Files

StellaOps Bot 7792749bb4 feat: Add archived advisories and implement smart-diff as a core evidence primitive

- Introduced new advisory documents for archived superseded advisories, including detailed descriptions of features already implemented or covered by existing sprints.
- Added "Smart-Diff as a Core Evidence Primitive" advisory outlining the treatment of SBOM diffs as first-class evidence objects, enhancing vulnerability verdicts with deterministic replayability.
- Created "Visual Diffs for Explainable Triage" advisory to improve user experience in understanding policy decisions and reachability changes through visual diffs.
- Implemented "Weighted Confidence for VEX Sources" advisory to rank conflicting vulnerability evidence based on freshness and confidence, facilitating better decision-making.
- Established a signer module charter detailing the mission, expectations, key components, and signing modes for cryptographic signing services in StellaOps.
- Consolidated overlapping concepts from triage UI, visual diffs, and risk budget visualization advisories into a unified specification for better clarity and implementation tracking.

2025-12-26 13:01:43 +02:00

25-Dec-2025 - Implementing Diff‑Aware Release Gates.md

feat: Add archived advisories and implement smart-diff as a core evidence primitive

2025-12-26 13:01:43 +02:00

26-Dec-2026 - Diff‑Aware Releases and Auditable Exceptions.md

feat: Add archived advisories and implement smart-diff as a core evidence primitive

2025-12-26 13:01:43 +02:00

26-Dec-2026 - Reachability as Cryptographic Proof.md

feat: Add archived advisories and implement smart-diff as a core evidence primitive

2025-12-26 13:01:43 +02:00

26-Dec-2026 - Smart‑Diff as a Core Evidence Primitive.md

feat: Add archived advisories and implement smart-diff as a core evidence primitive

2025-12-26 13:01:43 +02:00

README.md

feat: Add archived advisories and implement smart-diff as a core evidence primitive

2025-12-26 13:01:43 +02:00

README.md

Archived Superseded Advisories

Archived: 2025-12-26 Reason: Concepts already implemented or covered by existing sprints

Advisory Status

These advisories described features that are already substantially implemented in the codebase or covered by existing sprint files.

Advisory	Status	Superseded By
`25-Dec-2025 - Implementing Diff‑Aware Release Gates.md`	SUPERSEDED	SPRINT_20251226_001_BE through 006_DOCS
`26-Dec-2026 - Diff‑Aware Releases and Auditable Exceptions.md`	SUPERSEDED	SPRINT_20251226_003_BE_exception_approval.md
`26-Dec-2026 - Smart‑Diff as a Core Evidence Primitive.md`	SUPERSEDED	Existing DeltaVerdict library
`26-Dec-2026 - Reachability as Cryptographic Proof.md`	SUPERSEDED	Existing ProofChain library + SPRINT_007/009/010/011

Existing Implementation

The following components already implement the advisory concepts:

DeltaVerdict & DeltaComputer

src/Policy/__Libraries/StellaOps.Policy/Deltas/DeltaVerdict.cs
src/Policy/__Libraries/StellaOps.Policy/Deltas/DeltaComputer.cs
src/__Libraries/StellaOps.DeltaVerdict/ (complete library)

Exception Management

src/Policy/__Libraries/StellaOps.Policy.Storage.Postgres/Models/ExceptionEntity.cs
src/Policy/StellaOps.Policy.Engine/Adapters/ExceptionAdapter.cs
src/Policy/__Libraries/StellaOps.Policy.Exceptions/ (complete library)

ProofChain & Reachability Proofs

src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/ (complete library):
- Statements/ReachabilityWitnessStatement.cs - Entry→sink proof chains
- Statements/ReachabilitySubgraphStatement.cs - Minimal subgraph attestation
- Statements/ProofSpineStatement.cs - Merkle-aggregated proof bundles
- Predicates/ReachabilitySubgraphPredicate.cs - Subgraph predicate
- Identifiers/ContentAddressedIdGenerator.cs - Content-addressed IDs
- Merkle/DeterministicMerkleTreeBuilder.cs - Merkle tree construction
- Signing/ProofChainSigner.cs - DSSE signing
- Verification/VerificationPipeline.cs - Proof verification
src/__Libraries/StellaOps.Replay.Core/ReplayManifest.cs - Replay manifests

Covering Sprints

docs/implplan/SPRINT_20251226_001_BE_cicd_gate_integration.md - Gate endpoints, CI/CD
docs/implplan/SPRINT_20251226_002_BE_budget_enforcement.md - Risk budget automation
docs/implplan/SPRINT_20251226_003_BE_exception_approval.md - Exception workflows (21 tasks)
docs/implplan/SPRINT_20251226_004_FE_risk_dashboard.md - Side-by-side UI
docs/implplan/SPRINT_20251226_005_SCANNER_reachability_extractors.md - Language extractors
docs/implplan/SPRINT_20251226_006_DOCS_advisory_consolidation.md - Documentation
docs/implplan/SPRINT_20251226_007_BE_determinism_gaps.md - Determinism gaps, metrics (25 tasks)
docs/implplan/SPRINT_20251226_009_SCANNER_funcproof.md - FuncProof generation (18 tasks)
docs/implplan/SPRINT_20251226_010_SIGNALS_runtime_stack.md - eBPF stack capture (17 tasks)
docs/implplan/SPRINT_20251226_011_BE_auto_vex_downgrade.md - Auto-VEX from runtime (16 tasks)

Remaining Gaps Added to Sprints

Minor gaps from these advisories were added to existing sprints:

Added to SPRINT_20251226_003_BE_exception_approval.md:

EXCEPT-16: Auto-revalidation job
EXCEPT-17: Re-review gate flip on failure
EXCEPT-18: Exception inheritance (repo→image→env)
EXCEPT-19: Conflict surfacing for shadowed exceptions
EXCEPT-20: OCI-attached exception attestation
EXCEPT-21: CLI export command

Added to SPRINT_20251226_007_BE_determinism_gaps.md:

DET-GAP-21: Proof generation rate metric
DET-GAP-22: Median proof size metric
DET-GAP-23: Replay success rate metric
DET-GAP-24: Proof dedup ratio metric
DET-GAP-25: "Unknowns" burn-down tracking

Cross-References

If you arrived here via a broken link, see:

docs/implplan/SPRINT_20251226_*.md for implementation tasks
src/Policy/__Libraries/StellaOps.Policy/Deltas/ for delta computation
src/__Libraries/StellaOps.DeltaVerdict/ for verdict models

README.md Unescape Escape

Archived Superseded Advisories

Advisory Status

Existing Implementation

DeltaVerdict & DeltaComputer

Exception Management

ProofChain & Reachability Proofs

Covering Sprints

Remaining Gaps Added to Sprints

Cross-References

README.md