git.stella-ops.org/docs/implplan/ADVISORY_PROCESSING_REPORT_20251220.md
StellaOps Bot d55a353481 feat(policy): Start Epic 3900 - Exception Objects as Auditable Entities
Advisory Processing:
- Processed 7 unprocessed advisories and 12 moat documents
- Created advisory processing report with 3 new epic recommendations
- Identified Epic 3900 (Exception Objects) as highest priority

Sprint 3900.0001.0001 - 4/8 tasks completed:
- T1: ExceptionObject domain model with full governance fields
- T2: ExceptionEvent model for event-sourced audit trail
- T4: IExceptionRepository interface with CRUD and query methods
- T6: ExceptionEvaluator service with PURL pattern matching

New library: StellaOps.Policy.Exceptions
- Models: ExceptionObject, ExceptionScope, ExceptionEvent
- Enums: ExceptionStatus, ExceptionType, ExceptionReason
- Services: ExceptionEvaluator with scope matching and specificity
- Repository: IExceptionRepository with filter and history support

Remaining tasks: PostgreSQL schema, repository implementation, tests
2025-12-20 23:44:55 +02:00


Advisory Processing Report — 2025-12-20

Role: Product Manager
Date: 2025-12-20
Status: ANALYZED


Executive Summary

Reviewed 7 unprocessed advisories and 12 moat documents from docs/product-advisories/unprocessed/. After cross-referencing with existing sprints, archived advisories, and implemented code, identified 3 new epic-level initiatives and 5 enhancement opportunities for existing features.


1. Advisories Reviewed

| File | Date | Primary Topic | Status |
|---|---|---|---|
| Reimagining ProofLinked UX in Security Workflows | 2025-12-16 | Narrative-First Triage UX | ALREADY PROCESSED |
| Reachability Drift Detection | 2025-12-17 | Call graph drift between versions | NEW - ACTIONABLE |
| Designing Explainable Triage and ProofLinked Evidence | 2025-12-18 | Evidence-linked approvals | OVERLAPS w/ 12/16 |
| Branch · UX patterns worth borrowing | 2025-12-20 | Competitor UX analysis | REFERENCE ONLY |
| Testing strategy | 2025-12-20 | E2E testing strategy | NEW - ACTIONABLE |
| Moat #1 (Security Delta) | 2025-12-19 | Delta Verdicts as governance | NEW - STRATEGIC |
| Moat - Exception management | 2025-12-20 | Auditable exceptions | NEW - ACTIONABLE |
| Moat - Signed Replayable Verdicts | 2025-12-20 | Verdict attestations | PARTIAL OVERLAP |
| Moat - Knowledge Snapshots | 2025-12-20 | Time-travel replay | NEW - ACTIONABLE |
| Moat - Risk Budgets | 2025-12-20 | Diff-aware release gates | PARTIAL OVERLAP |

2. Cross-Reference with Existing Work

2.1 Already Implemented (Do Not Duplicate)

| Topic | Existing Implementation | Location |
|---|---|---|
| Proof Ledger | ProofLedgerViewComponent | Sprint 3500.0004.0002 T1 |
| Reachability Explain | ReachabilityExplainWidget | Sprint 3500.0004.0002 T3 |
| Score Comparison | ScoreComparisonComponent | Sprint 3500.0004.0002 T4 |
| Proof Replay | ProofReplayDashboard | Sprint 3500.0004.0002 T5 |
| Material Risk Changes | MaterialRiskChangeDetector | Scanner.SmartDiff.Detection |
| VEX Lattice Merge | Excititor module | src/Excititor |
| Unknowns Registry | UnknownsService | Sprint 3500.0002.0002 |
| Call Graph Extraction | DotNetCallGraphExtractor, JavaCallGraphExtractor | Sprint 3500.0003.x |
| Semantic Entrypoints | Sprint 0411 | EntryTrace module |
| Temporal/Mesh Analysis | Sprint 0412 | EntryTrace module |
| Binary Intelligence | Sprint 0414 | EntryTrace module |
| Risk Scoring | Sprint 0415 | EntryTrace module |

2.2 Gaps Identified (New Work Required)

| Gap | Advisory Source | Priority | Complexity |
|---|---|---|---|
| Reachability Drift Detection | 17-Dec advisory | HIGH | HIGH |
| Exception Objects (Auditable) | Moat Exception mgmt | HIGH | MEDIUM |
| Knowledge Snapshots + Time-Travel | Moat Knowledge Snapshots | HIGH | HIGH |
| Delta Verdict Attestations | Moat #1 | MEDIUM | MEDIUM |
| Offline E2E Test Suite | Testing strategy | MEDIUM | MEDIUM |
| Code Change Facts Table | 17-Dec advisory | MEDIUM | LOW |
| Path Viewer UI Enhancement | 17-Dec advisory | LOW | LOW |

Epic 3800: Reachability Drift Detection

Justification: The 17-Dec advisory identifies that reachability can change between versions even when vulnerability count stays the same. This is a significant moat differentiator.

What's Missing (per advisory gap analysis):

  • scanner.code_changes table for AST-level diff facts
  • scanner.call_graph_snapshots for per-scan graph cache
  • DriftCauseExplainer service to attribute causes to code changes
  • Cross-scan function-level drift (state drift exists, function-level doesn't)

Scope:

  • Sprint 3800.0001.0001: Schema + Code Changes Table
  • Sprint 3800.0001.0002: Call Graph Snapshot Service
  • Sprint 3800.0002.0001: Drift Cause Explainer
  • Sprint 3800.0002.0002: UI Integration

Estimated Duration: 4 weeks


Epic 3900: Exception Management as Auditable Objects

Justification: The moat advisory explicitly states "Exception Objects" should be first-class, governed decisions — not .ignore files or UI toggles. This is critical for enterprise customers.

What's Missing:

  • policy.exceptions table with full governance fields
  • Exception lifecycle (proposed → approved → active → expired → revoked)
  • Scope constraints (artifact digest, purl, environment)
  • Time-bounded expiry enforcement
  • Approval workflow integration
  • Signed exception attestations
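The lifecycle, scope-constraint and expiry bullets above, sketched as an added C# example (illustrative, not StellaOps code: the type names echo the epic's vocabulary, but every member, the PURL wildcard syntax and the sample data are assumptions). It shows that only an Active, unexpired exception whose scope matches the finding can suppress it, and that when several match, the most specific scope wins.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;
// Constructed sample data (not real findings): one vulnerability id, one package, four exceptions.
var now = new DateTimeOffset(2025, 12, 20, 12, 0, 0, TimeSpan.Zero);
const string vuln = "VULN-PLACEHOLDER-1", purl = "pkg:nuget/Example.Lib@1.4.2", digest = "sha256:0000";
var exceptions = new[]
{
    new ExceptionObject("exc-broad", vuln, ExceptionStatus.Active, new ExceptionScope(null, "pkg:nuget/Example.Lib@*", null), now.AddDays(30)),
    new ExceptionObject("exc-narrow", vuln, ExceptionStatus.Active, new ExceptionScope(null, purl, "prod"), now.AddDays(7)),
    new ExceptionObject("exc-stale", vuln, ExceptionStatus.Active, new ExceptionScope(null, purl, "prod"), now.AddDays(-1)),   // expired
    new ExceptionObject("exc-pending", vuln, ExceptionStatus.Approved, new ExceptionScope(digest, purl, "prod"), now.AddDays(7)), // not yet active
};
var hit = ExceptionEvaluator.FindApplicable(exceptions, vuln, digest, purl, "prod", now);
Console.WriteLine(hit?.Id ?? "no exception applies");
// Lifecycle from the epic: proposed -> approved -> active -> expired -> revoked.
public enum ExceptionStatus { Proposed, Approved, Active, Expired, Revoked }

// Scope constraints from the epic; a null field means "unconstrained".
public sealed record ExceptionScope(string? ArtifactDigest, string? PurlPattern, string? Environment)
{
    // Number of constrained fields; a narrower scope outranks a broader one when both match.
    public int Specificity => new[] { ArtifactDigest, PurlPattern, Environment }.Count(f => f is not null);

    public bool Matches(string digest, string purl, string env) =>
        (ArtifactDigest is null || ArtifactDigest == digest)
        && (PurlPattern is null || PurlMatches(PurlPattern, purl))
        && (Environment is null || Environment == env);

    // Assumed pattern syntax: a trailing '*' matches any suffix (e.g. any version); otherwise exact match.
    private static bool PurlMatches(string pattern, string purl) =>
        pattern.EndsWith('*') ? purl.StartsWith(pattern[..^1], StringComparison.Ordinal) : pattern == purl;
}

public sealed record ExceptionObject(string Id, string VulnId, ExceptionStatus Status, ExceptionScope Scope, DateTimeOffset ExpiresAt);

public static class ExceptionEvaluator
{
    // Only Active, unexpired, in-scope exceptions may suppress a finding; expiry is enforced
    // against the evaluation clock, so an Active row past ExpiresAt stops applying at once.
    public static ExceptionObject? FindApplicable(IEnumerable<ExceptionObject> candidates,
        string vulnId, string digest, string purl, string env, DateTimeOffset now) =>
        candidates
            .Where(e => e.VulnId == vulnId && e.Status == ExceptionStatus.Active && e.ExpiresAt > now)
            .Where(e => e.Scope.Matches(digest, purl, env))
            .OrderByDescending(e => e.Scope.Specificity)
            .FirstOrDefault();
}
```

Transitions such as approved to active, and the signed attestation of the decision, are deliberately outside this sketch; it covers only the evaluation-time checks a policy engine would need.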

Scope:

  • Sprint 3900.0001.0001: Schema + Exception Object Model
  • Sprint 3900.0001.0002: Exception API (CRUD + approval workflow)
  • Sprint 3900.0002.0001: Policy Engine Integration
  • Sprint 3900.0002.0002: UI + Audit Pack Export

Estimated Duration: 4 weeks


Epic 4000: Knowledge Snapshots + Time-Travel Replay

Justification: Multiple advisories emphasize that replayability requires pinned knowledge state (vuln feeds, VEX, policies). Current replay works for scores but not for full "time-travel" to a past knowledge state.

What's Missing:

  • Content-addressed knowledge snapshot bundles
  • Snapshot manifest with feed digests + policy versions
  • Time-travel replay API that loads historical snapshots
  • Evidence that the same inputs produce the same verdict

Scope:

  • Sprint 4000.0001.0001: Knowledge Snapshot Model + Storage
  • Sprint 4000.0001.0002: Snapshot Creation Service
  • Sprint 4000.0002.0001: Time-Travel Replay API
  • Sprint 4000.0002.0002: Verification + Audit Integration

Estimated Duration: 4 weeks


4. Enhancement Opportunities (Existing Features)

4.1 Delta Verdict Attestations

Current State: Score proofs exist and are signed via DSSE. Material risk changes are detected.

Enhancement: Create a formal "Delta Verdict" attestation that wraps:

  • Baseline snapshot digest
  • Target snapshot digest
  • Delta categories (SBOM/VEX/Reachability/Decision changes)
  • Policy outcome with explanation
  • Signed envelope

Effort: ~1 sprint (add to existing attestation infrastructure)


4.2 Offline E2E Test Suite

Current State: Integration tests exist (Sprint 3500.0004.0003). Air-gap tests are ad-hoc.

Enhancement: Formalize per the Testing Strategy advisory:

  • Offline bundle spec (bundle.json with digests)
  • No-egress CI jobs
  • SBOM round-trip tests (Syft → cosign → Grype)
  • Router backpressure chaos tests

Effort: ~1 sprint


4.3 VEX Conflict Studio UI

Current State: VEX merge happens in Excititor with lattice logic. No UI for conflict visualization.

Enhancement: Per UX advisory, add side-by-side VEX conflict view:

  • Left: Vendor statement + provenance
  • Right: Internal statement + provenance
  • Middle: Merge result + rule that decided
  • Evidence hooks checklist

Effort: ~1 sprint


5. Recommendations

Immediate Actions (Next 2 Weeks)

  1. Create Sprint files for Epic 3800 (Reachability Drift) — highest impact moat
  2. Archive processed advisories — move 16-Dec and 18-Dec to archive (already processed)
  3. Update moat.md — sync key-features with new moat explanations

Medium-Term (Next 4 Weeks)

  1. Create Sprint files for Epic 3900 (Exception Objects)
  2. Create Sprint files for Epic 4000 (Knowledge Snapshots)
  3. Add Delta Verdict attestation to existing proof infrastructure

Deferred (Roadmap)

  1. Offline E2E test formalization
  2. VEX Conflict Studio UI
  3. Fleet-level blast radius visualization

6. Decision Required

Question for Stakeholders: Which epic should be prioritized first?

| Option | Epic | Business Value | Technical Risk |
|---|---|---|---|
| A | 3800 Reachability Drift | HIGH (differentiator) | MEDIUM |
| B | 3900 Exception Objects | HIGH (enterprise) | LOW |
| C | 4000 Knowledge Snapshots | MEDIUM (audit) | HIGH |

Recommendation: Start with Epic 3900 (Exception Objects) due to lower risk and clear enterprise demand, then Epic 3800 (Reachability Drift) for moat differentiation.


Appendix: Files to Archive

These advisories have been processed or are reference-only:

docs/product-advisories/unprocessed/16-Dec-2025 - Reimagining ProofLinked UX in Security Workflows.md
  → Already processed (Status: PROCESSED in file)

docs/product-advisories/unprocessed/18-Dec-2025 - Designing Explainable Triage and ProofLinked Evidence.md
  → Overlaps with 16-Dec, consolidate

docs/product-advisories/unprocessed/20-Dec-2025 - Branch · UX patterns worth borrowing from top scanners.md
  → Reference only, no actionable tasks

Report Generated By: StellaOps Agent (Product Manager Role)
Next Step: Await stakeholder decision on epic prioritization