Advisory Translation Register (2026-03-04 Batch)

This register maps advisories received between 2026-02-28 and 2026-03-04 to code-backed gaps, active implementation sprints, and module documentation commitments.

Batch scope:

  • 2026-02-28 advisories: 3
  • 2026-03-01 advisories: 2
  • 2026-03-04 advisories: 6
  • Total advisories translated: 11

Topic Clusters

| Cluster ID | Topic | Included Advisories |
| --- | --- | --- |
| CL-01 | Trace lineage and smart-diff evidence chain | 2026-02-28 - Auditor-first differentiator mocks, 2026-03-04 - Smart-diff and binary provenance chain, 2026-03-04 - Smart-diff algorithm knobs and delta_manifest recipe, 2026-03-04 - Trace-to-source lineage and reproducible replay harness, 2026-03-04 - Unified call-stack analyzer and micro-witness schema |
| CL-02 | Deterministic signed scoring and explainability UX | 2026-03-04 - Deterministic scoring formula and DSSE vectors, 2026-03-04 - Signed-score explainability UI pattern, 2026-02-28 - Auditor-first differentiator mocks |
| CL-03 | Auditable unknown and VEX lifecycle | 2026-03-01 - Auditable unknown VEX lifecycle design, 2026-02-28 - Closing Stella's top product and roadmap gaps |
| CL-04 | Federation and remediation marketplace moat execution | 2026-02-28 - Five concrete moats with measurable milestones, 2026-03-01 - Three dominant vendor architecture patterns, 2026-02-28 - Closing Stella's top product and roadmap gaps |

Confirmed Code-Backed Gaps

| Gap ID | Module | Evidence | Gap Summary |
| --- | --- | --- | --- |
| SCN-001 | Scanner | `src/Scanner/StellaOps.Scanner.WebService/Endpoints/DeltaCompareEndpoints.cs` | DeltaCompareService still uses placeholder compare logic and GetComparisonAsync returns null. |
| SCN-002 | Scanner | `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ActionablesEndpoints.cs` | Actionables output is demo/sample data rather than findings-derived recommendations. |
| SCN-003 | Scanner | `src/Scanner/__Libraries/StellaOps.Scanner.ChangeTrace/Builder/ChangeTraceBuilder.cs` | BuildPlaceholderTrace path is still active with TODO integration notes. |
| SCN-004 | Scanner | `src/Scanner/__Libraries/StellaOps.Scanner.Runtime/Ingestion/TraceIngestionService.cs` | GetTracesForScanAsync is TODO and always returns an empty list. |
| SCN-005 | Scanner | `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Stack/ReachabilityResultFactory.cs` | Exploitable verdicts return placeholder Unknown() instead of affected PathWitness results. |
| SCN-006 | Scanner/Web | `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ScoreReplayEndpoints.cs`, `src/Web/StellaOps.Web/src/app/core/api/proof.client.ts` | Replay route contract mismatch (`/score/{scanId}/...` vs `/scans/{scanId}/score/...`) and missing aligned score-history path contract. |
| SCN-007 | Scanner | `src/Scanner/StellaOps.Scanner.WebService/Services/DeterministicScoringService.cs` | Deterministic score is hash projection only, without factorized explainability contract. |
| VEX-001 | VexLens | `src/VexLens/StellaOps.VexLens/Models/NormalizedVexModels.cs`, `src/VexLens/StellaOps.VexLens.Core/Normalization/VexLensNormalizer.cs` | Unknown status is not first-class in normalized enum path and defaults collapse to under_investigation. |
| UNK-001 | Unknowns | `src/Unknowns/__Libraries/StellaOps.Unknowns.Persistence/Postgres/Repositories/PostgresUnknownRepository.cs`, `src/Unknowns/__Libraries/StellaOps.Unknowns.Persistence/EfCore/Repositories/UnknownEfRepository.cs` | Provenance-hints persistence/query methods are unimplemented (NotImplementedException). |
| POL-001 | Policy | `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScorePolicyModels.cs`, `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScorePolicyValidator.cs` | Score policy schema requires policyId but runtime model omits it. |
| TEL-001 | Telemetry | `src/Telemetry/StellaOps.Telemetry.Federation/Consent/ConsentManager.cs`, `src/Telemetry/StellaOps.Telemetry.Federation/Bundles/FederatedTelemetryBundleBuilder.cs` | Federation DSSE envelope generation is placeholder in consent and bundle paths. |
| REM-001 | Remediation | `src/Remediation/StellaOps.Remediation.WebService/Endpoints/RemediationSourceEndpoints.cs` | Marketplace source endpoints are stubs; create/update returns 501 NotImplemented. |
| FE-001 | Web | `src/Web/StellaOps.Web/src/app/features/security/vulnerability-detail-page.component.ts` | Security detail page uses hardcoded vulnerability data payload. |
| FE-002 | Web | `src/Web/StellaOps.Web/src/app/features/security-risk/vulnerability-detail-page.component.ts` | Security-risk detail page remains placeholder-only (CVE-UNKNOWN route fallback). |
| FE-003 | Web | `src/Web/StellaOps.Web/src/app/core/api/proof.client.ts` and test tree inspection | No dedicated FE test coverage exists for score replay client and vulnerability detail page contracts. |

Advisory to Sprint Mapping

| Advisory | Primary Sprint(s) |
| --- | --- |
| 2026-02-28 - Auditor-first differentiator mocks | `SPRINT_20260304_302_Scanner_trace_delta_and_actionables_completion`, `SPRINT_20260304_303_Scanner_score_replay_contract_and_formula_alignment`, `SPRINT_20260304_309_FE_signed_score_and_vulnerability_detail_wiring` |
| 2026-02-28 - Five concrete moats with measurable milestones | `SPRINT_20260304_302_Scanner_trace_delta_and_actionables_completion`, `SPRINT_20260304_307_Telemetry_federation_dsse_bundle_hardening`, `SPRINT_20260304_308_Remediation_marketplace_sources_api_completion` |
| 2026-02-28 - Closing Stella's top product and roadmap gaps | `SPRINT_20260304_304_Unknowns_provenance_hints_persistence_completion`, `SPRINT_20260304_305_VexLens_unknown_lifecycle_and_merge_determinism`, `SPRINT_20260304_307_Telemetry_federation_dsse_bundle_hardening` |
| 2026-03-01 - Auditable unknown VEX lifecycle design | `SPRINT_20260304_304_Unknowns_provenance_hints_persistence_completion`, `SPRINT_20260304_305_VexLens_unknown_lifecycle_and_merge_determinism`, `SPRINT_20260304_306_Policy_score_policy_contract_consistency` |
| 2026-03-01 - Three dominant vendor architecture patterns | `SPRINT_20260304_307_Telemetry_federation_dsse_bundle_hardening`, `SPRINT_20260304_308_Remediation_marketplace_sources_api_completion` |
| 2026-03-04 - Deterministic scoring formula and DSSE vectors | `SPRINT_20260304_303_Scanner_score_replay_contract_and_formula_alignment`, `SPRINT_20260304_306_Policy_score_policy_contract_consistency`, `SPRINT_20260304_309_FE_signed_score_and_vulnerability_detail_wiring` |
| 2026-03-04 - Smart-diff algorithm knobs and delta_manifest recipe | `SPRINT_20260304_302_Scanner_trace_delta_and_actionables_completion` |
| 2026-03-04 - Smart-diff and binary provenance chain | `SPRINT_20260304_302_Scanner_trace_delta_and_actionables_completion` |
| 2026-03-04 - Trace-to-source lineage and reproducible replay harness | `SPRINT_20260304_302_Scanner_trace_delta_and_actionables_completion`, `SPRINT_20260304_303_Scanner_score_replay_contract_and_formula_alignment` |
| 2026-03-04 - Unified call-stack analyzer and micro-witness schema | `SPRINT_20260304_302_Scanner_trace_delta_and_actionables_completion`, `SPRINT_20260304_309_FE_signed_score_and_vulnerability_detail_wiring` |
| 2026-03-04 - Signed-score explainability UI pattern | `SPRINT_20260304_303_Scanner_score_replay_contract_and_formula_alignment`, `SPRINT_20260304_309_FE_signed_score_and_vulnerability_detail_wiring` |

Module Documentation Commitments

  • docs/modules/scanner/architecture.md
  • docs/modules/scanner/design/change-trace-architecture.md
  • docs/modules/vex-lens/architecture.md
  • docs/modules/unknowns/architecture.md
  • docs/modules/policy/architecture.md
  • docs/modules/telemetry/architecture.md
  • docs/modules/web/architecture.md
  • docs/modules/remediation/architecture.md

Translation Status

  • All advisories from the 2026-02-28 through 2026-03-04 batch are translated into active sprint scope.
  • Advisory files are archived under docs-archived/product/advisories/ with archive log ARCHIVE_LOG_20260304.md.
  • Open advisories directory status is reset to "no open advisories for this batch".