stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
ba4c935182406c64d22111f005ecd9528bc27250
git.stella-ops.org/docs/implplan/SPRINT_142_sbomservice.md
master ae69b1a8a1 feat: Add documentation and task tracking for Sprints 508 to 514 in Ops & Offline 
- Created detailed markdown files for Sprints 508 (Ops Offline Kit), 509 (Samples), 510 (AirGap), 511 (Api), 512 (Bench), 513 (Provenance), and 514 (Sovereign Crypto Enablement) outlining tasks, dependencies, and owners.
- Introduced a comprehensive Reachability Evidence Delivery Guide to streamline the reachability signal process.
- Implemented unit tests for Advisory AI to block known injection patterns and redact secrets.
- Added AuthoritySenderConstraintHelper to manage sender constraints in OpenIddict transactions.
2025-11-08 23:18:28 +02:00

4.9 KiB
Raw Blame History

Sprint 142 - Runtime & Signals · 140.B) SbomService

Active items only. Completed/historic work now resides in docs/implplan/archived_sprints_tasks.md (updated 2025-11-08).

[Runtime & Signals] 140.B) SbomService Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner Summary: Runtime & Signals focus on SBOM Service — projections, APIs, and orchestrator integration.

Task ID State Task description Owners (Source)
SBOM-AIAI-31-001 TODO Provide GET /sbom/paths?purl=... and version timeline endpoints optimized for Advisory AI (incl. env flags, blast radius metadata). SBOM Service Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-AIAI-31-002 TODO Instrument metrics for path/timeline queries (latency, cache hit rate) and surface dashboards. Dependencies: SBOM-AIAI-31-001. SBOM Service Guild, Observability Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-CONSOLE-23-001 TODO Provide Console-focused SBOM catalog API (/console/sboms) with filters (artifact, license, scope, asset tags), pagination cursors, evaluation metadata, and immutable JSON projections for raw view drawer. Document schema + determinism guarantees. SBOM Service Guild, Cartographer Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-CONSOLE-23-002 TODO Deliver component lookup endpoints powering global search and Graph overlays (component neighborhoods, license overlays, policy deltas) with caching hints and tenant enforcement. Dependencies: SBOM-CONSOLE-23-001. SBOM Service Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-ORCH-32-001 TODO Register SBOM ingest/index sources with orchestrator, embed worker SDK, and emit artifact hashes + job metadata. SBOM Service Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-ORCH-33-001 TODO Report backpressure metrics, honor orchestrator pause/throttle signals, and classify error outputs for sbom jobs. Dependencies: SBOM-ORCH-32-001. SBOM Service Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-ORCH-34-001 TODO Implement orchestrator backfill + watermark reconciliation for SBOM ingest/index, ensuring idempotent artifact reuse. Dependencies: SBOM-ORCH-33-001. SBOM Service Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-SERVICE-21-001 BLOCKED (2025-10-27) Publish normalized SBOM projection schema (components, relationships, scopes, entrypoints) and implement read API with pagination + tenant enforcement.
2025-10-27: Awaiting projection schema from Concelier (CONCELIER-GRAPH-21-001) before finalizing API payloads and fixtures.		 SBOM Service Guild, Cartographer Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-SERVICE-21-002 BLOCKED (2025-10-27) Emit change events (sbom.version.created) carrying digest/version metadata for Graph Indexer builds; add replay/backfill tooling. Dependencies: SBOM-SERVICE-21-001.
2025-10-27: Blocked until SBOM-SERVICE-21-001 defines projection schema and endpoints.		 SBOM Service Guild, Scheduler Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-SERVICE-21-003 BLOCKED (2025-10-27) Provide entrypoint/service node management API (list/update overrides) feeding Cartographer path relevance with deterministic defaults. Dependencies: SBOM-SERVICE-21-002.
2025-10-27: Depends on base projection schema (SBOM-SERVICE-21-001) which is blocked.		 SBOM Service Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-SERVICE-21-004 BLOCKED (2025-10-27) Wire observability: metrics (sbom_projection_seconds, sbom_projection_size), traces, structured logs with tenant info; set alerts for backlog. Dependencies: SBOM-SERVICE-21-003.
2025-10-27: Projection pipeline not in place yet; will follow once SBOM-SERVICE-21-001 unblocks.		 SBOM Service Guild, Observability Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-SERVICE-23-001 TODO Extend projections to include asset metadata (criticality, owner, environment, exposure flags) required by policy rules; update schema docs. Dependencies: SBOM-SERVICE-21-004. SBOM Service Guild, Policy Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-SERVICE-23-002 TODO Emit sbom.asset.updated events when metadata changes; ensure idempotent payloads and documentation. Dependencies: SBOM-SERVICE-23-001. SBOM Service Guild, Platform Events Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-VULN-29-001 TODO Emit inventory evidence with scope, runtime_flag, dependency paths, and nearest safe version hints, streaming change events for resolver jobs. SBOM Service Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-VULN-29-002 TODO Provide resolver feed (artifact, purl, version, paths) via queue/topic for Vuln Explorer candidate generation; ensure idempotent delivery. Dependencies: SBOM-VULN-29-001. SBOM Service Guild, Findings Ledger Guild (src/SbomService/StellaOps.SbomService/TASKS.md)