement caching + scope guards. Dependencies: CONCELIER-CONSOLE-23-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-CORE-AOC-19-004 Remove ingestion normalization | DOING (2025-10-28) | Strip normalization/dedup/severity logic from ingestion pipelines, delegate derived computations to Policy Engine, and update exporters/tests to consume raw documents only. 2025-10-29 19:05Z: Audit completed for AdvisoryRawService/Mongo repo to confirm alias order/dedup removal persists; identified remaining normalization in observation/linkset factory that will be revised to surface raw duplicates for Policy ingestion. Change sketch + regression matrix drafted under docs/dev/aoc-normalization-removal-notes.md (pending commit). 2025-10-31 20:45Z: Added raw linkset projection to observations/storage, exposing canonical+raw views, refreshed fixtures/tests, and documented behaviour in models/doc factory. 2025-10-31 21:10Z: Coordinated with Policy Engine (POLICY-ENGINE-20-003) on adoption timeline; backfill + consumer readiness tracked in docs/dev/raw-linkset-backfill-plan.md. Dependencies: CONCELIER-CORE-AOC-19-002, POLICY-AOC-19-003. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-CORE-AOC-19-013 Authority tenant scope smoke coverage | TODO | Extend Concelier smoke/e2e fixtures to configure requiredTenants and assert cross-tenant rejection with updated Authority tokens. Dependencies: AUTH-AOC-19-002. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
[Ingestion & Evidence] 110.B) Concelier.II
Depends on: Sprint 110.B - Concelier.I
Summary: Ingestion & Evidence focus on Concelier (phase II).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| CONCELIER-GRAPH-21-001 SBOM projection enrichment | BLOCKED (2025-10-27) | Extend SBOM normalization to emit full relationship graph (depends_on/contains/provides), scope tags, entrypoint annotations, and component metadata required by Cartographer. | Concelier Core Guild, Cartographer Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-GRAPH-21-002 Change events | BLOCKED (2025-10-27) | Publish change events (new SBOM version, relationship delta) for Cartographer build queue; ensure events include tenant/context metadata. Dependencies: CONCELIER-GRAPH-21-001. | Concelier Core Guild, Scheduler Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-GRAPH-24-101 Advisory summary API | TODO | Expose /advisories/summary returning raw linkset/observation metadata for overlay services; no derived severity or fix hints. Dependencies: CONCELIER-GRAPH-21-002. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-GRAPH-28-102 Evidence batch API | TODO | Add batch fetch for advisory observations/linksets keyed by component sets to feed Graph overlay tooltips efficiently. Dependencies: CONCELIER-GRAPH-24-101. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-LNM-21-001 Advisory observation schema | TODO | Introduce immutable advisory_observations model with AOC metadata, raw payload pointers, structured per-source fields (version ranges, severity, CVSS), and tenancy guardrails; publish schema definition. DOCS-LNM-22-001 blocked pending this deliverable. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-LNM-21-002 Linkset builder | TODO | Implement correlation pipeline (alias graph, PURL overlap, CVSS vector equality, fuzzy title match) that produces advisory_linksets with confidence + conflict annotations. Docs note: unblock DOCS-LNM-22-001 once builder lands. Dependencies: CONCELIER-LNM-21-001. | Concelier Core Guild, Data Science Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-LNM-21-003 Conflict annotator | TODO | Detect field disagreements (severity, CVSS, ranges, references) and record structured conflicts on linksets; surface to API/UI. Docs awaiting structured conflict payloads. Dependencies: CONCELIER-LNM-21-002. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-LNM-21-004 Merge code removal | TODO | Excise existing merge/dedup logic, enforce immutability on observations, and add guards/tests to prevent future merges. Dependencies: CONCELIER-LNM-21-003. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-LNM-21-005 Event emission | TODO | Emit advisory.linkset.updated events with delta payloads for downstream Policy Engine/Cartographer consumers; ensure idempotent delivery. Dependencies: CONCELIER-LNM-21-004. | Concelier Core Guild, Platform Events Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-LNM-21-101 Observations collections | TODO | Provision advisory_observations and advisory_linksets collections with hashed shard keys, TTL for ingest metadata, and required indexes (aliases, purls, observation_ids). Dependencies: CONCELIER-LNM-21-005. | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md) |
| CONCELIER-LNM-21-102 Migration tooling | TODO | Backfill legacy merged advisories into observation/linkset collections, create tombstones for merged docs, and supply rollback scripts. Dependencies: CONCELIER-LNM-21-101. | Concelier Storage Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md) |
| CONCELIER-LNM-21-103 Blob/store wiring | TODO | Store large raw payloads in object storage with pointers from observations; update bootstrapper/offline kit to seed sample blobs. Dependencies: CONCELIER-LNM-21-102. | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md) |
| CONCELIER-LNM-21-201 Observation APIs | TODO | Add REST endpoints for advisory observations (GET /advisories/observations) with filters (alias, purl, source), pagination, and tenancy enforcement. Dependencies: CONCELIER-LNM-21-103. | Concelier WebService Guild, BE-Base Platform Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-LNM-21-202 Linkset APIs | TODO | Implement linkset read/export endpoints (/advisories/linksets/{id}, /advisories/by-purl/{purl}, /advisories/linksets/{id}/export, /evidence) with correlation/conflict payloads and ERR_AGG_* mapping. Dependencies: CONCELIER-LNM-21-201. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-LNM-21-203 Ingest events | TODO | Publish NATS/Redis events for new observations/linksets and ensure idempotent consumer contracts; document event schemas. Dependencies: CONCELIER-LNM-21-202. | Concelier WebService Guild, Platform Events Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
[Ingestion & Evidence] 110.B) Concelier.III
Depends on: Sprint 110.B - Concelier.II
Summary: Ingestion & Evidence focus on Concelier (phase III).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| CONCELIER-OAS-61-001 Spec coverage | TODO | Update Concelier OAS with advisory observation/linkset endpoints, standard pagination, and source provenance fields. | Concelier Core Guild, API Contracts Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OAS-61-002 Examples library | TODO | Provide rich examples for advisories, linksets, conflict annotations used by SDK + docs. Dependencies: CONCELIER-OAS-61-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OAS-62-001 SDK smoke tests | TODO | Add SDK tests covering advisory search, pagination, and conflict handling; ensure source metadata surfaced. Dependencies: CONCELIER-OAS-61-002. | Concelier Core Guild, SDK Generator Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OAS-63-001 Deprecation headers | TODO | Implement deprecation header support and timeline events for retiring endpoints. Dependencies: CONCELIER-OAS-62-001. | Concelier Core Guild, API Governance Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OBS-50-001 Telemetry adoption | TODO | Replace ad-hoc logging with telemetry core across ingestion/linking pipelines; ensure spans/logs include tenant, source vendor, upstream id, content hash, and trace IDs. | Concelier Core Guild, Observability Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OBS-51-001 Metrics & SLOs | TODO | Emit metrics for ingest latency (cold/warm), queue depth, aoc violation rate, and publish SLO burn-rate alerts (ingest P95 <30s cold / <5s warm). Ship dashboards + alert configs. Dependencies: CONCELIER-OBS-50-001. | Concelier Core Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OBS-52-001 Timeline events | TODO | Emit timeline_event records for advisory ingest/normalization/linkset creation with provenance, trace IDs, conflict summaries, and evidence placeholders. Dependencies: CONCELIER-OBS-51-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OBS-53-001 Evidence snapshots | TODO | Produce advisory evaluation bundle payloads (raw doc, linkset, normalization diff) for evidence locker; ensure Merkle manifests seeded with content hashes. Dependencies: CONCELIER-OBS-52-001. | Concelier Core Guild, Evidence Locker Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OBS-54-001 Attestation & verification | TODO | Attach DSSE attestations for advisory processing batches, expose verification API to confirm bundle integrity, and link attestation IDs back to timeline + ledger. Dependencies: CONCELIER-OBS-53-001. | Concelier Core Guild, Provenance Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-OBS-55-001 Incident mode hooks | TODO | Increase sampling, capture raw payload snapshots, and extend retention under incident mode; emit activation events + guardrails against PII leak. Dependencies: CONCELIER-OBS-54-001. | Concelier Core Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-ORCH-32-001 Source registry integration | TODO | Register Concelier data sources with orchestrator (metadata, schedules, rate policies) and wire provenance IDs/security scopes. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-ORCH-32-002 Worker SDK adoption | TODO | Embed orchestrator worker SDK in ingestion loops, emit heartbeats/progress/artifact hashes, and enforce idempotency keys. Dependencies: CONCELIER-ORCH-32-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-ORCH-33-001 Control hook compliance | TODO | Honor orchestrator throttle/pause/retry actions, surface structured error classes, and persist safe checkpoints for resume. Dependencies: CONCELIER-ORCH-32-002. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-ORCH-34-001 Backfill + ledger linkage | TODO | Execute orchestrator-driven backfills, reuse artifact hashes to avoid duplicates, and link provenance to run ledger exports. Dependencies: CONCELIER-ORCH-33-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-POLICY-20-001 Policy selection endpoints | TODO | Add batch advisory lookup APIs (/policy/select/advisories, /policy/select/vex) optimized for PURL/ID lists with pagination, tenant scoping, and explain metadata. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
[Ingestion & Evidence] 110.B) Concelier.IV
Depends on: Sprint 110.B - Concelier.III
Summary: Ingestion & Evidence focus on Concelier (phase IV).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| CONCELIER-POLICY-20-002 Linkset enrichment for policy | TODO | Strengthen linkset builders with vendor-specific equivalence tables, NEVRA/PURL normalization, and version range parsing to maximize policy join recall; update fixtures + docs. Dependencies: CONCELIER-POLICY-20-001. | Concelier Core Guild, Policy Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-POLICY-20-003 Selection cursors | TODO | Add advisory/vex selection cursors (per policy run) with change stream checkpoints, indexes, and offline migration scripts to support incremental evaluations. Dependencies: CONCELIER-POLICY-20-002. | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md) |
| CONCELIER-POLICY-23-001 Evidence indexes | TODO | Add secondary indexes/materialized views to accelerate policy lookups (alias, provider severity per observation, correlation confidence). Document query contracts for runtime. Dependencies: CONCELIER-POLICY-20-003. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-POLICY-23-002 Event guarantees | TODO | Ensure advisory.linkset.updated emits at-least-once with idempotent keys and include policy-relevant metadata (confidence, conflict summary). Dependencies: CONCELIER-POLICY-23-001. | Concelier Core Guild, Platform Events Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-RISK-66-001 CVSS/KEV providers | TODO | Expose CVSS, KEV, fix availability data via provider APIs with source metadata preserved. Dependencies: RISK-ENGINE-67-001. | Concelier Core Guild, Risk Engine Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-RISK-66-002 Fix availability signals | TODO | Provide structured fix availability and release metadata consumable by risk engine; document provenance. Dependencies: CONCELIER-RISK-66-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-RISK-67-001 Source coverage metrics | TODO | Add per-source coverage metrics for linked advisories (observation counts, conflicting statuses) without computing consensus scores; ensure explainability includes source digests. Dependencies: CONCELIER-RISK-66-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-RISK-68-001 Policy Studio integration | TODO | Surface advisory fields in Policy Studio profile editor (signal pickers, reducers). Dependencies: POLICY-RISK-68-001. | Concelier Core Guild, Policy Studio Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-RISK-69-001 Notification hooks | TODO | Emit events when advisory signals change impacting risk scores (e.g., fix available). Dependencies: CONCELIER-RISK-66-002. | Concelier Core Guild, Notifications Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-SIG-26-001 Vulnerable symbol exposure | TODO | Expose advisory metadata (affected symbols/functions) via API to enrich reachability scoring; update fixtures. Dependencies: SIGNALS-24-002. | Concelier Core Guild, Signals Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-STORE-AOC-19-005 Raw linkset backfill | TODO (2025-11-04) | Plan and execute advisory_observations rawLinkset backfill (online + Offline Kit bundles), supply migration scripts + rehearse rollback. Follow the coordination plan in docs/dev/raw-linkset-backfill-plan.md. Dependencies: CONCELIER-CORE-AOC-19-004. | Concelier Storage Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md) |
| CONCELIER-TEN-48-001 Tenant-aware linking | TODO | Ensure advisory normalization/linking runs per tenant with RLS enforcing isolation; emit capability endpoint reporting merge=false; update events with tenant context. Dependencies: AUTH-TEN-47-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) |
| CONCELIER-VEXLENS-30-001 Advisory rationale bridges | TODO | Guarantee advisory key consistency and cross-links for consensus rationale; Label: VEX-Lens. Dependencies: CONCELIER-VULN-29-001, VEXLENS-30-005. | Concelier WebService Guild, VEX Lens Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-VULN-29-001 Advisory key canonicalization | TODO | Canonicalize (lossless) advisory identifiers (CVE/GHSA/vendor) into advisory_key, persist links[], expose raw payload snapshots for Explorer evidence tabs; AOC-compliant: no merge, no derived fields, no suppression. Include migration/backfill scripts. Dependencies: CONCELIER-LNM-21-001. | Concelier WebService Guild, Data Integrity Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-VULN-29-002 Evidence retrieval API | TODO | Provide /vuln/evidence/advisories/{advisory_key} returning raw advisory docs with provenance, filtering by tenant and source. Dependencies: CONCELIER-VULN-29-001, VULN-API-29-003. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
[Ingestion & Evidence] 110.B) Concelier.V
Depends on: Sprint 110.B - Concelier.IV
Summary: Ingestion & Evidence focus on Concelier (phase V).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| CONCELIER-VULN-29-004 Observability enhancements | TODO | Instrument metrics/logs for observation + linkset pipelines (identifier collisions, withdrawn flags) and emit events consumed by Vuln Explorer resolver. Dependencies: CONCELIER-VULN-29-001. | Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-AIRGAP-56-001 Mirror import APIs | TODO | Extend ingestion endpoints to register mirror bundle sources, expose bundle catalog queries, and block external feed URLs in sealed mode. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-AIRGAP-56-002 Airgap status surfaces | TODO | Add staleness metadata and bundle provenance to advisory APIs (/advisories/observations, /advisories/linksets). Dependencies: CONCELIER-WEB-AIRGAP-56-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-AIRGAP-57-001 Error remediation | TODO | Map sealed-mode violations to AIRGAP_EGRESS_BLOCKED responses with user guidance. Dependencies: CONCELIER-WEB-AIRGAP-56-002. | Concelier WebService Guild, AirGap Policy Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-AIRGAP-58-001 Import timeline emission | TODO | Emit timeline events for bundle ingestion operations with bundle ID, scope, and actor metadata. Dependencies: CONCELIER-WEB-AIRGAP-57-001. | Concelier WebService Guild, AirGap Importer Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-AOC-19-002 AOC observability | TODO | Emit ingestion_write_total, aoc_violation_total, latency histograms, and tracing spans (ingest.fetch/transform/write, aoc.guard). Wire structured logging to include tenant, source vendor, upstream id, and content hash. | Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-AOC-19-003 Schema/guard unit tests | TODO | Add unit tests covering schema validation failures, forbidden field rejections (ERR_AOC_001/002/006/007), idempotent upserts, and supersedes chains using deterministic fixtures. Dependencies: CONCELIER-WEB-AOC-19-002. | QA Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-AOC-19-004 End-to-end ingest verification | TODO | Create integration tests ingesting large advisory batches (cold/warm) validating linkset enrichment, metrics emission, and reproducible outputs. Capture load-test scripts + doc notes for Offline Kit dry runs. Dependencies: CONCELIER-WEB-AOC-19-003. | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OAS-61-001 /.well-known/openapi | DONE (2025-11-02) | Implement discovery endpoint emitting Concelier spec with version metadata and ETag. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OAS-61-002 Error envelope migration | TODO | Ensure all API responses use standardized error envelope; update controllers/tests. Dependencies: CONCELIER-WEB-OAS-61-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OAS-62-001 Examples expansion | TODO | Add curated examples for advisory observations/linksets/conflicts; integrate into dev portal. Dependencies: CONCELIER-WEB-OAS-61-002. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OAS-63-001 Deprecation headers | TODO | Add Sunset/Deprecation headers for retiring endpoints and update documentation/notifications. Dependencies: CONCELIER-WEB-OAS-62-001. | Concelier WebService Guild, API Governance Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OBS-50-001 Telemetry adoption | TODO | Adopt telemetry core in web service host, ensure ingest + read endpoints emit trace/log fields (tenant_id, route, decision_effect), and add correlation IDs to responses. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OBS-51-001 Observability APIs | TODO | Surface ingest health metrics, queue depth, and SLO status via /obs/concelier/health endpoint for Console widgets, with caching and tenant partitioning. Dependencies: CONCELIER-WEB-OBS-50-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OBS-52-001 Timeline streaming | TODO | Provide SSE stream /obs/concelier/timeline bridging to Timeline Indexer with paging tokens, guardrails, and audit logging. Dependencies: CONCELIER-WEB-OBS-51-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
[Ingestion & Evidence] 110.B) Concelier.VI
Depends on: Sprint 110.B - Concelier.V
Summary: Ingestion & Evidence focus on Concelier (phase VI).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| CONCELIER-WEB-OBS-53-001 Evidence locker integration | TODO | Add /evidence/advisories/* routes invoking evidence locker snapshots, verifying tenant scopes (evidence:read), and returning signed manifest metadata. Dependencies: CONCELIER-WEB-OBS-52-001. | Concelier WebService Guild, Evidence Locker Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OBS-54-001 Attestation exposure | TODO | Provide /attestations/advisories/* read APIs surfacing DSSE status, verification summary, and provenance chain for Console/CLI. Dependencies: CONCELIER-WEB-OBS-53-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| CONCELIER-WEB-OBS-55-001 Incident mode toggles | TODO | Implement incident mode toggle endpoints, propagate to orchestrator/locker, and document cooldown/backoff semantics. Dependencies: CONCELIER-WEB-OBS-54-001. | Concelier WebService Guild, DevOps Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) |
| FEEDCONN-CCCS-02-009 Version range provenance (Oct 2025) | BE-Conn-CCCS | TODO (due 2025-10-21) – Map CCCS advisories into the new advisory_observations.affected.versions[] structure, preserving each upstream range with provenance anchors (cccs:{serial}:{index}) and normalized comparison keys. Update mapper tests/fixtures for the Link-Not-Merge schema and verify linkset builders consume the ranges without relying on legacy merge counters. 2025-10-29: docs/dev/normalized-rule-recipes.md now documents helper snippets for building observation version entries—use them instead of merge-specific builders and refresh fixtures with UPDATE_CCCS_FIXTURES=1. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs/TASKS.md) |
| FEEDCONN-CERTBUND-02-010 Version range provenance | BE-Conn-CERTBUND | TODO (due 2025-10-22) – Translate product.Versions phrases (e.g., 2023.1 bis 2024.2, alle) into comparison helpers for advisory_observations.affected.versions[], capturing provenance (certbund:{advisoryId}:{vendor}) and localisation notes. Update mapper/tests for the Link-Not-Merge schema and refresh documentation accordingly. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund/TASKS.md) |
| FEEDCONN-CISCO-02-009 SemVer range provenance | BE-Conn-Cisco | TODO (due 2025-10-21) – Emit Cisco SemVer ranges into advisory_observations.affected.versions[] with provenance identifiers (cisco:{productId}) and deterministic comparison keys. Update mapper/tests for the Link-Not-Merge schema and replace legacy merge counter checks with observation/linkset validation. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco/TASKS.md) |
| FEEDCONN-ICSCISA-02-012 Version range provenance | BE-Conn-ICS-CISA | DONE (2025-11-03) – Promote existing firmware/semver data into advisory_observations.affected.versions[] entries with deterministic comparison keys and provenance identifiers (ics-cisa:{advisoryId}:{product}). Add regression coverage for mixed firmware strings and raise a Models ticket only when observation schema needs a new comparison helper. 2025-10-29: Follow docs/dev/normalized-rule-recipes.md §2 to build observation version entries and log failures without invoking the retired merge helpers. 2025-11-03: Completed – connector now normalizes semver ranges with provenance notes, RSS fallback content clears the AOC guard, and end-to-end Fetch/Parse/Map integration tests pass. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Cisa/TASKS.md) |
| FEEDCONN-KISA-02-008 Firmware range provenance | BE-Conn-KISA, Models | DONE (2025-11-04) – Define comparison helpers for Hangul-labelled firmware ranges (XFU 1.0.1.0084 ~ 2.0.1.0034) and map them into advisory_observations.affected.versions[] with provenance tags. Coordinate with Models only if a new comparison scheme is required, then update localisation notes and fixtures for the Link-Not-Merge schema. 2025-11-03: Analysis in progress – auditing existing mapper output/fixtures ahead of implementing firmware range normalization and provenance wiring. 2025-11-03: SemVer normalization helper wired through KisaMapper with provenance slugs + vendor extensions; integration tests updated and green, follow-up capture for additional Hangul exclusivity markers queued before completion. 2025-11-03: Extended connector tests to cover single-ended (이상, 초과, 이하, 미만) and non-numeric phrases, verifying normalized rule types (gt, gte, lt, lte) and fallback behaviour; broader corpus review remains before transitioning to DONE. 2025-11-03: Captured the top 10 detailDos.do?IDX= pages into seed-data/kisa/html/ via scripts/kisa_capture_html.py; JSON endpoint (rssDetailData.do?IDX=…) now returns error pages, so connector updates must parse the embedded HTML or secure authenticated API access before closing. 2025-11-04: Fetch + parse pipeline now consumes the HTML detail pages end to end (metadata persisted, DOM parser extracts vendor/product ranges); fixtures/tests operate on the HTML snapshots to guard normalized SemVer + vendor extension expectations and severity extraction. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kisa/TASKS.md) |
| FEEDCONN-SHARED-STATE-003 Source state seeding helper | Tools Guild, BE-Conn-MSRC | DONE (2025-11-04) – Delivered SourceStateSeeder CLI + processor APIs, Mongo fixtures, and MSRC runbook updates. Seeds raw docs + cursor state deterministically; tests cover happy/path/idempotent flows (dotnet test src/Concelier/__Tests/StellaOps.Concelier.Connector.Common.Tests/... – note: requires libcrypto.so.1.1 when running Mongo2Go locally). | Tools (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Common/TASKS.md) |
| FEEDMERGE-COORD-02-901 Connector deadline check-ins | BE-Merge | TODO (due 2025-10-21) – Confirm Cccs/Cisco version-provenance updates land, capture LinksetVersionCoverage dashboard snapshots (expect zero missing-range warnings), and update coordination docs with the results. 2025-10-29: Observation metrics now surface version_entries_total/missing_version_entries_total; include screenshots for both when closing this task. | FEEDMERGE-COORD-02-900 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) |
| FEEDMERGE-COORD-02-902 ICS-CISA version comparison support | BE-Merge, Models | TODO (due 2025-10-23) – Review ICS-CISA sample advisories, validate reuse of existing comparison helpers, and pre-stage Models ticket template only if a new firmware comparator is required. Document the outcome and observation coverage logs in coordination docs + tracker files. 2025-10-29: docs/dev/normalized-rule-recipes.md (§2–§3) now covers observation entries; attach decision summary + log sample when handing off to Models. Dependencies: FEEDMERGE-COORD-02-901. | FEEDMERGE-COORD-02-900 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) |
| FEEDMERGE-COORD-02-903 KISA firmware scheme review | BE-Merge, Models | TODO (due 2025-10-24) – Pair with KISA team on proposed firmware comparison helper (kisa.build or variant), ensure observation mapper alignment, and open Models ticket only if a new comparator is required. Log the final helper signature and observation coverage metrics in coordination docs + tracker files. Dependencies: FEEDMERGE-COORD-02-902. | FEEDMERGE-COORD-02-900 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) |
| Fixture validation sweep | QA | DONE (2025-11-04) – Regenerated RHSA CSAF goldens via scripts/update-redhat-fixtures.sh (sets UPDATE_GOLDENS=1) and re-ran connector tests dotnet test src/Concelier/__Tests/StellaOps.Concelier.Connector.Distro.RedHat.Tests/StellaOps.Concelier.Connector.Distro.RedHat.Tests.csproj --no-restore to confirm snapshot parity. | None (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.RedHat/TASKS.md) |
| Link-Not-Merge version provenance coordination | BE-Merge | DONE (2025-11-04) – Published connector status tracker + follow-up IDs in docs/dev/normalized-rule-recipes.md, enabled Normalized version rules missing diagnostics in Merge, and aligned dashboards on LinksetVersionCoverage. Remaining gaps (ACSC/CCCS/CERTBUND/Cisco/RU-BDU) documented as upstream data deficiencies awaiting feed updates. Dependencies: CONCELIER-LNM-21-203. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) |
| MERGE-LNM-21-001 | DONE (2025-11-03) | Draft no-merge migration playbook, documenting backfill strategy, feature flag rollout, and rollback steps for legacy merge pipeline deprecation. 2025-11-03: Authored docs/migration/no-merge.md covering rollout phases, backfill/validation checklists, and rollback guidance; shared artefact owners. | BE-Merge, Architecture Guild (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) |
[Ingestion & Evidence] 110.B) Concelier.VII
Depends on: Sprint 110.B - Concelier.VI
Summary: Ingestion & Evidence focus on Concelier (phase VII).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| MERGE-LNM-21-002 | DOING (2025-11-03) | Refactor or retire AdvisoryMergeService and related pipelines, ensuring callers transition to observation/linkset APIs; add compile-time analyzer preventing merge service usage. 2025-11-03: Began dependency audit and call-site inventory ahead of deprecation plan; cataloging service registrations/tests referencing merge APIs. | BE-Merge (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) |
| MERGE-LNM-21-003 Determinism/test updates | QA Guild, BE-Merge | Replace merge determinism suites with observation/linkset regression tests verifying no data mutation and conflicts remain visible. Dependencies: MERGE-LNM-21-002. | MERGE-LNM-21-002 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) |
[Ingestion & Evidence] 110.C) Excititor.I
Depends on: Sprint 100.A - Attestor
Summary: Ingestion & Evidence focus on Excititor (phase I).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EXCITITOR-AIAI-31-001 Justification enrichment | TODO | Expose normalized VEX justifications, product trees, and paragraph anchors for Advisory AI conflict explanations. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-AIAI-31-002 VEX chunk API | TODO | Provide /vex/evidence/chunks endpoint returning tenant-scoped VEX statements with signature metadata and scope scores for RAG. Dependencies: EXCITITOR-AIAI-31-001. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-AIAI-31-003 Telemetry | TODO | Emit metrics/logs for VEX chunk usage, signature verification failures, and guardrail triggers. Dependencies: EXCITITOR-AIAI-31-002. | Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-AIRGAP-56-001 Mirror ingestion adapters | TODO | Add mirror-based VEX ingestion, preserving statement digests and bundle IDs. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-AIRGAP-56-002 Bundle provenance | TODO | Persist bundle metadata on VEX observations/linksets with provenance references. Dependencies: EXCITITOR-AIRGAP-56-001. | Excititor Core Guild, AirGap Importer Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-AIRGAP-57-001 Sealed-mode enforcement | TODO | Block non-mirror connectors in sealed mode and surface remediation errors. Dependencies: EXCITITOR-AIRGAP-56-002. | Excititor Core Guild, AirGap Policy Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-AIRGAP-57-002 Staleness annotations | TODO | Annotate VEX statements with staleness metrics and expose via API. Dependencies: EXCITITOR-AIRGAP-57-001. | Excititor Core Guild, AirGap Time Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-AIRGAP-58-001 Portable VEX evidence | TODO | Package VEX evidence segments into portable evidence bundles linked to timeline. Dependencies: EXCITITOR-AIRGAP-57-002. | Excititor Core Guild, Evidence Locker Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-ATTEST-01-003 – Verification suite & observability | Team Excititor Attestation | DOING (2025-10-22) – Continuing implementation: build IVexAttestationVerifier, wire metrics/logging, and add regression tests. Draft plan in EXCITITOR-ATTEST-01-003-plan.md (2025-10-19) guides scope; updating with worknotes as progress lands. 2025-10-31: Verifier now tolerates duplicate source providers from AOC raw projections, downgrades offline Rekor verification to a degraded result, and enforces trusted signer registry checks with detailed diagnostics/tests. | EXCITITOR-ATTEST-01-002 (src/Excititor/__Libraries/StellaOps.Excititor.Attestation/TASKS.md) |
| EXCITITOR-ATTEST-73-001 VEX attestation payloads | TODO | Provide VEX statement metadata (supplier identity, justification, scope) required for VEXAttestation payloads. Dependencies: EXCITITOR-ATTEST-01-003. | Excititor Core Guild, Attestation Payloads Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-ATTEST-73-002 Chain provenance | TODO | Expose linkage from VEX statements to subject/product for chain of custody graph. Dependencies: EXCITITOR-ATTEST-73-001. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-CONN-MS-01-003 – Trust metadata & provenance hints | Team Excititor Connectors – MSRC | TODO – Emit cosign/AAD issuer metadata, attach provenance details, and document policy integration. | EXCITITOR-CONN-MS-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/TASKS.md) |
| EXCITITOR-CONN-ORACLE-01-003 – Trust provenance enrichment | Team Excititor Connectors – Oracle | TODO – Emit Oracle signing metadata (PGP/cosign fingerprint list, issuer trust tier) into raw provenance so downstream services can evaluate trust. Connector must not apply consensus weighting during ingestion. | EXCITITOR-CONN-ORACLE-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md) |
| EXCITITOR-CONN-STELLA-07-002 | TODO | Parse mirror bundles into raw VexClaim batches, preserving original provider metadata and mirror provenance without applying consensus or weighting. | Excititor Connectors – Stella (src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md) |
| EXCITITOR-CONN-STELLA-07-003 | TODO | Implement incremental cursor handling per-export digest for raw claim replays, support resume, and document configuration for downstream Excititor mirrors. Dependencies: EXCITITOR-CONN-STELLA-07-002. | Excititor Connectors – Stella (src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md) |
[Ingestion & Evidence] 110.C) Excititor.II
Depends on: Sprint 110.C - Excititor.I
Summary: Ingestion & Evidence focus on Excititor (phase II).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EXCITITOR-CONN-SUSE-01-003 – Trust metadata provenance | Team Excititor Connectors – SUSE | TODO – Emit provider trust configuration (signer fingerprints, trust tier notes) into the raw provenance envelope so downstream VEX Lens/Policy components can weigh issuers. Connector must not apply weighting or consensus inside ingestion. | EXCITITOR-CONN-SUSE-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md) |
| EXCITITOR-CONN-UBUNTU-01-003 – Trust provenance enrichment | Team Excititor Connectors – Ubuntu | TODO – Emit Ubuntu signing metadata (GPG fingerprints, issuer trust tier) inside raw provenance artifacts so downstream Policy/VEX Lens consumers can weigh issuers. Connector must remain aggregation-only with no inline weighting. | EXCITITOR-CONN-UBUNTU-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md) |
| EXCITITOR-CONSOLE-23-001 VEX aggregation views | TODO | Expose /console/vex endpoints returning grouped VEX statements per advisory/component with status chips, justification metadata, precedence trace pointers, and tenant-scoped filters for Console explorer. Dependencies: EXCITITOR-LNM-21-201, EXCITITOR-LNM-21-202. | Excititor WebService Guild, BE-Base Platform Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-CONSOLE-23-002 Dashboard VEX deltas | TODO | Provide aggregated counts for VEX overrides (new, not_affected, revoked) powering Console dashboard + live status ticker; emit metrics for policy explain integration. Dependencies: EXCITITOR-CONSOLE-23-001, EXCITITOR-LNM-21-203. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-CONSOLE-23-003 VEX search helpers | TODO | Deliver rapid lookup endpoints of VEX by advisory/component for Console global search; ensure response includes provenance and precedence context; include caching and RBAC. Dependencies: EXCITITOR-CONSOLE-23-001. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-CORE-AOC-19-002 VEX linkset extraction | TODO | Implement deterministic extraction of advisory IDs, component PURLs, and references into linkset, capturing reconciled-from metadata for traceability. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-CORE-AOC-19-003 Idempotent VEX raw upsert | TODO | Enforce (vendor, upstreamId, contentHash, tenant) uniqueness, generate supersedes chains, and ensure append-only versioning of raw VEX documents. Dependencies: EXCITITOR-CORE-AOC-19-002. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-CORE-AOC-19-004 Remove ingestion consensus | TODO | Excise consensus/merge/severity logic from Excititor ingestion paths, updating exports/tests to rely on Policy Engine materializations instead. Dependencies: EXCITITOR-CORE-AOC-19-003. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-CORE-AOC-19-013 Authority tenant scope smoke coverage | TODO | Update Excititor smoke/e2e suites to seed tenant-aware Authority clients and ensure cross-tenant VEX ingestion is rejected. Dependencies: EXCITITOR-CORE-AOC-19-004. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-GRAPH-21-001 Inspector linkouts | BLOCKED (2025-10-27) | Provide batched VEX/advisory reference fetches keyed by graph node PURLs so UI inspector can display raw documents and justification metadata. | Excititor Core Guild, Cartographer Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-GRAPH-21-002 Overlay enrichment | BLOCKED (2025-10-27) | Ensure overlay metadata includes VEX justification summaries and document versions for Cartographer overlays; update fixtures/tests. Dependencies: EXCITITOR-GRAPH-21-001. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-GRAPH-21-005 Inspector indexes | BLOCKED (2025-10-27) | Add indexes/materialized views for VEX lookups by PURL/policy to support Cartographer inspector performance; document migrations. Dependencies: EXCITITOR-GRAPH-21-002. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-GRAPH-24-101 VEX summary API | TODO | Provide endpoints delivering VEX status summaries per component/asset for Vuln Explorer integration. Dependencies: EXCITITOR-GRAPH-21-005. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-GRAPH-24-102 Evidence batch API | TODO | Add batch VEX observation retrieval optimized for Graph overlays/tooltips. Dependencies: EXCITITOR-GRAPH-24-101. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-LNM-21-001 VEX observation model | TODO | Define immutable vex_observations schema capturing raw statements, product PURLs, justification, and AOC metadata. DOCS-LNM-22-002 blocked pending this schema. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
[Ingestion & Evidence] 110.C) Excititor.III
Depends on: Sprint 110.C - Excititor.II
Summary: Ingestion & Evidence focus on Excititor (phase III).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EXCITITOR-LNM-21-002 Linkset correlator | TODO | Build correlation pipeline combining alias + product PURL signals to form vex_linksets with confidence metrics. Docs waiting to finalize VEX aggregation guide. Dependencies: EXCITITOR-LNM-21-001. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-LNM-21-003 Conflict annotator | TODO | Record status/justification disagreements within linksets and expose structured conflicts. Provide structured payloads for DOCS-LNM-22-002. Dependencies: EXCITITOR-LNM-21-002. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-LNM-21-004 Merge removal | TODO | Remove legacy VEX merge logic, enforce immutability, and add guards/tests to prevent future merges. Dependencies: EXCITITOR-LNM-21-003. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-LNM-21-005 Event emission | TODO | Emit vex.linkset.updated events for downstream consumers with delta descriptions and tenant context. Dependencies: EXCITITOR-LNM-21-004. | Excititor Core Guild, Platform Events Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-LNM-21-101 Observations collections | TODO | Provision vex_observations/vex_linksets collections with shard keys, indexes over aliases & product PURLs, and multi-tenant guards. Dependencies: EXCITITOR-LNM-21-005. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-LNM-21-102 Migration/backfill | TODO | Backfill legacy merged VEX docs into observations/linksets, add provenance notes, and produce rollback scripts. Dependencies: EXCITITOR-LNM-21-101. | Excititor Storage Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-LNM-21-201 Observation APIs | TODO | Add VEX observation read endpoints with filters, pagination, RBAC, and tenant scoping. Dependencies: EXCITITOR-LNM-21-102. | Excititor WebService Guild, BE-Base Platform Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-LNM-21-202 Linkset APIs | TODO | Implement linkset read/export/evidence endpoints returning correlation/conflict payloads and map errors to ERR_AGG_*. Dependencies: EXCITITOR-LNM-21-201. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-LNM-21-203 Event publishing | TODO | Publish vex.linkset.updated events, document schema, and ensure idempotent delivery. Dependencies: EXCITITOR-LNM-21-202. | Excititor WebService Guild, Platform Events Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-OAS-61-001 Spec coverage | TODO | Update VEX OAS to include observation/linkset endpoints with provenance fields and examples. | Excititor Core Guild, API Contracts Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OAS-61-002 Example catalog | TODO | Provide examples for VEX justifications, statuses, conflicts; ensure SDK docs reference them. Dependencies: EXCITITOR-OAS-61-001. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OAS-62-001 SDK smoke tests | TODO | Add SDK scenarios for VEX observation queries and conflict handling to language smoke suites. Dependencies: EXCITITOR-OAS-61-002. | Excititor Core Guild, SDK Generator Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OAS-63-001 Deprecation headers | TODO | Add deprecation metadata and notifications for legacy VEX routes. Dependencies: EXCITITOR-OAS-62-001. | Excititor Core Guild, API Governance Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OBS-50-001 Telemetry adoption | TODO | Integrate telemetry core across VEX ingestion/linking, ensuring spans/logs capture tenant, product scope, upstream id, justification hash, and trace IDs. | Excititor Core Guild, Observability Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OBS-51-001 Metrics & SLOs | TODO | Publish metrics for VEX ingest latency, scope resolution success, conflict rate, signature verification failures. Define SLOs (link latency P95 <30s) and configure burn-rate alerts. Dependencies: EXCITITOR-OBS-50-001. | Excititor Core Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
[Ingestion & Evidence] 110.C) Excititor.IV
Depends on: Sprint 110.C - Excititor.III
Summary: Ingestion & Evidence focus on Excititor (phase IV).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EXCITITOR-OBS-52-001 Timeline events | TODO | Emit timeline_event entries for VEX ingest/linking/outcome changes with trace IDs, justification summaries, and evidence placeholders. Dependencies: EXCITITOR-OBS-51-001. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OBS-53-001 Evidence snapshots | TODO | Build evidence payloads for VEX statements (raw doc, normalization diff, precedence notes) and push to evidence locker with Merkle manifests. Dependencies: EXCITITOR-OBS-52-001. | Excititor Core Guild, Evidence Locker Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OBS-54-001 Attestation & verification | TODO | Attach DSSE attestations to VEX batch processing, verify chain-of-custody via Provenance library, and link attestation IDs to timeline + ledger. Dependencies: EXCITITOR-OBS-53-001. | Excititor Core Guild, Provenance Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-OBS-55-001 Incident mode | TODO | Implement incident sampling bump, additional raw payload retention, and activation events for VEX pipelines with redaction guard rails. Dependencies: EXCITITOR-OBS-54-001. | Excititor Core Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-ORCH-32-001 Worker SDK adoption | TODO | Integrate orchestrator worker SDK in Excititor ingestion jobs, emit heartbeats/progress/artifact hashes, and register source metadata. | Excititor Worker Guild (src/Excititor/StellaOps.Excititor.Worker/TASKS.md) |
| EXCITITOR-ORCH-33-001 Control compliance | TODO | Honor orchestrator pause/throttle/retry actions, classify error outputs, and persist restart checkpoints. Dependencies: EXCITITOR-ORCH-32-001. | Excititor Worker Guild (src/Excititor/StellaOps.Excititor.Worker/TASKS.md) |
| EXCITITOR-ORCH-34-001 Backfill & circuit breaker | TODO | Implement orchestrator-driven backfills, apply circuit breaker reset rules, and ensure artifact dedupe alignment. Dependencies: EXCITITOR-ORCH-33-001. | Excititor Worker Guild (src/Excititor/StellaOps.Excititor.Worker/TASKS.md) |
| EXCITITOR-POLICY-02-002 – Diagnostics for scoring signals | Team Excititor Policy | BACKLOG – Update diagnostics reports to surface missing severity/KEV/EPSS mappings, coefficient overrides, and provide actionable recommendations for policy tuning. | EXCITITOR-POLICY-02-001 (src/Excititor/__Libraries/StellaOps.Excititor.Policy/TASKS.md) |
| EXCITITOR-POLICY-20-001 Policy selection endpoints | TODO | Provide VEX lookup APIs supporting PURL/advisory batching, scope filtering, and tenant enforcement with deterministic ordering + pagination. Dependencies: EXCITITOR-POLICY-02-002. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-POLICY-20-002 Scope-aware linksets | TODO | Enhance VEX linkset extraction with scope resolution (product/component) + version range matching to boost policy join accuracy; refresh fixtures/tests. Dependencies: EXCITITOR-POLICY-20-001. | Excititor Core Guild, Policy Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-POLICY-20-003 Selection cursors | TODO | Introduce VEX selection cursor collections + indexes powering incremental policy runs; bundle change-stream checkpoint migrations and Offline Kit tooling. Dependencies: EXCITITOR-POLICY-20-002. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-POLICY-23-001 Evidence indexes | TODO | Provide indexes/materialized views for policy runtime (status, justification, product PURL) to accelerate queries; document contract. Dependencies: EXCITITOR-POLICY-20-003. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-POLICY-23-002 Event guarantees | TODO | Ensure vex.linkset.updated events include correlation confidence, conflict summaries, and idempotent ids for evaluator consumption. Dependencies: EXCITITOR-POLICY-23-001. | Excititor Core Guild, Platform Events Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-RISK-66-001 VEX gate provider | TODO | Supply VEX status and justification data for risk engine gating with full source provenance. | Excititor Core Guild, Risk Engine Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-RISK-66-002 Reachability inputs | TODO | Provide component/product scoping metadata enabling reachability and runtime factor mapping. Dependencies: EXCITITOR-RISK-66-001. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |

[Ingestion & Evidence] 110.C) Excititor.V
Depends on: Sprint 110.C - Excititor.IV
Summary: Ingestion & Evidence focus on Excititor (phase V).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EXCITITOR-RISK-67-001 Explainability metadata | TODO | Include VEX justification, status reasoning, and source digests in explainability artifacts. Dependencies: EXCITITOR-RISK-66-002. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-RISK-68-001 Policy Studio integration | TODO | Surface VEX-specific gates/weights within profile editor UI and validation messages. Dependencies: EXCITITOR-RISK-67-001. | Excititor Core Guild, Policy Studio Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-SIG-26-001 Vendor exploitability hints | TODO | Surface vendor-provided exploitability indicators and affected symbol lists to Signals service via projection endpoints. | Excititor Core Guild, Signals Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-STORE-AOC-19-001 vex_raw schema validator | TODO | Define Mongo JSON schema for vex_raw enforcing required fields and forbidding derived/consensus/severity fields. Ship unit tests with Mongo2Go to validate rejects. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-STORE-AOC-19-002 idempotency unique index | TODO | Create (source.vendor, upstream.upstream_id, upstream.content_hash, tenant) unique index with backfill checker, updating migrations + bootstrapper for offline installs. Dependencies: EXCITITOR-STORE-AOC-19-001. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-STORE-AOC-19-003 append-only migration plan | TODO | Migrate legacy consensus collections to _backup_*, seed supersedes chain for raw docs, and document rollback path + dry-run verification. Dependencies: EXCITITOR-STORE-AOC-19-002. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-STORE-AOC-19-004 validator deployment docset | TODO | Update migration runbooks and Offline Kit packaging to bundle schema validator scripts, with smoke instructions for air-gapped clusters. Dependencies: EXCITITOR-STORE-AOC-19-003. | Excititor Storage Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) |
| EXCITITOR-TEN-48-001 Tenant-aware VEX linking | TODO | Apply tenant context to VEX linkers, enable RLS, and expose capability endpoint confirming aggregation-only behavior. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) |
| EXCITITOR-VEXLENS-30-001 VEX evidence enrichers | TODO | Include issuer hints, signatures, and product trees in evidence payloads for VEX Lens; Label: VEX-Lens. | Excititor WebService Guild, VEX Lens Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-VULN-29-001 VEX key canonicalization | TODO | Canonicalize (lossless) VEX advisory/product keys (map to advisory_key, capture product scopes); expose original sources in links[]; AOC-compliant: no merge, no derived fields, no suppression; backfill existing records. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-VULN-29-002 Evidence retrieval | TODO | Provide /vuln/evidence/vex/{advisory_key} returning raw VEX statements filtered by tenant/product scope for Explorer evidence tabs. Dependencies: EXCITITOR-VULN-29-001. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-VULN-29-004 Observability | TODO | Add metrics/logs for VEX normalization, suppression scopes, withdrawn statements; emit events consumed by Vuln Explorer resolver. Dependencies: EXCITITOR-VULN-29-002. | Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-AIRGAP-56-001 | TODO | Support mirror bundle registration via APIs, expose bundle provenance in VEX responses, and block external connectors in sealed mode. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-AIRGAP-56-002 | TODO | Return VEX staleness metrics and time anchor info in API responses for Console/CLI use. Dependencies: EXCITITOR-WEB-AIRGAP-56-001. | Excititor WebService Guild, AirGap Time Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-AIRGAP-57-001 | TODO | Map sealed-mode violations to standardized error payload with remediation guidance. Dependencies: EXCITITOR-WEB-AIRGAP-56-002. | Excititor WebService Guild, AirGap Policy Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |

[Ingestion & Evidence] 110.C) Excititor.VI
Depends on: Sprint 110.C - Excititor.V
Summary: Ingestion & Evidence focus on Excititor (phase VI).

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EXCITITOR-WEB-AIRGAP-58-001 | TODO | Emit timeline events for VEX bundle imports with bundle ID, scope, and actor metadata. Dependencies: EXCITITOR-WEB-AIRGAP-57-001. | Excititor WebService Guild, AirGap Importer Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-AOC-19-001 Raw VEX ingestion APIs | TODO | Implement POST /ingest/vex, GET /vex/raw*, and POST /aoc/verify endpoints. Enforce Authority scopes, tenant injection, and guard pipeline to ensure only immutable VEX facts are persisted. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-AOC-19-002 AOC observability + metrics | TODO | Export metrics (ingestion_write_total, aoc_violation_total, signature verification counters) and tracing spans matching Concelier naming. Ensure structured logging includes tenant, source vendor, upstream id, and content hash. Dependencies: EXCITITOR-WEB-AOC-19-001. | Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-AOC-19-003 Guard + schema test harness | TODO | Add unit/integration tests for schema validation, forbidden field rejection (ERR_AOC_001/006/007), and supersedes behavior using CycloneDX-VEX & CSAF fixtures with deterministic expectations. Dependencies: EXCITITOR-WEB-AOC-19-002. | QA Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-AOC-19-004 Batch ingest validation | TODO | Build large fixture ingest covering mixed VEX statuses, verifying raw storage parity, metrics, and CLI aoc verify compatibility. Document load test/runbook updates. Dependencies: EXCITITOR-WEB-AOC-19-003. | Excititor WebService Guild, QA Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OAS-61-001 | TODO | Implement /.well-known/openapi discovery endpoint with spec version metadata. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OAS-61-002 | TODO | Standardize error envelope responses and update controller/unit tests. Dependencies: EXCITITOR-WEB-OAS-61-001. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OAS-62-001 | TODO | Add curated examples for VEX observation/linkset endpoints and ensure portal displays them. Dependencies: EXCITITOR-WEB-OAS-61-002. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OAS-63-001 | TODO | Emit deprecation headers and update docs for retiring VEX APIs. Dependencies: EXCITITOR-WEB-OAS-62-001. | Excititor WebService Guild, API Governance Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OBS-50-001 Telemetry adoption | TODO | Adopt telemetry core for VEX APIs, ensure responses include trace IDs & correlation headers, and update structured logging for read endpoints. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OBS-51-001 Observability health endpoints | TODO | Implement /obs/excititor/health summarizing ingest/link SLOs, signature failure counts, and conflict trends for Console dashboards. Dependencies: EXCITITOR-WEB-OBS-50-001. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OBS-52-001 Timeline streaming | TODO | Provide SSE bridge for VEX timeline events with tenant filters, pagination, and guardrails. Dependencies: EXCITITOR-WEB-OBS-51-001. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OBS-53-001 Evidence APIs | TODO | Expose /evidence/vex/* endpoints that fetch locker bundles, enforce scopes, and surface verification metadata. Dependencies: EXCITITOR-WEB-OBS-52-001. | Excititor WebService Guild, Evidence Locker Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OBS-54-001 Attestation APIs | TODO | Add /attestations/vex/* endpoints returning DSSE verification state, builder identity, and chain-of-custody links. Dependencies: EXCITITOR-WEB-OBS-53-001. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |
| EXCITITOR-WEB-OBS-55-001 Incident mode toggles | TODO | Provide incident mode API for VEX pipelines with activation audit logs and retention override previews. Dependencies: EXCITITOR-WEB-OBS-54-001. | Excititor WebService Guild, DevOps Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) |

[Ingestion & Evidence] 110.D) Mirror
Depends on: Sprint 100.A - Attestor
Summary: Ingestion & Evidence focus on Mirror.

| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| MIRROR-CRT-56-001 | TODO | Implement deterministic bundle assembler supporting advisories, VEX, policy packs with Zstandard compression and manifest generation. Dependencies: EXPORT-OBS-51-001. | Mirror Creator Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md) |
| MIRROR-CRT-56-002 | TODO | Integrate DSSE signing and TUF metadata generation (root, snapshot, timestamp, targets). Dependencies: MIRROR-CRT-56-001, PROV-OBS-53-001. | Mirror Creator Guild, Security Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md) |
| MIRROR-CRT-57-001 | TODO | Add optional OCI image collection producing oci-archive layout with digests recorded in manifest. Dependencies: MIRROR-CRT-56-001. | Mirror Creator Guild, DevOps Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md) |
| MIRROR-CRT-57-002 | TODO | Embed signed time anchor metadata (meta/time-anchor.json) sourced from trusted authority. Dependencies: MIRROR-CRT-56-002, AIRGAP-TIME-57-001. | Mirror Creator Guild, AirGap Time Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md) |
| MIRROR-CRT-58-001 | TODO | Deliver CLI `stella mirror create \| verify` commands with content selection flags, delta mode, and dry-run verification. Dependencies: MIRROR-CRT-56-002, CLI-AIRGAP-56-001. |
| MIRROR-CRT-58-002 | TODO | Integrate with Export Center scheduling to automate mirror bundle creation with audit logs. Dependencies: MIRROR-CRT-56-002, EXPORT-OBS-54-001. | Mirror Creator Guild, Exporter Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md) |
If all tasks are done - read next sprint section - SPRINT_120_policy_reasoning.md
2025-11-04: AIAI-31-004A DONE – WebService/Worker wiring plus filesystem queue operational; metrics/logs added; tests executed via `dotnet test src/AdvisoryAI/__Tests/StellaOps.AdvisoryAI.Tests/StellaOps.AdvisoryAI.Tests.csproj --no-restore`.
2025-11-04: AIAI-31-006 DONE – REST endpoints enforce scope headers, apply rate limits, sanitize prompts through guardrails, and enqueue execution with cached metadata.