git.stella-ops.org/src/Web/StellaOps.Web/TASKS.md
master 536f6249a6
Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case
- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images.
- Added symbols.json detailing function entry and sink points in the WordPress code.
- Included runtime traces for function calls in both reachable and unreachable scenarios.
- Developed OpenVEX files indicating vulnerability status and justification for both cases.
- Updated README for evaluator harness to guide integration with scanner output.
2025-11-08 20:53:45 +02:00


# TASKS — Epic 1: Aggregation-Only Contract

| ID | Status | Owner(s) | Depends on | Notes |
|---|---|---|---|---|
| WEB-AOC-19-001 Shared AOC guard primitives | DONE (2025-11-07) | BE-Base Platform Guild | | Provide AOCForbiddenKeys, guard middleware/interceptor hooks, and error types (AOCError, AOCViolationCode) for ingestion services. Publish sample usage + analyzer to ensure guard registered. 2025-10-26: Introduced StellaOps.Aoc library with forbidden key list, guard result/options, and baseline write guard + tests. Middleware/analyzer wiring still pending. 2025-10-30: Added StellaOps.Aoc.AspNetCore helpers (AddAocGuard, AocHttpResults) and switched Concelier WebService to the shared problem-details mapper; analyzer wiring remains pending. 2025-10-30: Published docs/aoc/guard-library.md covering registration patterns, endpoint filters, and error mapping for ingestion services. 2025-11-06: Added RequireAocGuard route helper, wired Concelier advisory ingestion endpoint to the shared filter, refreshed docs, and introduced extension tests. 2025-11-07: Enforced allowed top-level field detection (ERR_AOC_007), introduced the shared AocError DTO/HTTP response payload, updated docs, and expanded test coverage. |
| WEB-AOC-19-002 Provenance & signature helpers | TODO | BE-Base Platform Guild | WEB-AOC-19-001 | Ship ProvenanceBuilder, checksum utilities, and signature verification helper integrated with guard logging. Cover DSSE/CMS formats with unit tests. |
| WEB-AOC-19-003 Analyzer + test fixtures | TODO | QA Guild, BE-Base Platform Guild | WEB-AOC-19-001 | Author Roslyn analyzer preventing ingestion modules from writing forbidden keys without guard, and provide shared test fixtures for guard validation used by Concelier/Excititor service tests. Docs alignment (2025-10-26): Analyzer expectations detailed in docs/ingestion/aggregation-only-contract.md §3/5; CI integration tracked via DEVOPS-AOC-19-001. |
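The guard behind WEB-AOC-19-001 is easiest to reason about as a pure check over the document an ingestion service is about to write: the envelope may only carry a fixed set of top-level fields (the check the page assigns to ERR_AOC_007), and no derived field may appear anywhere the ingestion service authored. The C# below is an added example written for this page, not StellaOps.Aoc code; the forbidden-key list, the allowed envelope fields, the `AocWriteGuard`/`AocViolation` names and the convention that the verbatim upstream payload lives under `content` (and is therefore not walked, since upstream advisories legitimately carry their own CVSS/severity) are all assumptions.

```csharp
// Added example, not StellaOps code: a minimal aggregation-only write guard.
// Assumptions (none of these lists come from the page): the forbidden keys and the
// allowed top-level envelope fields are illustrative, and the raw upstream document
// is stored verbatim under "content" and is not inspected, because upstream
// advisories legitimately carry their own severity/CVSS fields.
using System;
using System.Collections.Generic;
using System.Text.Json;

public enum AocViolationCode
{
    ForbiddenKey,          // ingestion tried to write a derived/normalised field
    UnknownTopLevelField   // envelope field outside the allowed set (the page maps this check to ERR_AOC_007)
}

public sealed record AocViolation(AocViolationCode Code, string JsonPath);

public static class AocWriteGuard
{
    // Assumed: derived fields that only Policy Engine may produce, never written at ingestion.
    private static readonly HashSet<string> ForbiddenKeys =
        new(StringComparer.OrdinalIgnoreCase) { "severity", "cvss_effective", "effective_status", "merged_from" };

    // Assumed: the raw-observation envelope an ingestion service is allowed to write.
    private static readonly HashSet<string> AllowedTopLevel =
        new(StringComparer.Ordinal) { "tenant", "source", "upstream_id", "content", "signature", "provenance" };

    // Assumed: subtree holding the verbatim upstream payload; skipped by the forbidden-key walk.
    private const string RawContentField = "content";

    public static IReadOnlyList<AocViolation> Check(JsonElement envelope)
    {
        var violations = new List<AocViolation>();
        if (envelope.ValueKind != JsonValueKind.Object)
        {
            violations.Add(new AocViolation(AocViolationCode.UnknownTopLevelField, "$"));
            return violations;
        }

        foreach (var prop in envelope.EnumerateObject())
        {
            var path = "$." + prop.Name;
            if (ForbiddenKeys.Contains(prop.Name))
                violations.Add(new AocViolation(AocViolationCode.ForbiddenKey, path));
            else if (!AllowedTopLevel.Contains(prop.Name))
                violations.Add(new AocViolation(AocViolationCode.UnknownTopLevelField, path));

            if (prop.Name != RawContentField)
                Walk(prop.Value, path, violations);
        }
        return violations;
    }

    // Depth-first scan for forbidden keys anywhere below the envelope, except the raw payload.
    private static void Walk(JsonElement node, string path, List<AocViolation> violations)
    {
        switch (node.ValueKind)
        {
            case JsonValueKind.Object:
                foreach (var prop in node.EnumerateObject())
                {
                    var childPath = path + "." + prop.Name;
                    if (ForbiddenKeys.Contains(prop.Name))
                        violations.Add(new AocViolation(AocViolationCode.ForbiddenKey, childPath));
                    Walk(prop.Value, childPath, violations);
                }
                break;
            case JsonValueKind.Array:
            {
                var index = 0;
                foreach (var item in node.EnumerateArray())
                    Walk(item, $"{path}[{index++}]", violations);
                break;
            }
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample write: the upstream CVSS inside "content" is acceptable,
        // but the envelope-level "severity" and the nested "merged_from" are violations.
        const string sample = """
            {
              "tenant": "tenant-a",
              "source": "example-feed",
              "upstream_id": "example-advisory-1",
              "content": { "id": "example-advisory-1", "cvss": { "baseScore": 9.8 } },
              "severity": "critical",
              "provenance": { "fetched_at": "2025-11-07T00:00:00Z", "notes": { "merged_from": ["other-feed"] } }
            }
            """;

        using var doc = JsonDocument.Parse(sample);
        var violations = AocWriteGuard.Check(doc.RootElement);
        foreach (var v in violations)
            Console.WriteLine($"{v.Code} at {v.JsonPath}");
        Environment.ExitCode = violations.Count == 0 ? 0 : 1;
    }
}
```

The point of skipping the raw payload subtree is the caveat a reviewer would raise against the Roslyn analyzer in WEB-AOC-19-003 as well: the contract forbids ingestion from *authoring* derived fields, not from storing an upstream document that happens to contain a `cvss` object. A guard that walks the whole document would reject legitimate NVD/GHSA content; a guard that walks nothing would miss a `merged_from` smuggled into `provenance`.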

## Policy Engine v2

| ID | Status | Owner(s) | Depends on | Notes |
|---|---|---|---|---|
| WEB-POLICY-20-001 Policy endpoints | TODO | BE-Base Platform Guild, Policy Guild | POLICY-ENGINE-20-001, POLICY-ENGINE-20-004 | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints with OpenAPI, tenant scoping, and service identity enforcement. |
| WEB-POLICY-20-002 Pagination & filters | TODO | BE-Base Platform Guild | WEB-POLICY-20-001 | Add pagination, filtering, sorting, and tenant guards to listings for policies, runs, and findings; include deterministic ordering and query diagnostics. |
| WEB-POLICY-20-003 Error mapping | TODO | BE-Base Platform Guild, QA Guild | WEB-POLICY-20-001 | Map engine errors to ERR_POL_* responses with consistent payloads and contract tests; expose correlation IDs in headers. |
| WEB-POLICY-20-004 Simulate rate limits | TODO | Platform Reliability Guild | WEB-POLICY-20-001, WEB-POLICY-20-002 | Introduce adaptive rate limiting + quotas for simulation endpoints, expose metrics, and document retry headers. |

## Graph Explorer v1

| ID | Status | Owner(s) | Depends on | Notes |
|---|---|---|---|---|
| WEB-GRAPH-21-001 Graph endpoints | BLOCKED (2025-10-27) | BE-Base Platform Guild, Graph Platform Guild | GRAPH-API-28-003, AUTH-VULN-24-001 | Add gateway routes for graph versions/viewport/node/path/diff/export endpoints with tenant enforcement, scope checks, and streaming responses; proxy Policy Engine diff toggles without inline logic. Adopt StellaOpsScopes constants for RBAC enforcement. 2025-10-27: Graph API gateway can't proxy until upstream Graph service (GRAPH-API-28-003) and Authority scope update (AUTH-VULN-24-001) publish stable contracts. |
| WEB-GRAPH-21-002 Request validation | BLOCKED (2025-10-27) | BE-Base Platform Guild | WEB-GRAPH-21-001 | Implement bbox/zoom/path parameter validation, pagination tokens, and deterministic ordering; add contract tests for boundary conditions. 2025-10-27: Blocked on WEB-GRAPH-21-001; request envelope still undefined. |
| WEB-GRAPH-21-003 Error mapping & exports | BLOCKED (2025-10-27) | BE-Base Platform Guild, QA Guild | WEB-GRAPH-21-001 | Map graph service errors to ERR_Graph_*, support GraphML/JSONL export streaming, and document rate limits. 2025-10-27: Depends on core Graph proxy route definitions. |
| WEB-GRAPH-21-004 Overlay pass-through | BLOCKED (2025-10-27) | BE-Base Platform Guild, Policy Guild | WEB-GRAPH-21-001, POLICY-ENGINE-30-002 | Proxy Policy Engine overlay responses for graph endpoints while keeping gateway stateless; maintain streaming budgets and latency SLOs. 2025-10-27: Requires base Graph routing plus Policy overlay schema (POLICY-ENGINE-30-002). |

## Graph Explorer (Sprint 28)

| ID | Status | Owner(s) | Depends on | Notes |
|---|---|---|---|---|
| WEB-GRAPH-24-001 Gateway proxy refresh | TODO | BE-Base Platform Guild | GRAPH-API-28-001, AUTH-GRAPH-21-001 | Gateway proxy for Graph API and Policy overlays with RBAC, caching, pagination, ETags, and streaming; zero business logic. |
| WEB-GRAPH-24-004 Telemetry aggregation | TODO | BE-Base Platform Guild, Observability Guild | WEB-GRAPH-24-001, DEVOPS-GRAPH-28-003 | Collect gateway metrics/logs (tile latency, proxy errors, overlay cache stats) and forward to dashboards; document sampling strategy. |

| ID | Status | Owner(s) | Depends on | Notes |
|---|---|---|---|---|
| WEB-LNM-21-001 Advisory observation endpoints | TODO | BE-Base Platform Guild, Concelier WebService Guild | CONCELIER-LNM-21-201 | Surface new /advisories/* APIs through gateway with caching, pagination, and RBAC enforcement (advisory:read). |
| WEB-LNM-21-002 VEX observation endpoints | TODO | BE-Base Platform Guild, Excititor WebService Guild | EXCITITOR-LNM-21-201 | Expose /vex/* read APIs with evidence routes and export handlers; map ERR_AGG_* codes. |
| WEB-LNM-21-003 Policy evidence aggregation | TODO | BE-Base Platform Guild, Policy Guild | POLICY-ENGINE-40-001 | Provide combined endpoint for Console to fetch policy result + source evidence (advisory + VEX linksets) for a component. |

## Policy Engine + Editor v1 (Epic 5)

| ID | Status | Owner(s) | Depends on | Notes |
|---|---|---|---|---|
| WEB-POLICY-23-001 Policy pack CRUD | BLOCKED (2025-10-29) | BE-Base Platform Guild, Policy Guild | POLICY-GATEWAY-18-001..002 | Implement API endpoints for creating/listing/fetching policy packs and revisions (/policy/packs, /policy/packs/{id}/revisions) with pagination, RBAC, and AOC metadata exposure. (Tracked via Sprint 18.5 gateway tasks.) |
| WEB-POLICY-23-002 Activation & scope | BLOCKED (2025-10-29) | BE-Base Platform Guild | POLICY-GATEWAY-18-003 | Add activation endpoint with scope windows, conflict checks, and optional 2-person approval integration; emit events on success. (Tracked via Sprint 18.5 gateway tasks.) |
| WEB-POLICY-23-003 Simulation & evaluation | TODO | BE-Base Platform Guild | POLICY-ENGINE-50-002 | Provide /policy/simulate and /policy/evaluate endpoints with streaming responses, rate limiting, and error mapping. |
| WEB-POLICY-23-004 Explain retrieval | TODO | BE-Base Platform Guild | POLICY-ENGINE-50-006 | Expose explain history endpoints (/policy/runs, /policy/runs/{id}) including decision tree, sources consulted, and AOC chain. |

## Graph & Vuln Explorer v1

| ID | Status | Owner(s) | Depends on | Notes |
|---|---|---|---|---|
| WEB-GRAPH-24-001 Graph endpoints | TODO | BE-Base Platform Guild, SBOM Service Guild | SBOM-GRAPH-24-002 | Implement /graph/assets/* endpoints (snapshots, adjacency, search) with pagination, ETags, and tenant scoping while acting as a pure proxy. |
| WEB-GRAPH-24-004 AOC enrichers | TODO | BE-Base Platform Guild | WEB-GRAPH-24-001 | Embed AOC summaries sourced from overlay services; ensure gateway does not compute derived severity or hints. |

## StellaOps Console (Sprint 23)

| ID | Status | Owner(s) | Depends on | Notes |
|---|---|---|---|---|
| WEB-CONSOLE-23-001 Global posture endpoints | TODO | BE-Base Platform Guild, Product Analytics Guild | CONCELIER-CONSOLE-23-001, EXCITITOR-CONSOLE-23-001, POLICY-CONSOLE-23-001, SBOM-CONSOLE-23-001, SCHED-CONSOLE-23-001 | Provide consolidated /console/dashboard and /console/filters APIs returning tenant-scoped aggregates (findings by severity, VEX override counts, advisory deltas, run health, policy change log). Enforce AOC labelling, deterministic ordering, and cursor-based pagination for drill-down hints. |
| CONSOLE-VULN-29-001 Vulnerability workspace | DOING (2025-11-08) | Console Guild, BE-Base Platform Guild | WEB-CONSOLE-23-001, CONCELIER-GRAPH-21-001 | Build /console/vuln/* endpoints and filters surfacing tenant-scoped findings with policy/VEX badges, deterministic pagination, and a11y-friendly metadata so Docs can capture UI workflows. 2025-11-08: Engaging filter/badge implementation plus /console/vuln/search DTOs now that Signals + Scheduler prerequisites exist; deliver payloads for DOCS-AIAI-31-004 screenshots. 2025-11-08: Drafted HTTP contract + samples in docs/api/console/workspaces.md so Docs/UI can exercise GET /console/vuln/findings before backend lands. |
| CONSOLE-VEX-30-001 VEX evidence workspace | DOING (2025-11-08) | Console Guild, BE-Base Platform Guild | WEB-CONSOLE-23-001, EXCITITOR-CONSOLE-23-001 | Provide /console/vex/* APIs streaming VEX statements, justification summaries, and advisory links with filter/sort options plus SSE hooks for background refresh. 2025-11-08: Spiking SSE controller + /console/vex/events feed to keep Advisory AI console doc work unblocked and coordinate with Scheduler Signals dependencies. 2025-11-08: SSE contract + sample NDJSON (docs/api/console/samples/vex-statement-sse.ndjson) published; awaiting backend scaffolding to hook Scheduler streams. |
| WEB-CONSOLE-23-002 Live status & SSE proxy | TODO | BE-Base Platform Guild, Scheduler Guild | SCHED-CONSOLE-23-001, DEVOPS-CONSOLE-23-001 | Expose /console/status polling endpoint and /console/runs/{id}/stream SSE/WebSocket proxy with heartbeat/backoff, queue lag metrics, and auth scope enforcement. Surface request IDs + retry headers. |
| WEB-CONSOLE-23-003 Evidence export orchestrator | TODO | BE-Base Platform Guild, Policy Guild | EXPORT-CONSOLE-23-001, POLICY-CONSOLE-23-001 | Add /console/exports POST/GET routes coordinating evidence bundle creation, streaming CSV/JSON exports, checksum manifest retrieval, and signed attestation references. Ensure requests honor tenant + policy scopes and expose job tracking metadata. |
| WEB-CONSOLE-23-004 Global search router | TODO | BE-Base Platform Guild | CONCELIER-CONSOLE-23-001, EXCITITOR-CONSOLE-23-001, SBOM-CONSOLE-23-001 | Implement /console/search endpoint accepting CVE/GHSA/PURL/SBOM identifiers, performing fan-out queries with caching, ranking, and deterministic tie-breaking. Return typed results for Console navigation; respect result caps and latency SLOs. |
| WEB-CONSOLE-23-005 Downloads manifest API | TODO | BE-Base Platform Guild, DevOps Guild | DOWNLOADS-CONSOLE-23-001, DEVOPS-CONSOLE-23-002 | Serve /console/downloads JSON manifest (images, charts, offline bundles) sourced from signed registry metadata; include integrity hashes, release notes links, and offline instructions. Provide caching headers and documentation. |

## Policy Studio (Sprint 27)

| ID | Status | Owner(s) | Depends on | Notes |
|---|---|---|---|---|
| WEB-POLICY-27-001 Policy registry proxy | TODO | BE-Base Platform Guild, Policy Registry Guild | REGISTRY-API-27-001, AUTH-POLICY-27-001 | Surface Policy Registry APIs (/policy/workspaces, /policy/versions, /policy/reviews, /policy/registry) through gateway with tenant scoping, RBAC, and request validation; ensure streaming downloads for evidence bundles. |
| WEB-POLICY-27-002 Review & approval routes | TODO | BE-Base Platform Guild | WEB-POLICY-27-001, REGISTRY-API-27-006 | Implement review lifecycle endpoints (open, comment, approve/reject) with audit headers, comment pagination, and webhook fan-out. |
| WEB-POLICY-27-003 Simulation orchestration endpoints | TODO | BE-Base Platform Guild, Scheduler Guild | REGISTRY-API-27-005, SCHED-CONSOLE-27-001 | Expose quick/batch simulation endpoints with SSE progress (/policy/simulations/{runId}/stream), cursor-based result pagination, and manifest download routes. |
| WEB-POLICY-27-004 Publish & promote controls | TODO | BE-Base Platform Guild, Security Guild | REGISTRY-API-27-007, REGISTRY-API-27-008, AUTH-POLICY-27-002 | Add publish/sign/promote/rollback endpoints with idempotent request IDs, canary parameters, and environment bindings; enforce scope checks and emit structured events. |
| WEB-POLICY-27-005 Policy Studio telemetry | TODO | BE-Base Platform Guild, Observability Guild | WEB-POLICY-27-001..004, TELEMETRY-CONSOLE-27-001 | Instrument metrics/logs for compile latency, simulation queue depth, approval latency, promotion actions; expose aggregated dashboards and correlation IDs for Console. |

## Exceptions v1 (Epic 7)

| ID | Status | Owner(s) | Depends on | Notes |
|---|---|---|---|---|
| WEB-EXC-25-001 Exceptions CRUD & workflow | TODO | BE-Base Platform Guild | POLICY-ENGINE-70-002, AUTH-EXC-25-001 | Implement /exceptions API (create, propose, approve, revoke, list, history) with validation, pagination, and audit logging. |
| WEB-EXC-25-002 Policy integration surfaces | TODO | BE-Base Platform Guild | POLICY-ENGINE-70-001 | Extend /policy/effective and /policy/simulate responses to include exception metadata and accept overrides for simulations. |
| WEB-EXC-25-003 Notifications & events | TODO | BE-Base Platform Guild, Platform Events Guild | WEB-EXC-25-001 | Publish exception.* events, integrate with notification hooks, enforce rate limits. |

## Reachability v1

| ID | Status | Owner(s) | Depends on | Notes |
|---|---|---|---|---|
| WEB-SIG-26-001 Signals proxy endpoints | TODO | BE-Base Platform Guild, Signals Guild | SIGNALS-24-001 | Surface /signals/callgraphs, /signals/facts read/write endpoints with pagination, ETags, and RBAC. |
| WEB-SIG-26-002 Reachability joins | TODO | BE-Base Platform Guild | WEB-SIG-26-001, POLICY-ENGINE-80-001 | Extend /policy/effective and /vuln/explorer responses to include reachability scores/states and allow filtering. |
| WEB-SIG-26-003 Simulation hooks | TODO | BE-Base Platform Guild | WEB-SIG-26-002, POLICY-ENGINE-80-001 | Add reachability override parameters to /policy/simulate and related APIs for what-if analysis. |

## Vulnerability Explorer (Sprint 29)

| ID | Status | Owner(s) | Depends on | Notes |
|---|---|---|---|---|
| WEB-VULN-29-001 Vuln API routing | TODO | BE-Base Platform Guild | VULN-API-29-001, AUTH-VULN-29-001 | Expose /vuln/* endpoints via gateway with tenant scoping, RBAC/ABAC enforcement, anti-forgery headers, and request logging. |
| WEB-VULN-29-002 Ledger proxy headers | TODO | BE-Base Platform Guild, Findings Ledger Guild | WEB-VULN-29-001, LEDGER-29-002 | Forward workflow actions to Findings Ledger with idempotency headers and correlation IDs; handle retries/backoff. |
| WEB-VULN-29-003 Simulation + export routing | TODO | BE-Base Platform Guild | VULN-API-29-005, VULN-API-29-008 | Provide simulation and export orchestration routes with SSE/progress headers, signed download links, and request budgeting. |
| WEB-VULN-29-004 Telemetry aggregation | TODO | BE-Base Platform Guild, Observability Guild | WEB-VULN-29-001..003, DEVOPS-VULN-29-003 | Emit gateway metrics/logs (latency, error rates, export duration), propagate query hashes for analytics dashboards. |
| WEB-VEX-30-007 VEX consensus routing | TODO | BE-Base Platform Guild, VEX Lens Guild | VEXLENS-30-007, AUTH-VULN-24-001 | Route /vex/consensus APIs with tenant RBAC/ABAC, caching, and streaming; surface telemetry and trace IDs without gateway-side overlay logic. |

## Advisory AI (Sprint 31)

| ID | Status | Owner(s) | Depends on | Notes |
|---|---|---|---|---|
| WEB-AIAI-31-001 API routing | TODO | BE-Base Platform Guild | AIAI-31-006, AUTH-VULN-29-001 | Route /advisory/ai/* endpoints through gateway with RBAC/ABAC, rate limits, and telemetry headers. |
| WEB-AIAI-31-002 Batch orchestration | TODO | BE-Base Platform Guild | AIAI-31-006 | Provide batching job handlers and streaming responses for CLI automation with retry/backoff. |
| WEB-AIAI-31-003 Telemetry & audit | TODO | BE-Base Platform Guild, Observability Guild | WEB-AIAI-31-001, DEVOPS-AIAI-31-001 | Emit metrics/logs (latency, guardrail blocks, validation failures) and forward anonymized prompt hashes to analytics. |

## Orchestrator Dashboard

| ID | Status | Owner(s) | Depends on | Notes |
|---|---|---|---|---|
| WEB-ORCH-32-001 Read-only routing | TODO | BE-Base Platform Guild | ORCH-SVC-32-003, AUTH-ORCH-32-001 | Expose `/orchestrator/sources |
| WEB-ORCH-33-001 Control + backfill actions | TODO | BE-Base Platform Guild | WEB-ORCH-32-001, ORCH-SVC-33-001, AUTH-ORCH-33-001 | Add POST action routes (`pause |
| WEB-ORCH-34-001 Quotas & telemetry | TODO | BE-Base Platform Guild | WEB-ORCH-33-001, ORCH-SVC-33-003, ORCH-SVC-34-001 | Surface quotas/backfill APIs, queue/backpressure metrics, and error clustering routes with admin scope enforcement and audit logging. |

## Export Center

| ID | Status | Owner(s) | Depends on | Notes |
|---|---|---|---|---|
| WEB-EXPORT-35-001 Export routing | TODO | BE-Base Platform Guild | EXPORT-SVC-35-006, AUTH-EXPORT-35-001 | Surface Export Center APIs (profiles/runs/download) through gateway with tenant scoping, streaming support, and viewer/operator scope checks. |
| WEB-EXPORT-36-001 Distribution endpoints | TODO | BE-Base Platform Guild | WEB-EXPORT-35-001, EXPORT-SVC-36-004 | Add distribution routes (OCI/object storage), manifest/provenance proxies, and signed URL generation. |
| WEB-EXPORT-37-001 Scheduling & verification | TODO | BE-Base Platform Guild | WEB-EXPORT-36-001, EXPORT-SVC-37-003 | Expose scheduling, retention, encryption parameters, and verification endpoints with admin scope enforcement and audit logs. |

## Notifications Studio (Epic 11)

| ID | Status | Owner(s) | Depends on | Notes |
|---|---|---|---|---|
| WEB-NOTIFY-38-001 Gateway routing | TODO | BE-Base Platform Guild | NOTIFY-SVC-38-004, AUTH-NOTIFY-38-001 | Route notifier APIs (/notifications/*) and WS feed through gateway with tenant scoping, viewer/operator scope enforcement, and SSE/WebSocket bridging. |
| WEB-NOTIFY-39-001 Digest & simulation endpoints | TODO | BE-Base Platform Guild | WEB-NOTIFY-38-001, NOTIFY-SVC-39-001..003 | Surface digest scheduling, quiet-hour/throttle management, and simulation APIs; ensure rate limits and audit logging. |
| WEB-NOTIFY-40-001 Escalations & localization | TODO | BE-Base Platform Guild | WEB-NOTIFY-39-001, NOTIFY-SVC-40-001..003 | Expose escalation, localization, channel health, and ack verification endpoints with admin scope enforcement and signed token validation. |

## Containerized Distribution (Epic 13)

| ID | Status | Owner(s) | Depends on | Notes |
|---|---|---|---|---|
| WEB-CONTAINERS-44-001 Config discovery & quickstart flag | TODO | BE-Base Platform Guild | COMPOSE-44-001 | Expose /welcome state, config discovery endpoint (safe values), and QUICKSTART_MODE handling for Console banner; add /health/liveness, /health/readiness, /version if missing. |
| WEB-CONTAINERS-45-001 Helm readiness support | TODO | BE-Base Platform Guild | HELM-45-001 | Ensure readiness endpoints reflect DB/queue readiness, add feature flag toggles via config map, and document NetworkPolicy ports. |
| WEB-CONTAINERS-46-001 Air-gap hardening | TODO | BE-Base Platform Guild | DEPLOY-AIRGAP-46-001 | Provide offline-friendly asset serving (no CDN), allow overriding object store endpoints via env, and document fallback behavior. |

## Authority-Backed Scopes & Tenancy (Epic 14)

| ID | Status | Owner(s) | Depends on | Notes |
|---|---|---|---|---|
| WEB-TEN-47-001 Auth middleware | TODO | BE-Base Platform Guild | AUTH-TEN-47-001 | Implement JWT verification, tenant activation from headers, scope matching, and decision audit emission for all API endpoints. |
| WEB-TEN-48-001 Tenant context propagation | TODO | BE-Base Platform Guild | WEB-TEN-47-001 | Set DB session stella.tenant_id, enforce tenant/project checks on persistence, prefix object storage paths, and stamp audit metadata. |
| WEB-TEN-49-001 ABAC & audit API | TODO | BE-Base Platform Guild, Policy Guild | POLICY-TEN-48-001 | Integrate optional ABAC overlay with Policy Engine, expose /audit/decisions API, and support service token minting endpoints. |
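The security-relevant detail in WEB-TEN-47-001 is the order of the checks: the tenant named in a request header may only *select* one of the tenants the verified token already grants, never add one, and the scope check runs against the token, not the header. The C# below is an added example written for this page, not the project's middleware; it assumes the JWT has already been signature-verified by the framework, that it carries a `tenants` claim and a space-separated `scope` claim, and that the client picks the active tenant with an `X-Stella-Tenant` header (an assumed header name). Every decision, allow or deny, is appended to an audit list so the later `/audit/decisions` surface (WEB-TEN-49-001) has something to expose.

```csharp
// Added example, not StellaOps code: tenant activation + scope matching after JWT
// verification, with a decision audit record per request.
// Assumptions: the token is already signature-checked and yields a "tenants" claim and a
// space-separated "scope" claim; the active tenant is requested via X-Stella-Tenant
// (assumed header name); scope names follow the page's resource:action style.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed record VerifiedToken(string Subject, IReadOnlySet<string> Tenants, IReadOnlySet<string> Scopes)
{
    // Build from an already-verified claim set; the space-separated scope format is assumed.
    public static VerifiedToken FromClaims(string subject, IEnumerable<string> tenantClaims, string scopeClaim) =>
        new(subject,
            tenantClaims.ToHashSet(StringComparer.Ordinal),
            scopeClaim.Split(' ', StringSplitOptions.RemoveEmptyEntries).ToHashSet(StringComparer.Ordinal));
}

public sealed record Decision(bool Allowed, string? ActiveTenant, string Reason);

public sealed record DecisionAudit(
    DateTimeOffset At, string Subject, string? RequestedTenant, string Route,
    string RequiredScope, bool Allowed, string Reason);

public static class TenantScopeGuard
{
    public const string TenantHeader = "X-Stella-Tenant"; // assumed header name

    public static Decision Decide(
        VerifiedToken token, string? tenantHeader, string requiredScope, string route,
        DateTimeOffset now, ICollection<DecisionAudit> audit)
    {
        Decision decision;
        if (string.IsNullOrWhiteSpace(tenantHeader))
            decision = new(false, null, $"{TenantHeader} header missing");
        else if (!token.Tenants.Contains(tenantHeader))
            // The header selects among tenants the token grants; it can never widen them.
            decision = new(false, null, "tenant not granted by token");
        else if (!token.Scopes.Contains(requiredScope))
            decision = new(false, null, $"scope {requiredScope} not granted");
        else
            decision = new(true, tenantHeader, "ok");

        // Record allows and denies alike, so a denied request is an audit event, not a silent 403.
        audit.Add(new DecisionAudit(now, token.Subject, tenantHeader, route, requiredScope,
                                    decision.Allowed, decision.Reason));
        return decision;
    }
}

public static class Program
{
    public static void Main()
    {
        var audit = new List<DecisionAudit>();
        var now = new DateTimeOffset(2025, 11, 8, 12, 0, 0, TimeSpan.Zero);

        // Constructed token: may act in tenant-a and tenant-b, holds advisory:read only.
        var token = VerifiedToken.FromClaims("svc-console", new[] { "tenant-a", "tenant-b" }, "advisory:read");

        _ = TenantScopeGuard.Decide(token, "tenant-a", "advisory:read", "GET /advisories", now, audit); // allowed
        _ = TenantScopeGuard.Decide(token, "tenant-c", "advisory:read", "GET /advisories", now, audit); // header tries to escalate
        _ = TenantScopeGuard.Decide(token, "tenant-b", "evidence:read", "GET /evidence", now, audit);   // scope not in token

        foreach (var e in audit)
            Console.WriteLine($"{e.At:o} sub={e.Subject} tenant={e.RequestedTenant} {e.Route} scope={e.RequiredScope} allowed={e.Allowed} ({e.Reason})");
    }
}
```

Only `Decision.ActiveTenant` from an allowed decision should feed the downstream work in WEB-TEN-48-001 (the `stella.tenant_id` session setting and the object-storage path prefix); taking the tenant from the raw header at that layer would reintroduce the escalation the guard just refused.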

## Observability & Forensics (Epic 15)

| ID | Status | Owner(s) | Depends on | Notes |
|---|---|---|---|---|
| WEB-OBS-50-001 Telemetry core adoption | TODO | BE-Base Platform Guild, Observability Guild | TELEMETRY-OBS-50-001, TELEMETRY-OBS-50-002 | Integrate StellaOps.Telemetry.Core into gateway host, replace ad-hoc logging, ensure all routes emit trace/span IDs, tenant context, and scrubbed payload previews. |
| WEB-OBS-51-001 Observability health endpoints | TODO | BE-Base Platform Guild | WEB-OBS-50-001, TELEMETRY-OBS-51-001 | Implement /obs/health and /obs/slo aggregations, pulling metrics from Prometheus/collector APIs, including burn-rate signals and exemplar links for Console widgets. |
| WEB-OBS-52-001 Trace & log proxies | TODO | BE-Base Platform Guild | WEB-OBS-50-001, TIMELINE-OBS-52-003 | Deliver /obs/trace/:id and /obs/logs proxy endpoints with guardrails (time window limits, tenant scoping) forwarding to timeline indexer + log store with signed URLs. |
| WEB-OBS-54-001 Evidence & attestation bridges | TODO | BE-Base Platform Guild | EVID-OBS-54-001, PROV-OBS-54-001 | Provide /evidence/* and /attestations/* pass-through endpoints, enforce timeline:read, evidence:read, attest:read scopes, append provenance headers, and surface verification summaries. |
| WEB-OBS-55-001 Incident mode controls | TODO | BE-Base Platform Guild, Ops Guild | WEB-OBS-50-001, TELEMETRY-OBS-55-001, DEVOPS-OBS-55-001 | Add /obs/incident-mode API (enable/disable/status) with audit trail, sampling override, retention bump preview, and CLI/Console hooks. |
| WEB-OBS-56-001 Sealed status surfaces | TODO | BE-Base Platform Guild, AirGap Guild | WEB-OBS-50-001, AIRGAP-CTL-56-002 | Extend telemetry core integration to expose sealed/unsealed status APIs, drift metrics, and Console widgets without leaking sealed-mode secrets. |

## SDKs & OpenAPI (Epic 17)

| ID | Status | Owner(s) | Depends on | Notes |
|---|---|---|---|---|
| WEB-OAS-61-001 Discovery endpoint | TODO | BE-Base Platform Guild | OAS-61-002 | Implement GET /.well-known/openapi returning gateway spec with version metadata, cache headers, and signed ETag. |
| WEB-OAS-61-002 Standard error envelope | TODO | BE-Base Platform Guild | APIGOV-61-001 | Migrate gateway errors to standard envelope and update examples; ensure telemetry logs include error.code. |
| WEB-OAS-62-001 Pagination & idempotency alignment | TODO | BE-Base Platform Guild | WEB-OAS-61-002 | Normalize all endpoints to cursor pagination, expose Idempotency-Key support, and document rate-limit headers. |
| WEB-OAS-63-001 Deprecation support | TODO | BE-Base Platform Guild, API Governance Guild | APIGOV-63-001 | Add deprecation header middleware, Sunset link emission, and observability metrics for deprecated routes. |

## Risk Profiles (Epic 18)

| ID | Status | Owner(s) | Depends on | Notes |
|---|---|---|---|---|
| WEB-RISK-66-001 Risk API routing | TODO | BE-Base Platform Guild, Policy Guild | POLICY-RISK-67-002 | Expose risk profile/results endpoints through gateway with tenant scoping, pagination, and rate limiting. |
| WEB-RISK-66-002 Explainability downloads | TODO | BE-Base Platform Guild, Risk Engine Guild | RISK-ENGINE-68-002 | Add signed URL handling for explanation blobs and enforce scope checks. |
| WEB-RISK-67-001 Risk status endpoint | TODO | BE-Base Platform Guild | WEB-RISK-66-001 | Provide aggregated risk stats (/risk/status) for Console dashboards (counts per severity, last computation). |
| WEB-RISK-68-001 Notification hooks | TODO | BE-Base Platform Guild, Notifications Guild | NOTIFY-RISK-66-001 | Emit events on severity transitions via gateway to notifier bus with trace metadata. |