git.stella-ops.org/docs/implplan/archived/updates/tasks.md
StellaOps Bot e2e404e705
up
2025-12-14 16:24:16 +02:00


Closed sprint tasks archived from SPRINTS.md on 2025-10-19.

Sprint | Theme | Tasks File Path | Status | Type of Specialist | Task ID | Task Description
Sprint 1 Stabilize In-Progress Foundations src/Concelier/__Libraries/StellaOps.Concelier.Models DONE (2025-10-12) Team Models & Merge Leads FEEDMODELS-SCHEMA-01-001 SemVer primitive range-style metadata
Instructions to work:
DONE Read ./AGENTS.md and src/Concelier/__Libraries/StellaOps.Concelier.Models/AGENTS.md. This task lays the groundwork—complete the SemVer helper updates before teammates pick up FEEDMODELS-SCHEMA-01-002/003 and FEEDMODELS-SCHEMA-02-900. Use ./src/FASTER_MODELING_AND_NORMALIZATION.md for the target rule structure.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/__Libraries/StellaOps.Concelier.Models DONE (2025-10-11) Team Models & Merge Leads FEEDMODELS-SCHEMA-01-002 Provenance decision rationale field
Instructions to work:
AdvisoryProvenance now carries decisionReason and docs/tests were updated. Connectors and merge tasks should populate the field when applying precedence/freshness/tie-breaker logic; see src/Concelier/__Libraries/StellaOps.Concelier.Models/PROVENANCE_GUIDELINES.md for usage guidance.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/__Libraries/StellaOps.Concelier.Models DONE (2025-10-11) Team Models & Merge Leads FEEDMODELS-SCHEMA-01-003 Normalized version rules collection
Instructions to work:
AffectedPackage.NormalizedVersions and supporting comparer/docs/tests shipped. Connector owners must emit rule arrays per ./src/FASTER_MODELING_AND_NORMALIZATION.md and report progress via FEEDMERGE-COORD-02-900 so merge/storage backfills can proceed.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/__Libraries/StellaOps.Concelier.Models DONE (2025-10-12) Team Models & Merge Leads FEEDMODELS-SCHEMA-02-900 Range primitives for SemVer/EVR/NEVRA metadata
Instructions to work:
DONE Read ./AGENTS.md and src/Concelier/__Libraries/StellaOps.Concelier.Models/AGENTS.md before resuming this stalled effort. Confirm helpers align with the new NormalizedVersions representation so connectors finishing in Sprint 2 can emit consistent metadata.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/__Libraries/StellaOps.Concelier.Normalization DONE (2025-10-11) Team Normalization & Storage Backbone FEEDNORM-NORM-02-001 SemVer normalized rule emitter
Shared SemVerRangeRuleBuilder now outputs primitives + normalized rules per FASTER_MODELING_AND_NORMALIZATION.md; CVE/GHSA connectors consuming the API have verified fixtures.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo DONE (2025-10-11) Team Normalization & Storage Backbone FEEDSTORAGE-DATA-02-001 Normalized range dual-write + backfill
AdvisoryStore dual-writes flattened normalizedVersions when concelier.storage.enableSemVerStyle is set; migration 20251011-semver-style-backfill updates historical records and docs outline the rollout.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo DONE (2025-10-11) Team Normalization & Storage Backbone FEEDSTORAGE-DATA-02-002 Provenance decision reason persistence
Storage now persists provenance.decisionReason for advisories and merge events; tests cover round-trips.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo DONE (2025-10-11) Team Normalization & Storage Backbone FEEDSTORAGE-DATA-02-003 Normalized versions indexing
Bootstrapper seeds compound/sparse indexes for flattened normalized rules and docs/dev/mongo_indices.md documents query guidance.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo DONE (2025-10-11) Team Normalization & Storage Backbone FEEDSTORAGE-TESTS-02-004 Restore AdvisoryStore build after normalized versions refactor
Updated constructors/tests keep storage suites passing with the new feature flag defaults.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.WebService DONE (2025-10-12) Team WebService & Authority FEEDWEB-ENGINE-01-002 Plumb Authority client resilience options
WebService wires authority.resilience.* into AddStellaOpsAuthClient and adds binding coverage via AuthorityClientResilienceOptionsAreBound.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.WebService DONE (2025-10-12) Team WebService & Authority FEEDWEB-DOCS-01-003 Author ops guidance for resilience tuning
Install/runbooks document connected vs air-gapped resilience profiles and monitoring hooks.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.WebService DONE (2025-10-12) Team WebService & Authority FEEDWEB-DOCS-01-004 Document authority bypass logging patterns
Operator guides now call out route/status/subject/clientId/scopes/bypass/remote audit fields and SIEM triggers.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.WebService DONE (2025-10-12) Team WebService & Authority FEEDWEB-DOCS-01-005 Update Concelier operator guide for enforcement cutoff
Install guide reiterates the 2025-12-31 cutoff and links audit signals to the rollout checklist.
Sprint 1 Stabilize In-Progress Foundations src/Authority/StellaOps.Authority DONE (2025-10-11) Team WebService & Authority SEC3.HOST Rate limiter policy binding
Authority host now applies configuration-driven fixed windows to /token, /authorize, and /internal/*; integration tests assert 429 + Retry-After headers; docs/config samples refreshed for Docs guild diagrams.
Sprint 1 Stabilize In-Progress Foundations src/Authority/StellaOps.Authority DONE (2025-10-11) Team WebService & Authority SEC3.BUILD Authority rate-limiter follow-through
Security.RateLimiting now fronts token/authorize/internal limiters; Authority + Configuration matrices (dotnet test src/Authority/StellaOps.Authority/StellaOps.Authority.sln, dotnet test src/__Libraries/__Tests/StellaOps.Configuration.Tests/StellaOps.Configuration.Tests.csproj) passed on 2025-10-11; awaiting #authority-core broadcast.
Sprint 1 Stabilize In-Progress Foundations src/Authority/StellaOps.Authority DONE (2025-10-14) Team Authority Platform & Security Guild AUTHCORE-BUILD-OPENIDDICT / AUTHCORE-STORAGE-DEVICE-TOKENS / AUTHCORE-BOOTSTRAP-INVITES Address remaining Authority compile blockers (OpenIddict transaction shim, token device document, bootstrap invite cleanup) so dotnet build src/Authority/StellaOps.Authority/StellaOps.Authority.sln returns success.
Sprint 1 Stabilize In-Progress Foundations src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard DONE (2025-10-11) Team WebService & Authority PLG6.DOC Plugin developer guide polish
Section 9 now documents rate limiter metadata, config keys, and lockout interplay; YAML samples updated alongside Authority config templates.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc DONE (2025-10-11) Team Connector Resumption CERT/RedHat FEEDCONN-CERTCC-02-001 Fetch pipeline & state tracking
Summary planner now drives monthly/yearly VINCE fetches, persists pending summaries/notes, and hydrates VINCE detail queue with telemetry.
Team instructions: Read ./AGENTS.md and src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/AGENTS.md. Coordinate daily with Models/Merge leads so new normalizedVersions output and provenance tags stay aligned with ./src/FASTER_MODELING_AND_NORMALIZATION.md.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc DONE (2025-10-11) Team Connector Resumption CERT/RedHat FEEDCONN-CERTCC-02-002 VINCE note detail fetcher
Summary planner queues VINCE note detail endpoints, persists raw JSON with SHA/ETag metadata, and records retry/backoff metrics.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc DONE (2025-10-11) Team Connector Resumption CERT/RedHat FEEDCONN-CERTCC-02-003 DTO & parser implementation
Added VINCE DTO aggregate, Markdown→text sanitizer, vendor/status/vulnerability parsers, and parser regression fixture.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc DONE (2025-10-11) Team Connector Resumption CERT/RedHat FEEDCONN-CERTCC-02-004 Canonical mapping & range primitives
VINCE DTO aggregate flows through CertCcMapper, emitting vendor range primitives + normalized version rules that persist via _advisoryStore.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc DONE (2025-10-12) Team Connector Resumption CERT/RedHat FEEDCONN-CERTCC-02-005 Deterministic fixtures/tests
Snapshot harness refreshed 2025-10-12; certcc-*.snapshot.json regenerated and regression suite green without UPDATE flag drift.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc DONE (2025-10-12) Team Connector Resumption CERT/RedHat FEEDCONN-CERTCC-02-006 Telemetry & documentation
CertCcDiagnostics publishes summary/detail/parse/map metrics (meter StellaOps.Concelier.Connector.CertCc), README documents instruments, and log guidance captured for Ops on 2025-10-12.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc DONE (2025-10-12) Team Connector Resumption CERT/RedHat FEEDCONN-CERTCC-02-007 Connector test harness remediation
Harness now wires AddSourceCommon, resets FakeTimeProvider, and passes canned-response regression run dated 2025-10-12.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc DONE (2025-10-11) Team Connector Resumption CERT/RedHat FEEDCONN-CERTCC-02-008 Snapshot coverage handoff
Fixtures regenerated with normalized ranges + provenance fields on 2025-10-11; QA handoff notes published and merge backfill unblocked.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc DONE (2025-10-12) Team Connector Resumption CERT/RedHat FEEDCONN-CERTCC-02-012 Schema sync & snapshot regen follow-up
Fixtures regenerated with normalizedVersions + provenance decision reasons; handoff notes updated for Merge backfill 2025-10-12.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc DONE (2025-10-11) Team Connector Resumption CERT/RedHat FEEDCONN-CERTCC-02-009 Detail/map reintegration plan
Staged reintegration plan published in src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/FEEDCONN-CERTCC-02-009_PLAN.md; coordinates enablement with FEEDCONN-CERTCC-02-004.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc DONE (2025-10-12) Team Connector Resumption CERT/RedHat FEEDCONN-CERTCC-02-010 Partial-detail graceful degradation
Detail fetch now tolerates 404/403/410 responses and regression tests cover mixed endpoint availability.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Distro.RedHat DONE (2025-10-11) Team Connector Resumption CERT/RedHat FEEDCONN-REDHAT-02-001 Fixture validation sweep
Instructions to work:
Fixtures regenerated post-model-helper rollout; provenance ordering and normalizedVersions scaffolding verified via tests. Conflict resolver deltas logged in src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Distro.RedHat/CONFLICT_RESOLVER_NOTES.md for Sprint 3 consumers.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple DONE (2025-10-12) Team Vendor Apple Specialists FEEDCONN-APPLE-02-001 Canonical mapping & range primitives
Mapper emits SemVer rules (scheme=apple:*); fixtures regenerated with trimmed references + new RSR coverage, update tooling finalized.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple DONE (2025-10-11) Team Vendor Apple Specialists FEEDCONN-APPLE-02-002 Deterministic fixtures/tests
Sanitized live fixtures + regression snapshots wired into tests; normalized rule coverage asserted.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple DONE (2025-10-11) Team Vendor Apple Specialists FEEDCONN-APPLE-02-003 Telemetry & documentation
Apple meter metrics wired into Concelier WebService OpenTelemetry configuration; README and fixtures document normalizedVersions coverage.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple DONE (2025-10-12) Team Vendor Apple Specialists FEEDCONN-APPLE-02-004 Live HTML regression sweep
Sanitised HT125326/HT125328/HT106355/HT214108/HT215500 fixtures recorded and regression tests green on 2025-10-12.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple DONE (2025-10-11) Team Vendor Apple Specialists FEEDCONN-APPLE-02-005 Fixture regeneration tooling
UPDATE_APPLE_FIXTURES=1 flow fetches & rewrites fixtures; README documents usage.
Instructions to work:
DONE Read ./AGENTS.md and src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple/AGENTS.md. Resume stalled tasks, ensuring normalizedVersions output and fixtures align with ./src/FASTER_MODELING_AND_NORMALIZATION.md before handing data to the conflict sprint.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa DONE (2025-10-12) Team Connector Normalized Versions Rollout FEEDCONN-GHSA-02-001 GHSA normalized versions & provenance
Team instructions: Read ./AGENTS.md and each module's AGENTS file. Adopt the NormalizedVersions array emitted by the models sprint, wiring provenance decisionReason where merge overrides occur. Follow ./src/FASTER_MODELING_AND_NORMALIZATION.md; report via src/Concelier/__Libraries/StellaOps.Concelier.Merge (FEEDMERGE-COORD-02-900). Progress 2025-10-11: GHSA/OSV emit normalized arrays with refreshed fixtures; CVE mapper now surfaces SemVer normalized ranges; NVD/KEV adoption pending; outstanding follow-ups include FEEDSTORAGE-DATA-02-001, FEEDMERGE-ENGINE-02-002, and rolling src/Tools/FixtureUpdater updates across connectors.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv DONE (2025-10-12) Team Connector Normalized Versions Rollout FEEDCONN-OSV-02-003 OSV normalized versions & freshness
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd DONE (2025-10-12) Team Connector Normalized Versions Rollout FEEDCONN-NVD-02-002 NVD normalized versions & timestamps
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Cve DONE (2025-10-12) Team Connector Normalized Versions Rollout FEEDCONN-CVE-02-003 CVE normalized versions uplift
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Kev DONE (2025-10-12) Team Connector Normalized Versions Rollout FEEDCONN-KEV-02-003 KEV normalized versions propagation
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv DONE (2025-10-12) Team Connector Normalized Versions Rollout FEEDCONN-OSV-04-003 OSV parity fixture refresh
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.WebService DONE (2025-10-10) Team WebService & Authority FEEDWEB-DOCS-01-001 Document authority toggle & scope requirements
Quickstart carries toggle/scope guidance pending docs guild review (no change this sprint).
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.WebService DONE (2025-10-12) Team WebService & Authority FEEDWEB-DOCS-01-003 Author ops guidance for resilience tuning
Operator docs now outline connected vs air-gapped resilience profiles and monitoring cues.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.WebService DONE (2025-10-12) Team WebService & Authority FEEDWEB-DOCS-01-004 Document authority bypass logging patterns
Audit logging guidance highlights route/status/subject/clientId/scopes/bypass/remote fields and SIEM alerts.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.WebService DONE (2025-10-12) Team WebService & Authority FEEDWEB-DOCS-01-005 Update Concelier operator guide for enforcement cutoff
Install guide reiterates the 2025-12-31 cutoff and ties audit signals to rollout checks.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.WebService DONE (2025-10-11) Team WebService & Authority FEEDWEB-OPS-01-006 Rename plugin drop directory to namespaced path
Build outputs, tests, and docs now target StellaOps.Concelier.PluginBinaries/StellaOps.Authority.PluginBinaries.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.WebService DONE (2025-10-11) Team WebService & Authority FEEDWEB-OPS-01-007 Authority resilience adoption
Deployment docs and CLI notes explain the LIB5 resilience knobs for rollout.
Instructions to work:
DONE Read ./AGENTS.md and src/Concelier/StellaOps.Concelier.WebService/AGENTS.md. These items were mid-flight; resume implementation ensuring docs/operators receive timely updates.
Sprint 1 Stabilize In-Progress Foundations src/Authority/StellaOps.Authority DONE (2025-10-11) Team Authority Platform & Security Guild AUTHCORE-ENGINE-01-001 CORE8.RL — Rate limiter plumbing validated; integration tests green and docs handoff recorded for middleware ordering + Retry-After headers (see docs/dev/authority-rate-limit-tuning-outline.md for continuing guidance).
Sprint 1 Stabilize In-Progress Foundations src/__Libraries/StellaOps.Cryptography DONE (2025-10-11) Team Authority Platform & Security Guild AUTHCRYPTO-ENGINE-01-001 SEC3.A — Shared metadata resolver confirmed via host test run; SEC3.B now unblocked for tuning guidance (outline captured in docs/dev/authority-rate-limit-tuning-outline.md).
Sprint 1 Stabilize In-Progress Foundations src/__Libraries/StellaOps.Cryptography DONE (2025-10-13) Team Authority Platform & Security Guild AUTHSEC-DOCS-01-002 SEC3.B — Published docs/security/rate-limits.md with tuning matrix, alert thresholds, and lockout interplay guidance; Docs guild can lift copy into plugin guide.
Sprint 1 Stabilize In-Progress Foundations src/__Libraries/StellaOps.Cryptography DONE (2025-10-14) Team Authority Platform & Security Guild AUTHSEC-CRYPTO-02-001 SEC5.B1 — Introduce libsodium signing provider and parity tests to unblock CLI verification enhancements.
Sprint 1 Bootstrap & Replay Hardening src/__Libraries/StellaOps.Cryptography DONE (2025-10-14) Security Guild AUTHSEC-CRYPTO-02-004 SEC5.D/E — Finish bootstrap invite lifecycle (API/store/cleanup) and token device heuristics; build currently red due to pending handler integration.
Sprint 1 Developer Tooling src/Cli/StellaOps.Cli DONE (2025-10-15) DevEx/CLI AUTHCLI-DIAG-01-001 Surface password policy diagnostics in CLI startup/output so operators see weakened overrides immediately.
CLI now loads Authority plug-ins at startup, logs weakened password policies (length/complexity), and regression coverage lives in StellaOps.Cli.Tests/Services/AuthorityDiagnosticsReporterTests.
Sprint 1 Stabilize In-Progress Foundations src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard DONE (2025-10-11) Team Authority Platform & Security Guild AUTHPLUG-DOCS-01-001 PLG6.DOC — Developer guide copy + diagrams merged 2025-10-11; limiter guidance incorporated and handed to Docs guild for asset export.
Sprint 2 Connector & Data Implementation Wave src/Concelier/__Libraries/StellaOps.Concelier.Normalization DONE (2025-10-12) Team Normalization & Storage Backbone FEEDNORM-NORM-02-001 SemVer normalized rule emitter
SemVerRangeRuleBuilder shipped 2025-10-12 with comparator/`
Sprint 2 Connector & Data Implementation Wave src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo DONE (2025-10-11) Team Normalization & Storage Backbone FEEDSTORAGE-DATA-02-001 Normalized range dual-write + backfill
Sprint 2 Connector & Data Implementation Wave src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo DONE (2025-10-11) Team Normalization & Storage Backbone FEEDSTORAGE-DATA-02-002 Provenance decision reason persistence
Sprint 2 Connector & Data Implementation Wave src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo DONE (2025-10-11) Team Normalization & Storage Backbone FEEDSTORAGE-DATA-02-003 Normalized versions indexing
Indexes seeded + docs updated 2025-10-11 to cover flattened normalized rules for connector adoption.
Sprint 2 Connector & Data Implementation Wave src/Concelier/__Libraries/StellaOps.Concelier.Merge DONE (2025-10-11) Team Normalization & Storage Backbone FEEDMERGE-ENGINE-02-002 Normalized versions union & dedupe
Affected package resolver unions/dedupes normalized rules, stamps merge provenance with decisionReason, and tests cover the rollout.
Sprint 2 Connector & Data Implementation Wave src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa DONE (2025-10-11) Team Connector Expansion GHSA/NVD/OSV FEEDCONN-GHSA-02-001 GHSA normalized versions & provenance
Sprint 2 Connector & Data Implementation Wave src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa DONE (2025-10-11) Team Connector Expansion GHSA/NVD/OSV FEEDCONN-GHSA-02-004 GHSA credits & ecosystem severity mapping
Sprint 2 Connector & Data Implementation Wave src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa DONE (2025-10-12) Team Connector Expansion GHSA/NVD/OSV FEEDCONN-GHSA-02-005 GitHub quota monitoring & retries
Sprint 2 Connector & Data Implementation Wave src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa DONE (2025-10-12) Team Connector Expansion GHSA/NVD/OSV FEEDCONN-GHSA-02-006 Production credential & scheduler rollout
Sprint 2 Connector & Data Implementation Wave src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa DONE (2025-10-12) Team Connector Expansion GHSA/NVD/OSV FEEDCONN-GHSA-02-007 Credit parity regression fixtures
Sprint 2 Connector & Data Implementation Wave src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd DONE (2025-10-11) Team Connector Expansion GHSA/NVD/OSV FEEDCONN-NVD-02-002 NVD normalized versions & timestamps
Sprint 2 Connector & Data Implementation Wave src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd DONE (2025-10-11) Team Connector Expansion GHSA/NVD/OSV FEEDCONN-NVD-02-004 NVD CVSS & CWE precedence payloads
Sprint 2 Connector & Data Implementation Wave src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd DONE (2025-10-12) Team Connector Expansion GHSA/NVD/OSV FEEDCONN-NVD-02-005 NVD merge/export parity regression
Sprint 2 Connector & Data Implementation Wave src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv DONE (2025-10-11) Team Connector Expansion GHSA/NVD/OSV FEEDCONN-OSV-02-003 OSV normalized versions & freshness
Sprint 2 Connector & Data Implementation Wave src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv DONE (2025-10-11) Team Connector Expansion GHSA/NVD/OSV FEEDCONN-OSV-02-004 OSV references & credits alignment
Sprint 2 Connector & Data Implementation Wave src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv DONE (2025-10-12) Team Connector Expansion GHSA/NVD/OSV FEEDCONN-OSV-02-005 Fixture updater workflow
Resolved 2025-10-12: OSV mapper now derives canonical PURLs for Go + scoped npm packages when raw payloads omit purl; conflict fixtures unchanged for invalid npm names. Verified via dotnet test src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv.Tests, src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa.Tests, src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd.Tests, and backbone normalization/storage suites.
Sprint 2 Connector & Data Implementation Wave src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Acsc DONE (2025-10-12) Team Connector Expansion Regional & Vendor Feeds FEEDCONN-ACSC-02-001 … 02-008 Fetch→parse→map pipeline, fixtures, diagnostics, and README finished 2025-10-12; downstream export parity captured via FEEDEXPORT-JSON-04-001 / FEEDEXPORT-TRIVY-04-001 (completed).
Sprint 2 Connector & Data Implementation Wave src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Cccs DONE (2025-10-16) Team Connector Expansion Regional & Vendor Feeds FEEDCONN-CCCS-02-001 … 02-008 Observability meter, historical harvest plan, and DOM sanitizer refinements wrapped; ops notes live under docs/modules/concelier/operations/connectors/cccs.md with fixtures validating EN/FR list handling.
Sprint 2 Connector & Data Implementation Wave src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertBund DONE (2025-10-15) Team Connector Expansion Regional & Vendor Feeds FEEDCONN-CERTBUND-02-001 … 02-008 Telemetry/docs (02-006) and history/locale sweep (02-007) completed alongside pipeline; runbook docs/modules/concelier/operations/connectors/certbund.md captures locale guidance and offline packaging.
Sprint 2 Connector & Data Implementation Wave src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Kisa DONE (2025-10-14) Team Connector Expansion Regional & Vendor Feeds FEEDCONN-KISA-02-001 … 02-007 Connector, tests, and telemetry/docs (02-006) finalized; localisation notes in docs/dev/kisa_connector_notes.md complete rollout.
Sprint 2 Connector & Data Implementation Wave src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ru.Bdu DONE (2025-10-14) Team Connector Expansion Regional & Vendor Feeds FEEDCONN-RUBDU-02-001 … 02-008 Fetch/parser/mapper refinements, regression fixtures, telemetry/docs, access options, and trusted root packaging all landed; README documents offline access strategy.
Sprint 2 Connector & Data Implementation Wave src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ru.Nkcki DONE (2025-10-13) Team Connector Expansion Regional & Vendor Feeds FEEDCONN-NKCKI-02-001 … 02-008 Listing fetch, parser, mapper, fixtures, telemetry/docs, and archive plan finished; Mongo2Go/libcrypto dependency resolved via bundled OpenSSL noted in ops guide.
Sprint 2 Connector & Data Implementation Wave src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ics.Cisa DONE (2025-10-16) Team Connector Expansion Regional & Vendor Feeds FEEDCONN-ICSCISA-02-001 … 02-011 Feed parser attachment fixes, SemVer exact values, regression suites, telemetry/docs updates, and handover complete; ops runbook now details attachment verification + proxy usage.
Sprint 2 Connector & Data Implementation Wave src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Cisco DONE (2025-10-14) Team Connector Expansion Regional & Vendor Feeds FEEDCONN-CISCO-02-001 … 02-007 OAuth fetch pipeline, DTO/mapping, tests, and telemetry/docs shipped; monitoring/export integration follow-ups recorded in Ops docs and exporter backlog (completed).
Sprint 2 Connector & Data Implementation Wave src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Msrc DONE (2025-10-15) Team Connector Expansion Regional & Vendor Feeds FEEDCONN-MSRC-02-001 … 02-008 Azure AD onboarding (02-008) unblocked fetch/parse/map pipeline; fixtures, telemetry/docs, and Offline Kit guidance published in docs/modules/concelier/operations/connectors/msrc.md.
Sprint 2 Connector & Data Implementation Wave src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Cve DONE (2025-10-15) Team Connector Support & Monitoring FEEDCONN-CVE-02-001 … 02-002 CVE data-source selection, fetch pipeline, and docs landed 2025-10-10. 2025-10-15: smoke verified using the seeded mirror fallback; connector now logs a warning and pulls from seed-data/cve/ until live CVE Services credentials arrive.
Sprint 2 Connector & Data Implementation Wave src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Kev DONE (2025-10-12) Team Connector Support & Monitoring FEEDCONN-KEV-02-001 … 02-002 KEV catalog ingestion, fixtures, telemetry, and schema validation completed 2025-10-12; ops dashboard published.
Sprint 2 Connector & Data Implementation Wave docs DONE (2025-10-11) Team Docs & Knowledge Base FEEDDOCS-DOCS-01-001 Canonical schema docs refresh
Updated canonical schema + provenance guides with SemVer style, normalized version rules, decision reason change log, and migration notes.
Sprint 2 Connector & Data Implementation Wave docs DONE (2025-10-11) Team Docs & Knowledge Base FEEDDOCS-DOCS-02-001 Concelier-SemVer Playbook
Published merge playbook covering mapper patterns, dedupe flow, indexes, and rollout checklist.
Sprint 2 Connector & Data Implementation Wave docs DONE (2025-10-11) Team Docs & Knowledge Base FEEDDOCS-DOCS-02-002 Normalized versions query guide
Delivered Mongo index/query addendum with $unwind recipes, dedupe checks, and operational checklist.
Instructions to work:
DONE Read ./AGENTS.md and docs/AGENTS.md. Document every schema/index/query change produced in Sprint 1-2 leveraging ./src/FASTER_MODELING_AND_NORMALIZATION.md.
Sprint 3 Conflict Resolution Integration & Communications src/Concelier/__Libraries/StellaOps.Concelier.Core DONE (2025-10-11) Team Core Engine & Storage Analytics FEEDCORE-ENGINE-03-001 Canonical merger implementation
CanonicalMerger ships with freshness/tie-breaker logic, provenance, and unit coverage feeding Merge.
Sprint 3 Conflict Resolution Integration & Communications src/Concelier/__Libraries/StellaOps.Concelier.Core DONE (2025-10-11) Team Core Engine & Storage Analytics FEEDCORE-ENGINE-03-002 Field precedence and tie-breaker map
Field precedence tables and tie-breaker metrics wired into the canonical merge flow; docs/tests updated.
Instructions to work:
Read ./AGENTS.md and core AGENTS. Implement the conflict resolver exactly as specified in ./src/DEDUP_CONFLICTS_RESOLUTION_ALGO.md, coordinating with Merge and Storage teammates.
Sprint 3 Conflict Resolution Integration & Communications src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo DONE (2025-10-11) Team Core Engine & Storage Analytics FEEDSTORAGE-DATA-03-001 Merge event provenance audit prep
Merge events now persist fieldDecisions and analytics-ready provenance snapshots.
Sprint 3 Conflict Resolution Integration & Communications src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo DONE (2025-10-11) Team Core Engine & Storage Analytics FEEDSTORAGE-DATA-02-001 Normalized range dual-write + backfill
Dual-write/backfill flag delivered; migration + options validated in tests.
Sprint 3 Conflict Resolution Integration & Communications src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo DONE (2025-10-11) Team Core Engine & Storage Analytics FEEDSTORAGE-TESTS-02-004 Restore AdvisoryStore build after normalized versions refactor
Storage tests adjusted for normalized versions/decision reasons.
Instructions to work:
Read ./AGENTS.md and storage AGENTS. Extend merge events with decision reasons and analytics views to support the conflict rules, and deliver the dual-write/backfill for NormalizedVersions + decisionReason so connectors can roll out safely.
Sprint 3 Conflict Resolution Integration & Communications src/Concelier/__Libraries/StellaOps.Concelier.Merge DONE (2025-10-11) Team Merge & QA Enforcement FEEDMERGE-ENGINE-04-001 GHSA/NVD/OSV conflict rules
Merge pipeline consumes CanonicalMerger output prior to precedence merge.
Sprint 3 Conflict Resolution Integration & Communications src/Concelier/__Libraries/StellaOps.Concelier.Merge DONE (2025-10-11) Team Merge & QA Enforcement FEEDMERGE-ENGINE-04-002 Override metrics instrumentation
Merge events capture per-field decisions; counters/logs align with conflict rules.
Sprint 3 Conflict Resolution Integration & Communications src/Concelier/__Libraries/StellaOps.Concelier.Merge DONE (2025-10-11) Team Merge & QA Enforcement FEEDMERGE-ENGINE-04-003 Reference & credit union pipeline
Canonical merge preserves unions with updated tests.
Sprint 3 Conflict Resolution Integration & Communications src/Concelier/__Libraries/StellaOps.Concelier.Merge DONE (2025-10-11) Team Merge & QA Enforcement FEEDMERGE-QA-04-001 End-to-end conflict regression suite
Added regression tests (AdvisoryMergeServiceTests) covering canonical + precedence flow.
Instructions to work:
Read ./AGENTS.md and merge AGENTS. Integrate the canonical merger, instrument metrics, and deliver comprehensive regression tests following ./src/DEDUP_CONFLICTS_RESOLUTION_ALGO.md.
Sprint 3 Conflict Resolution Integration & Communications src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa DONE (2025-10-12) Team Connector Regression Fixtures FEEDCONN-GHSA-04-002 GHSA conflict regression fixtures
Sprint 3 Conflict Resolution Integration & Communications src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd DONE (2025-10-12) Team Connector Regression Fixtures FEEDCONN-NVD-04-002 NVD conflict regression fixtures
Sprint 3 Conflict Resolution Integration & Communications src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv DONE (2025-10-12) Team Connector Regression Fixtures FEEDCONN-OSV-04-002 OSV conflict regression fixtures
Instructions to work:
Read ./AGENTS.md and module AGENTS. Produce fixture triples supporting the precedence/tie-breaker paths defined in ./src/DEDUP_CONFLICTS_RESOLUTION_ALGO.md and hand them to Merge QA.
Sprint 3 Conflict Resolution Integration & Communications docs DONE (2025-10-11) Team Documentation Guild Conflict Guidance FEEDDOCS-DOCS-05-001 Concelier Conflict Rules
Runbook published at docs/modules/concelier/operations/conflict-resolution.md; metrics/log guidance aligned with Sprint 3 merge counters.
Sprint 3 Conflict Resolution Integration & Communications docs DONE (2025-10-16) Team Documentation Guild Conflict Guidance FEEDDOCS-DOCS-05-002 Conflict runbook ops rollout
Ops review completed, alert thresholds applied, and change log appended in docs/modules/concelier/operations/conflict-resolution.md; task closed after connector signals verified.
Sprint 4 Schema Parity & Freshness Alignment src/Concelier/__Libraries/StellaOps.Concelier.Models DONE (2025-10-15) Team Models & Merge Leads FEEDMODELS-SCHEMA-04-001 Advisory schema parity (description/CWE/canonical metric)
Extend Advisory and related records with description text, CWE collection, and canonical metric pointer; refresh validation + serializer determinism tests.
Sprint 4 Schema Parity & Freshness Alignment src/Concelier/__Libraries/StellaOps.Concelier.Core DONE (2025-10-15) Team Core Engine & Storage Analytics FEEDCORE-ENGINE-04-003 Canonical merger parity for new fields
Teach CanonicalMerger to populate description, CWEResults, and canonical metric pointer with provenance + regression coverage.
Sprint 4 Schema Parity & Freshness Alignment src/Concelier/__Libraries/StellaOps.Concelier.Core DONE (2025-10-15) Team Core Engine & Storage Analytics FEEDCORE-ENGINE-04-004 Reference normalization & freshness instrumentation cleanup
Implement URL normalization for reference dedupe, align freshness-sensitive instrumentation, and add analytics tests.
Sprint 4 Schema Parity & Freshness Alignment src/Concelier/__Libraries/StellaOps.Concelier.Merge DONE (2025-10-15) Team Merge & QA Enforcement FEEDMERGE-ENGINE-04-004 Merge pipeline parity for new advisory fields
Ensure merge service + merge events surface description/CWE/canonical metric decisions with updated metrics/tests.
Sprint 4 Schema Parity & Freshness Alignment src/Concelier/__Libraries/StellaOps.Concelier.Merge DONE (2025-10-15) Team Merge & QA Enforcement FEEDMERGE-ENGINE-04-005 Connector coordination for new advisory fields
GHSA/NVD/OSV connectors now ship description, CWE, and canonical metric data with refreshed fixtures; merge coordination log updated and exporters notified.
Sprint 4 Schema Parity & Freshness Alignment src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.Json DONE (2025-10-15) Team Exporters JSON FEEDEXPORT-JSON-04-001 Surface new advisory fields in JSON exporter
Update schemas/offline bundle + fixtures once model/core parity lands.
2025-10-15: dotnet test src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.Json.Tests validated canonical metric/CWE emission.
Sprint 4 Schema Parity & Freshness Alignment src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.TrivyDb DONE (2025-10-15) Team Exporters Trivy DB FEEDEXPORT-TRIVY-04-001 Propagate new advisory fields into Trivy DB package
Extend Bolt builder, metadata, and regression tests for the expanded schema.
2025-10-15: dotnet test src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.TrivyDb.Tests confirmed canonical metric/CWE propagation.
Sprint 4 Schema Parity & Freshness Alignment src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa DONE (2025-10-16) Team Connector Regression Fixtures FEEDCONN-GHSA-04-004 Harden CVSS fallback so canonical metric ids persist when GitHub omits vectors; extend fixtures and document severity precedence hand-off to Merge.
Sprint 4 Schema Parity & Freshness Alignment src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv DONE (2025-10-16) Team Connector Expansion GHSA/NVD/OSV FEEDCONN-OSV-04-005 Map OSV advisories lacking CVSS vectors to canonical metric ids/notes and document CWE provenance quirks; schedule parity fixture updates.
Sprint 5 Excititor Core Foundations src/Excititor/__Libraries/StellaOps.Excititor.Core DONE (2025-10-15) Team Excititor Core & Policy EXCITITOR-CORE-01-001 Stand up canonical VEX claim/consensus records with deterministic serializers so Storage/Exports share a stable contract.
Sprint 5 Excititor Core Foundations src/Excititor/__Libraries/StellaOps.Excititor.Core DONE (2025-10-15) Team Excititor Core & Policy EXCITITOR-CORE-01-002 Implement trust-weighted consensus resolver with baseline policy weights, justification gates, telemetry output, and majority/tie handling.
Sprint 5 Excititor Core Foundations src/Excititor/__Libraries/StellaOps.Excititor.Core DONE (2025-10-15) Team Excititor Core & Policy EXCITITOR-CORE-01-003 Publish shared connector/exporter/attestation abstractions and deterministic query signature utilities for cache/attestation workflows.
Sprint 5 Excititor Core Foundations src/Excititor/__Libraries/StellaOps.Excititor.Policy DONE (2025-10-15) Team Excititor Policy EXCITITOR-POLICY-01-001 Established policy options & snapshot provider covering baseline weights/overrides.
Sprint 5 Excititor Core Foundations src/Excititor/__Libraries/StellaOps.Excititor.Policy DONE (2025-10-15) Team Excititor Policy EXCITITOR-POLICY-01-002 Policy evaluator now feeds consensus resolver with immutable snapshots.
Sprint 5 Excititor Core Foundations src/Excititor/__Libraries/StellaOps.Excititor.Policy DONE (2025-10-16) Team Excititor Policy EXCITITOR-POLICY-01-003 Author policy diagnostics, CLI/WebService surfacing, and documentation updates.
Sprint 5 Excititor Core Foundations src/Excititor/__Libraries/StellaOps.Excititor.Policy DONE (2025-10-16) Team Excititor Policy EXCITITOR-POLICY-01-004 Implement YAML/JSON schema validation and deterministic diagnostics for operator bundles.
Sprint 5 Excititor Core Foundations src/Excititor/__Libraries/StellaOps.Excititor.Policy DONE (2025-10-16) Team Excititor Policy EXCITITOR-POLICY-01-005 Add policy change tracking, snapshot digests, and telemetry/logging hooks.
Sprint 5 Excititor Core Foundations src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo DONE (2025-10-15) Team Excititor Storage EXCITITOR-STORAGE-01-001 Mongo mapping registry plus raw/export entities and DI extensions in place.
Sprint 5 Excititor Core Foundations src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo DONE (2025-10-16) Team Excititor Storage EXCITITOR-STORAGE-01-004 Build provider/consensus/cache class maps and related collections.
Sprint 5 Excititor Core Foundations src/Excititor/__Libraries/StellaOps.Excititor.Export DONE (2025-10-15) Team Excititor Export EXCITITOR-EXPORT-01-001 Export engine delivers cache lookup, manifest creation, and policy integration.
Sprint 5 Excititor Core Foundations src/Excititor/__Libraries/StellaOps.Excititor.Export DONE (2025-10-17) Team Excititor Export EXCITITOR-EXPORT-01-004 Connect export engine to attestation client and persist Rekor metadata.
Sprint 5 Excititor Core Foundations src/Excititor/__Libraries/StellaOps.Excititor.Attestation DONE (2025-10-16) Team Excititor Attestation EXCITITOR-ATTEST-01-001 Implement in-toto predicate + DSSE builder providing envelopes for export attestation.
Sprint 5 Excititor Core Foundations src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions DONE (2025-10-17) Team Excititor Connectors EXCITITOR-CONN-ABS-01-001 Deliver shared connector context/base classes so provider plug-ins can be activated via WebService/Worker.
Sprint 5 Excititor Core Foundations src/Excititor/StellaOps.Excititor.WebService DONE (2025-10-17) Team Excititor WebService EXCITITOR-WEB-01-001 Scaffold minimal API host, DI, and /excititor/status endpoint integrating policy, storage, export, and attestation services.
Sprint 6 Excititor Ingest & Formats src/Excititor/StellaOps.Excititor.Worker DONE (2025-10-17) Team Excititor Worker EXCITITOR-WORKER-01-001 Create Worker host with provider scheduling and logging to drive recurring pulls/reconciliation.
Sprint 6 Excititor Ingest & Formats src/Excititor/__Libraries/StellaOps.Excititor.Formats.CSAF DONE (2025-10-17) Team Excititor Formats EXCITITOR-FMT-CSAF-01-001 Implement CSAF normalizer foundation translating provider documents into VexClaim entries.
Sprint 6 Excititor Ingest & Formats src/Excititor/__Libraries/StellaOps.Excititor.Formats.CycloneDX DONE (2025-10-17) Team Excititor Formats EXCITITOR-FMT-CYCLONE-01-001 Implement CycloneDX VEX normalizer capturing analysis state and component references.
Sprint 6 Excititor Ingest & Formats src/Excititor/__Libraries/StellaOps.Excititor.Formats.OpenVEX DONE (2025-10-17) Team Excititor Formats EXCITITOR-FMT-OPENVEX-01-001 Implement OpenVEX normalizer to ingest attestations into canonical claims with provenance.
Sprint 6 Excititor Ingest & Formats src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF DONE (2025-10-17) Team Excititor Connectors Red Hat EXCITITOR-CONN-RH-01-001 Ship Red Hat CSAF provider metadata discovery enabling incremental pulls.
Sprint 6 Excititor Ingest & Formats src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF DONE (2025-10-17) Team Excititor Connectors Red Hat EXCITITOR-CONN-RH-01-002 Fetch CSAF windows with ETag handling, resume tokens, quarantine on schema errors, and persist raw docs.
Sprint 6 Excititor Ingest & Formats src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF DONE (2025-10-17) Team Excititor Connectors Red Hat EXCITITOR-CONN-RH-01-003 Populate provider trust overrides (cosign issuer, identity regex) and provenance hints for policy evaluation/logging.
Sprint 6 Excititor Ingest & Formats src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF DONE (2025-10-17) Team Excititor Connectors Red Hat EXCITITOR-CONN-RH-01-004 Persist resume cursors (last updated timestamp/document hashes) in storage and reload during fetch to avoid duplicates.
Sprint 6 Excititor Ingest & Formats src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF DONE (2025-10-17) Team Excititor Connectors Red Hat EXCITITOR-CONN-RH-01-005 Register connector in Worker/WebService DI, add scheduled jobs, and document CLI triggers for Red Hat CSAF pulls.
Sprint 6 Excititor Ingest & Formats src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF DONE (2025-10-17) Team Excititor Connectors Red Hat EXCITITOR-CONN-RH-01-006 Add CSAF normalization parity fixtures ensuring RHSA-specific metadata is preserved.
Sprint 6 Excititor Ingest & Formats src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF DONE (2025-10-17) Team Excititor Connectors Cisco EXCITITOR-CONN-CISCO-01-001 Implement Cisco CSAF endpoint discovery/auth to unlock paginated pulls.
Sprint 6 Excititor Ingest & Formats src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF DONE (2025-10-17) Team Excititor Connectors Cisco EXCITITOR-CONN-CISCO-01-002 Implement Cisco CSAF paginated fetch loop with dedupe and raw persistence support.
Sprint 6 Excititor Ingest & Formats src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub DONE (2025-10-17) Team Excititor Connectors SUSE EXCITITOR-CONN-SUSE-01-001 Build Rancher VEX Hub discovery/subscription path with offline snapshot support.
Sprint 6 Excititor Ingest & Formats src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF DONE (2025-10-17) Team Excititor Connectors MSRC EXCITITOR-CONN-MS-01-001 Deliver AAD onboarding/token cache for MSRC CSAF ingestion.
Sprint 6 Excititor Ingest & Formats src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF DONE (2025-10-17) Team Excititor Connectors Oracle EXCITITOR-CONN-ORACLE-01-001 Implement Oracle CSAF catalogue discovery with CPU calendar awareness.
Sprint 6 Excititor Ingest & Formats src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF DONE (2025-10-17) Team Excititor Connectors Ubuntu EXCITITOR-CONN-UBUNTU-01-001 Implement Ubuntu CSAF discovery and channel selection for USN ingestion.
Sprint 6 Excititor Ingest & Formats src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest DONE (2025-10-18) Team Excititor Connectors OCI EXCITITOR-CONN-OCI-01-001 Wire OCI discovery/auth to fetch OpenVEX attestations for configured images.
Sprint 6 Excititor Ingest & Formats src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest DONE (2025-10-18) Team Excititor Connectors OCI EXCITITOR-CONN-OCI-01-002 Attestation fetch & verify loop: download DSSE attestations, trigger verification, handle retries/backoff, persist raw statements.
Sprint 6 Excititor Ingest & Formats src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest DONE (2025-10-18) Team Excititor Connectors OCI EXCITITOR-CONN-OCI-01-003 Provenance metadata & policy hooks: emit image, subject digest, issuer, and trust metadata for policy weighting/logging.
Sprint 6 Excititor Ingest & Formats src/Cli/StellaOps.Cli DONE (2025-10-18) DevEx/CLI EXCITITOR-CLI-01-001 Add excititor CLI verbs bridging to WebService with consistent auth and offline UX.
Sprint 7 Contextual Truth Foundations src/Excititor/__Libraries/StellaOps.Excititor.Core DONE (2025-10-19) Team Excititor Core & Policy EXCITITOR-CORE-02-001 Context signal schema prep: extend consensus models with severity/KEV/EPSS fields and update canonical serializers.
Sprint 7 Contextual Truth Foundations src/Excititor/__Libraries/StellaOps.Excititor.Policy DONE (2025-10-19) Team Excititor Policy EXCITITOR-POLICY-02-001 Scoring coefficients & weight ceilings: add α/β options, weight boosts, and validation guidance.
Sprint 7 Contextual Truth Foundations src/Excititor/__Libraries/StellaOps.Excititor.Attestation DONE (2025-10-16) Team Excititor Attestation EXCITITOR-ATTEST-01-002 Rekor v2 client integration: ship transparency log client with retries and offline queue.
Sprint 9 Scanner Core Foundations src/Scanner/__Libraries/StellaOps.Scanner.Core DONE (2025-10-18) Team Scanner Core SCANNER-CORE-09-501 Define shared DTOs (ScanJob, ProgressEvent), error taxonomy, and deterministic ID/timestamp helpers aligning with modules/scanner/architecture.md §3-§4.
Sprint 9 Scanner Core Foundations src/Scanner/__Libraries/StellaOps.Scanner.Core DONE (2025-10-18) Team Scanner Core SCANNER-CORE-09-502 Observability helpers (correlation IDs, logging scopes, metric namespacing, deterministic hashes) consumed by WebService/Worker.
Sprint 9 Scanner Core Foundations src/Scanner/__Libraries/StellaOps.Scanner.Core DONE (2025-10-18) Team Scanner Core SCANNER-CORE-09-503 Security utilities: Authority client factory, OpTok caching, DPoP verifier, restart-time plug-in guardrails for scanner components.
Sprint 9 Scanner Build-time src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin DONE (2025-10-19) BuildX Guild SP9-BLDX-09-001 Buildx driver scaffold + handshake with Scanner.Emit (local CAS).
Sprint 9 Scanner Build-time src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin DONE (2025-10-19) BuildX Guild SP9-BLDX-09-002 OCI annotations + provenance hand-off to Attestor.
Sprint 9 Scanner Build-time src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin DONE (2025-10-19) BuildX Guild SP9-BLDX-09-003 CI demo: minimal SBOM push & backend report wiring.
Sprint 9 Scanner Build-time src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin DONE (2025-10-19) BuildX Guild SP9-BLDX-09-004 Stabilize descriptor nonce derivation so repeated builds emit deterministic placeholders.
Sprint 9 Scanner Build-time src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin DONE (2025-10-19) BuildX Guild SP9-BLDX-09-005 Integrate determinism guard into GitHub/Gitea workflows and archive proof artifacts.
Sprint 9 Scanner Core Foundations src/Scanner/StellaOps.Scanner.WebService DONE (2025-10-18) Team Scanner WebService SCANNER-WEB-09-101 Minimal API host with Authority enforcement, health/ready endpoints, and restart-time plug-in loader per architecture §1, §4.
Sprint 9 Scanner Core Foundations src/Scanner/StellaOps.Scanner.WebService DONE (2025-10-18) Team Scanner WebService SCANNER-WEB-09-102 /api/v1/scans submission/status endpoints with deterministic IDs, validation, and cancellation support.
Sprint 9 Scanner Core Foundations src/Scanner/StellaOps.Scanner.WebService DONE (2025-10-19) Team Scanner WebService SCANNER-WEB-09-104 Configuration binding for Mongo, MinIO, queue, feature flags; startup diagnostics and fail-fast policy.
Sprint 9 Scanner Core Foundations src/Scanner/StellaOps.Scanner.Worker DONE (2025-10-19) Team Scanner Worker SCANNER-WORKER-09-201 Worker host bootstrap with Authority auth, hosted services, and graceful shutdown semantics.
Sprint 9 Scanner Core Foundations src/Scanner/StellaOps.Scanner.Worker DONE (2025-10-19) Team Scanner Worker SCANNER-WORKER-09-202 Lease/heartbeat loop with retry+jitter, poison-job quarantine, structured logging.
Sprint 9 Scanner Core Foundations src/Scanner/StellaOps.Scanner.Worker DONE (2025-10-19) Team Scanner Worker SCANNER-WORKER-09-203 Analyzer dispatch skeleton emitting deterministic stage progress and honoring cancellation tokens.
Sprint 9 Scanner Core Foundations src/Scanner/StellaOps.Scanner.Worker DONE (2025-10-19) Team Scanner Worker SCANNER-WORKER-09-204 Worker metrics (queue latency, stage duration, failure counts) with OpenTelemetry resource wiring.
Sprint 9 Scanner Core Foundations src/Scanner/StellaOps.Scanner.Worker DONE (2025-10-19) Team Scanner Worker SCANNER-WORKER-09-205 Harden heartbeat jitter so lease safety margin stays ≥3× and cover with regression tests + optional live queue smoke run.
Sprint 9 Policy Foundations src/Policy/__Libraries/StellaOps.Policy DONE Policy Guild POLICY-CORE-09-001 Policy schema + binder + diagnostics.
Sprint 9 Policy Foundations src/Policy/__Libraries/StellaOps.Policy DONE Policy Guild POLICY-CORE-09-002 Policy snapshot store + revision digests.
Sprint 9 Policy Foundations src/Policy/__Libraries/StellaOps.Policy DONE Policy Guild POLICY-CORE-09-003 /policy/preview API (image digest → projected verdict diff).
Sprint 9 DevOps Foundations ops/devops DONE (2025-10-19) DevOps Guild DEVOPS-HELM-09-001 Helm/Compose environment profiles (dev/staging/airgap) with deterministic digests.
Sprint 9 Docs & Governance docs DONE (2025-10-19) Docs Guild, DevEx DOCS-ADR-09-001 Establish ADR process and template.
Sprint 9 Docs & Governance docs DONE (2025-10-19) Docs Guild, Platform Events DOCS-EVENTS-09-002 Publish event schema catalog (docs/events/) for critical envelopes.
Sprint 9 Scanner Core Foundations src/Scanner/__Libraries/StellaOps.Scanner.Storage DONE (2025-10-19) Team Scanner Storage SCANNER-STORAGE-09-301 Mongo catalog schemas/indexes for images, layers, artifacts, jobs, lifecycle rules plus migrations.
Sprint 9 Scanner Core Foundations src/Scanner/__Libraries/StellaOps.Scanner.Storage DONE (2025-10-19) Team Scanner Storage SCANNER-STORAGE-09-302 MinIO layout, immutability policies, client abstraction, and configuration binding.
Sprint 9 Scanner Core Foundations src/Scanner/__Libraries/StellaOps.Scanner.Storage DONE (2025-10-19) Team Scanner Storage SCANNER-STORAGE-09-303 Repositories/services with dual-write feature flag, deterministic digests, TTL enforcement tests.
Sprint 9 Scanner Core Foundations src/Scanner/__Libraries/StellaOps.Scanner.Queue DONE (2025-10-19) Team Scanner Queue SCANNER-QUEUE-09-401 Queue abstraction + Redis Streams adapter with ack/claim APIs and idempotency tokens.
Sprint 9 Scanner Core Foundations src/Scanner/__Libraries/StellaOps.Scanner.Queue DONE (2025-10-19) Team Scanner Queue SCANNER-QUEUE-09-402 Pluggable backend support (Redis, NATS) with configuration binding, health probes, failover docs.
Sprint 9 Scanner Core Foundations src/Scanner/__Libraries/StellaOps.Scanner.Queue DONE (2025-10-19) Team Scanner Queue SCANNER-QUEUE-09-403 Retry + dead-letter strategy with structured logs/metrics for offline deployments.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa DONE (2025-10-12) Team Connector Normalized Versions Rollout FEEDCONN-GHSA-02-001 GHSA normalized versions & provenance
Team instructions: Read ./AGENTS.md and each module's AGENTS file. Adopt the NormalizedVersions array emitted by the models sprint, wiring provenance decisionReason where merge overrides occur. Follow ./src/FASTER_MODELING_AND_NORMALIZATION.md; report via src/Concelier/__Libraries/StellaOps.Concelier.Merge (FEEDMERGE-COORD-02-900). Progress 2025-10-11: GHSA/OSV emit normalized arrays with refreshed fixtures; CVE mapper now surfaces SemVer normalized ranges; NVD/KEV adoption pending; outstanding follow-ups include FEEDSTORAGE-DATA-02-001, FEEDMERGE-ENGINE-02-002, and rolling src/Tools/FixtureUpdater updates across connectors.
Progress 2025-10-20: Coordination matrix + rollout dashboard refreshed; upcoming deadlines tracked (Cccs/Cisco 2025-10-21, CertBund 2025-10-22, ICS-CISA 2025-10-23, KISA 2025-10-24) with escalation path documented in FEEDMERGE-COORD-02-900.
Sprint 1 Stabilize In-Progress Foundations src/Concelier/StellaOps.Concelier.WebService DONE (2025-10-19) Team WebService & Authority FEEDWEB-OPS-01-006 Rename plugin drop directory to namespaced path
Build outputs now point at StellaOps.Concelier.PluginBinaries/StellaOps.Authority.PluginBinaries; defaults/docs/tests updated to reflect the new layout.
Sprint 7 Contextual Truth Foundations src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo DONE (2025-10-19) Team Excititor Storage EXCITITOR-STORAGE-02-001 Statement events & scoring signals: immutable VEX statements store, consensus signal fields, and migration 20251019-consensus-signals-statements with tests (dotnet test src/Excititor/__Tests/StellaOps.Excititor.Core.Tests/StellaOps.Excititor.Core.Tests.csproj, dotnet test src/Excititor/__Tests/StellaOps.Excititor.Storage.Mongo.Tests/StellaOps.Excititor.Storage.Mongo.Tests.csproj).
Sprint 7 Contextual Truth Foundations src/Concelier/__Libraries/StellaOps.Concelier.Core DONE (2025-10-19) Team Core Engine & Storage Analytics FEEDCORE-ENGINE-07-001 Advisory event log & asOf queries: surface immutable statements and replay capability.
Sprint 7 Contextual Truth Foundations src/Concelier/StellaOps.Concelier.WebService DONE (2025-10-19) Concelier WebService Guild FEEDWEB-EVENTS-07-001 Advisory event replay API: expose /concelier/advisories/{key}/replay with asOf filter, hex hashes, and conflict data.
Sprint 7 Contextual Truth Foundations src/Concelier/__Libraries/StellaOps.Concelier.Merge DONE (2025-10-20) BE-Merge FEEDMERGE-ENGINE-07-001 Conflict sets & explainers: persist conflict materialization and replay hashes for merge decisions.
Sprint 8 Mongo strengthening src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo DONE (2025-10-19) Team Normalization & Storage Backbone FEEDSTORAGE-MONGO-08-001 Causal-consistent Concelier storage sessions
Scoped session facilitator registered, repositories accept optional session handles, and replica-set failover tests verify read-your-write + monotonic reads.
Sprint 8 Mongo strengthening src/Authority/StellaOps.Authority DONE (2025-10-19) Authority Core & Storage Guild AUTHSTORAGE-MONGO-08-001 Harden Authority Mongo usage
Scoped Mongo sessions with majority read/write concerns wired through stores and GraphQL/HTTP pipelines; replica-set election regression validated.
Sprint 8 Mongo strengthening src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo DONE (2025-10-19) Team Excititor Storage EXCITITOR-STORAGE-MONGO-08-001 Causal consistency for Excititor repositories
Session-scoped repositories shipped with new Mongo records, orchestrators/workers now share scoped sessions, and replica-set failover coverage added via dotnet test src/Excititor/__Tests/StellaOps.Excititor.Storage.Mongo.Tests/StellaOps.Excititor.Storage.Mongo.Tests.csproj.
Sprint 8 Platform Maintenance src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo DONE (2025-10-19) Team Excititor Storage EXCITITOR-STORAGE-03-001 Statement backfill tooling: shipped admin backfill endpoint, CLI hook (stellaops excititor backfill-statements), integration tests, and operator runbook (docs/dev/EXCITITOR_STATEMENT_BACKFILL.md).
Sprint 8 Mirror Distribution src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.Json DONE (2025-10-19) Concelier Export Guild CONCELIER-EXPORT-08-201 Mirror bundle + domain manifest: produce signed JSON aggregates for *.stella-ops.org mirrors.
Sprint 8 Mirror Distribution src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.TrivyDb DONE (2025-10-19) Concelier Export Guild CONCELIER-EXPORT-08-202 Mirror-ready Trivy DB bundles: mirror options emit per-domain manifests/metadata/db archives with deterministic digests for downstream sync.
Sprint 8 Mirror Distribution src/Concelier/StellaOps.Concelier.WebService DONE (2025-10-20) Concelier WebService Guild CONCELIER-WEB-08-201 Mirror distribution endpoints: expose domain-scoped index/download APIs with auth/quota.
Sprint 8 Mirror Distribution ops/devops DONE (2025-10-19) DevOps Guild DEVOPS-MIRROR-08-001 Managed mirror deployments for *.stella-ops.org: Helm/Compose overlays, CDN, runbooks.
Sprint 8 Plugin Infrastructure src/__Libraries/StellaOps.Plugin DONE (2025-10-20) Plugin Platform Guild, Authority Core PLUGIN-DI-08-003 Refactor Authority identity-provider registry to resolve scoped plugin services on-demand.
Introduce factory pattern aligned with scoped lifetimes decided in coordination workshop.
Sprint 8 Plugin Infrastructure src/__Libraries/StellaOps.Plugin DONE (2025-10-20) Plugin Platform Guild, Authority Core PLUGIN-DI-08-004 Update Authority plugin loader to activate registrars with DI support and scoped service awareness.
Add two-phase initialization allowing scoped dependencies post-container build.
Sprint 8 Plugin Infrastructure src/__Libraries/StellaOps.Plugin DONE (2025-10-20) Plugin Platform Guild, Authority Core PLUGIN-DI-08-005 Provide scoped-safe bootstrap execution for Authority plugins.
Implement scope-per-run pattern for hosted bootstrap tasks and document migration guidance.
Sprint 10 DevOps Security ops/devops DONE (2025-10-20) DevOps Guild DEVOPS-SEC-10-301 Address NU1902/NU1903 advisories for MongoDB.Driver 2.12.0 and SharpCompress 0.23.0; Wave0A prerequisites confirmed complete before remediation work.
Sprint 11 Signing Chain Bring-up src/Authority/StellaOps.Authority DONE (2025-10-20) Authority Core & Security Guild AUTH-DPOP-11-001 Implement DPoP proof validation + nonce handling for high-value audiences per architecture.
Sprint 15 Notify Foundations src/Notify/StellaOps.Notify.WebService DONE (2025-10-19) Notify WebService Guild NOTIFY-WEB-15-103 Delivery history & test-send endpoints.
Sprint 15 Notify Foundations src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack DONE (2025-10-20) Notify Connectors Guild NOTIFY-CONN-SLACK-15-502 Slack health/test-send support.
Sprint 15 Notify Foundations src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams DONE (2025-10-20) Notify Connectors Guild NOTIFY-CONN-TEAMS-15-602 Teams health/test-send support.
Sprint 15 Notify Foundations src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams DONE (2025-10-20) Notify Connectors Guild NOTIFY-CONN-TEAMS-15-604 Teams health endpoint metadata alignment.
Sprint 15 Notify Foundations src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack DONE (2025-10-20) Notify Connectors Guild NOTIFY-CONN-SLACK-15-503 Package Slack connector as restart-time plug-in (manifest + host registration).
Sprint 15 Notify Foundations src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams DONE (2025-10-20) Notify Connectors Guild NOTIFY-CONN-TEAMS-15-603 Package Teams connector as restart-time plug-in (manifest + host registration).
Sprint 15 Notify Foundations src/Notify/__Libraries/StellaOps.Notify.Connectors.Email DONE (2025-10-20) Notify Connectors Guild NOTIFY-CONN-EMAIL-15-703 Package Email connector as restart-time plug-in (manifest + host registration).
Sprint 15 Notify Foundations src/Scanner/StellaOps.Scanner.WebService DONE (2025-10-20) Scanner WebService Guild SCANNER-EVENTS-15-201 Emit scanner.report.ready + scanner.scan.completed events.
Sprint 15 Notify Foundations src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook DONE (2025-10-20) Notify Connectors Guild NOTIFY-CONN-WEBHOOK-15-803 Package Webhook connector as restart-time plug-in (manifest + host registration).
Sprint 16 Scheduler Intelligence src/Scheduler/__Libraries/StellaOps.Scheduler.Models DONE (2025-10-20) Scheduler Models Guild SCHED-MODELS-16-103 Versioning/migration helpers for schedules/runs.
Sprint 16 Scheduler Intelligence src/Scheduler/__Libraries/StellaOps.Scheduler.Queue DONE (2025-10-20) Scheduler Queue Guild SCHED-QUEUE-16-401 Queue abstraction + Redis Streams adapter.
Sprint 16 Scheduler Intelligence src/Scheduler/__Libraries/StellaOps.Scheduler.Queue DONE (2025-10-20) Scheduler Queue Guild SCHED-QUEUE-16-402 NATS JetStream adapter with health probes.
Sprint 16 Scheduler Intelligence src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex DONE (2025-10-20) Scheduler ImpactIndex Guild SCHED-IMPACT-16-300 STUB ImpactIndex ingest/query using fixtures (to be removed by SP16 completion).
This file describes the implementation of Stella Ops (docs/README.md). Implementation must respect the rules in AGENTS.md (read it if you have not).
Sprint Theme Tasks File Path Status Type of Specialist Task ID Task Description
Sprint 7 Contextual Truth Foundations docs DONE (2025-10-22) Docs Guild, Concelier WebService DOCS-CONCELIER-07-201 Final editorial review and publish pass for Concelier authority toggle documentation (Quickstart + operator guide).
Sprint 7 Contextual Truth Foundations src/Excititor/StellaOps.Excititor.WebService DONE (2025-10-20) Team Excititor WebService EXCITITOR-WEB-01-002 Ingest & reconcile endpoints: scope-enforced /excititor/init, /excititor/ingest/run, /excititor/ingest/resume, /excititor/reconcile; regression via dotnet test … --filter FullyQualifiedName~IngestEndpointsTests.
Sprint 7 Contextual Truth Foundations src/Excititor/StellaOps.Excititor.WebService DONE (2025-10-20) Team Excititor WebService EXCITITOR-WEB-01-004 Resolve API & signed responses: expose /excititor/resolve, return signed consensus/score envelopes, document auth.
Sprint 7 Contextual Truth Foundations src/Excititor/StellaOps.Excititor.Worker DONE (2025-10-21) Team Excititor Worker EXCITITOR-WORKER-01-004 TTL refresh & stability damper: schedule re-resolve loops and guard against status flapping.
Sprint 7 Contextual Truth Foundations src/Concelier/__Libraries/StellaOps.Concelier.Core DONE (2025-10-21) Team Core Engine & Data Science FEEDCORE-ENGINE-07-002 Noise prior computation service: learn false-positive priors and expose deterministic summaries.
Sprint 7 Contextual Truth Foundations src/Concelier/__Libraries/StellaOps.Concelier.Core DONE (2025-10-21) Team Core Engine & Storage Analytics FEEDCORE-ENGINE-07-003 Unknown state ledger & confidence seeding: persist unknown flags, seed confidence bands, expose query surface.
Sprint 7 Contextual Truth Foundations src/Excititor/StellaOps.Excititor.WebService DONE (2025-10-19) Team Excititor WebService EXCITITOR-WEB-01-005 Mirror distribution endpoints: expose download APIs for downstream Excititor instances.
Sprint 7 Contextual Truth Foundations src/Excititor/__Libraries/StellaOps.Excititor.Export DONE (2025-10-21) Team Excititor Export EXCITITOR-EXPORT-01-005 Score & resolve envelope surfaces: include signed consensus/score artifacts in exports.
Sprint 7 Contextual Truth Foundations src/Excititor/__Libraries/StellaOps.Excititor.Export DONE (2025-10-21) Team Excititor Export EXCITITOR-EXPORT-01-006 Quiet provenance packaging: attach quieted-by statement IDs, signers, justification codes to exports and attestations.
Sprint 7 Contextual Truth Foundations src/Excititor/__Libraries/StellaOps.Excititor.Export DONE (2025-10-21) Team Excititor Export EXCITITOR-EXPORT-01-007 Mirror bundle + domain manifest: publish signed consensus bundles for mirrors.
Sprint 7 Contextual Truth Foundations src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror DONE (2025-10-21) Excititor Connectors Stella EXCITITOR-CONN-STELLA-07-001 Excititor mirror connector: ingest signed mirror bundles and map to VexClaims with resume handling.
Sprint 7 Contextual Truth Foundations src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo DONE (2025-10-19) Team Normalization & Storage Backbone FEEDSTORAGE-DATA-07-001 Advisory statement & conflict collections: provision Mongo schema/indexes for event-sourced merge.
Sprint 7 Contextual Truth Foundations src/Web/StellaOps.Web DONE (2025-10-21) UX Specialist, Angular Eng WEB1.TRIVY-SETTINGS-TESTS Add headless UI test run (ng test --watch=false) and document prerequisites once Angular tooling is chained up.
Sprint 8 Mirror Distribution src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror DONE (2025-10-20) BE-Conn-Stella FEEDCONN-STELLA-08-001 Concelier mirror connector: fetch mirror manifest, verify signatures, and hydrate canonical DTOs with resume support.
Sprint 8 Mirror Distribution src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror DONE (2025-10-20) BE-Conn-Stella FEEDCONN-STELLA-08-002 Map mirror payloads into canonical advisory DTOs with provenance referencing mirror domain + original source metadata.
Sprint 8 Mirror Distribution src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror DONE (2025-10-20) BE-Conn-Stella FEEDCONN-STELLA-08-003 Add incremental cursor + resume support (per-export fingerprint) and document configuration for downstream Concelier instances.
Sprint 8 Plugin Infrastructure src/__Libraries/StellaOps.Plugin DONE (2025-10-21) Plugin Platform Guild PLUGIN-DI-08-001 Scoped service support in plugin bootstrap: added dynamic plugin tests ensuring [ServiceBinding] metadata flows through plugin hosts and remains idempotent.
Sprint 8 Plugin Infrastructure src/__Libraries/StellaOps.Plugin DONE (2025-10-20) Plugin Platform Guild, Authority Core PLUGIN-DI-08-002.COORD Authority scoped-service integration handshake
Workshop concluded 2025-10-20 15:00–16:05 UTC; decisions + follow-ups recorded in docs/dev/authority-plugin-di-coordination.md.
Sprint 8 Plugin Infrastructure src/__Libraries/StellaOps.Plugin DONE (2025-10-20) Plugin Platform Guild, Authority Core PLUGIN-DI-08-002 Authority plugin integration: updates scoped identity-provider services with registry handles; regression coverage via scoped registrar/unit tests.
Sprint 8 Plugin Infrastructure src/Authority/StellaOps.Authority DONE (2025-10-20) Authority Core, Plugin Platform Guild AUTH-PLUGIN-COORD-08-002 Coordinate scoped-service adoption for Authority plug-in registrars
Workshop notes and follow-up backlog captured 2025-10-20 in docs/dev/authority-plugin-di-coordination.md.
Sprint 9 Scanner Core Foundations src/Scanner/StellaOps.Scanner.WebService DONE (2025-10-19) Team Scanner WebService SCANNER-WEB-09-103 Progress streaming (SSE/JSONL) with correlation IDs and ISO-8601 UTC timestamps, documented in API reference.
Sprint 9 Scanner Core Foundations src/Scanner/StellaOps.Scanner.WebService DONE (2025-10-19) Team Scanner WebService SCANNER-POLICY-09-105 Policy snapshot loader + schema + OpenAPI (YAML ignore rules, VEX include/exclude, vendor precedence).
Sprint 9 Scanner Core Foundations src/Scanner/StellaOps.Scanner.WebService DONE (2025-10-19) Team Scanner WebService SCANNER-POLICY-09-106 /reports verdict assembly (Concelier+Excititor+Policy) + signed response envelope.
Sprint 9 Scanner Core Foundations src/Scanner/StellaOps.Scanner.WebService DONE (2025-10-19) Team Scanner WebService SCANNER-POLICY-09-107 Expose score inputs, config version, and quiet provenance in /reports JSON and signed payload.
Sprint 9 DevOps Foundations ops/devops DONE (2025-10-21) DevOps Guild, Scanner WebService Guild DEVOPS-SCANNER-09-204 Surface SCANNER__EVENTS__* env config across Compose/Helm and document overrides.
Sprint 9 DevOps Foundations ops/devops DONE (2025-10-21) DevOps Guild, Notify Guild DEVOPS-SCANNER-09-205 Notify smoke job validates Redis stream + Notify deliveries after staging deploys.
Sprint 9 Policy Foundations src/Policy/__Libraries/StellaOps.Policy DONE (2025-10-19) Policy Guild POLICY-CORE-09-004 Versioned scoring config with schema validation, trust table, and golden fixtures.
Sprint 9 Policy Foundations src/Policy/__Libraries/StellaOps.Policy DONE (2025-10-19) Policy Guild POLICY-CORE-09-005 Scoring/quiet engine: compute score, enforce VEX-only quiet rules, emit inputs and provenance.
Sprint 9 Policy Foundations src/Policy/__Libraries/StellaOps.Policy DONE (2025-10-19) Policy Guild POLICY-CORE-09-006 Unknown state & confidence decay: deterministic bands surfaced in policy outputs.
Sprint 9 Docs & Governance docs DONE (2025-10-21) Platform Events Guild PLATFORM-EVENTS-09-401 Embed canonical event samples into contract/integration tests and ensure CI validates payloads against published schemas.
Sprint 10 Benchmarks src/Bench/StellaOps.Bench DONE (2025-10-21) Bench Guild, Language Analyzer Guild BENCH-SCANNER-10-002 Wire real language analyzers into bench harness & refresh baselines post-implementation.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang DONE (2025-10-21) Language Analyzer Guild SCANNER-ANALYZERS-LANG-10-302 Node analyzer handling workspaces/symlinks emitting pkg:npm.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang DONE (2025-10-21) Language Analyzer Guild SCANNER-ANALYZERS-LANG-10-303 Python analyzer reading *.dist-info, RECORD hashes, entry points.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang DONE (2025-10-22) Language Analyzer Guild SCANNER-ANALYZERS-LANG-10-304 Go analyzer leveraging buildinfo for pkg:golang components.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go DONE (2025-10-22) Language Analyzer Guild SCANNER-ANALYZERS-LANG-10-304E Plumb Go heuristic counter into Scanner metrics pipeline and alerting.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang DONE (2025-10-22) Language Analyzer Guild SCANNER-ANALYZERS-LANG-10-305 .NET analyzer parsing *.deps.json, assembly metadata, RID variants.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang DONE (2025-10-22) Language Analyzer Guild SCANNER-ANALYZERS-LANG-10-306 Rust analyzer detecting crates or falling back to bin:{sha256}.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang DONE (2025-10-19) Language Analyzer Guild SCANNER-ANALYZERS-LANG-10-307 Shared language evidence helpers + usage flag propagation.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang DONE (2025-10-19) Language Analyzer Guild SCANNER-ANALYZERS-LANG-10-308 Determinism + fixture harness for language analyzers.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang DONE (2025-10-21) Language Analyzer Guild SCANNER-ANALYZERS-LANG-10-309 Package language analyzers as restart-time plug-ins (manifest + host registration).
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Emit DONE (2025-10-22) Emit Guild SCANNER-EMIT-10-601 Compose inventory SBOM (CycloneDX JSON/Protobuf) from layer fragments.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Emit DONE (2025-10-22) Emit Guild SCANNER-EMIT-10-602 Compose usage SBOM leveraging EntryTrace to flag actual usage.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Emit DONE (2025-10-22) Emit Guild SCANNER-EMIT-10-603 Generate BOM index sidecar (purl table + roaring bitmap + usage flag).
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Emit DONE (2025-10-22) Emit Guild SCANNER-EMIT-10-604 Package artifacts for export + attestation with deterministic manifests.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Emit DONE (2025-10-22) Emit Guild SCANNER-EMIT-10-605 Emit BOM-Index sidecar schema/fixtures (CRITICAL PATH for SP16).
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Emit DONE (2025-10-22) Emit Guild SCANNER-EMIT-10-606 Usage view bit flags integrated with EntryTrace.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Emit DONE (2025-10-22) Emit Guild SCANNER-EMIT-10-607 Embed scoring inputs, confidence band, and quiet provenance in CycloneDX/DSSE artifacts.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Cache DONE (2025-10-19) Scanner Cache Guild SCANNER-CACHE-10-101 Implement layer cache store keyed by layer digest with metadata retention per architecture §3.3.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Cache DONE (2025-10-19) Scanner Cache Guild SCANNER-CACHE-10-102 Build file CAS with dedupe, TTL enforcement, and offline import/export hooks.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Cache DONE (2025-10-19) Scanner Cache Guild SCANNER-CACHE-10-103 Expose cache metrics/logging and configuration toggles for warm/cold thresholds.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Cache DONE (2025-10-19) Scanner Cache Guild SCANNER-CACHE-10-104 Implement cache invalidation workflows (layer delete, TTL expiry, diff invalidation).
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS DONE (2025-10-19) OS Analyzer Guild SCANNER-ANALYZERS-OS-10-201 Alpine/apk analyzer emitting deterministic components with provenance.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS DONE (2025-10-19) OS Analyzer Guild SCANNER-ANALYZERS-OS-10-202 Debian/dpkg analyzer mapping packages to purl identity with evidence.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS DONE (2025-10-19) OS Analyzer Guild SCANNER-ANALYZERS-OS-10-203 RPM analyzer capturing EVR, file listings, provenance.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS DONE (2025-10-19) OS Analyzer Guild SCANNER-ANALYZERS-OS-10-204 Shared OS evidence helpers for package identity + provenance.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS DONE (2025-10-19) OS Analyzer Guild SCANNER-ANALYZERS-OS-10-205 Vendor metadata enrichment (source packages, license, CVE hints).
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS DONE (2025-10-19) OS Analyzer Guild SCANNER-ANALYZERS-OS-10-206 Determinism harness + fixtures for OS analyzers.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS DONE (2025-10-19) OS Analyzer Guild SCANNER-ANALYZERS-OS-10-207 Package OS analyzers as restart-time plug-ins (manifest + host registration).
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang DONE (2025-10-19) Language Analyzer Guild SCANNER-ANALYZERS-LANG-10-301 Java analyzer emitting pkg:maven with provenance.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace DONE (2025-10-19) EntryTrace Guild SCANNER-ENTRYTRACE-10-401 POSIX shell AST parser with deterministic output.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace DONE (2025-10-19) EntryTrace Guild SCANNER-ENTRYTRACE-10-402 Command resolution across layered rootfs with evidence attribution.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace DONE (2025-10-19) EntryTrace Guild SCANNER-ENTRYTRACE-10-403 Interpreter tracing for shell wrappers to Python/Node/Java launchers.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace DONE (2025-10-19) EntryTrace Guild SCANNER-ENTRYTRACE-10-404 Python entry analyzer (venv shebang, module invocation, usage flag).
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace DONE (2025-10-19) EntryTrace Guild SCANNER-ENTRYTRACE-10-405 Node/Java launcher analyzer capturing script/jar targets.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace DONE (2025-10-19) EntryTrace Guild SCANNER-ENTRYTRACE-10-406 Explainability + diagnostics for unresolved constructs with metrics.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace DONE (2025-10-19) EntryTrace Guild SCANNER-ENTRYTRACE-10-407 Package EntryTrace analyzers as restart-time plug-ins (manifest + host registration).
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Diff DONE (2025-10-19) Diff Guild SCANNER-DIFF-10-501 Build component differ tracking add/remove/version changes with deterministic ordering.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Diff DONE (2025-10-19) Diff Guild SCANNER-DIFF-10-502 Attribute diffs to introducing/removing layers including provenance evidence.
Sprint 10 Scanner Analyzers & SBOM src/Scanner/__Libraries/StellaOps.Scanner.Diff DONE (2025-10-19) Diff Guild SCANNER-DIFF-10-503 Produce JSON diff output for inventory vs usage views aligned with API contract.
Sprint 10 Samples samples DONE (2025-10-20) Samples Guild, Scanner Team SAMPLES-10-001 Sample images with SBOM/BOM-Index sidecars.
Sprint 10 DevOps Perf ops/devops DONE (2025-10-22) DevOps Guild DEVOPS-PERF-10-001 Perf smoke job ensuring <5s SBOM compose.
Sprint 10 DevOps Perf ops/devops DONE (2025-10-23) DevOps Guild DEVOPS-PERF-10-002 Publish analyzer bench metrics to Grafana/perf workbook and alarm on ≥20% regressions.
Sprint 10 Policy Samples samples DONE (2025-10-23) Samples Guild, Policy Guild SAMPLES-13-004 Add policy preview/report fixtures showing confidence bands and unknown-age tags.
Sprint 10 Policy Samples src/Web/StellaOps.Web DONE (2025-10-23) UI Guild WEB-POLICY-FIXTURES-10-001 Wire policy preview/report doc fixtures into UI harness (test utility or Storybook substitute) with type bindings and validation guard so UI stays aligned with documented payloads.
Sprint 11 Signing Chain Bring-up src/Signer/StellaOps.Signer DONE (2025-10-21) Signer Guild SIGNER-API-11-101 /sign/dsse pipeline with Authority auth, PoE introspection, release verification, DSSE signing.
Sprint 11 Signing Chain Bring-up src/Signer/StellaOps.Signer DONE (2025-10-21) Signer Guild SIGNER-REF-11-102 /verify/referrers endpoint with OCI lookup, caching, and policy enforcement.
Sprint 11 Signing Chain Bring-up src/Signer/StellaOps.Signer DONE (2025-10-21) Signer Guild SIGNER-QUOTA-11-103 Enforce plan quotas, concurrency/QPS limits, artifact size caps with metrics/audit logs.
Sprint 11 Signing Chain Bring-up src/Authority/StellaOps.Authority DONE (2025-10-23) Authority Core & Security Guild AUTH-MTLS-11-002 Add OAuth mTLS client credential support with certificate-bound tokens and introspection updates.
Sprint 12 Runtime Guardrails src/Scanner/StellaOps.Scanner.WebService DONE (2025-10-20) Scanner WebService Guild SCANNER-RUNTIME-12-301 /runtime/events ingestion endpoint with validation, batching, storage hooks.
Sprint 13 UX & CLI Experience src/Cli/StellaOps.Cli DONE (2025-10-21) DevEx/CLI CLI-OFFLINE-13-006 Implement offline kit pull/import/status commands with integrity checks.
Sprint 13 UX & CLI Experience src/Cli/StellaOps.Cli DONE (2025-10-22) DevEx/CLI CLI-PLUGIN-13-007 Package non-core CLI verbs as restart-time plug-ins (manifest + loader tests).
Sprint 13 UX & CLI Experience src/Web/StellaOps.Web DONE (2025-10-21) UX Specialist, Angular Eng, DevEx WEB1.DEPS-13-001 Stabilise Angular workspace dependencies for headless CI installs (npm install, Chromium handling, docs).
Sprint 16 Scheduler Intelligence src/Scheduler/__Libraries/StellaOps.Scheduler.Queue DONE (2025-10-20) Scheduler Queue Guild SCHED-QUEUE-16-403 Dead-letter handling + metrics.
Sprint 18 Launch Readiness ops/offline-kit DONE (2025-10-22) Offline Kit Guild, Scanner Guild DEVOPS-OFFLINE-18-004 Rebuild Offline Kit bundle with Go analyzer plug-in and refreshed manifest/signature set.
Sprint 11 Signing Chain Bring-up src/Attestor/StellaOps.Attestor DONE (2025-10-19) Attestor Guild ATTESTOR-API-11-201 /rekor/entries submission pipeline with dedupe, proof acquisition, and persistence.
Sprint 11 Signing Chain Bring-up src/Attestor/StellaOps.Attestor DONE (2025-10-19) Attestor Guild ATTESTOR-VERIFY-11-202 /rekor/verify + retrieval endpoints validating signatures and Merkle proofs.
Sprint 11 Signing Chain Bring-up src/Attestor/StellaOps.Attestor DONE (2025-10-19) Attestor Guild ATTESTOR-OBS-11-203 Telemetry, alerting, mTLS hardening, and archive workflow for Attestor.
Sprint 11 Storage Platform Hardening src/Scanner/__Libraries/StellaOps.Scanner.Storage DONE (2025-10-23) Scanner Storage Guild SCANNER-STORAGE-11-401 Migrate scanner object storage integration from MinIO to RustFS with data migration plan.
Sprint 11 UI Integration src/Web/StellaOps.Web DONE (2025-10-23) UI Guild UI-ATTEST-11-005 Attestation visibility (Rekor id, status) on Scan Detail.
Sprint 12 Runtime Guardrails src/Zastava/__Libraries/StellaOps.Zastava.Core DONE (2025-10-23) Zastava Core Guild ZASTAVA-CORE-12-201 Define runtime event/admission DTOs, hashing helpers, and versioning strategy.
Sprint 12 Runtime Guardrails src/Zastava/__Libraries/StellaOps.Zastava.Core DONE (2025-10-23) Zastava Core Guild ZASTAVA-CORE-12-202 Provide configuration/logging/metrics utilities shared by Observer/Webhook.
Sprint 12 Runtime Guardrails src/Zastava/__Libraries/StellaOps.Zastava.Core DONE (2025-10-23) Zastava Core Guild ZASTAVA-CORE-12-203 Authority client helpers, OpTok caching, and security guardrails for runtime services.
Sprint 12 Runtime Guardrails src/Zastava/__Libraries/StellaOps.Zastava.Core DONE (2025-10-23) Zastava Core Guild ZASTAVA-OPS-12-204 Operational runbooks, alert rules, and dashboard exports for runtime plane.
Sprint 12 Runtime Guardrails src/Zastava/StellaOps.Zastava.Observer DONE (2025-10-24) Zastava Observer Guild ZASTAVA-OBS-12-001 Container lifecycle watcher emitting deterministic runtime events with buffering.
Sprint 12 Runtime Guardrails src/Zastava/StellaOps.Zastava.Observer DONE (2025-10-24) Zastava Observer Guild ZASTAVA-OBS-12-002 Capture entrypoint traces + loaded libraries, hashing binaries and linking to baseline SBOM.
Sprint 12 Runtime Guardrails src/Zastava/StellaOps.Zastava.Observer DONE (2025-10-24) Zastava Observer Guild ZASTAVA-OBS-12-003 Posture checks for signatures/SBOM/attestation with offline caching.
Sprint 12 Runtime Guardrails src/Zastava/StellaOps.Zastava.Observer DONE (2025-10-24) Zastava Observer Guild ZASTAVA-OBS-12-004 Batch /runtime/events submissions with disk-backed buffer and rate limits.
Sprint 12 Runtime Guardrails src/Zastava/StellaOps.Zastava.Webhook DONE (2025-10-24) Zastava Webhook Guild ZASTAVA-WEBHOOK-12-101 Admission controller host with TLS bootstrap and Authority auth.
Sprint 12 Runtime Guardrails src/Zastava/StellaOps.Zastava.Webhook DONE (2025-10-24) Zastava Webhook Guild ZASTAVA-WEBHOOK-12-102 Query Scanner /policy/runtime, resolve digests, enforce verdicts.
Sprint 12 Runtime Guardrails src/Zastava/StellaOps.Zastava.Webhook DONE (2025-10-24) Zastava Webhook Guild ZASTAVA-WEBHOOK-12-103 Caching, fail-open/closed toggles, metrics/logging for admission decisions.
Sprint 12 Runtime Guardrails src/Zastava/StellaOps.Zastava.Webhook DONE (2025-10-24) Zastava Webhook Guild ZASTAVA-WEBHOOK-12-104 Wire /admission endpoint to runtime policy client and emit allow/deny envelopes.
Sprint 12 Runtime Guardrails src/Scanner/StellaOps.Scanner.WebService DONE (2025-10-24) Scanner WebService Guild SCANNER-RUNTIME-12-302 /policy/runtime endpoint joining SBOM baseline + policy verdict, returning admission guidance.
Sprint 12 Runtime Guardrails src/Scanner/StellaOps.Scanner.WebService DONE (2025-10-24) Scanner WebService Guild SCANNER-RUNTIME-12-303 Align /policy/runtime verdicts with canonical policy evaluation (Concelier/Excititor).
Sprint 12 Runtime Guardrails src/Scanner/StellaOps.Scanner.WebService DONE (2025-10-24) Scanner WebService Guild SCANNER-RUNTIME-12-304 Integrate attestation verification into runtime policy metadata.
Sprint 12 Runtime Guardrails src/Scanner/StellaOps.Scanner.WebService DONE (2025-10-24) Scanner WebService Guild SCANNER-RUNTIME-12-305 Deliver shared fixtures + e2e validation with Zastava/CLI teams.
Sprint 13 UX & CLI Experience src/Web/StellaOps.Web DONE (2025-10-23) UI Guild UI-AUTH-13-001 Integrate Authority OIDC + DPoP flows with session management.
Sprint 13 UX & CLI Experience src/Web/StellaOps.Web DONE (2025-10-25) UI Guild UI-NOTIFY-13-006 Notify panel: channels/rules CRUD, deliveries view, test send.
Sprint 13 Platform Reliability ops/devops DONE (2025-10-25) DevOps Guild, Platform Leads DEVOPS-NUGET-13-001 Wire up .NET 10 preview feeds/local mirrors so dotnet restore succeeds offline; document updated NuGet bootstrap.
Sprint 15 Notify Foundations src/Notify/__Libraries/StellaOps.Notify.Queue DONE (2025-10-23) Notify Queue Guild NOTIFY-QUEUE-15-401 Bus abstraction + Redis Streams adapter with ordering/idempotency.
Sprint 15 Notify Foundations src/Notify/__Libraries/StellaOps.Notify.Queue DONE (2025-10-23) Notify Queue Guild NOTIFY-QUEUE-15-402 NATS JetStream adapter with health probes and failover.
Sprint 15 Notify Foundations src/Notify/__Libraries/StellaOps.Notify.Queue DONE (2025-10-23) Notify Queue Guild NOTIFY-QUEUE-15-403 Delivery queue with retry/dead-letter + metrics.
Sprint 15 Notify Foundations src/Notify/StellaOps.Notify.Worker DONE (2025-10-23) Notify Worker Guild NOTIFY-WORKER-15-201 Bus subscription + leasing loop with backoff.
Sprint 17 Symbol Intelligence & Forensics src/Zastava/StellaOps.Zastava.Observer DONE (2025-10-25) Zastava Observer Guild ZASTAVA-OBS-17-005 Collect GNU build-id during runtime observation and attach it to emitted events.
Sprint 17 Symbol Intelligence & Forensics src/Scanner/StellaOps.Scanner.WebService DONE (2025-10-25) Scanner WebService Guild SCANNER-RUNTIME-17-401 Persist runtime build-id observations and expose them for debug-symbol correlation.
Sprint 13 Platform Reliability ops/devops DONE (2025-10-26) DevOps Guild DEVOPS-NUGET-13-002 Ensure all solutions/projects prioritize local-nuget before public feeds and add restore-order validation.
Sprint 13 Platform Reliability ops/devops DONE (2025-10-26) DevOps Guild, Platform Leads DEVOPS-NUGET-13-003 Upgrade Microsoft.* dependencies pinned to 8.* to their latest .NET 10 (or 9.x) releases and refresh guidance.
Sprint 14 Release & Offline Ops ops/deployment DONE (2025-10-26) Deployment Guild DEVOPS-OPS-14-003 Deployment/update/rollback automation and channel management documentation.
Sprint 14 Release & Offline Ops ops/devops DONE (2025-10-26) DevOps Guild DEVOPS-REL-14-001 Deterministic build/release pipeline with SBOM/provenance, signing, and manifest generation.
Sprint 14 Release & Offline Ops ops/devops DONE (2025-10-26) DevOps Guild, Scanner Guild DEVOPS-REL-14-004 Extend release/offline smoke jobs to cover Python analyzer plug-ins (warm/cold, determinism, signing).
Sprint 14 Release & Offline Ops ops/licensing DONE (2025-10-26) Licensing Guild DEVOPS-LIC-14-004 Registry token service tied to Authority, plan gating, revocation handling, monitoring.
Sprint 14 Release & Offline Ops ops/offline-kit DONE (2025-10-26) Offline Kit Guild DEVOPS-OFFLINE-14-002 Offline kit packaging workflow with integrity verification and documentation.
Sprint 15 Benchmarks src/Bench/StellaOps.Bench DONE (2025-10-26) Bench Guild, Notify Team BENCH-NOTIFY-15-001 Notify dispatch throughput bench with results CSV.
Sprint 16 Scheduler Intelligence src/Scheduler/__Libraries/StellaOps.Scheduler.Models DONE (2025-10-19) Scheduler Models Guild SCHED-MODELS-16-101 Define Scheduler DTOs & validation.
Sprint 16 Scheduler Intelligence src/Scheduler/__Libraries/StellaOps.Scheduler.Models DONE (2025-10-19) Scheduler Models Guild SCHED-MODELS-16-102 Publish schema docs/sample payloads.
Sprint 16 Scheduler Intelligence src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo DONE (2025-10-19) Scheduler Storage Guild SCHED-STORAGE-16-201 Mongo schemas/indexes for Scheduler state.
Sprint 16 Scheduler Intelligence src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo DONE (2025-10-26) Scheduler Storage Guild SCHED-STORAGE-16-202 Repositories with tenant scoping, TTL, causal consistency.
Sprint 16 Scheduler Intelligence src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo DONE (2025-10-26) Scheduler Storage Guild SCHED-STORAGE-16-203 Audit/run stats materialization for UI.
Sprint 16 Scheduler Intelligence src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex DONE (2025-10-26) Scheduler ImpactIndex Guild SCHED-IMPACT-16-302 Query APIs for ResolveByPurls/ResolveByVulns/ResolveAll.
Sprint 16 Scheduler Intelligence src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex DONE (2025-10-26) Scheduler ImpactIndex Guild SCHED-IMPACT-16-301 Ingest BOM-Index into roaring bitmap store.
Sprint 16 Scheduler Intelligence src/Scheduler/StellaOps.Scheduler.WebService DONE (2025-10-26) Scheduler WebService Guild SCHED-WEB-16-102 Schedules CRUD (cron validation, pause/resume, audit).
Sprint 16 Scheduler Intelligence src/Scheduler/StellaOps.Scheduler.WebService DONE (2025-10-26) Scheduler WebService Guild SCHED-WEB-16-103 Runs API (list/detail/cancel) + impact previews.
Sprint 16 Scheduler Intelligence src/Scheduler/StellaOps.Scheduler.WebService DONE (2025-10-27) Scheduler WebService Guild SCHED-WEB-16-104 Concelier/Excititor webhook handlers with security enforcement.
Sprint 17 Symbol Intelligence & Forensics docs DONE (2025-10-26) Docs Guild DOCS-RUNTIME-17-004 Document build-id workflows for SBOMs, runtime events, and debug-store usage.
Sprint 17 Symbol Intelligence & Forensics ops/devops DONE (2025-10-26) DevOps Guild DEVOPS-REL-17-002 Ship stripped debug artifacts organised by build-id within release/offline kits.
Sprint 17 Symbol Intelligence & Forensics ops/offline-kit DONE (2025-10-26) Offline Kit Guild, DevOps Guild DEVOPS-OFFLINE-17-003 Mirror release debug-store artefacts into Offline Kit packaging and document validation.
Sprint 17 Symbol Intelligence & Forensics src/Scanner/__Libraries/StellaOps.Scanner.Emit DONE (2025-10-26) Emit Guild SCANNER-EMIT-17-701 Record GNU build-id for ELF components and surface it in SBOM/diff outputs.
Sprint 18 Launch Readiness ops/devops DONE (2025-10-26) DevOps Guild DEVOPS-LAUNCH-18-001 Production launch cutover rehearsal and runbook publication.
Sprint 18 Launch Readiness ops/offline-kit DONE (2025-10-26) Offline Kit Guild, Scanner Guild DEVOPS-OFFLINE-18-005 Rebuild Offline Kit with Python analyzer artefacts and refreshed manifest/signature pair.
Sprint 19 Aggregation-Only Contract Enforcement docs DONE (2025-10-26) Docs Guild DOCS-AOC-19-001 Publish aggregation-only contract reference documentation.
Sprint 19 Aggregation-Only Contract Enforcement docs DONE (2025-10-26) Docs Guild, Architecture Guild DOCS-AOC-19-002 Update architecture overview with AOC boundary diagrams.
Sprint 19 Aggregation-Only Contract Enforcement docs DONE (2025-10-26) Docs Guild, Policy Guild DOCS-AOC-19-003 Refresh policy engine doc with raw ingestion constraints.
Sprint 19 Aggregation-Only Contract Enforcement docs DONE (2025-10-26) Docs Guild, UI Guild DOCS-AOC-19-004 Document console AOC dashboard and drill-down flow.
Sprint 19 Aggregation-Only Contract Enforcement docs DONE (2025-10-26) Docs Guild, CLI Guild DOCS-AOC-19-005 Document CLI AOC commands and exit codes.
Sprint 19 Aggregation-Only Contract Enforcement docs DONE (2025-10-26) Docs Guild, Observability Guild DOCS-AOC-19-006 Document new AOC metrics, traces, and logs.
Sprint 19 Aggregation-Only Contract Enforcement docs DONE (2025-10-26) Docs Guild, Authority Core DOCS-AOC-19-007 Document new Authority scopes and tenancy enforcement.
Sprint 19 Aggregation-Only Contract Enforcement docs DONE (2025-10-26) Docs Guild, DevOps Guild DOCS-AOC-19-008 Update deployment guide with validator enablement and verify user guidance.
Sprint 19 Aggregation-Only Contract Enforcement src/Authority/StellaOps.Authority DONE (2025-10-26) Authority Core & Security Guild AUTH-AOC-19-001 Introduce new ingestion/auth scopes across Authority.
Sprint 20 Policy Engine v2 docs DONE (2025-10-26) Docs Guild DOCS-POLICY-20-001 Publish /docs/policy/overview.md with compliance checklist.
Sprint 20 Policy Engine v2 docs DONE (2025-10-26) Docs Guild DOCS-POLICY-20-002 Document DSL grammar + examples in /docs/policy/dsl.md.
Sprint 20 Policy Engine v2 docs DONE (2025-10-26) Docs Guild, Authority Core DOCS-POLICY-20-003 Write /docs/policy/lifecycle.md covering workflow + roles.
Sprint 20 Policy Engine v2 docs DONE (2025-10-26) Docs Guild, Scheduler Guild DOCS-POLICY-20-004 Document policy run modes + cursors in /docs/policy/runs.md.
Sprint 20 Policy Engine v2 docs DONE (2025-10-26) Docs Guild, Platform Guild DOCS-POLICY-20-005 Produce /docs/api/policy.md with endpoint schemas + errors.
Sprint 20 Policy Engine v2 docs DONE (2025-10-26) Docs Guild, CLI Guild DOCS-POLICY-20-006 Author /docs/modules/cli/guides/policy.md with commands, exit codes, JSON output.
Sprint 20 Policy Engine v2 docs DONE (2025-10-26) Docs Guild, UI Guild DOCS-POLICY-20-007 Create /docs/ui/policy-editor.md covering editor, simulation, approvals.
Sprint 20 Policy Engine v2 docs DONE (2025-10-26) Docs Guild, Architecture Guild DOCS-POLICY-20-008 Publish /docs/modules/policy/architecture.md with sequence diagrams.
Sprint 20 Policy Engine v2 docs DONE (2025-10-26) Docs Guild, Observability Guild DOCS-POLICY-20-009 Document metrics/traces/logs in /docs/observability/policy.md.
Sprint 20 Policy Engine v2 docs DONE (2025-10-26) Docs Guild, Security Guild DOCS-POLICY-20-010 Publish /docs/security/policy-governance.md for scopes + approvals.
Sprint 20 Policy Engine v2 docs DONE (2025-10-26) Docs Guild, Policy Guild DOCS-POLICY-20-011 Add example policies under /docs/examples/policies/ with commentary.
Sprint 20 Policy Engine v2 docs DONE (2025-10-26) Docs Guild, Support Guild DOCS-POLICY-20-012 Draft /docs/faq/policy-faq.md covering conflicts, determinism, pitfalls.
Sprint 20 Policy Engine v2 ops/devops DONE (2025-10-26) DevOps Guild DEVOPS-POLICY-20-001 Add DSL lint + compile checks to CI pipelines.
Sprint 20 Policy Engine v2 ops/devops DONE (2025-10-26) DevOps Guild, QA Guild DEVOPS-POLICY-20-003 Add determinism CI job diffing repeated policy runs.
Sprint 20 Policy Engine v2 samples DONE (2025-10-26) Samples Guild, Policy Guild SAMPLES-POLICY-20-001 Commit baseline/serverless/internal-only policy samples + fixtures.
Sprint 20 Policy Engine v2 samples DONE (2025-10-26) Samples Guild, UI Guild SAMPLES-POLICY-20-002 Produce simulation diff fixtures for UI/CLI tests.
Sprint 20 Policy Engine v2 src/Authority/StellaOps.Authority DONE (2025-10-26) Authority Core & Security Guild AUTH-POLICY-20-001 Add new policy scopes (policy:*, findings:read, effective:write).
Sprint 20 Policy Engine v2 src/Authority/StellaOps.Authority DONE (2025-10-26) Authority Core & Security Guild AUTH-POLICY-20-002 Enforce Policy Engine service identity and scope checks at gateway.
Sprint 20 Policy Engine v2 src/Authority/StellaOps.Authority DONE (2025-10-26) Authority Core & Docs Guild AUTH-POLICY-20-003 Update Authority docs/config samples for policy scopes + workflows.
Sprint 20 Policy Engine v2 src/Bench/StellaOps.Bench DONE (2025-10-26) Bench Guild, Policy Guild BENCH-POLICY-20-001 Create policy evaluation benchmark suite + baseline metrics.
Sprint 20 Policy Engine v2 src/Policy/StellaOps.Policy.Engine DONE (2025-10-26) Policy Guild, Platform Guild POLICY-ENGINE-20-000 Spin up new Policy Engine service host with DI bootstrap and Authority wiring.
Sprint 20 Policy Engine v2 src/Policy/StellaOps.Policy.Engine DONE (2025-10-26) Policy Guild POLICY-ENGINE-20-001 Deliver stella-dsl@1 parser + IR compiler with diagnostics and checksums.
Sprint 20 Policy Engine v2 src/Scheduler/__Libraries/StellaOps.Scheduler.Models DONE (2025-10-26) Scheduler Models Guild SCHED-MODELS-20-001 Define policy run/diff DTOs + validation helpers.
Sprint 21 Graph Explorer v1 src/Authority/StellaOps.Authority DONE (2025-10-26) Authority Core Guild AUTH-GRAPH-21-001 Introduce graph scopes (graph:*) with configuration binding and defaults.
Sprint 21 Graph Explorer v1 src/Authority/StellaOps.Authority DONE (2025-10-26) Authority Core Guild AUTH-GRAPH-21-002 Enforce graph scopes/identities at gateway with tenant propagation.
Sprint 21 Graph Explorer v1 src/Authority/StellaOps.Authority DONE (2025-10-26) Authority Core & Docs Guild AUTH-GRAPH-21-003 Update security docs/config samples for graph access and least privilege.
Sprint 21 Graph Explorer v1 src/Scheduler/__Libraries/StellaOps.Scheduler.Models DONE (2025-10-26) Scheduler Models Guild SCHED-MODELS-21-001 Define job DTOs for graph builds/overlay refresh (GraphBuildJob, GraphOverlayJob) with deterministic serialization and status enums; document in src/Scheduler/__Libraries/StellaOps.Scheduler.Models/docs/SCHED-MODELS-21-001-GRAPH-JOBS.md.
Sprint 21 Graph Explorer v1 src/Scheduler/__Libraries/StellaOps.Scheduler.Models DONE (2025-10-26) Scheduler Models Guild SCHED-MODELS-21-002 Publish schema docs/sample payloads for graph job lifecycle.
Sprint 22 Link-Not-Merge v1 src/Bench/StellaOps.Bench DONE (2025-10-26) Bench Guild BENCH-LNM-22-001 Benchmark advisory observation ingest/correlation throughput.
Sprint 22 Link-Not-Merge v1 src/Bench/StellaOps.Bench DONE (2025-10-26) Bench Guild BENCH-LNM-22-002 Benchmark VEX ingest/correlation latency and event emission.
Sprint 23 StellaOps Console docs DONE (2025-10-26) Docs Guild DOCS-CONSOLE-23-001 Publish /docs/ui/console-overview.md (IA, tenant model, filters, AOC alignment).
Sprint 23 StellaOps Console docs DONE (2025-10-26) Docs Guild DOCS-CONSOLE-23-002 Author /docs/ui/navigation.md with route map, filters, keyboard shortcuts, deep links.
Sprint 23 StellaOps Console docs DONE (2025-10-26) Docs Guild DOCS-CONSOLE-23-003 Document /docs/ui/sbom-explorer.md covering catalog, graph, overlays, exports.
Sprint 23 StellaOps Console docs DONE (2025-10-26) Docs Guild DOCS-CONSOLE-23-004 Produce /docs/ui/advisories-and-vex.md detailing aggregation-not-merge UX.
Sprint 23 StellaOps Console docs DONE (2025-10-26) Docs Guild DOCS-CONSOLE-23-005 Write /docs/ui/findings.md with filters, explain, exports, CLI parity notes.
Sprint 23 StellaOps Console docs DONE (2025-10-26) Docs Guild DOCS-CONSOLE-23-006 Publish /docs/ui/policies.md (editor, simulation, approvals, RBAC).
Sprint 23 StellaOps Console docs DONE (2025-10-26) Docs Guild DOCS-CONSOLE-23-007 Document /docs/ui/runs.md with SSE monitoring, diff, retries, evidence downloads.
Sprint 23 StellaOps Console docs DONE (2025-10-26) Docs Guild DOCS-CONSOLE-23-008 Draft /docs/ui/admin.md covering tenants, roles, tokens, integrations, fresh-auth.
Sprint 23 StellaOps Console docs DONE (2025-10-27) Docs Guild DOCS-CONSOLE-23-009 Publish /docs/ui/downloads.md aligning manifest with commands and offline flow.
Sprint 23 StellaOps Console docs DONE (2025-10-27) Docs Guild, Deployment Guild, Console Guild DOCS-CONSOLE-23-010 Write /docs/deploy/console.md (Helm, ingress, TLS, env vars, health checks).
Sprint 28 Graph Explorer src/Scheduler/StellaOps.Scheduler.WebService DONE (2025-10-26) Scheduler WebService Guild SCHED-WEB-21-001 Provide graph build/overlay job APIs; see docs/SCHED-WEB-21-001-GRAPH-APIS.md.
Sprint 28 Graph Explorer src/Scheduler/StellaOps.Scheduler.WebService DONE (2025-10-26) Scheduler WebService Guild SCHED-WEB-21-002 Provide overlay lag metrics endpoint/webhook; see docs/SCHED-WEB-21-001-GRAPH-APIS.md.
Sprint 28 Graph Explorer src/Scheduler/StellaOps.Scheduler.WebService DONE (2025-10-26) Scheduler WebService Guild, Authority Core Guild SCHED-WEB-21-003 Replace header auth with Authority scopes using StellaOpsScopes; dev fallback only when Scheduler:Authority:Enabled=false.
Sprint 50 Observability & Forensics Phase 1 Baseline Telemetry ops/devops DONE (2025-10-26) DevOps Guild DEVOPS-OBS-50-001 Deploy default OpenTelemetry collector manifests with secure OTLP pipeline.
Sprint 50 Observability & Forensics Phase 1 Baseline Telemetry ops/devops DONE (2025-10-26) DevOps Guild DEVOPS-OBS-50-003 Package telemetry stack configs for offline/air-gapped installs with signatures.
Sprint 16 Scheduler Intelligence src/Scheduler/StellaOps.Scheduler.WebService DONE (2025-10-27) Scheduler WebService Guild SCHED-WEB-16-101 Minimal API host with Authority enforcement.
Sprint 16 Scheduler Intelligence src/Scheduler/__Libraries/StellaOps.Scheduler.Worker DONE (2025-10-27) Scheduler Worker Guild SCHED-WORKER-16-202 ImpactIndex targeting and shard planning.
This file describes the implementation of Stella Ops (docs/README.md). Implementation must respect the rules from AGENTS.md (read it if you have not).
Sprint Theme Tasks File Path Status Type of Specialist Task ID Task Description
Sprint 16 Scheduler Intelligence src/Scheduler/__Libraries/StellaOps.Scheduler.Worker DONE (2025-10-27) Scheduler Worker Guild SCHED-WORKER-16-203 Runner execution invoking Scanner analysis/content refresh.
Sprint 16 Scheduler Intelligence src/Scheduler/__Libraries/StellaOps.Scheduler.Worker DONE (2025-10-27) Scheduler Worker Guild SCHED-WORKER-16-204 Emit rescan/report events for Notify/UI.
Sprint 16 Scheduler Intelligence src/Scheduler/__Libraries/StellaOps.Scheduler.Worker DONE (2025-10-27) Scheduler Worker Guild SCHED-WORKER-16-205 Metrics/telemetry for Scheduler planners/runners.
Sprint 19 Aggregation-Only Contract Enforcement src/Authority/StellaOps.Authority DONE (2025-10-27) Authority Core & Security Guild AUTH-AOC-19-002 Enforce tenant claim propagation and cross-tenant guardrails.

AUTH-AOC-19-002: Tenant metadata now flows through rate limiter/audit/token persistence; password grant scope/tenant enforcement landed. Docs/stakeholder walkthrough pending. 2025-10-27 Update: Ingestion scopes require tenant assignment; access tokens propagate tenant claims and reject cross-tenant mismatches with coverage.
| Sprint 19 | Aggregation-Only Contract Enforcement | src/Authority/StellaOps.Authority | DONE (2025-10-27) | Authority Core & Docs Guild | AUTH-AOC-19-003 | Update Authority docs/config samples for new scopes. |
AUTH-AOC-19-003: Scope catalogue, console/CLI docs, and sample config updated to require aoc:verify plus read scopes; verification clients now explicitly include tenant hints. Authority test run remains blocked on Concelier build failure (ImmutableHashSet<string?>), previously noted under AUTH-AOC-19-002.
| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/StellaOps.Concelier.WebService | DONE (2025-10-28) | Concelier WebService Guild | CONCELIER-WEB-AOC-19-001 | Implement raw advisory ingestion endpoints with AOC guard and verifier. |
| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.Worker | DONE (2025-10-28) | QA Guild | EXCITITOR-WORKER-AOC-19-003 | Expand worker tests for deterministic batching and restart safety. |
| Sprint 20 | Policy Engine v2 | ops/devops | DONE (2025-10-27) | DevOps Guild, Scheduler Guild, CLI Guild | DEVOPS-POLICY-20-004 | Automate policy schema exports and change notifications for CLI consumers. |
| Sprint 20 | Policy Engine v2 | src/Cli/StellaOps.Cli | DONE (2025-10-27) | DevEx/CLI Guild | CLI-POLICY-20-002 | Implement stella policy simulate with diff outputs + exit codes. |
| Sprint 21 | Graph Explorer v1 | src/Cartographer/StellaOps.Cartographer | DONE (2025-10-27) | Cartographer Guild | CARTO-GRAPH-21-010 | Replace hard-coded graph:* scope strings with shared constants once graph services integrate. |
| Sprint 21 | Graph Explorer v1 | src/Scheduler/StellaOps.Scheduler.WebService | DONE (2025-10-26) | Scheduler WebService Guild | SCHED-WEB-21-002 | Expose overlay lag metrics and job completion hooks for Cartographer. |
| Sprint 23 | StellaOps Console | docs | DONE (2025-10-28) | Docs Guild | DOCS-CONSOLE-23-011 | Update /docs/install/docker.md to include console image, compose/Helm/offline examples. |
| Sprint 23 | StellaOps Console | docs | DONE (2025-10-28) | Docs Guild | DOCS-CONSOLE-23-012 | Publish /docs/security/console-security.md covering OIDC, scopes, CSP, evidence handling. |
| Sprint 23 | StellaOps Console | docs | DONE (2025-10-28) | Docs Guild | DOCS-CONSOLE-23-013 | Write /docs/observability/ui-telemetry.md cataloguing metrics/logs/dashboards/alerts. |
| Sprint 23 | StellaOps Console | docs | DONE (2025-10-28) | Docs Guild | DOCS-CONSOLE-23-014 | Maintain /docs/cli-vs-ui-parity.md matrix with CI drift detection guidance. |
| Sprint 23 | StellaOps Console | docs | DONE (2025-10-28) | Docs Guild | DOCS-CONSOLE-23-016 | Refresh /docs/accessibility.md with console keyboard flows, tokens, testing tools. 2025-10-28: Published guide covering keyboard matrix, screen-reader behaviour, colour tokens, testing workflow, offline guidance, and compliance checklist. |
| Sprint 25 | Exceptions v1 | docs | DONE (2025-10-27) | Docs Guild | DOCS-EXC-25-004 | Document policy exception effects + simulation. |
| Sprint 25 | Exceptions v1 | src/Policy/StellaOps.Policy.Engine | DONE (2025-10-27) | Policy Guild | POLICY-ENGINE-70-001 | Add exception evaluation layer with specificity + effects. |
| Sprint 25 | Exceptions v1 | src/Policy/__Libraries/StellaOps.Policy | DONE (2025-10-27) | Policy Guild | POLICY-EXC-25-001 | Extend SPL schema to reference exception effects and routing. |

This file describes the implementation of Stella Ops (docs/README.md). Implementation must respect the rules from AGENTS.md (read it if you have not).

Sprint Theme Tasks File Path Status Type of Specialist Task ID Task Description
Sprint 16 Scheduler Intelligence src/Scheduler/__Libraries/StellaOps.Scheduler.Worker DOING (2025-10-27) Scheduler Worker Guild SCHED-WORKER-16-201 Planner loop (cron/event triggers, leases, fairness).
Sprint 17 Symbol Intelligence & Forensics ops/offline-kit BLOCKED (2025-10-26) Offline Kit Guild, DevOps Guild DEVOPS-OFFLINE-17-004 Run mirror_debug_store.py once release artefacts exist and archive verification evidence with the Offline Kit.
Sprint 17 Symbol Intelligence & Forensics ops/devops BLOCKED (2025-10-26) DevOps Guild DEVOPS-REL-17-004 Ensure release workflow publishes out/release/debug (build-id tree + manifest) and fails when symbols are missing.

DOCS-AOC-19-004: Architecture overview & policy-engine docs refreshed 2025-10-26 — reuse new AOC boundary diagram + metrics guidance. DOCS-AOC-19-005: Link to the new AOC reference and architecture overview; include exit code table sourced from those docs. | Sprint 19 | Aggregation-Only Contract Enforcement | ops/devops | BLOCKED (2025-10-26) | DevOps Guild, Platform Guild | DEVOPS-AOC-19-001 | Integrate AOC analyzer/guard enforcement into CI pipelines. | | Sprint 19 | Aggregation-Only Contract Enforcement | ops/devops | BLOCKED (2025-10-26) | DevOps Guild | DEVOPS-AOC-19-002 | Add CI stage running stella aoc verify against seeded snapshots. | | Sprint 19 | Aggregation-Only Contract Enforcement | ops/devops | BLOCKED (2025-10-26) | DevOps Guild, QA Guild | DEVOPS-AOC-19-003 | Enforce guard coverage thresholds and export metrics to dashboards. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Cli/StellaOps.Cli | DOING (2025-10-27) | DevEx/CLI Guild | CLI-AOC-19-001 | Implement stella sources ingest --dry-run command. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-AOC-19-002 | Implement stella aoc verify command with exit codes. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Cli/StellaOps.Cli | TODO | Docs/CLI Guild | CLI-AOC-19-003 | Update CLI reference and quickstart docs for new AOC commands. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-001 | Implement AOC repository guard rejecting forbidden fields. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-002 | Deliver deterministic linkset extraction for advisories. 
| | Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-003 | Enforce idempotent append-only upsert with supersedes pointers. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core | DOING (2025-10-28) | Concelier Core Guild | CONCELIER-CORE-AOC-19-004 | Remove ingestion normalization; defer derived logic to Policy Engine. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-013 | Extend smoke coverage to validate tenant-scoped Authority tokens and cross-tenant rejection. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-001 | Add Mongo schema validator for advisory_raw. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-002 | Create idempotency unique index backed by migration scripts. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-003 | Deliver append-only migration/backfill plan with supersedes chaining. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | TODO | Concelier Storage Guild, DevOps Guild | CONCELIER-STORE-AOC-19-004 | Document validator deployment steps for online/offline clusters. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild, Observability Guild | CONCELIER-WEB-AOC-19-002 | Emit AOC observability metrics, traces, and structured logs. 
| | Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/StellaOps.Concelier.WebService | TODO | QA Guild | CONCELIER-WEB-AOC-19-003 | Add schema/guard unit tests covering AOC error codes. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild, QA Guild | CONCELIER-WEB-AOC-19-004 | Build integration suite validating deterministic ingest under load. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-001 | Introduce VEX repository guard enforcing AOC invariants. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-002 | Build deterministic VEX linkset extraction. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-003 | Enforce append-only idempotent VEX raw upserts. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-004 | Remove ingestion consensus logic; rely on Policy Engine. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-013 | Update smoke suites to enforce tenant-scoped Authority tokens and cross-tenant VEX rejection. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-001 | Add Mongo schema validator for vex_raw. 
| | Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-002 | Create idempotency unique index for VEX raw documents. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-003 | Deliver append-only migration/backfill for VEX raw collections. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | TODO | Excititor Storage Guild, DevOps Guild | EXCITITOR-STORE-AOC-19-004 | Document validator deployment for Excititor clusters/offline kit. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild | EXCITITOR-WEB-AOC-19-001 | Implement raw VEX ingestion and AOC verifier endpoints. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild, Observability Guild | EXCITITOR-WEB-AOC-19-002 | Emit AOC metrics/traces/logging for Excititor ingestion. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.WebService | TODO | QA Guild | EXCITITOR-WEB-AOC-19-003 | Add AOC guard test harness for VEX schemas. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild, QA Guild | EXCITITOR-WEB-AOC-19-004 | Validate large VEX ingest runs and CLI verification parity. | | Sprint 41 | Surface Sharing Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | TODO | Scanner Guild, Zastava Guild | SURFACE-FS-01 | Author Surface.FS cache specification and cross-module contract. 
| | Sprint 41 | Surface Sharing Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env | TODO | Scanner Guild, Ops Guild, Zastava Guild | SURFACE-ENV-01 | Draft Surface.Env variable matrix for Scanner/Zastava deployments. | | Sprint 41 | Surface Sharing Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets | TODO | Scanner Guild, Security Guild, Zastava Guild | SURFACE-SECRETS-01 | Define Surface.Secrets schema and rotation guidance. | | Sprint 41 | Surface Sharing Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation | TODO | Scanner Guild, Security Guild | SURFACE-VAL-01 | Design validator framework for shared Surface checks and extensibility. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.Worker | TODO | Excititor Worker Guild | EXCITITOR-WORKER-AOC-19-001 | Rewire worker to persist raw VEX docs with guard enforcement. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.Worker | TODO | Excititor Worker Guild | EXCITITOR-WORKER-AOC-19-002 | Enforce signature/checksum verification prior to raw writes. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Policy/__Libraries/StellaOps.Policy | TODO | Policy Guild | POLICY-AOC-19-001 | Add lint preventing ingestion modules from referencing Policy-only helpers. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Policy/__Libraries/StellaOps.Policy | TODO | Policy Guild, Security Guild | POLICY-AOC-19-002 | Enforce Policy-only writes to effective_finding_* collections. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Policy/__Libraries/StellaOps.Policy | TODO | Policy Guild | POLICY-AOC-19-003 | Update Policy readers to consume only raw document fields. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Policy/__Libraries/StellaOps.Policy | TODO | Policy Guild, QA Guild | POLICY-AOC-19-004 | Add determinism tests for raw-driven policy recomputation. 
| | Sprint 19 | Aggregation-Only Contract Enforcement | src/Web/StellaOps.Web | TODO | UI Guild | UI-AOC-19-001 | Add Sources dashboard tiles surfacing AOC status and violations. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Web/StellaOps.Web | TODO | UI Guild | UI-AOC-19-002 | Build violation drill-down view for offending documents. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Web/StellaOps.Web | TODO | UI Guild | UI-AOC-19-003 | Wire "Verify last 24h" action and CLI parity messaging. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Web/StellaOps.Web | DOING (2025-10-26) | BE-Base Platform Guild | WEB-AOC-19-001 | Provide shared AOC forbidden key set and guard middleware. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-AOC-19-002 | Ship provenance builder and signature helpers for ingestion services. | | Sprint 19 | Aggregation-Only Contract Enforcement | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild, QA Guild | WEB-AOC-19-003 | Author analyzer + shared test fixtures for guard compliance. | | Sprint 20 | Policy Engine v2 | ops/devops | BLOCKED (waiting on POLICY-ENGINE-20-006) | DevOps Guild | DEVOPS-POLICY-20-002 | Run stella policy simulate CI stage against golden SBOMs. | | Sprint 20 | Policy Engine v2 | src/Bench/StellaOps.Bench | BLOCKED (waiting on SCHED-WORKER-20-302) | Bench Guild, Scheduler Guild | BENCH-POLICY-20-002 | Add incremental run benchmark capturing delta SLA compliance. | | Sprint 20 | Policy Engine v2 | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild, Docs Guild | CLI-POLICY-20-003 | Extend stella findings commands with policy filters and explain view. | 2025-10-27: Backend helpers drafted but command integration/tests pending; task reset to TODO awaiting follow-up. 
| Sprint 20 | Policy Engine v2 | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-POLICY-20-002 | Strengthen linkset builders with equivalence tables + range parsing. | | Sprint 20 | Policy Engine v2 | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | TODO | Concelier Storage Guild | CONCELIER-POLICY-20-003 | Add advisory selection cursors + change-stream checkpoints for policy runs. | | Sprint 20 | Policy Engine v2 | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild | CONCELIER-POLICY-20-001 | Provide advisory selection endpoints for policy engine (batch PURL/ID). | | Sprint 20 | Policy Engine v2 | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-POLICY-20-002 | Enhance VEX linkset scope + version resolution for policy accuracy. | | Sprint 20 | Policy Engine v2 | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | TODO | Excititor Storage Guild | EXCITITOR-POLICY-20-003 | Introduce VEX selection cursors + change-stream checkpoints. | | Sprint 20 | Policy Engine v2 | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild | EXCITITOR-POLICY-20-001 | Ship VEX selection APIs aligned with policy join requirements. | | Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine | BLOCKED (2025-10-26) | Policy Guild | POLICY-ENGINE-20-002 | Implement deterministic rule evaluator with priority/first-match semantics. | | Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild, Concelier Core, Excititor Core | POLICY-ENGINE-20-003 | Build SBOM↔advisory↔VEX linkset joiners with deterministic batching. | | Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild, Storage Guild | POLICY-ENGINE-20-004 | Materialize effective findings with append-only history and tenant scoping. 
| | Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild, Security Guild | POLICY-ENGINE-20-005 | Enforce determinism guard banning wall-clock, RNG, and network usage. | | Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild, Scheduler Guild | POLICY-ENGINE-20-006 | Implement incremental orchestrator reacting to change streams. | | Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild, Observability Guild | POLICY-ENGINE-20-007 | Emit policy metrics, traces, and sampled rule-hit logs. | | Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild, QA Guild | POLICY-ENGINE-20-008 | Add unit/property/golden/perf suites verifying determinism + SLA. | | Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild, Storage Guild | POLICY-ENGINE-20-009 | Define Mongo schemas/indexes + migrations for policies/runs/findings. | | Sprint 20 | Policy Engine v2 | src/Scheduler/__Libraries/StellaOps.Scheduler.Models | TODO | Scheduler Models Guild | SCHED-MODELS-20-002 | Update schema docs with policy run lifecycle samples. | | Sprint 20 | Policy Engine v2 | src/Scheduler/StellaOps.Scheduler.WebService | TODO | Scheduler WebService Guild | SCHED-WEB-20-001 | Expose policy run scheduling APIs with scope enforcement. | | Sprint 20 | Policy Engine v2 | src/Scheduler/StellaOps.Scheduler.WebService | TODO | Scheduler WebService Guild | SCHED-WEB-20-002 | Provide simulation trigger endpoint returning diff metadata. | | Sprint 20 | Policy Engine v2 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | TODO | Scheduler Worker Guild | SCHED-WORKER-20-301 | Schedule policy runs via API with idempotent job tracking. | | Sprint 20 | Policy Engine v2 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | TODO | Scheduler Worker Guild | SCHED-WORKER-20-302 | Implement delta targeting leveraging change streams + policy metadata. 
| | Sprint 20 | Policy Engine v2 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | TODO | Scheduler Worker Guild, Observability Guild | SCHED-WORKER-20-303 | Expose policy scheduling metrics/logs with policy/run identifiers. | | Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web | TODO | UI Guild | UI-POLICY-20-001 | Ship Monaco-based policy editor with inline diagnostics + checklists. | | Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web | TODO | UI Guild | UI-POLICY-20-002 | Build simulation panel with deterministic diff rendering + virtualization. | | Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web | TODO | UI Guild, Product Ops | UI-POLICY-20-003 | Implement submit/review/approve workflow with RBAC + audit trail. | | Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web | TODO | UI Guild, Observability Guild | UI-POLICY-20-004 | Add run dashboards (heatmap/VEX wins/suppressions) with export. | | Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-POLICY-20-001 | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints. | | Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-POLICY-20-002 | Add pagination, filters, deterministic ordering to policy listings. | | Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild, QA Guild | WEB-POLICY-20-003 | Map engine errors to ERR_POL_* responses with contract tests. | | Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web | TODO | Platform Reliability Guild | WEB-POLICY-20-004 | Introduce rate limits/quotas + metrics for simulation endpoints. | | Sprint 21 | Graph Explorer v1 | src/Bench/StellaOps.Bench | BLOCKED (2025-10-27) | Bench Guild, Graph Platform Guild | BENCH-GRAPH-21-001 | Graph viewport/path perf harness (50k/100k nodes) measuring Graph API/Indexer latency and cache hit rates. Executed within Sprint 28 Graph program. 
Upstream Graph API/indexer contracts (GRAPH-API-28-003, GRAPH-INDEX-28-006) still pending, so benchmarks cannot target stable endpoints yet. | | Sprint 21 | Graph Explorer v1 | src/Bench/StellaOps.Bench | BLOCKED (2025-10-27) | Bench Guild, UI Guild | BENCH-GRAPH-21-002 | Headless UI load benchmark for graph canvas interactions (Playwright) tracking render FPS budgets. Executed within Sprint 28 Graph program. Depends on BENCH-GRAPH-21-001 and UI Graph Explorer (UI-GRAPH-24-001), both pending. | | Sprint 21 | Graph Explorer v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core | DONE (2025-11-18) | Concelier Core Guild | CONCELIER-GRAPH-21-001 | Enrich SBOM normalization with relationships, scopes, entrypoint annotations for Cartographer. Schema frozen 2025-11-17; acceptance tests pass. | | Sprint 21 | Graph Explorer v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core | DONE (2025-11-22) | Concelier Core & Scheduler Guilds | CONCELIER-GRAPH-21-002 | Publish SBOM change events with tenant metadata for graph builds. Observation event contract + publisher shipped; aligned to Cartographer webhook expectations. | | Sprint 21 | Graph Explorer v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core | BLOCKED (2025-10-27) | Excititor Core Guild | EXCITITOR-GRAPH-21-001 | Deliver batched VEX/advisory fetch helpers for inspector linkouts. Waiting on linkset enrichment (EXCITITOR-POLICY-20-002) and Cartographer inspector contract (CARTO-GRAPH-21-005). | | Sprint 21 | Graph Explorer v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core | BLOCKED (2025-10-27) | Excititor Core Guild | EXCITITOR-GRAPH-21-002 | Enrich overlay metadata with VEX justification summaries for graph overlays. Depends on EXCITITOR-GRAPH-21-001 and Policy overlay schema (POLICY-ENGINE-30-001). 
| Sprint 21 | Graph Explorer v1 | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | BLOCKED (2025-10-27) | Excititor Storage Guild | EXCITITOR-GRAPH-21-005 | Create indexes/materialized views for VEX lookups by PURL/policy. Awaiting access pattern specs from EXCITITOR-GRAPH-21-001. |
| Sprint 21 | Graph Explorer v1 | src/SbomService/StellaOps.SbomService | BLOCKED (2025-10-27) | SBOM Service Guild | SBOM-SERVICE-21-001 | Expose normalized SBOM projection API with relationships, scopes, entrypoints. Waiting on Concelier projection schema (CONCELIER-GRAPH-21-001). |
| Sprint 21 | Graph Explorer v1 | src/SbomService/StellaOps.SbomService | BLOCKED (2025-10-27) | SBOM Service & Scheduler Guilds | SBOM-SERVICE-21-002 | Emit SBOM version change events for Cartographer build queue. Depends on SBOM projection API (SBOM-SERVICE-21-001) and Scheduler contracts. |
| Sprint 21 | Graph Explorer v1 | src/SbomService/StellaOps.SbomService | BLOCKED (2025-10-27) | SBOM Service Guild | SBOM-SERVICE-21-003 | Provide entrypoint management API with tenant overrides. Blocked by SBOM projection API contract. |
| Sprint 21 | Graph Explorer v1 | src/SbomService/StellaOps.SbomService | BLOCKED (2025-10-27) | SBOM Service & Observability Guilds | SBOM-SERVICE-21-004 | Add metrics/traces/logs for SBOM projections. Requires projection pipeline from SBOM-SERVICE-21-001. |
| Sprint 21 | Graph Explorer v1 | src/Web/StellaOps.Web | BLOCKED (2025-10-27) | BE-Base Platform Guild | WEB-GRAPH-21-001 | Add gateway routes for graph APIs with scope enforcement and streaming. Upstream Graph API (GRAPH-API-28-003) and Authority scope work (AUTH-VULN-24-001) pending. |
| Sprint 21 | Graph Explorer v1 | src/Web/StellaOps.Web | BLOCKED (2025-10-27) | BE-Base Platform Guild | WEB-GRAPH-21-002 | Implement bbox/zoom/path validation and pagination for graph endpoints. Depends on core proxy routes. |
| Sprint 21 | Graph Explorer v1 | src/Web/StellaOps.Web | BLOCKED (2025-10-27) | BE-Base Platform & QA Guilds | WEB-GRAPH-21-003 | Map graph errors to ERR_Graph_* and support export streaming. Requires WEB-GRAPH-21-001. |
| Sprint 21 | Graph Explorer v1 | src/Web/StellaOps.Web | BLOCKED (2025-10-27) | BE-Base & Policy Guilds | WEB-GRAPH-21-004 | Wire Policy Engine simulation overlays into graph responses. Waiting on Graph routes and Policy overlay schema (POLICY-ENGINE-30-002). |
| Sprint 22 | Link-Not-Merge v1 | docs | BLOCKED (2025-10-27) | Docs Guild | DOCS-LNM-22-001 | Publish advisories aggregation doc with observation/linkset philosophy. | Blocked by CONCELIER-LNM-21-001..003; draft doc exists but final alignment waits for schema/API delivery. |
| Sprint 22 | Link-Not-Merge v1 | docs | BLOCKED (2025-10-27) | Docs Guild | DOCS-LNM-22-002 | Publish VEX aggregation doc describing observation/linkset flow. | Blocked by EXCITITOR-LNM-21-001..003; draft doc staged pending observation/linkset implementation. |
| Sprint 22 | Link-Not-Merge v1 | docs | BLOCKED (2025-10-27) | Docs Guild | DOCS-LNM-22-005 | Document UI evidence panel with conflict badges/AOC drill-down. | Blocked by UI-LNM-22-001..003; need shipping UI to capture screenshots and finalize guidance. |
| Sprint 22 | Link-Not-Merge v1 | ops/devops | BLOCKED (2025-10-27) | DevOps Guild | DEVOPS-LNM-22-001 | Execute advisory observation/linkset migration/backfill and automation. |
| Sprint 22 | Link-Not-Merge v1 | ops/devops | BLOCKED (2025-10-27) | DevOps Guild | DEVOPS-LNM-22-002 | Run VEX observation/linkset migration/backfill with monitoring/runbook. |
| Sprint 22 | Link-Not-Merge v1 | samples | BLOCKED (2025-10-27) | Samples Guild | SAMPLES-LNM-22-001 | Add advisory observation/linkset fixtures with conflicts. |
| Sprint 22 | Link-Not-Merge v1 | samples | BLOCKED (2025-10-27) | Samples Guild | SAMPLES-LNM-22-002 | Add VEX observation/linkset fixtures with status disagreements. |
| Sprint 22 | Link-Not-Merge v1 | src/Authority/StellaOps.Authority | TODO | Authority Core Guild | AUTH-AOC-22-001 | Roll out new advisory/vex ingest/read scopes. |
| Sprint 22 | Link-Not-Merge v1 | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-LNM-22-001 | Implement advisory observation/linkset CLI commands with JSON/OSV export. |
| Sprint 22 | Link-Not-Merge v1 | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-LNM-22-002 | Implement VEX observation/linkset CLI commands. |
| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-LNM-21-001 | Define immutable advisory observation schema with AOC metadata. |
| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild, Data Science Guild | CONCELIER-LNM-21-002 | Implement advisory linkset builder with correlation signals/conflicts. |
| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Merge | TODO | BE-Merge | MERGE-LNM-21-002 | Deprecate merge service and enforce observation-only pipeline. |
| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | TODO | Concelier Storage Guild | CONCELIER-LNM-21-101 | Provision observations/linksets collections and indexes. |
| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | TODO | Concelier Storage & DevOps Guilds | CONCELIER-LNM-21-102 | Backfill legacy merged advisories into observations/linksets with rollback tooling. |
| Sprint 22 | Link-Not-Merge v1 | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild | CONCELIER-LNM-21-201 | Ship advisory observation read APIs with pagination/RBAC. |
| Sprint 22 | Link-Not-Merge v1 | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild | CONCELIER-LNM-21-202 | Implement advisory linkset read/export/evidence endpoints mapped to ERR_AGG_*. |
| Sprint 22 | Link-Not-Merge v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-LNM-21-001 | Define immutable VEX observation model. |
| Sprint 22 | Link-Not-Merge v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-LNM-21-002 | Build VEX linkset correlator with confidence/conflict recording. |
| Sprint 22 | Link-Not-Merge v1 | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | TODO | Excititor Storage Guild | EXCITITOR-LNM-21-101 | Provision VEX observation/linkset collections and indexes. |
| Sprint 22 | Link-Not-Merge v1 | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | TODO | Excititor Storage & DevOps Guilds | EXCITITOR-LNM-21-102 | Backfill legacy VEX data into observations/linksets with rollback scripts. |
| Sprint 22 | Link-Not-Merge v1 | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild | EXCITITOR-LNM-21-201 | Expose VEX observation APIs with filters/pagination and RBAC. |
| Sprint 22 | Link-Not-Merge v1 | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild | EXCITITOR-LNM-21-202 | Implement VEX linkset endpoints + exports with evidence payloads. |
| Sprint 22 | Link-Not-Merge v1 | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-40-001 | Update severity selection to handle multiple source severities per linkset. |
| Sprint 22 | Link-Not-Merge v1 | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild, Excititor Guild | POLICY-ENGINE-40-002 | Integrate VEX linkset conflicts into effective findings/explain traces. |
| Sprint 22 | Link-Not-Merge v1 | src/Scanner/StellaOps.Scanner.WebService | TODO | Scanner WebService Guild | SCANNER-LNM-21-001 | Update report/runtime payloads to consume linksets and surface source evidence. |
| Sprint 22 | Link-Not-Merge v1 | src/Web/StellaOps.Web | TODO | UI Guild | UI-LNM-22-001 | Deliver Evidence panel with policy banner and source observations. |
| Sprint 22 | Link-Not-Merge v1 | src/Web/StellaOps.Web | TODO | UI Guild | UI-LNM-22-003 | Add VEX evidence tab with conflict indicators and exports. |
| Sprint 22 | Link-Not-Merge v1 | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-LNM-21-001 | Surface advisory observation/linkset APIs through gateway with RBAC. |
| Sprint 22 | Link-Not-Merge v1 | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-LNM-21-002 | Expose VEX observation/linkset endpoints with export handling. |
| Sprint 23 | StellaOps Console | docs | TODO | Docs Guild | DOCS-CONSOLE-23-015 | Produce /docs/architecture/console.md describing packages, data flow, SSE design. |
| Sprint 23 | StellaOps Console | docs | TODO | Docs Guild | DOCS-CONSOLE-23-017 | Create /docs/examples/ui-tours.md walkthroughs with annotated screenshots/GIFs. |
| Sprint 23 | StellaOps Console | docs | TODO | Docs Guild | DOCS-CONSOLE-23-018 | Execute console security checklist and record Security Guild sign-off. |
| Sprint 23 | StellaOps Console | ops/deployment | TODO | Deployment Guild | DOWNLOADS-CONSOLE-23-001 | Maintain signed downloads manifest pipeline feeding Console + docs parity checks. |
| Sprint 23 | StellaOps Console | ops/devops | BLOCKED (2025-10-26) | DevOps Guild | DEVOPS-CONSOLE-23-001 | Stand up console CI pipeline (pnpm cache, lint, tests, Playwright, Lighthouse, offline runners). |
| Sprint 23 | StellaOps Console | ops/devops | TODO | DevOps Guild | DEVOPS-CONSOLE-23-002 | Deliver stella-console container + Helm overlays with SBOM/provenance and offline packaging. |
| Sprint 23 | StellaOps Console | src/Authority/StellaOps.Authority | TODO | Authority Core & Security Guild | AUTH-CONSOLE-23-001 | Register Console OIDC client with PKCE, scopes, short-lived tokens, and offline defaults. |
| Sprint 23 | StellaOps Console | src/Authority/StellaOps.Authority | TODO | Authority Core & Security Guild | AUTH-CONSOLE-23-002 | Provide tenant catalog/user profile endpoints with audit logging and fresh-auth requirements. |
| Sprint 23 | StellaOps Console | src/Authority/StellaOps.Authority | TODO | Authority Core & Docs Guild | AUTH-CONSOLE-23-003 | Update security docs/sample configs for Console flows, CSP, and session policies. |
| Sprint 23 | StellaOps Console | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-001 | Surface /console/advisories aggregation views with per-source metadata and filters. |
| Sprint 23 | StellaOps Console | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-002 | Provide advisory delta metrics API for dashboard + live status ticker. |
| Sprint 23 | StellaOps Console | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-003 | Add search helpers for CVE/GHSA/PURL lookups returning evidence fragments. |
| Sprint 23 | StellaOps Console | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild | EXCITITOR-CONSOLE-23-001 | Expose /console/vex aggregation endpoints with precedence and provenance. |
| Sprint 23 | StellaOps Console | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild | EXCITITOR-CONSOLE-23-002 | Publish VEX override delta metrics feeding dashboard/status ticker. |
| Sprint 23 | StellaOps Console | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild | EXCITITOR-CONSOLE-23-003 | Implement VEX search helpers for global search and explain drill-downs. |
| Sprint 23 | StellaOps Console | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild, Scheduler Guild | EXPORT-CONSOLE-23-001 | Implement evidence bundle/export generator with signed manifests and telemetry. |
| Sprint 23 | StellaOps Console | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-CONSOLE-23-001 | Optimize findings/explain APIs for Console filters, aggregation hints, and provenance traces. |
| Sprint 23 | StellaOps Console | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild, Product Ops | POLICY-CONSOLE-23-002 | Expose simulation diff + approval state metadata for policy workspace scenarios. |
| Sprint 23 | StellaOps Console | src/SbomService/StellaOps.SbomService | TODO | SBOM Service Guild | SBOM-CONSOLE-23-001 | Deliver Console SBOM catalog API with filters, evaluation metadata, and raw projections. |
| Sprint 23 | StellaOps Console | src/SbomService/StellaOps.SbomService | TODO | SBOM Service Guild | SBOM-CONSOLE-23-002 | Provide component lookup/neighborhood endpoints for global search and overlays. |
| Sprint 23 | StellaOps Console | src/Scheduler/StellaOps.Scheduler.WebService | TODO | Scheduler WebService Guild | SCHED-CONSOLE-23-001 | Extend runs API with SSE progress, queue lag summaries, RBAC actions, and history pagination. |
| Sprint 23 | StellaOps Console | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | TODO | Scheduler Worker Guild | SCHED-WORKER-CONSOLE-23-201 | Stream run progress events with heartbeat/dedupe for Console SSE consumers. |
| Sprint 23 | StellaOps Console | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | TODO | Scheduler Worker Guild | SCHED-WORKER-CONSOLE-23-202 | Coordinate evidence bundle job queueing, status tracking, cancellation, and retention. |
| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-CONSOLE-23-001 | Ship /console/dashboard + /console/filters aggregates with tenant scoping and deterministic totals. |
| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild, Scheduler Guild | WEB-CONSOLE-23-002 | Provide /console/status polling and /console/runs/{id}/stream SSE proxy with heartbeat/backoff. |
| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild, Policy Guild | WEB-CONSOLE-23-003 | Expose /console/exports orchestration for evidence bundles, CSV/JSON streaming, manifest retrieval. |
| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-CONSOLE-23-004 | Implement /console/search fan-out router for CVE/GHSA/PURL/SBOM lookups with caching and RBAC. |
| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild, DevOps Guild | WEB-CONSOLE-23-005 | Serve /console/downloads manifest with signed image metadata and offline guidance. |
| Sprint 24 | Graph & Vuln Explorer v1 | src/Authority/StellaOps.Authority | TODO | Authority Core Guild | AUTH-VULN-24-001 | Extend scopes (vuln:view/vuln:investigate/vuln:operate/vuln:audit) and signed permalinks. | 2025-10-27: Scope enforcement spike paused; no production change landed. |
| Sprint 24 | Graph & Vuln Explorer v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-GRAPH-24-001 | Surface raw advisory observations/linksets for overlay services (no derived aggregation in ingestion). | 2025-10-27: Prototype not merged (query layer + CLI consumer under review); resetting to TODO. |
| Sprint 24 | Graph & Vuln Explorer v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-GRAPH-24-001 | Surface raw VEX statements/linksets for overlay services (no suppression/precedence logic here). |
| Sprint 24 | Graph & Vuln Explorer v1 | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-60-001 | Maintain Redis effective decision maps for overlays. |
| Sprint 24 | Graph & Vuln Explorer v1 | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-60-002 | Provide simulation bridge for graph what-if APIs. |
| Sprint 24 | Graph & Vuln Explorer v1 | src/Web/StellaOps.Web | TODO | UI Guild | UI-GRAPH-24-001 | Build Graph Explorer canvas with virtualization. |
| Sprint 24 | Graph & Vuln Explorer v1 | src/Web/StellaOps.Web | TODO | UI Guild | UI-GRAPH-24-002 | Implement overlays (Policy/Evidence/License/Exposure). |
| Sprint 25 | Exceptions v1 | docs | TODO | Docs Guild | DOCS-EXC-25-001 | Document exception governance concepts/workflow. |
| Sprint 25 | Exceptions v1 | docs | TODO | Docs Guild | DOCS-EXC-25-002 | Document approvals routing / MFA requirements. |
| Sprint 25 | Exceptions v1 | docs | TODO | Docs Guild | DOCS-EXC-25-003 | Publish API documentation for exceptions endpoints. |
| Sprint 25 | Exceptions v1 | docs | TODO | Docs Guild | DOCS-EXC-25-005 | Document UI exception center + badges. |
| Sprint 25 | Exceptions v1 | docs | TODO | Docs Guild | DOCS-EXC-25-006 | Update CLI docs for exception commands. |
| Sprint 25 | Exceptions v1 | docs | TODO | Docs Guild | DOCS-EXC-25-007 | Write migration guide for governed exceptions. |
| Sprint 25 | Exceptions v1 | src/Authority/StellaOps.Authority | TODO | Authority Core Guild | AUTH-EXC-25-001 | Introduce exception scopes and routing matrix with MFA. |
| Sprint 25 | Exceptions v1 | src/Authority/StellaOps.Authority | TODO | Authority Core & Docs Guild | AUTH-EXC-25-002 | Update docs/config samples for exception governance. |
| Sprint 25 | Exceptions v1 | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-EXC-25-001 | Implement CLI exception workflow commands. |
| Sprint 25 | Exceptions v1 | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-EXC-25-002 | Extend policy simulate with exception overrides. |
| Sprint 25 | Exceptions v1 | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-70-002 | Create exception collections/bindings storage + repos. |
| Sprint 25 | Exceptions v1 | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-70-003 | Implement Redis exception cache + invalidation. |
| Sprint 25 | Exceptions v1 | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-70-004 | Add metrics/tracing/logging for exception application. |
| Sprint 25 | Exceptions v1 | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-70-005 | Hook workers/events for activation/expiry. |
| Sprint 25 | Exceptions v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | TODO | Scheduler Worker Guild | SCHED-WORKER-25-101 | Implement exception lifecycle worker for activation/expiry. |
| Sprint 25 | Exceptions v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | TODO | Scheduler Worker Guild | SCHED-WORKER-25-102 | Add expiring notification job & metrics. |
| Sprint 25 | Exceptions v1 | src/Web/StellaOps.Web | TODO | UI Guild | UI-EXC-25-001 | Deliver Exception Center (list/kanban) with workflows. |
| Sprint 25 | Exceptions v1 | src/Web/StellaOps.Web | TODO | UI Guild | UI-EXC-25-002 | Build exception creation wizard with scope/timebox guardrails. |
| Sprint 25 | Exceptions v1 | src/Web/StellaOps.Web | TODO | UI Guild | UI-EXC-25-003 | Add inline exception drafting/proposing from explorers. |
| Sprint 25 | Exceptions v1 | src/Web/StellaOps.Web | TODO | UI Guild | UI-EXC-25-004 | Surface badges/countdowns/explain integration. |
| Sprint 25 | Exceptions v1 | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-EXC-25-001 | Ship exception CRUD + workflow API endpoints. |
| Sprint 25 | Exceptions v1 | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-EXC-25-002 | Extend policy endpoints to include exception metadata. |
| Sprint 25 | Exceptions v1 | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-EXC-25-003 | Emit exception events/notifications with rate limits. |
| Sprint 26 | Reachability v1 | docs | TODO | Docs Guild | DOCS-SIG-26-001 | Document reachability concepts and scoring. |
| Sprint 26 | Reachability v1 | docs | TODO | Docs Guild | DOCS-SIG-26-002 | Document callgraph formats. |
| Sprint 26 | Reachability v1 | docs | TODO | Docs Guild | DOCS-SIG-26-003 | Document runtime facts ingestion. |
| Sprint 26 | Reachability v1 | docs | TODO | Docs Guild | DOCS-SIG-26-004 | Document policy weighting for signals. |
| Sprint 26 | Reachability v1 | docs | TODO | Docs Guild | DOCS-SIG-26-005 | Document UI overlays/timelines. |
| Sprint 26 | Reachability v1 | docs | TODO | Docs Guild | DOCS-SIG-26-006 | Document CLI reachability commands. |
| Sprint 26 | Reachability v1 | docs | TODO | Docs Guild | DOCS-SIG-26-007 | Publish API docs for signals endpoints. |
| Sprint 26 | Reachability v1 | docs | TODO | Docs Guild | DOCS-SIG-26-008 | Write migration guide for enabling reachability. |
| Sprint 26 | Reachability v1 | ops/devops | TODO | DevOps Guild | DEVOPS-SIG-26-001 | Provision pipelines/deployments for Signals service. |
| Sprint 26 | Reachability v1 | ops/devops | TODO | DevOps Guild | DEVOPS-SIG-26-002 | Add dashboards/alerts for reachability metrics. |
| Sprint 26 | Reachability v1 | src/Authority/StellaOps.Authority | TODO | Authority Core Guild | AUTH-SIG-26-001 | Add signals scopes/roles + AOC requirements. |
| Sprint 26 | Reachability v1 | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-SIG-26-001 | Implement reachability CLI commands (upload/list/explain). |
| Sprint 26 | Reachability v1 | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-SIG-26-002 | Add reachability overrides to policy simulate. |
| Sprint 26 | Reachability v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-SIG-26-001 | Expose advisory symbol metadata for signals scoring. |
| Sprint 26 | Reachability v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-SIG-26-001 | Surface vendor exploitability hints to Signals. |
| Sprint 26 | Reachability v1 | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-80-001 | Integrate reachability inputs into policy evaluation and explainers. |
| Sprint 26 | Reachability v1 | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-80-002 | Optimize reachability fact retrieval + cache. |
| Sprint 26 | Reachability v1 | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-80-003 | Update SPL compiler for reachability predicates. |
| Sprint 26 | Reachability v1 | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-80-004 | Emit reachability metrics/traces. |
| Sprint 26 | Reachability v1 | src/Policy/__Libraries/StellaOps.Policy | TODO | Policy Guild | POLICY-SPL-24-001 | Extend SPL schema with reachability predicates/actions. |
| Sprint 26 | Reachability v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | TODO | Scheduler Worker Guild | SCHED-WORKER-26-201 | Implement reachability joiner worker. |
| Sprint 26 | Reachability v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | TODO | Scheduler Worker Guild | SCHED-WORKER-26-202 | Implement staleness monitor + notifications. |
| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals | BLOCKED (2025-10-27) | Signals Guild, Authority Guild | SIGNALS-24-001 | Stand up Signals API skeleton with RBAC + health checks. Host scaffold ready, waiting on AUTH-SIG-26-001 to finalize scope issuance and tenant enforcement. |
| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-002 | Implement callgraph ingestion/normalization pipeline. Waiting on SIGNALS-24-001 skeleton deployment. |
| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-003 | Ingest runtime facts and persist context data with AOC provenance. Depends on SIGNALS-24-001 base host. |
| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-004 | Deliver reachability scoring engine writing reachability facts. Blocked until ingestion pipelines unblock. |
| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-005 | Implement caches + signals events. Downstream of SIGNALS-24-004. |
| Sprint 26 | Reachability v1 | src/Web/StellaOps.Web | TODO | UI Guild | UI-SIG-26-001 | Add reachability columns/badges to Vulnerability Explorer. |
| Sprint 26 | Reachability v1 | src/Web/StellaOps.Web | TODO | UI Guild | UI-SIG-26-002 | Enhance Why drawer with call path/timeline. |
| Sprint 26 | Reachability v1 | src/Web/StellaOps.Web | TODO | UI Guild | UI-SIG-26-003 | Add reachability overlay/time slider to SBOM Graph. |
| Sprint 26 | Reachability v1 | src/Web/StellaOps.Web | TODO | UI Guild | UI-SIG-26-004 | Build Reachability Center + missing sensor view. |
| Sprint 26 | Reachability v1 | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-SIG-26-001 | Expose signals proxy endpoints with pagination and RBAC. |
| Sprint 26 | Reachability v1 | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-SIG-26-002 | Join reachability data into policy/vuln responses. |
| Sprint 26 | Reachability v1 | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-SIG-26-003 | Support reachability overrides in simulate APIs. |
| Sprint 27 | Policy Studio | docs | BLOCKED (2025-10-27) | Docs & Policy Guilds | DOCS-POLICY-27-001 | Publish /docs/policy/studio-overview.md with lifecycle + roles. | Blocked by REGISTRY-API-27-001 and POLICY-ENGINE-27-001; revisit once spec and compile enrichments land. |
| Sprint 27 | Policy Studio | docs | BLOCKED (2025-10-27) | Docs & Console Guilds | DOCS-POLICY-27-002 | Write /docs/policy/authoring.md with templates/snippets/lint rules. | Blocked by CONSOLE-STUDIO-27-001 pending; waiting on Studio authoring UX. |
| Sprint 27 | Policy Studio | docs | BLOCKED (2025-10-27) | Docs & Policy Registry Guilds | DOCS-POLICY-27-003 | Document /docs/policy/versioning-and-publishing.md. | Blocked by REGISTRY-API-27-007 pending publish/sign pipeline. |
| Sprint 27 | Policy Studio | docs | BLOCKED (2025-10-27) | Docs & Scheduler Guilds | DOCS-POLICY-27-004 | Publish /docs/policy/simulation.md with quick vs batch guidance. | Blocked by REGISTRY-API-27-005/SCHED-WORKER-27-301 pending batch simulation. |
| Sprint 27 | Policy Studio | docs | BLOCKED (2025-10-27) | Docs & Product Ops | DOCS-POLICY-27-005 | Author /docs/policy/review-and-approval.md. | Blocked by REGISTRY-API-27-006 review workflow outstanding. |
| Sprint 27 | Policy Studio | docs | BLOCKED (2025-10-27) | Docs & Policy Guilds | DOCS-POLICY-27-006 | Publish /docs/policy/promotion.md covering canary + rollback. | Blocked by REGISTRY-API-27-008 promotion APIs not ready. |
| Sprint 27 | Policy Studio | docs | BLOCKED (2025-10-27) | Docs & DevEx/CLI Guilds | DOCS-POLICY-27-007 | Update /docs/policy/cli.md with new commands + JSON schemas. | Blocked by CLI-POLICY-27-001..004 CLI commands missing. |
| Sprint 27 | Policy Studio | docs | BLOCKED (2025-10-27) | Docs & Policy Registry Guilds | DOCS-POLICY-27-008 | Publish /docs/policy/api.md aligning with Registry OpenAPI. | Blocked by Registry OpenAPI (REGISTRY-API-27-001..008) incomplete. |
| Sprint 27 | Policy Studio | docs | BLOCKED (2025-10-27) | Docs & Security Guilds | DOCS-POLICY-27-009 | Create /docs/security/policy-attestations.md. | Blocked by AUTH-POLICY-27-002 signing integration pending. |
| Sprint 27 | Policy Studio | docs | BLOCKED (2025-10-27) | Docs & Architecture Guilds | DOCS-POLICY-27-010 | Write /docs/architecture/policy-registry.md. | Blocked by REGISTRY-API-27-001 & SCHED-WORKER-27-301 not delivered. |
| Sprint 27 | Policy Studio | docs | BLOCKED (2025-10-27) | Docs & Observability Guilds | DOCS-POLICY-27-011 | Publish /docs/observability/policy-telemetry.md. | Blocked by DEVOPS-POLICY-27-004 observability work outstanding. |
| Sprint 27 | Policy Studio | docs | BLOCKED (2025-10-27) | Docs & Ops Guilds | DOCS-POLICY-27-012 | Write /docs/runbooks/policy-incident.md. | Blocked by DEPLOY-POLICY-27-002 ops playbooks pending. |
| Sprint 27 | Policy Studio | docs | BLOCKED (2025-10-27) | Docs & Policy Guilds | DOCS-POLICY-27-013 | Update /docs/examples/policy-templates.md. | Blocked by CONSOLE-STUDIO-27-001/REGISTRY-API-27-002 templates missing. |
| Sprint 27 | Policy Studio | docs | BLOCKED (2025-10-27) | Docs & Policy Registry Guilds | DOCS-POLICY-27-014 | Refresh /docs/aoc/aoc-guardrails.md with Studio guardrails. | Blocked by REGISTRY-API-27-003 & WEB-POLICY-27-001 guardrails not implemented. |
| Sprint 27 | Policy Studio | ops/deployment | TODO | Deployment & Policy Registry Guilds | DEPLOY-POLICY-27-001 | Create Helm/Compose overlays for Policy Registry + workers with signing config. |
| Sprint 27 | Policy Studio | ops/deployment | TODO | Deployment & Policy Guilds | DEPLOY-POLICY-27-002 | Document policy rollout/rollback playbooks in runbook. |
| Sprint 27 | Policy Studio | ops/devops | TODO | DevOps Guild | DEVOPS-POLICY-27-001 | Add CI stage for policy lint/compile/test + secret scanning and artifacts. |
| Sprint 27 | Policy Studio | ops/devops | TODO | DevOps & Policy Registry Guilds | DEVOPS-POLICY-27-002 | Provide optional batch simulation CI job with drift gating + PR comment. |
| Sprint 27 | Policy Studio | ops/devops | TODO | DevOps & Security Guilds | DEVOPS-POLICY-27-003 | Manage signing keys + attestation verification in pipelines. |
| Sprint 27 | Policy Studio | ops/devops | TODO | DevOps & Observability Guilds | DEVOPS-POLICY-27-004 | Build dashboards/alerts for compile latency, queue depth, approvals, promotions. |
| Sprint 27 | Policy Studio | src/Authority/StellaOps.Authority | TODO | Authority Core Guild | AUTH-POLICY-27-001 | Define Policy Studio roles/scopes for author/review/approve/operate/audit. |
| Sprint 27 | Policy Studio | src/Authority/StellaOps.Authority | TODO | Authority Core & Security Guilds | AUTH-POLICY-27-002 | Wire signing service + fresh-auth enforcement for publish/promote. |
| Sprint 27 | Policy Studio | src/Authority/StellaOps.Authority | TODO | Authority Core & Docs Guild | AUTH-POLICY-27-003 | Update authority configuration/docs for Policy Studio roles & signing. |
| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-POLICY-27-001 | Implement policy workspace CLI commands (init, lint, compile, test). |
| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-POLICY-27-002 | Add version bump, submit, review/approve CLI workflow commands. |
| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-POLICY-27-003 | Extend simulate command for quick/batch runs, manifests, CI reports. |
| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-POLICY-27-004 | Implement publish/promote/rollback/sign CLI lifecycle commands. |
| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli | TODO | DevEx/CLI & Docs Guilds | CLI-POLICY-27-005 | Update CLI docs/reference for Policy Studio commands and schemas. |
| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-27-001 | Return rule coverage, symbol table, docs, hashes from compile endpoint. |
| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-27-002 | Enhance simulate outputs with heatmap, explain traces, delta summaries. |
| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-27-003 | Enforce complexity/time limits with diagnostics. |
| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-27-004 | Update tests/fixtures for coverage, symbol table, explain, complexity. |
| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry | TODO | Policy Registry Guild | REGISTRY-API-27-001 | Define Policy Registry OpenAPI spec for workspaces, versions, reviews, simulations, promotions, attestations. |
| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry | TODO | Policy Registry Guild | REGISTRY-API-27-002 | Implement workspace storage + CRUD with tenant retention policies. |
| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry | TODO | Policy Registry Guild | REGISTRY-API-27-003 | Integrate compile pipeline storing diagnostics, symbol tables, complexity metrics. |
| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry | TODO | Policy Registry Guild | REGISTRY-API-27-004 | Deliver quick simulation API with limits and deterministic outputs. |
| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry | TODO | Policy Registry & Scheduler Guilds | REGISTRY-API-27-005 | Build batch simulation orchestration, reduction, and evidence bundle storage. |
| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry | TODO | Policy Registry Guild | REGISTRY-API-27-006 | Implement review workflow with comments, required approvers, webhooks. |
| | Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry | TODO | Policy Registry & Security Guilds | REGISTRY-API-27-007 | Ship publish/sign pipeline with attestations, immutable versions. | | Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry | TODO | Policy Registry Guild | REGISTRY-API-27-008 | Implement promotion/canary bindings per tenant/environment with rollback. | | Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry | TODO | Policy Registry & Observability Guilds | REGISTRY-API-27-009 | Instrument metrics/logs/traces for compile, simulation, approval latency. | | Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry | TODO | Policy Registry & QA Guilds | REGISTRY-API-27-010 | Build unit/integration/load test suites and seeded fixtures. | | Sprint 27 | Policy Studio | src/Scheduler/StellaOps.Scheduler.WebService | TODO | Scheduler WebService Guild | SCHED-CONSOLE-27-001 | Provide policy simulation orchestration endpoints with SSE + RBAC. | | Sprint 27 | Policy Studio | src/Scheduler/StellaOps.Scheduler.WebService | TODO | Scheduler WebService & Observability Guilds | SCHED-CONSOLE-27-002 | Emit policy simulation telemetry endpoints/metrics + webhooks. | | Sprint 27 | Policy Studio | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | TODO | Scheduler Worker Guild | SCHED-WORKER-27-301 | Implement batch simulation worker sharding SBOMs with retries/backoff. | | Sprint 27 | Policy Studio | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | TODO | Scheduler Worker Guild | SCHED-WORKER-27-302 | Build reducer job aggregating shard outputs into manifests with checksums. | | Sprint 27 | Policy Studio | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | TODO | Scheduler Worker & Security Guilds | SCHED-WORKER-27-303 | Enforce tenant isolation/attestation integration and secret scanning for jobs. 
| | Sprint 27 | Policy Studio | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-POLICY-27-001 | Proxy Policy Registry APIs with tenant scoping, RBAC, evidence streaming. | | Sprint 27 | Policy Studio | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-POLICY-27-002 | Implement review lifecycle routes with audit logs and webhooks. | | Sprint 27 | Policy Studio | src/Web/StellaOps.Web | TODO | BE-Base Platform & Scheduler Guilds | WEB-POLICY-27-003 | Expose quick/batch simulation endpoints with SSE progress + manifests. | | Sprint 27 | Policy Studio | src/Web/StellaOps.Web | TODO | BE-Base Platform & Security Guilds | WEB-POLICY-27-004 | Add publish/promote/rollback endpoints with canary + signing enforcement. | | Sprint 27 | Policy Studio | src/Web/StellaOps.Web | TODO | BE-Base Platform & Observability Guilds | WEB-POLICY-27-005 | Instrument Policy Studio metrics/logs for dashboards. | | Sprint 28 | Graph Explorer | docs | TODO | Docs & SBOM Guilds | DOCS-GRAPH-28-001 | Publish /docs/sbom/graph-explorer-overview.md. | | Sprint 28 | Graph Explorer | docs | TODO | Docs & Console Guilds | DOCS-GRAPH-28-002 | Write /docs/sbom/graph-using-the-console.md with walkthrough + accessibility tips. | | Sprint 28 | Graph Explorer | docs | TODO | Docs & Graph API Guilds | DOCS-GRAPH-28-003 | Document /docs/sbom/graph-query-language.md (JSON schema, cost rules). | | Sprint 28 | Graph Explorer | docs | TODO | Docs & Graph API Guilds | DOCS-GRAPH-28-004 | Publish /docs/sbom/graph-api.md endpoints + streaming guidance. | | Sprint 28 | Graph Explorer | docs | TODO | Docs & CLI Guilds | DOCS-GRAPH-28-005 | Produce /docs/sbom/graph-cli.md command reference. | | Sprint 28 | Graph Explorer | docs | TODO | Docs & Policy Guilds | DOCS-GRAPH-28-006 | Publish /docs/policy/graph-overlays.md. | | Sprint 28 | Graph Explorer | docs | TODO | Docs & Excitor Guilds | DOCS-GRAPH-28-007 | Document /docs/vex/graph-integration.md. 
| | Sprint 28 | Graph Explorer | docs | TODO | Docs & Concelier Guilds | DOCS-GRAPH-28-008 | Document /docs/advisories/graph-integration.md. | | Sprint 28 | Graph Explorer | docs | TODO | Docs & Architecture Guilds | DOCS-GRAPH-28-009 | Author /docs/architecture/graph-services.md. | | Sprint 28 | Graph Explorer | docs | TODO | Docs & Observability Guilds | DOCS-GRAPH-28-010 | Publish /docs/observability/graph-telemetry.md. | | Sprint 28 | Graph Explorer | docs | TODO | Docs & Ops Guilds | DOCS-GRAPH-28-011 | Write /docs/runbooks/graph-incidents.md. | | Sprint 28 | Graph Explorer | docs | TODO | Docs & Security Guilds | DOCS-GRAPH-28-012 | Create /docs/security/graph-rbac.md. | | Sprint 28 | Graph Explorer | ops/deployment | TODO | Deployment Guild | DEPLOY-GRAPH-28-001 | Provide deployment/offline instructions for Graph Indexer/API, including cache seeds. | | Sprint 28 | Graph Explorer | ops/devops | TODO | DevOps Guild | DEVOPS-GRAPH-28-001 | Configure load/perf tests, query budget alerts, and CI smoke for graph APIs. | | Sprint 28 | Graph Explorer | ops/devops | TODO | DevOps & Security Guilds | DEVOPS-GRAPH-28-002 | Implement caching/backpressure limits, rate limiting configs, and runaway query kill switches. | | Sprint 28 | Graph Explorer | ops/devops | TODO | DevOps & Observability Guilds | DEVOPS-GRAPH-28-003 | Build dashboards/alerts for tile latency, query denials, memory pressure. | | Sprint 28 | Graph Explorer | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-GRAPH-28-001 | Ship stella sbom graph subcommands (search, query, paths, diff, impacted, export) with JSON output + exit codes. | | Sprint 28 | Graph Explorer | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-GRAPH-28-002 | Add saved query management + deep link helpers to CLI. | | Sprint 28 | Graph Explorer | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-GRAPH-28-003 | Update CLI docs/examples for Graph Explorer commands. 
| | Sprint 28 | Graph Explorer | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild | CONCELIER-GRAPH-24-101 | Deliver advisory summary API feeding graph tooltips. | | Sprint 28 | Graph Explorer | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild | CONCELIER-GRAPH-28-102 | Add batch fetch for advisory observations/linksets keyed by component sets to feed Graph overlay tooltips efficiently. | | Sprint 28 | Graph Explorer | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild | WEB-LNM-21-001 | Provide advisory observation endpoints optimized for graph overlays. | | Sprint 28 | Graph Explorer | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild | EXCITITOR-GRAPH-24-101 | Provide VEX summary API for Graph Explorer inspector overlays. | | Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api | TODO | Graph API Guild | GRAPH-API-28-001 | Publish Graph API OpenAPI + JSON schemas for queries/tiles. | | Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api | TODO | Graph API Guild | GRAPH-API-28-002 | Implement /graph/search with caching and RBAC. | | Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api | TODO | Graph API Guild | GRAPH-API-28-003 | Build query planner + streaming tile pipeline with budgets. | | Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api | TODO | Graph API Guild | GRAPH-API-28-004 | Deliver /graph/paths with depth limits and policy overlay support. | | Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api | TODO | Graph API Guild | GRAPH-API-28-005 | Implement /graph/diff streaming adds/removes/changes for SBOM snapshots. | | Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api | TODO | Graph API Guild | GRAPH-API-28-006 | Compose advisory/VEX/policy overlays with caching + explain sampling. 
| | Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api | TODO | Graph API Guild | GRAPH-API-28-007 | Provide export jobs (GraphML/CSV/NDJSON/PNG/SVG) with manifests. | | Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api | TODO | Graph API & Authority Guilds | GRAPH-API-28-008 | Enforce RBAC scopes, tenant headers, audit logging, rate limits. | | Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api | TODO | Graph API & Observability Guilds | GRAPH-API-28-009 | Instrument metrics/logs/traces; publish dashboards. | | Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api | TODO | Graph API & QA Guilds | GRAPH-API-28-010 | Build unit/integration/load tests with synthetic datasets. | | Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api | TODO | Graph API & DevOps Guilds | GRAPH-API-28-011 | Ship deployment/offline manifests + gateway integration docs. | | Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer | TODO | Graph Indexer Guild | GRAPH-INDEX-28-001 | Define node/edge schemas, identity rules, and fixtures for graph ingestion. | | Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer | TODO | Graph Indexer Guild | GRAPH-INDEX-28-002 | Implement SBOM ingest consumer generating artifact/package/file nodes & edges. | | Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer | TODO | Graph Indexer Guild | GRAPH-INDEX-28-003 | Serve advisory overlay tiles from Conseiller linksets (no mutation of raw node/edge stores). | | Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer | TODO | Graph Indexer Guild | GRAPH-INDEX-28-004 | Integrate VEX statements for vex_exempts edges with precedence metadata. | | Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer | TODO | Graph Indexer & Policy Guilds | GRAPH-INDEX-28-005 | Hydrate policy overlay nodes/edges referencing determinations + explains. 
| | Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer | TODO | Graph Indexer Guild | GRAPH-INDEX-28-006 | Produce graph snapshots per SBOM with lineage for diff jobs. | | Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer | TODO | Graph Indexer & Observability Guilds | GRAPH-INDEX-28-007 | Run clustering/centrality background jobs and persist cluster ids. | | Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer | TODO | Graph Indexer Guild | GRAPH-INDEX-28-008 | Build incremental/backfill pipeline with change streams, retries, backlog metrics. | | Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer | TODO | Graph Indexer & QA Guilds | GRAPH-INDEX-28-009 | Extend tests/perf fixtures ensuring determinism on large graphs. | | Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer | TODO | Graph Indexer & DevOps Guilds | GRAPH-INDEX-28-010 | Provide deployment/offline artifacts and docs for Graph Indexer. | | Sprint 28 | Graph Explorer | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-30-001 | Finalize graph overlay contract + projection API. | | Sprint 28 | Graph Explorer | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-30-002 | Implement simulation overlay bridge for Graph Explorer queries. | | Sprint 28 | Graph Explorer | src/Policy/StellaOps.Policy.Engine | TODO | Policy & Scheduler Guilds | POLICY-ENGINE-30-003 | Emit change events for effective findings supporting graph overlays. | | Sprint 28 | Graph Explorer | src/Scheduler/StellaOps.Scheduler.WebService | DOING (2025-10-26) | Scheduler WebService Guild, Scheduler Storage Guild | SCHED-WEB-21-004 | Persist graph jobs + emit completion events/webhook. | | Sprint 28 | Graph Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | TODO | Scheduler Worker Guild | SCHED-WORKER-21-201 | Run graph build worker for SBOM snapshots with retries/backoff. 
| | Sprint 28 | Graph Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | TODO | Scheduler Worker Guild | SCHED-WORKER-21-202 | Execute overlay refresh worker subscribing to change events. | | Sprint 28 | Graph Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | TODO | Scheduler Worker & Observability Guilds | SCHED-WORKER-21-203 | Emit metrics/logs for graph build/overlay jobs. | | Sprint 28 | Graph Explorer | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-GRAPH-24-001 | Route /graph/* APIs through gateway with tenant scoping and RBAC. | | Sprint 28 | Graph Explorer | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-GRAPH-24-002 | Maintain overlay proxy routes to dedicated services (Policy/Vuln API), ensuring caching + RBAC only. | | Sprint 28 | Graph Explorer | src/Web/StellaOps.Web | TODO | BE-Base Platform & Observability Guilds | WEB-GRAPH-24-004 | Add Graph Explorer telemetry endpoints and metrics aggregation. | | Sprint 29 | Vulnerability Explorer | docs | TODO | Docs Guild | DOCS-VULN-29-001 | Publish /docs/vuln/explorer-overview.md. | | Sprint 29 | Vulnerability Explorer | docs | TODO | Docs & Console Guilds | DOCS-VULN-29-002 | Write /docs/vuln/explorer-using-console.md. | | Sprint 29 | Vulnerability Explorer | docs | TODO | Docs Guild | DOCS-VULN-29-003 | Author /docs/vuln/explorer-api.md. | | Sprint 29 | Vulnerability Explorer | docs | TODO | Docs Guild | DOCS-VULN-29-004 | Publish /docs/vuln/explorer-cli.md. | | Sprint 29 | Vulnerability Explorer | docs | TODO | Docs & Ledger Guilds | DOCS-VULN-29-005 | Document Findings Ledger (/docs/vuln/findings-ledger.md). | | Sprint 29 | Vulnerability Explorer | docs | TODO | Docs & Policy Guilds | DOCS-VULN-29-006 | Update /docs/policy/vuln-determinations.md. | | Sprint 29 | Vulnerability Explorer | docs | TODO | Docs & Excititor Guilds | DOCS-VULN-29-007 | Publish /docs/vex/explorer-integration.md. 
| | Sprint 29 | Vulnerability Explorer | docs | TODO | Docs & Concelier Guilds | DOCS-VULN-29-008 | Publish /docs/advisories/explorer-integration.md. | | Sprint 29 | Vulnerability Explorer | docs | TODO | Docs & SBOM Guilds | DOCS-VULN-29-009 | Publish /docs/sbom/vuln-resolution.md. | | Sprint 29 | Vulnerability Explorer | docs | TODO | Docs & Observability Guilds | DOCS-VULN-29-010 | Publish /docs/observability/vuln-telemetry.md. | | Sprint 29 | Vulnerability Explorer | docs | TODO | Docs & Security Guilds | DOCS-VULN-29-011 | Publish /docs/security/vuln-rbac.md. | | Sprint 29 | Vulnerability Explorer | docs | TODO | Docs & Ops Guilds | DOCS-VULN-29-012 | Publish /docs/runbooks/vuln-ops.md. | | Sprint 29 | Vulnerability Explorer | docs | TODO | Docs & Deployment Guilds | DOCS-VULN-29-013 | Update /docs/install/containers.md with Findings Ledger & Vuln Explorer API. | | Sprint 29 | Vulnerability Explorer | ops/deployment | TODO | Deployment & Findings Ledger Guilds | DEPLOY-VULN-29-001 | Provide deployments for Findings Ledger/projector with migrations/backups. | | Sprint 29 | Vulnerability Explorer | ops/deployment | TODO | Deployment & Vuln Explorer API Guilds | DEPLOY-VULN-29-002 | Package Vuln Explorer API deployments/health checks/offline kit notes. | | Sprint 29 | Vulnerability Explorer | ops/devops | TODO | DevOps & Findings Ledger Guilds | DEVOPS-VULN-29-001 | Set up CI/backups/anchoring monitoring for Findings Ledger. | | Sprint 29 | Vulnerability Explorer | ops/devops | TODO | DevOps & Vuln Explorer API Guilds | DEVOPS-VULN-29-002 | Configure Vuln Explorer perf tests, budgets, dashboards, alerts. | | Sprint 29 | Vulnerability Explorer | ops/devops | TODO | DevOps & Console Guilds | DEVOPS-VULN-29-003 | Integrate Vuln Explorer telemetry pipeline with privacy safeguards + dashboards. 
| | Sprint 29 | Vulnerability Explorer | src/Authority/StellaOps.Authority | TODO | Authority Core & Security Guild | AUTH-VULN-29-001 | Define Vuln Explorer RBAC/ABAC scopes and issuer metadata. | | Sprint 29 | Vulnerability Explorer | src/Authority/StellaOps.Authority | TODO | Authority Core & Security Guild | AUTH-VULN-29-002 | Enforce CSRF, attachment signing, and audit logging referencing ledger hashes. | | Sprint 29 | Vulnerability Explorer | src/Authority/StellaOps.Authority | TODO | Authority Core & Docs Guild | AUTH-VULN-29-003 | Update docs/config samples for Vuln Explorer roles and security posture. | | Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli | DONE (2025-12-06) | DevEx/CLI Guild | CLI-VULN-29-001 | Implement stella vuln list with grouping, filters, JSON/CSV output. | | Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli | DONE (2025-12-06) | DevEx/CLI Guild | CLI-VULN-29-002 | Implement stella vuln show with evidence/policy/path display. | | Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli | DONE (2025-12-06) | DevEx/CLI Guild | CLI-VULN-29-003 | Add workflow CLI commands (assign/comment/accept-risk/verify-fix/target-fix/reopen). | | Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli | DONE (2025-12-06) | DevEx/CLI Guild | CLI-VULN-29-004 | Implement stella vuln simulate producing diff summaries/Markdown. | | Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli | DONE (2025-12-06) | DevEx/CLI Guild | CLI-VULN-29-005 | Implement stella vuln export and bundle signature verification. | | Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli | DONE (2025-12-06) | DevEx/CLI & Docs Guilds | CLI-VULN-29-006 | Update CLI docs/examples for Vulnerability Explorer commands. 
| | Sprint 29 | Vulnerability Explorer | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild | CONCELIER-VULN-29-001 | Canonicalize (lossless) advisory identifiers, persist links[], backfill, and expose raw payload snapshots (no merge/derived fields). | | Sprint 29 | Vulnerability Explorer | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild | CONCELIER-VULN-29-002 | Provide advisory evidence retrieval endpoint for Vuln Explorer. | | Sprint 29 | Vulnerability Explorer | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService & Observability Guilds | CONCELIER-VULN-29-004 | Add metrics/logs/events for advisory normalization supporting resolver. | | Sprint 29 | Vulnerability Explorer | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild | EXCITITOR-VULN-29-001 | Canonicalize (lossless) VEX keys and product scopes with backfill + links (no merge/suppression). | | Sprint 29 | Vulnerability Explorer | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild | EXCITITOR-VULN-29-002 | Expose VEX evidence retrieval endpoint for Explorer evidence tabs. | | Sprint 29 | Vulnerability Explorer | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService & Observability Guilds | EXCITITOR-VULN-29-004 | Instrument metrics/logs for VEX normalization and suppression events. | | Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-29-001 | Design ledger & projection schemas, hashing strategy, and migrations for Findings Ledger. | | Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-29-002 | Implement ledger write API with hash chaining and Merkle root anchoring job. 
| | Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger & Scheduler Guilds | LEDGER-29-003 | Build projector worker deriving findings_projection with idempotent replay. | | Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger & Policy Guilds | LEDGER-29-004 | Integrate Policy Engine batch evaluation into projector with rationale caching. | | Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-29-005 | Implement workflow mutation endpoints producing ledger events (assign/comment/accept-risk/etc.). | | Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger & Security Guilds | LEDGER-29-006 | Add attachment encryption, signed URLs, and CSRF protections for workflow endpoints. | | Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger & Observability Guilds | LEDGER-29-007 | Instrument ledger metrics/logs/alerts (write latency, projection lag, anchoring). | | Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger & QA Guilds | LEDGER-29-008 | Provide replay/determinism/load tests for ledger/projector pipelines. | | Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger & DevOps Guilds | LEDGER-29-009 | Deliver deployment/offline artefacts, backup/restore, Merkle anchoring guidance. | | Sprint 29 | Vulnerability Explorer | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-29-001 | Implement policy batch evaluation endpoint returning determinations + rationale. | | Sprint 29 | Vulnerability Explorer | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-29-002 | Provide simulation diff API for Vuln Explorer comparisons. 
| | Sprint 29 | Vulnerability Explorer | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-29-003 | Include path/scope annotations in determinations for Explorer. | | Sprint 29 | Vulnerability Explorer | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild & Observability Guild | POLICY-ENGINE-29-004 | Add telemetry for batch evaluation + simulation jobs. | | Sprint 29 | Vulnerability Explorer | src/SbomService/StellaOps.SbomService | TODO | SBOM Service Guild | SBOM-VULN-29-001 | Emit inventory evidence with scope/runtime/path/safe version hints; publish change events. | | Sprint 29 | Vulnerability Explorer | src/SbomService/StellaOps.SbomService | TODO | SBOM Service & Findings Ledger Guilds | SBOM-VULN-29-002 | Provide resolver feed for candidate generation with idempotent delivery. | | Sprint 29 | Vulnerability Explorer | src/Scheduler/StellaOps.Scheduler.WebService | TODO | Scheduler WebService Guild | SCHED-VULN-29-001 | Expose resolver job APIs + status monitoring for Vuln Explorer recomputation. | | Sprint 29 | Vulnerability Explorer | src/Scheduler/StellaOps.Scheduler.WebService | TODO | Scheduler WebService & Observability Guilds | SCHED-VULN-29-002 | Provide projector lag metrics endpoint + webhook notifications. | | Sprint 29 | Vulnerability Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | TODO | Scheduler Worker Guild | SCHED-WORKER-29-001 | Implement resolver worker applying ecosystem version semantics and path scope. | | Sprint 29 | Vulnerability Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | TODO | Scheduler Worker Guild | SCHED-WORKER-29-002 | Implement evaluation worker invoking Policy Engine and updating ledger queues. | | Sprint 29 | Vulnerability Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | TODO | Scheduler Worker & Observability Guilds | SCHED-WORKER-29-003 | Add monitoring for resolver/evaluation backlog and SLA alerts. 
| | Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api | TODO | Vuln Explorer API Guild | VULN-API-29-001 | Publish Vuln Explorer OpenAPI + query schemas. | | Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api | TODO | Vuln Explorer API Guild | VULN-API-29-002 | Implement list/query endpoints with grouping, paging, cost budgets. | | Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api | TODO | Vuln Explorer API Guild | VULN-API-29-003 | Implement detail endpoint combining evidence, policy rationale, paths, history. | | Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api | TODO | Vuln Explorer API & Findings Ledger Guilds | VULN-API-29-004 | Expose workflow APIs writing ledger events with validation + idempotency. | | Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api | TODO | Vuln Explorer API & Policy Guilds | VULN-API-29-005 | Implement policy simulation endpoint producing diffs without side effects. | | Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api | TODO | Vuln Explorer API Guild | VULN-API-29-006 | Integrate Graph Explorer paths metadata and deep-link parameters. | | Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api | TODO | Vuln Explorer API & Security Guilds | VULN-API-29-007 | Enforce RBAC/ABAC, CSRF, attachment security, and audit logging. | | Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api | TODO | Vuln Explorer API Guild | VULN-API-29-008 | Provide evidence bundle export job with signing + manifests. | | Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api | TODO | Vuln Explorer API & Observability Guilds | VULN-API-29-009 | Instrument API telemetry (latency, workflow counts, exports). 
| | Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api | TODO | Vuln Explorer API & QA Guilds | VULN-API-29-010 | Deliver unit/integration/perf/determinism tests for Vuln Explorer API. | | Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api | TODO | Vuln Explorer API & DevOps Guilds | VULN-API-29-011 | Ship deployment/offline manifests, health checks, scaling docs. | | Sprint 29 | Vulnerability Explorer | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-VULN-29-001 | Route /vuln/* APIs with tenant RBAC, ABAC, anti-forgery enforcement. | | Sprint 29 | Vulnerability Explorer | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-VULN-29-002 | Proxy workflow calls to Findings Ledger with correlation IDs + retries. | | Sprint 29 | Vulnerability Explorer | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-VULN-29-003 | Expose simulation/export orchestration with SSE/progress + signed links. | | Sprint 29 | Vulnerability Explorer | src/Web/StellaOps.Web | TODO | BE-Base Platform & Observability Guilds | WEB-VULN-29-004 | Aggregate Vuln Explorer telemetry (latency, errors, exports). | | Sprint 30 | VEX Lens | docs | TODO | Docs Guild | DOCS-VEX-30-001 | Publish /docs/vex/consensus-overview.md. | | Sprint 30 | VEX Lens | docs | TODO | Docs Guild | DOCS-VEX-30-002 | Write /docs/vex/consensus-algorithm.md. | | Sprint 30 | VEX Lens | docs | TODO | Docs Guild | DOCS-VEX-30-003 | Document /docs/vex/issuer-directory.md. | | Sprint 30 | VEX Lens | docs | TODO | Docs Guild | DOCS-VEX-30-004 | Publish /docs/vex/consensus-api.md. | | Sprint 30 | VEX Lens | docs | TODO | Docs Guild | DOCS-VEX-30-005 | Create /docs/vex/consensus-console.md. | | Sprint 30 | VEX Lens | docs | TODO | Docs Guild | DOCS-VEX-30-006 | Add /docs/policy/vex-trust-model.md. | | Sprint 30 | VEX Lens | docs | TODO | Docs Guild | DOCS-VEX-30-007 | Author /docs/sbom/vex-mapping.md. 
| | Sprint 30 | VEX Lens | docs | TODO | Docs Guild | DOCS-VEX-30-008 | Publish /docs/security/vex-signatures.md. | | Sprint 30 | VEX Lens | docs | TODO | Docs Guild | DOCS-VEX-30-009 | Write /docs/runbooks/vex-ops.md. | | Sprint 30 | VEX Lens | ops/devops | TODO | DevOps Guild | VEXLENS-30-009, ISSUER-30-005 | Set up CI/perf/telemetry dashboards for VEX Lens and Issuer Directory. | | Sprint 30 | VEX Lens | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | VEXLENS-30-007 | Implement stella vex consensus CLI commands with list/show/simulate/export. | | Sprint 30 | VEX Lens | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild, VEX Lens Guild | CONCELIER-VEXLENS-30-001 | Guarantee advisory key consistency and provide cross-links for consensus rationale (VEX Lens). | | Sprint 30 | VEX Lens | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild | EXCITITOR-VULN-29-001 | Ensure VEX evidence includes issuer hints, signatures, product trees for Lens consumption. | | Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory | TODO | Issuer Directory Guild | ISSUER-30-001 | Implement issuer CRUD API with RBAC and audit logs. | | Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory | TODO | Issuer Directory & Security Guilds | ISSUER-30-002 | Implement key management endpoints with expiry enforcement. | | Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory | TODO | Issuer Directory & Policy Guilds | ISSUER-30-003 | Provide trust weight override APIs with audit trails. | | Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory | TODO | Issuer Directory & VEX Lens Guilds | ISSUER-30-004 | Integrate issuer data into signature verification clients. | | Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory | TODO | Issuer Directory & Observability Guilds | ISSUER-30-005 | Instrument issuer change metrics/logs and dashboards. 
| | Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory | TODO | Issuer Directory & DevOps Guilds | ISSUER-30-006 | Provide deployment/backup/offline docs for Issuer Directory. | | Sprint 30 | VEX Lens | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-30-101 | Surface trust weighting configuration (issuer weights, modifiers, decay) for VEX Lens via Policy Studio/API. | | Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens | TODO | VEX Lens Guild | VEXLENS-30-001 | Implement VEX normalization pipeline (CSAF, OpenVEX, CycloneDX) with deterministic outputs. | | Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens | TODO | VEX Lens Guild | VEXLENS-30-002 | Build product mapping library aligning CSAF product trees to purls/versions with scope scoring. | | Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens | TODO | VEX Lens & Issuer Directory Guilds | VEXLENS-30-003 | Integrate signature verification using issuer keys; annotate evidence. | | Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens | TODO | VEX Lens & Policy Guilds | VEXLENS-30-004 | Implement trust weighting functions configurable via policy. | | Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens | TODO | VEX Lens Guild | VEXLENS-30-005 | Implement consensus algorithm producing state, confidence, rationale, and quorum. | | Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens | TODO | VEX Lens & Findings Ledger Guilds | VEXLENS-30-006 | Materialize consensus projections and change events. | | Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens | TODO | VEX Lens Guild | VEXLENS-30-007 | Deliver query/detail/simulation/export APIs with budgets and OpenAPI docs. | | Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens | TODO | VEX Lens & Policy Guilds | VEXLENS-30-008 | Integrate consensus signals with Policy Engine and Vuln Explorer. 
| | Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens | TODO | VEX Lens & Observability Guilds | VEXLENS-30-009 | Instrument metrics/logs/traces; publish dashboards/alerts. | | Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens | TODO | VEX Lens & QA Guilds | VEXLENS-30-010 | Build unit/property/integration/load tests and determinism harness. | | Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens | TODO | VEX Lens & DevOps Guilds | VEXLENS-30-011 | Provide deployment manifests, scaling guides, offline seeds, runbooks. | | Sprint 30 | VEX Lens | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild, VEX Lens Guild | WEB-VEX-30-007 | Route /vex/consensus APIs via gateway with RBAC/ABAC, caching, and telemetry (proxy-only). | | Sprint 31 | Advisory AI | docs | TODO | Docs Guild | DOCS-AIAI-31-001 | Publish Advisory AI overview doc. | | Sprint 31 | Advisory AI | docs | TODO | Docs Guild | DOCS-AIAI-31-002 | Publish architecture doc for Advisory AI. | | Sprint 31 | Advisory AI | docs | TODO | Docs Guild | DOCS-AIAI-31-003..009 | Complete API/Console/CLI/Policy/Security/SBOM/Runbook docs. | | Sprint 31 | Advisory AI | ops/deployment | TODO | Deployment Guild | DEPLOY-AIAI-31-001 | Provide Advisory AI deployment/offline guidance. | | Sprint 31 | Advisory AI | ops/devops | TODO | DevOps Guild | DEVOPS-AIAI-31-001 | Provision CI/perf/telemetry for Advisory AI. | | Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI | TODO | Advisory AI Guild | AIAI-31-001 | Implement advisory/VEX retrievers with paragraph anchors and citations. | | Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI | TODO | Advisory AI Guild | AIAI-31-002 | Build SBOM context retriever and blast radius estimator. | | Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI | TODO | Advisory AI Guild | AIAI-31-003 | Deliver deterministic toolset (version checks, dependency analysis, policy lookup). 
| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI | TODO | Advisory AI Guild | AIAI-31-004 | Orchestrator with task templates, tool chaining, caching. |
| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI | TODO | Advisory AI & Security Guilds | AIAI-31-005 | Guardrails (redaction, injection defense, output validation). |
| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI | TODO | Advisory AI Guild | AIAI-31-006 | Expose REST/batch APIs with RBAC and OpenAPI. |
| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI | TODO | Advisory AI & Observability Guilds | AIAI-31-007 | Instrument metrics/logs/traces and dashboards. |
| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI | TODO | Advisory AI & DevOps Guilds | AIAI-31-008 | Package inference + deployment manifests/flags. |
| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI | TODO | Advisory AI & QA Guilds | AIAI-31-009 | Build golden/injection/perf tests ensuring determinism. |
| Sprint 31 | Advisory AI | src/Authority/StellaOps.Authority | TODO | Authority Core & Security Guild | AUTH-AIAI-31-001 | Define Advisory AI scopes and remote inference toggles. |
| Sprint 31 | Advisory AI | src/Authority/StellaOps.Authority | TODO | Authority Core & Security Guild | AUTH-AIAI-31-002 | Enforce prompt logging and consent/audit flows. |
| Sprint 31 | Advisory AI | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-AIAI-31-001 | Implement stella advise * CLI commands leveraging Advisory AI orchestration and policy scopes. |
| Sprint 31 | Advisory AI | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild | CONCELIER-AIAI-31-001 | Expose advisory chunk API with paragraph anchors. |
| Sprint 31 | Advisory AI | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild | EXCITITOR-AIAI-31-001 | Provide VEX chunks with justifications and signatures. |
| Sprint 31 | Advisory AI | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-31-001 | Provide policy knobs for Advisory AI. |
| Sprint 31 | Advisory AI | src/SbomService/StellaOps.SbomService | TODO | SBOM Service Guild | SBOM-AIAI-31-001 | Deliver SBOM path/timeline endpoints for Advisory AI. |
| Sprint 31 | Advisory AI | src/VexLens/StellaOps.VexLens | TODO | VEX Lens Guild | VEXLENS-AIAI-31-001 | Expose enriched rationale API for conflict explanations. |
| Sprint 31 | Advisory AI | src/VexLens/StellaOps.VexLens | TODO | VEX Lens Guild | VEXLENS-AIAI-31-002 | Provide batching/caching hooks for Advisory AI. |
| Sprint 31 | Advisory AI | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-AIAI-31-001 | Route /advisory/ai/* APIs with RBAC/telemetry. |
| Sprint 31 | Advisory AI | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-AIAI-31-002 | Provide batch orchestration and retry handling for Advisory AI. |
| Sprint 31 | Advisory AI | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-AIAI-31-003 | Emit Advisory AI gateway telemetry/audit logs. |
| Sprint 32 | Orchestrator Dashboard | docs | TODO | Docs Guild | DOCS-ORCH-32-001 | Author /docs/orchestrator/overview.md covering mission, roles, AOC alignment, and imposed rule reminder. |
| Sprint 32 | Orchestrator Dashboard | docs | TODO | Docs Guild | DOCS-ORCH-32-002 | Author /docs/orchestrator/architecture.md detailing scheduler, DAGs, rate limits, and data model. |
| Sprint 32 | Orchestrator Dashboard | ops/devops | TODO | DevOps Guild | DEVOPS-ORCH-32-001 | Provision staging Postgres/message-bus charts, CI smoke deploy, and baseline dashboards for queue depth and inflight jobs. |
| Sprint 32 | Orchestrator Dashboard | src/Authority/StellaOps.Authority | TODO | Authority Core & Security Guild | AUTH-ORCH-32-001 | Introduce orch:read scope and Orch.Viewer role with metadata, discovery docs, and offline defaults. |
| Sprint 32 | Orchestrator Dashboard | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-ORCH-32-001 | Register Concelier sources with orchestrator, publish schedules/rate policies, and seed metadata. |
| Sprint 32 | Orchestrator Dashboard | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-ORCH-32-002 | Embed worker SDK into Concelier ingestion loops emitting progress, heartbeats, and artifact hashes. |
| Sprint 32 | Orchestrator Dashboard | src/Excititor/StellaOps.Excititor.Worker | TODO | Excititor Worker Guild | EXCITITOR-ORCH-32-001 | Adopt worker SDK in Excititor worker with job claim/heartbeat and artifact summary emission. |
| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go | TODO | Worker SDK Guild | WORKER-GO-32-001 | Bootstrap Go worker SDK (client config, job claim, acknowledgement flow) with integration tests. |
| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go | TODO | Worker SDK Guild | WORKER-GO-32-002 | Add heartbeat/progress helpers, structured logging, and default metrics exporters to Go SDK. |
| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python | TODO | Worker SDK Guild | WORKER-PY-32-001 | Bootstrap Python async SDK with job claim/config adapters and sample worker. |
| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python | TODO | Worker SDK Guild | WORKER-PY-32-002 | Implement heartbeat/progress helpers and logging/metrics instrumentation for Python workers. |
| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-SVC-32-001 | Bootstrap orchestrator service with Postgres schema/migrations for sources, runs, jobs, dag_edges, artifacts, quotas, schedules. |
| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-SVC-32-002 | Implement scheduler DAG planner, dependency resolver, and job state machine for read-only tracking. |
| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-SVC-32-003 | Expose read-only REST APIs (sources, runs, jobs, DAG) with OpenAPI + validation. |
| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-SVC-32-004 | Ship WebSocket/SSE live update stream and metrics counters/histograms for job lifecycle. |
| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-SVC-32-005 | Deliver worker claim/heartbeat/progress endpoints capturing artifact metadata and checksums. |
| Sprint 32 | Orchestrator Dashboard | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-32-101 | Define orchestrator policy_eval job contract, idempotency keys, and enqueue hooks for change events. |
| Sprint 32 | Orchestrator Dashboard | src/SbomService/StellaOps.SbomService | TODO | SBOM Service Guild | SBOM-ORCH-32-001 | Integrate orchestrator job IDs into SBOM ingest/index pipelines with artifact hashing and status updates. |
| Sprint 32 | Orchestrator Dashboard | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-ORCH-32-001 | Expose read-only orchestrator APIs via gateway with tenant scoping, caching headers, and rate limits. |
| Sprint 33 | Orchestrator Dashboard | docs | TODO | Docs Guild | DOCS-ORCH-33-001 | Author /docs/orchestrator/api.md with endpoints, WebSocket events, error codes, and imposed rule reminder. |
| Sprint 33 | Orchestrator Dashboard | docs | TODO | Docs Guild | DOCS-ORCH-33-002 | Author /docs/orchestrator/console.md covering screens, accessibility, and live updates. |
| Sprint 33 | Orchestrator Dashboard | docs | TODO | Docs Guild | DOCS-ORCH-33-003 | Author /docs/orchestrator/cli.md with command reference, examples, and exit codes. |
| Sprint 33 | Governance & Rules | ops/devops | REVIEW (2025-10-30) | DevOps Guild, Platform Leads | DEVOPS-RULES-33-001 | Contracts & Rules anchor (gateway proxy-only; Policy Engine overlays/simulations; AOC ingestion canonicalization; Graph Indexer + Graph API as sole platform). |
| Sprint 33 | Orchestrator Dashboard | ops/devops | TODO | DevOps Guild | DEVOPS-ORCH-33-001 | Publish Grafana dashboards for rate-limit/backpressure/error clustering and configure alert rules with runbooks. |
| Sprint 33 | Orchestrator Dashboard | src/Authority/StellaOps.Authority | TODO | Authority Core & Security Guild | AUTH-ORCH-33-001 | Add Orch.Operator role, control action scopes, and enforce reason/ticket field capture. |
| Sprint 33 | Orchestrator Dashboard | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-ORCH-33-001 | Wire orchestrator control hooks (pause, throttle, retry) into Concelier workers with safe checkpoints. |
| Sprint 33 | Orchestrator Dashboard | src/Excititor/StellaOps.Excititor.Worker | TODO | Excititor Worker Guild | EXCITITOR-ORCH-33-001 | Honor orchestrator throttles, classify VEX errors, and emit retry-safe checkpoints in Excititor worker. |
| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go | TODO | Worker SDK Guild | WORKER-GO-33-001 | Add artifact upload helpers (object store + checksum) and idempotency guard to Go SDK. |
| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go | TODO | Worker SDK Guild | WORKER-GO-33-002 | Implement error classification/retry helper and structured failure report in Go SDK. |
| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python | TODO | Worker SDK Guild | WORKER-PY-33-001 | Add artifact publish/idempotency features to Python SDK with object store integration. |
| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python | TODO | Worker SDK Guild | WORKER-PY-33-002 | Expose error classification/retry/backoff helpers in Python SDK with structured logging. |
| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-SVC-33-001 | Enable source/job control actions (test, pause/resume, retry/cancel/prioritize) with RBAC and audit hooks. |
| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-SVC-33-002 | Implement adaptive token-bucket rate limiter and concurrency caps reacting to upstream 429/503 signals. |
| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-SVC-33-003 | Add watermark/backfill manager with event-time windows, duplicate suppression, and preview API. |
| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-SVC-33-004 | Deliver dead-letter storage, replay endpoints, and surfaced error classes with remediation hints. |
| Sprint 33 | Orchestrator Dashboard | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-33-101 | Implement orchestrator-driven policy evaluation workers with heartbeats, SLO metrics, and rate limit awareness. |
| Sprint 33 | Orchestrator Dashboard | src/SbomService/StellaOps.SbomService | TODO | SBOM Service Guild | SBOM-ORCH-33-001 | Report SBOM ingest backpressure metrics and support orchestrator pause/resume/backfill signals. |
| Sprint 33 | Orchestrator Dashboard | src/VexLens/StellaOps.VexLens | TODO | VEX Lens Guild | VEXLENS-ORCH-33-001 | Expose consensus_compute orchestrator job type and integrate VEX Lens worker for diff batches. |
| Sprint 33 | Orchestrator Dashboard | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-ORCH-33-001 | Add control endpoints (actions/backfill) and SSE bridging with permission checks and error mapping. |
| Sprint 34 | Orchestrator Dashboard | docs | TODO | Docs Guild | DOCS-ORCH-34-001 | Author /docs/orchestrator/run-ledger.md describing provenance export format and audits. |
| Sprint 34 | Orchestrator Dashboard | docs | TODO | Docs Guild | DOCS-ORCH-34-002 | Author /docs/security/secrets-handling.md covering KMS refs, redaction, and operator hygiene. |
| Sprint 34 | Orchestrator Dashboard | docs | TODO | Docs Guild | DOCS-ORCH-34-003 | Author /docs/operations/orchestrator-runbook.md (failures, backfill guide, circuit breakers). |
| Sprint 34 | Orchestrator Dashboard | docs | TODO | Docs Guild | DOCS-ORCH-34-004 | Author /docs/schemas/artifacts.md detailing artifact kinds, schema versions, hashing, storage layout. |
| Sprint 34 | Orchestrator Dashboard | docs | TODO | Docs Guild | DOCS-ORCH-34-005 | Author /docs/slo/orchestrator-slo.md defining SLOs, burn alerts, and measurement strategy. |
| Sprint 34 | Orchestrator Dashboard | ops/deployment | TODO | Deployment Guild | DEPLOY-ORCH-34-001 | Provide Helm/Compose manifests, scaling defaults, and offline kit instructions for orchestrator service. |
| Sprint 34 | Orchestrator Dashboard | ops/devops | TODO | DevOps Guild | DEVOPS-ORCH-34-001 | Harden production dashboards/alerts, synthetic probes, and incident response playbooks for orchestrator. |
| Sprint 34 | Orchestrator Dashboard | ops/offline-kit | TODO | Offline Kit Guild | DEVOPS-OFFLINE-34-006 | Bundle orchestrator service, worker SDK samples, and Postgres snapshot into Offline Kit with integrity checks. |
| Sprint 34 | Orchestrator Dashboard | src/Authority/StellaOps.Authority | TODO | Authority Core & Security Guild | AUTH-ORCH-34-001 | Add Orch.Admin role for quotas/backfills, enforce audit reason requirements, update docs and offline defaults. |
| Sprint 34 | Orchestrator Dashboard | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-ORCH-34-001 | Implement backfill wizard and quota management commands with dry-run preview and guardrails. |
| Sprint 34 | Orchestrator Dashboard | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-ORCH-34-001 | Implement orchestrator-driven backfills for advisory sources with idempotent artifact reuse and ledger linkage. |
| Sprint 34 | Orchestrator Dashboard | src/Excititor/StellaOps.Excititor.Worker | TODO | Excititor Worker Guild | EXCITITOR-ORCH-34-001 | Support orchestrator backfills and circuit breaker resets for Excititor sources with auditing. |
| Sprint 34 | Orchestrator Dashboard | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-34-101 | Link orchestrator run ledger entries into Findings Ledger provenance export and audit queries. |
| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go | TODO | Worker SDK Guild | WORKER-GO-34-001 | Add backfill range execution, watermark handshake, and artifact dedupe verification to Go SDK. |
| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python | TODO | Worker SDK Guild | WORKER-PY-34-001 | Add backfill support and deterministic artifact dedupe validation to Python SDK. |
| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-SVC-34-001 | Implement quota management APIs, SLO burn-rate computation, and alert budget tracking. |
| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-SVC-34-002 | Build audit log and immutable run ledger export with signed manifest support. |
| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-SVC-34-003 | Run perf/scale validation (10k jobs, dispatch <150ms) and add autoscaling hooks. |
| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-SVC-34-004 | Package orchestrator container, Helm overlays, offline bundle seeds, and provenance attestations. |
| Sprint 34 | Orchestrator Dashboard | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-34-101 | Expose policy eval run ledger exports and SLO burn metrics to orchestrator. |
| Sprint 34 | Orchestrator Dashboard | src/SbomService/StellaOps.SbomService | TODO | SBOM Service Guild | SBOM-ORCH-34-001 | Enable SBOM backfill and watermark reconciliation; emit coverage metrics and flood guard. |
| Sprint 34 | Orchestrator Dashboard | src/VexLens/StellaOps.VexLens | TODO | VEX Lens Guild | VEXLENS-ORCH-34-001 | Integrate consensus compute completion events with orchestrator ledger and provenance outputs. |
| Sprint 34 | Orchestrator Dashboard | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-ORCH-34-001 | Expose quotas/backfill/queue metrics endpoints, throttle toggles, and error clustering APIs. |
| Sprint 35 | EPDR Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet | TODO | Scanner EPDR Guild | SCANNER-ANALYZERS-LANG-11-001 | Build entrypoint resolver (identity + environment profiles) and emit normalized entrypoint records. |
| Sprint 35 | EPDR Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet | TODO | Scanner EPDR Guild | SCANNER-ANALYZERS-LANG-11-002 | Static IL/reflection/ALC heuristics producing dependency edges with reason codes and confidence. |
| Sprint 35 | EPDR Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet | TODO | Scanner EPDR Guild, Signals Guild | SCANNER-ANALYZERS-LANG-11-003 | Runtime loader/PInvoke signal ingestion merged with static/declared edges (confidence & explain). |
| Sprint 35 | Export Center Phase 1 | docs | TODO | Docs Guild | DOCS-EXPORT-35-001 | Author /docs/modules/export-center/overview.md with purpose, profiles, security, and imposed rule reminder. |
| Sprint 35 | Export Center Phase 1 | docs | TODO | Docs Guild | DOCS-EXPORT-35-002 | Author /docs/modules/export-center/architecture.md detailing service components, adapters, manifests, signing, and distribution. |
| Sprint 35 | Export Center Phase 1 | docs | TODO | Docs Guild | DOCS-EXPORT-35-003 | Publish /docs/modules/export-center/profiles.md covering schemas, examples, and compatibility. |
| Sprint 35 | Export Center Phase 1 | ops/deployment | TODO | Deployment Guild | DEPLOY-EXPORT-35-001 | Package exporter service/worker containers, Helm overlays (download-only), and rollout guide. |
| Sprint 35 | Export Center Phase 1 | ops/devops | TODO | DevOps Guild | DEVOPS-EXPORT-35-001 | Create exporter CI pipeline (lint/test/perf smoke), object storage fixtures, and initial Grafana dashboards. |
| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-SVC-35-001 | Bootstrap exporter service, configuration, and migrations for export profiles/runs/inputs/distributions with tenant scopes. |
| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-SVC-35-002 | Implement planner resolving filters to iterators and orchestrator job contract with deterministic sampling. |
| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-SVC-35-003 | Deliver JSON adapters (raw/policy) with canonical normalization, redaction enforcement, and zstd writers. |
| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-SVC-35-004 | Build mirror (full) adapter producing filesystem layout, manifests, and bundle assembly for download profile. |
| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-SVC-35-005 | Implement manifest/provenance writer and KMS signing/attestation for export bundles. |
| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-SVC-35-006 | Expose Export API (profiles, runs, download) with SSE updates, concurrency controls, and audit logging. |
| Sprint 35 | Export Center Phase 1 | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-EXPORT-35-001 | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings filtered by scope selectors. |
| Sprint 35 | Export Center Phase 1 | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-SVC-35-101 | Register export job type, quotas, and rate policies; surface export job telemetry for scheduler. |
| Sprint 35 | Export Center Phase 1 | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-35-201 | Expose deterministic policy snapshot + evaluated findings endpoint aligned with Export Center requirements. |
| Sprint 35 | Export Center Phase 1 | src/VexLens/StellaOps.VexLens | TODO | VEX Lens Guild | VEXLENS-EXPORT-35-001 | Publish consensus snapshot API delivering deterministic JSON for export consumption. |
| Sprint 35 | Export Center Phase 1 | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-EXPORT-35-001 | Route Export Center APIs through gateway with tenant scoping, viewer/operator scopes, and streaming downloads. |
| Sprint 36 | EPDR Observations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet | TODO | Scanner EPDR Guild, SBOM Service Guild | SCANNER-ANALYZERS-LANG-11-004 | Normalize EPDR output to Scanner observation writer (entrypoints + edges + env profiles). |
| Sprint 36 | EPDR Observations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet | TODO | Scanner EPDR Guild, QA Guild | SCANNER-ANALYZERS-LANG-11-005 | End-to-end fixtures/benchmarks covering publish modes, RIDs, trimming, NativeAOT with explain traces. |
| Sprint 36 | Export Center Phase 2 | docs | TODO | Docs Guild | DOCS-EXPORT-36-004 | Author /docs/modules/export-center/api.md with endpoint examples and imposed rule note. |
| Sprint 36 | Export Center Phase 2 | docs | TODO | Docs Guild | DOCS-EXPORT-36-005 | Publish /docs/modules/export-center/cli.md covering commands, scripts, verification, and imposed rule reminder. |
| Sprint 36 | Export Center Phase 2 | docs | TODO | Docs Guild | DOCS-EXPORT-36-006 | Write /docs/modules/export-center/trivy-adapter.md detailing mappings, compatibility, and test matrix. |
| Sprint 36 | Export Center Phase 2 | ops/deployment | TODO | Deployment Guild | DEPLOY-EXPORT-36-001 | Document registry credentials, OCI push workflows, and automation for export distributions. |
| Sprint 36 | Export Center Phase 2 | ops/devops | TODO | DevOps Guild | DEVOPS-EXPORT-36-001 | Integrate Trivy compatibility validation, OCI push smoke tests, and metrics dashboards for export throughput. |
| Sprint 36 | Export Center Phase 2 | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-EXPORT-36-001 | Add stella export distribute (OCI/objstore), run download --resume, and status polling enhancements. |
| Sprint 36 | Export Center Phase 2 | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-SVC-36-001 | Implement Trivy DB adapter (core) with schema mapping, validation, and compatibility gating. |
| Sprint 36 | Export Center Phase 2 | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-SVC-36-002 | Add Trivy Java DB variant, shared manifest entries, and adapter regression tests. |
| Sprint 36 | Export Center Phase 2 | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-SVC-36-003 | Build OCI distribution engine for exports with descriptor annotations and registry auth handling. |
| Sprint 36 | Export Center Phase 2 | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-SVC-36-004 | Extend planner/run lifecycle for OCI/object storage distributions with retry + idempotency. |
| Sprint 36 | Export Center Phase 2 | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-SVC-36-101 | Add distribution job follow-ups, retention metadata, and metrics for export runs. |
| Sprint 36 | Export Center Phase 2 | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-EXPORT-36-001 | Expose distribution endpoints (OCI/object storage) and manifest/provenance download proxies with RBAC. |
| Sprint 37 | Export Center Phase 3 | docs | TODO | Docs Guild | DOCS-EXPORT-37-001 | Publish /docs/modules/export-center/mirror-bundles.md detailing layouts, deltas, encryption, imposed rule reminder. |
| Sprint 37 | Export Center Phase 3 | docs | TODO | Docs Guild | DOCS-EXPORT-37-002 | Publish /docs/modules/export-center/provenance-and-signing.md covering manifests, attestation, verification. |
| Sprint 37 | Export Center Phase 3 | docs | TODO | Docs Guild | DOCS-EXPORT-37-003 | Publish /docs/operations/export-runbook.md for failures, tuning, capacity, with imposed rule note. |
| Sprint 37 | Export Center Phase 3 | docs | TODO | Docs Guild | DOCS-EXPORT-37-004 | Publish /docs/security/export-hardening.md covering RBAC, isolation, encryption, and imposed rule. |
| Sprint 37 | Export Center Phase 3 | ops/devops | TODO | DevOps Guild | DEVOPS-EXPORT-37-001 | Finalize dashboards/alerts for exports (failure, verify), retention jobs, and chaos testing harness. |
| Sprint 37 | Export Center Phase 3 | ops/offline-kit | TODO | Offline Kit Guild | DEVOPS-OFFLINE-37-001 | Package Export Center mirror bundles + verification tooling into Offline Kit with manifest/signature updates. |
| Sprint 37 | Export Center Phase 3 | src/Authority/StellaOps.Authority | TODO | Authority Core & Security Guild | AUTH-EXPORT-37-001 | Add Export.Admin scope enforcement for retention, encryption keys, and scheduling APIs. |
| Sprint 37 | Export Center Phase 3 | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-EXPORT-37-001 | Implement stella export schedule, run verify, and bundle verification tooling with signature/hash checks. |
| Sprint 37 | Export Center Phase 3 | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-SVC-37-001 | Implement mirror delta adapter, base export linkage, and content-addressed reuse. |
| Sprint 37 | Export Center Phase 3 | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-SVC-37-002 | Add bundle encryption, key wrapping with KMS, and verification tooling for encrypted exports. |
| Sprint 37 | Export Center Phase 3 | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-SVC-37-003 | Deliver scheduling/retention engine (cron/event triggers), audit trails, and retry idempotency enhancements. |
| Sprint 37 | Export Center Phase 3 | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-SVC-37-004 | Provide export verification API and CLI integration, including hash/signature validation endpoints. |
| Sprint 37 | Export Center Phase 3 | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-SVC-37-101 | Enable scheduled export runs, retention pruning hooks, and failure alerting integration. |
| Sprint 37 | Export Center Phase 3 | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-EXPORT-37-001 | Surface scheduling, retention, and verification endpoints plus encryption parameter handling. |
| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-001 | Format detector & binary identity for ELF/PE/Mach-O (multi-slice) with stable entrypoint IDs. |
| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-002 | ELF dynamic parser emitting dtneeded edges, runpath metadata, symbol version needs. |
| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-003 | PE import + delay-load + SxS manifest parsing producing reason-coded edges. |
| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-004 | Mach-O load command parsing with @rpath expansion and slice handling. |
| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-005 | Cross-platform resolver engine modeling search order/explain traces for ELF/PE/Mach-O. |
| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-006 | Heuristic scanner for dlopen/LoadLibrary strings, plugin configs, ecosystem hints with confidence tags. |
| Sprint 38 | Native Observation Pipeline | src/Scanner/StellaOps.Scanner.Analyzers.Native | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-007 | Serialize entrypoints/edges/env profiles to Scanner writer (AOC-compliant observations). |
| Sprint 38 | Native Observation Pipeline | src/Scanner/StellaOps.Scanner.Analyzers.Native | TODO | Native Analyzer Guild, QA Guild | SCANNER-ANALYZERS-NATIVE-20-008 | Fixture suite + determinism benchmarks for native analyzer across linux/windows/macos. |
| Sprint 38 | Native Observation Pipeline | src/Scanner/StellaOps.Scanner.Analyzers.Native | TODO | Native Analyzer Guild, Signals Guild | SCANNER-ANALYZERS-NATIVE-20-009 | Optional runtime capture adapters (eBPF/ETW/dyld) producing runtime-load edges with redaction. |
| Sprint 38 | Native Observation Pipeline | src/Scanner/StellaOps.Scanner.Analyzers.Native | TODO | Native Analyzer Guild, DevOps Guild | SCANNER-ANALYZERS-NATIVE-20-010 | Package native analyzer plug-in + Offline Kit updates and restart-time loading. |
| Sprint 38 | Notifications Studio Phase 1 | docs | TODO | Docs Guild | DOCS-NOTIFY-38-001 | Publish /docs/notifications/overview.md and /docs/notifications/architecture.md ending with imposed rule statement. |
| Sprint 38 | Notifications Studio Phase 1 | ops/deployment | TODO | Deployment Guild | DEPLOY-NOTIFY-38-001 | Package notifier API/worker Helm overlays (email/chat/webhook), secrets templates, rollout guide. |
| Sprint 38 | Notifications Studio Phase 1 | ops/devops | TODO | DevOps Guild | DEVOPS-NOTIFY-38-001 | Stand up notifier CI pipelines, event bus fixtures, base dashboards for events/notifications latency. |
| Sprint 38 | Notifications Studio Phase 1 | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-NOTIFY-38-001 | Implement stella notify rule/template/incident commands (list/create/test/ack) with file-based inputs. |
| Sprint 38 | Notifications Studio Phase 1 | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-SVC-38-001 | Bootstrap notifier service, migrations for notif tables, event ingestion, and rule engine foundation (policy violations + job failures). |
| Sprint 38 | Notifications Studio Phase 1 | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-SVC-38-002 | Implement channel adapters (email, chat-webhook, generic webhook) with retry and audit logging. |
| Sprint 38 | Notifications Studio Phase 1 | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-SVC-38-003 | Deliver template service (versioning, preview), rendering pipeline with redaction, and provenance links. |
| Sprint 38 | Notifications Studio Phase 1 | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-SVC-38-004 | Expose initial API (rules CRUD, templates, incidents list, ack) and live feed WS stream. |
| Sprint 38 | Notifications Studio Phase 1 | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-SVC-38-101 | Standardize event envelope publication (policy/export/job lifecycle) with idempotency keys for notifier ingestion. |
| Sprint 38 | Notifications Studio Phase 1 | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-38-201 | Emit enriched violation events including rationale IDs via orchestrator bus. |
| Sprint 38 | Notifications Studio Phase 1 | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-NOTIFY-38-001 | Route notifier APIs through gateway with tenant scoping and operator scopes. |
| | Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-001 | Java input normalizer (jar/war/ear/fat/jmod/jimage) with MR overlay selection. | | Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-002 | Module/classpath builder with duplicate & split-package detection. | | Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-003 | SPI scanner & provider selection with warnings. | | Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java | DONE | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-004 | Reflection/TCCL heuristics emitting reason-coded edges. | | Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-005 | Framework config extraction (Spring, Jakarta, MicroProfile, logging, Graal configs). | | Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-006 | JNI/native hint detection for Java artifacts. | | Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-007 | Manifest/signature metadata collector (main/start/agent classes, signers). | | Sprint 39 | Notifications Studio Phase 2 | docs | TODO | Docs Guild | DOCS-NOTIFY-39-002 | Publish /docs/notifications/rules.md, /templates.md, /digests.md with imposed rule reminder. | | Sprint 39 | Notifications Studio Phase 2 | ops/devops | TODO | DevOps Guild | DEVOPS-NOTIFY-39-002 | Add throttling/quiet-hours dashboards, digest job monitoring, and storm breaker alerts. 
| | Sprint 39 | Notifications Studio Phase 2 | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-NOTIFY-39-001 | Add simulation/digest CLI verbs and advanced filtering for incidents. | | Sprint 39 | Notifications Studio Phase 2 | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-NOTIFY-39-001 | Optimize digest queries and provide API for notifier to fetch unresolved policy violations/SBOM deltas. | | Sprint 39 | Notifications Studio Phase 2 | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-SVC-39-001 | Implement correlation engine, throttling, quiet hours/maintenance evaluator, and incident state machine. | | Sprint 39 | Notifications Studio Phase 2 | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-SVC-39-002 | Add digests generator with Findings Ledger queries and distribution (email/chat). | | Sprint 39 | Notifications Studio Phase 2 | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-SVC-39-003 | Provide simulation engine and API for rule dry-run against historical events. | | Sprint 39 | Notifications Studio Phase 2 | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-SVC-39-004 | Integrate quiet hours calendars and default throttles with audit logging. | | Sprint 39 | Notifications Studio Phase 2 | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-NOTIFY-39-001 | Surface digest scheduling, simulation, and throttle management endpoints via gateway. | | Sprint 40 | Java Observation & Runtime | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-008 | Observation writer producing entrypoints/components/edges with warnings. 
| | Sprint 40 | Java Observation & Runtime | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java | TODO | Java Analyzer Guild, QA Guild | SCANNER-ANALYZERS-JAVA-21-009 | Fixture suite + determinism/perf benchmarks for Java analyzer. | | Sprint 40 | Java Observation & Runtime | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java | TODO | Java Analyzer Guild, Signals Guild | SCANNER-ANALYZERS-JAVA-21-010 | Optional runtime ingestion via agent/JFR producing runtime edges. | | Sprint 40 | Java Observation & Runtime | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java | TODO | Java Analyzer Guild, DevOps Guild | SCANNER-ANALYZERS-JAVA-21-011 | Package Java analyzer plug-in + Offline Kit/CLI updates. | | Sprint 40 | Notifications Studio Phase 3 | docs | TODO | Docs Guild | DOCS-NOTIFY-40-001 | Publish /docs/notifications/channels.md, /escalations.md, /api.md, /operations/notifier-runbook.md, /security/notifications-hardening.md with imposed rule lines. | | Sprint 40 | Notifications Studio Phase 3 | ops/deployment | TODO | Deployment Guild | DEPLOY-NOTIFY-40-001 | Package notifier escalations + localization deployment overlays, signed ack token rotation scripts, and rollback guidance. | | Sprint 40 | Notifications Studio Phase 3 | ops/devops | TODO | DevOps Guild | DEVOPS-NOTIFY-40-001 | Finalize notifier dashboards/alerts (escalation failures, ack latency), chaos testing harness, and channel health monitoring. | | Sprint 40 | Notifications Studio Phase 3 | ops/offline-kit | CARRY (no scope change) | Offline Kit Guild | DEVOPS-OFFLINE-37-002 | Carry from Sprint 37: Notifier offline packs (sample configs, template/digest packs, dry-run harness) with integrity checks. | | Sprint 40 | Notifications Studio Phase 3 | src/Authority/StellaOps.Authority | TODO | Authority Core & Security Guild | AUTH-NOTIFY-40-001 | Enforce ack token signing/rotation, webhook allowlists, and admin-only escalation settings. 
| | Sprint 40 | Notifications Studio Phase 3 | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-NOTIFY-40-001 | Implement ack token redemption, escalation management, localization previews. | | Sprint 40 | Notifications Studio Phase 3 | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-SVC-40-001 | Implement escalations, on-call schedules, ack bridge, PagerDuty/OpsGenie adapters, and localization bundles. | | Sprint 40 | Notifications Studio Phase 3 | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-SVC-40-002 | Add CLI inbox/in-app feed channels and summary storm breaker notifications. | | Sprint 40 | Notifications Studio Phase 3 | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-SVC-40-003 | Harden security: signed ack links, webhook HMAC/IP allowlists, tenant isolation fuzzing, localization fallback. | | Sprint 40 | Notifications Studio Phase 3 | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-SVC-40-004 | Finalize observability (incident metrics, escalation latency) and chaos tests for channel outages. | | Sprint 40 | Notifications Studio Phase 3 | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-NOTIFY-40-001 | Expose escalation, localization, channel health endpoints and verification of signed links. | | Sprint 41 | CLI Parity & Task Packs Phase 1 | docs | TODO | Docs Guild | DOCS-CLI-41-001 | Publish /docs/modules/cli/guides/overview.md, /cli/configuration.md, /cli/output-and-exit-codes.md (with imposed rule). | | Sprint 41 | CLI Parity & Task Packs Phase 1 | ops/deployment | TODO | Deployment Guild | DEPLOY-CLI-41-001 | Package CLI release artifacts (tarballs, completions, container image) with distribution docs. | | Sprint 41 | CLI Parity & Task Packs Phase 1 | ops/devops | TODO | DevOps Guild | DEVOPS-CLI-41-001 | Establish CLI build pipeline (multi-platform binaries, SBOM, checksums) and parity matrix CI enforcement. 
| | Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Authority/StellaOps.Authority | TODO | Authority Core & Security Guild | AUTH-PACKS-41-001 | Define CLI SSO scopes and Packs (Packs.Read/Write/Run/Approve) roles; update discovery/offline defaults. | | Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-CORE-41-001 | Implement CLI config/auth foundation, global flags, output renderer, and error/exit code mapping. | | Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-PARITY-41-001 | Deliver parity command groups (policy, sbom, vuln, vex, advisory, export, orchestrator) with JSON/table outputs and --explain. | | Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-PARITY-41-002 | Implement notify, aoc, auth command groups, idempotency keys, completions, and parity matrix export. | | Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-SVC-41-101 | Register pack-run job type, integrate logs/artifacts, expose pack run metadata. | | Sprint 41 | CLI Parity & Task Packs Phase 1 | src/PacksRegistry/StellaOps.PacksRegistry | DONE (2025-11-25) | Packs Registry Guild | PACKS-REG-41-001 | Implement packs index API, signature verification, provenance storage, and RBAC. | | Sprint 41 | CLI Parity & Task Packs Phase 1 | src/TaskRunner/StellaOps.TaskRunner | TODO | Task Runner Guild | TASKRUN-41-001 | Bootstrap Task Runner service, migrations, run API, local executor, approvals pause, artifact capture. | | Sprint 42 | CLI Parity & Task Packs Phase 2 | docs | TODO | Docs Guild | DOCS-CLI-42-001 | Publish /docs/modules/cli/guides/parity-matrix.md, /cli/commands/*.md, /docs/task-packs/spec.md (imposed rule). 
| | Sprint 42 | CLI Parity & Task Packs Phase 2 | ops/devops | TODO | DevOps Guild | DEVOPS-CLI-42-001 | Add CLI golden output tests, parity diff automation, and pack run CI harness. | | Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-PACKS-42-001 | Implement Task Pack CLI commands (pack plan/run/push/pull/verify) with plan/simulate engine and expression sandbox. | | Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-PARITY-41-001..002 | Close parity gaps for Notifications, Policy Studio advanced features, SBOM graph, Vuln Explorer; parity matrix green. | | Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-PACKS-42-001 | Expose snapshot/time-travel APIs for CLI offline mode and pack simulation. | | Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-SVC-42-101 | Stream pack run logs via SSE/WS, expose artifact manifests, enforce pack run quotas. | | Sprint 42 | CLI Parity & Task Packs Phase 2 | src/PacksRegistry/StellaOps.PacksRegistry | DONE (2025-11-25) | Packs Registry Guild | PACKS-REG-42-001 | Support pack version lifecycle, tenant allowlists, provenance export, signature rotation. | | Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ENGINE-42-201 | Provide stable rationale IDs/APIs for CLI --explain and pack policy gates. | | Sprint 42 | CLI Parity & Task Packs Phase 2 | src/TaskRunner/StellaOps.TaskRunner | BLOCKED (2025-11-25) | Task Runner Guild | TASKRUN-42-001 | Add loops, conditionals, maxParallel, outputs, simulation mode, policy gates in Task Runner; blocked awaiting control-flow/policy-gate addendum. 
| | Sprint 43 | CLI Parity & Task Packs Phase 3 | docs | TODO | Docs Guild | DOCS-PACKS-43-001 | Publish /docs/task-packs/authoring-guide.md, /registry.md, /runbook.md, /security/pack-signing-and-rbac.md, /operations/cli-release-and-packaging.md (imposed rule). | | Sprint 43 | CLI Parity & Task Packs Phase 3 | ops/devops | TODO | DevOps Guild | DEVOPS-CLI-43-001 | Finalize multi-platform release automation, SBOM signing, parity gate enforcement, pack run chaos tests. | | Sprint 43 | CLI Parity & Task Packs Phase 3 | src/Authority/StellaOps.Authority | TODO | Authority Core & Security Guild | AUTH-PACKS-41-001 | Enforce pack signing policies, approval RBAC, CLI token scopes for CI headless runs. | | Sprint 43 | CLI Parity & Task Packs Phase 3 | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-PACKS-42-001 | Deliver advanced pack features (approvals pause/resume, remote streaming, secret injection), localization, man pages. | | Sprint 43 | CLI Parity & Task Packs Phase 3 | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-SVC-35-005, PACKS-REG-41-001 | Integrate pack run manifests into export bundles and CLI verify flows. | | Sprint 43 | CLI Parity & Task Packs Phase 3 | src/PacksRegistry/StellaOps.PacksRegistry | DONE (2025-11-25) | Packs Registry Guild | PACKS-REG-42-001 | Enforce pack signing policies, audit trails, registry mirroring, Offline Kit support. | | Sprint 43 | CLI Parity & Task Packs Phase 3 | src/TaskRunner/StellaOps.TaskRunner | BLOCKED (2025-11-25) | Task Runner Guild | TASKRUN-42-001 | Implement approvals workflow, notifications integration, remote artifact uploads, chaos resilience; blocked until TASKRUN-42-001 unblocks. | | Sprint 44 | Containerized Distribution Phase 1 | docs | TODO | Docs Guild | DOCS-INSTALL-44-001 | Publish install overview + Compose Quickstart docs (imposed rule). 
| | Sprint 44 | Containerized Distribution Phase 1 | ops/deployment | TODO | Deployment Guild | COMPOSE-44-001 | Deliver Quickstart Compose stack with seed data and quickstart script. | | Sprint 44 | Containerized Distribution Phase 1 | ops/deployment | TODO | Deployment Guild | COMPOSE-44-002 | Provide backup/reset scripts with guardrails and documentation. | | Sprint 44 | Containerized Distribution Phase 1 | ops/deployment | TODO | Deployment Guild | COMPOSE-44-003 | Implement seed job and onboarding wizard toggle (QUICKSTART_MODE). | | Sprint 44 | Containerized Distribution Phase 1 | ops/deployment | TODO | Deployment Guild | DEPLOY-COMPOSE-44-001 | Finalize Quickstart scripts and README. | | Sprint 44 | Containerized Distribution Phase 1 | ops/devops | TODO | DevOps Guild | DEVOPS-CONTAINERS-44-001 | Automate multi-arch builds with SBOM/signature pipeline. | | Sprint 44 | Containerized Distribution Phase 1 | ops/devops | TODO | DevOps Guild | DOCKER-44-001 | Author multi-stage Dockerfiles with non-root users, read-only FS, and health scripts for all services. | | Sprint 44 | Containerized Distribution Phase 1 | ops/devops | TODO | DevOps Guild | DOCKER-44-002 | Generate SBOMs and cosign attestations for each image; integrate signature verification in CI. | | Sprint 44 | Containerized Distribution Phase 1 | ops/devops | TODO | DevOps Guild | DOCKER-44-003 | Ensure /health/*, /version, /metrics, and capability endpoints (merge=false) are exposed across services. | | Sprint 44 | Containerized Distribution Phase 1 | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-CONTAINERS-44-001 | Expose config discovery and quickstart handling with health/version endpoints. | | Sprint 45 | Containerized Distribution Phase 2 | docs | TODO | Docs Guild | DOCS-INSTALL-45-001 | Publish Helm production + configuration reference docs (imposed rule). 
| | Sprint 45 | Containerized Distribution Phase 2 | ops/deployment | TODO | Deployment Guild | DEPLOY-HELM-45-001 | Publish Helm install guide and sample values. | | Sprint 45 | Containerized Distribution Phase 2 | ops/deployment | TODO | Deployment Guild | HELM-45-001 | Scaffold Helm chart with component toggles and pinned digests. | | Sprint 45 | Containerized Distribution Phase 2 | ops/deployment | TODO | Deployment Guild | HELM-45-002 | Add security features (TLS, NetworkPolicy, Secrets integration). | | Sprint 45 | Containerized Distribution Phase 2 | ops/deployment | TODO | Deployment Guild | HELM-45-003 | Implement HPA, PDB, readiness gates, and observability hooks. | | Sprint 45 | Containerized Distribution Phase 2 | ops/devops | TODO | DevOps Guild | DEVOPS-CONTAINERS-45-001 | Add Compose/Helm smoke tests to CI. | | Sprint 45 | Containerized Distribution Phase 2 | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-CONTAINERS-45-001 | Ensure readiness endpoints and config toggles support Helm deployments. | | Sprint 46 | Containerized Distribution Phase 3 | docs | TODO | Docs Guild | DOCS-INSTALL-46-001 | Publish air-gap, supply chain, health/readiness, image catalog, console onboarding docs (imposed rule). | | Sprint 46 | Containerized Distribution Phase 3 | ops/deployment | TODO | Deployment Guild | DEPLOY-AIRGAP-46-001 | Provide air-gap load script and docs. | | Sprint 46 | Containerized Distribution Phase 3 | ops/devops | TODO | DevOps Guild | DEVOPS-CONTAINERS-46-001 | Build signed air-gap bundle and verify in CI. | | Sprint 46 | Containerized Distribution Phase 3 | ops/offline-kit | TODO | Offline Kit Guild | OFFLINE-CONTAINERS-46-001 | Include air-gap bundle and instructions in Offline Kit. | | Sprint 46 | Containerized Distribution Phase 3 | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-CONTAINERS-46-001 | Harden offline mode and document fallback behavior. 
| | Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | docs | TODO | Docs Guild | DOCS-TEN-47-001 | Publish /docs/security/tenancy-overview.md and /docs/security/scopes-and-roles.md (imposed rule). | | Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | ops/devops | TODO | DevOps Guild | DEVOPS-TEN-47-001 | Integrate JWKS caching, signature verification tests, and auth regression suite into CI. | | Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | src/Authority/StellaOps.Authority | TODO | Authority Core & Security Guild | AUTH-TEN-47-001 | Implement unified JWT/ODIC config, scope grammar, tenant/project claims, and JWKS caching in Authority. | | Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-TEN-47-001 | Ship stella login, whoami, tenants list, and tenant flag persistence with secure token storage. | | Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-TEN-47-001 | Add auth middleware (token verification, tenant activation, scope checks) and structured 403 responses. | | Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | docs | TODO | Docs Guild | DOCS-TEN-48-001 | Publish /docs/operations/multi-tenancy.md, /docs/operations/rls-and-data-isolation.md, /docs/console/admin-tenants.md (imposed rule). | | Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | ops/devops | TODO | DevOps Guild | DEVOPS-TEN-48-001 | Write integration tests for RLS enforcement, tenant audit stream, and object store prefix checks. | | Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-TEN-48-001 | Ensure advisory linkers operate per tenant with RLS, enforce aggregation-only capability endpoint. 
| | Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-TEN-48-001 | Same as above for VEX linkers; enforce capability endpoint merge=false. | | Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-TEN-48-001 | Add tenant prefixes to manifests/artifacts, enforce scope checks, and block cross-tenant exports by default. | | Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-TEN-48-001 | Partition findings by tenant/project, enable RLS, and update queries/events to include tenant context. | | Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-TEN-48-001 | Tenant-scope notification rules, incidents, and outbound channels; update storage schemas. | | Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-TEN-48-001 | Stamp jobs with tenant/project, set DB session context, and reject jobs without context. | | Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-TEN-48-001 | Add tenant_id/project_id to policy data, enable Postgres RLS, and expose rationale IDs with tenant context. | | Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/TaskRunner/StellaOps.TaskRunner | DONE (2025-12-10) | Task Runner Guild | TASKRUN-TEN-48-001 | Propagate tenant/project to all steps, enforce object store prefix, and validate before execution. 
| | Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-TEN-48-001 | Enforce tenant context through persistence (DB GUC, object store prefix), add request annotations, and emit audit events. | | Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | docs | TODO | Docs Guild | DOCS-TEN-49-001 | Publish /docs/modules/cli/guides/authentication.md, /docs/api/authentication.md, /docs/policy/examples/abac-overlays.md, /docs/install/configuration-reference.md updates (imposed rule). | | Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | ops/devops | TODO | DevOps Guild | DEVOPS-TEN-49-001 | Implement audit log pipeline, monitor scope usage, chaos tests for JWKS outage, and tenant load/perf tests. | | Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | src/Authority/StellaOps.Authority | TODO | Authority Core & Security Guild | AUTH-TEN-49-001 | Implement service accounts, delegation tokens (act chain), per-tenant quotas, and audit log streaming. | | Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-TEN-49-001 | Add service account token minting, delegation, and --impersonate banner/controls. | | Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-TEN-49-001 | Integrate ABAC policy overlay (optional), expose audit API, and support service token minting endpoints. | | Sprint 50 | Observability & Forensics Phase 1 Baseline Telemetry | docs | TODO | Docs Guild | DOCS-INSTALL-50-001 | Add /docs/install/telemetry-stack.md for collector deployment and offline packaging. | | Sprint 50 | Observability & Forensics Phase 1 Baseline Telemetry | docs | BLOCKED (2025-10-26) | Docs Guild | DOCS-OBS-50-001 | Author /docs/observability/overview.md with imposed rule banner and architecture context. 
| | Sprint 50 | Observability & Forensics Phase 1 Baseline Telemetry | docs | TODO | Docs Guild | DOCS-OBS-50-002 | Document telemetry standards (fields, scrubbing, sampling) under /docs/observability/telemetry-standards.md. | | Sprint 50 | Observability & Forensics Phase 1 Baseline Telemetry | docs | TODO | Docs Guild | DOCS-OBS-50-003 | Publish structured logging guide /docs/observability/logging.md with examples and imposed rule banner. | | Sprint 50 | Observability & Forensics Phase 1 Baseline Telemetry | docs | TODO | Docs Guild | DOCS-OBS-50-004 | Publish tracing guide /docs/observability/tracing.md covering context propagation and sampling. | | Sprint 50 | Observability & Forensics Phase 1 Baseline Telemetry | docs | TODO | Docs Guild | DOCS-SEC-OBS-50-001 | Update /docs/security/redaction-and-privacy.md for telemetry privacy controls. | | Sprint 50 | Observability & Forensics Phase 1 Baseline Telemetry | ops/devops | DOING (2025-10-26) | DevOps Guild | DEVOPS-OBS-50-002 | Stand up multi-tenant metrics/logs/traces backends with retention and isolation. | Staging rollout plan recorded in docs/modules/telemetry/operations/storage.md; waiting on Authority-issued tokens and namespace bootstrap. | Sprint 50 | Observability & Forensics Phase 1 Baseline Telemetry | src/Authority/StellaOps.Authority | DOING (2025-11-01) | Authority Core & Security Guild | AUTH-OBS-50-001 | Introduce observability/timeline/evidence/attestation scopes and update discovery metadata. | | Sprint 50 | Observability & Forensics Phase 1 Baseline Telemetry | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-OBS-50-001 | Propagate trace headers from CLI commands and print correlation IDs. | | Sprint 50 | Observability & Forensics Phase 1 Baseline Telemetry | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-OBS-50-001 | Replace ad-hoc logging with telemetry core across advisory ingestion/linking. 
| | Sprint 50 | Observability & Forensics Phase 1 Baseline Telemetry | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-50-001 | Adopt telemetry core in Concelier APIs and surface correlation IDs. | | Sprint 50 | Observability & Forensics Phase 1 Baseline Telemetry | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-OBS-50-001 | Integrate telemetry core into VEX ingestion/linking with scope metadata. | | Sprint 50 | Observability & Forensics Phase 1 Baseline Telemetry | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-50-001 | Add telemetry core to VEX APIs and emit trace headers. | | Sprint 50 | Observability & Forensics Phase 1 Baseline Telemetry | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-OBS-50-001 | Enable telemetry core in export planner/workers capturing bundle metadata. | | Sprint 50 | Observability & Forensics Phase 1 Baseline Telemetry | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-OBS-50-001 | Wire telemetry core through ledger writer/projector for append/replay operations. | | Sprint 50 | Observability & Forensics Phase 1 Baseline Telemetry | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-OBS-50-001 | Instrument orchestrator scheduler/control APIs with telemetry core spans/logs. | | Sprint 50 | Observability & Forensics Phase 1 Baseline Telemetry | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-OBS-50-001 | Instrument policy compile/evaluate flows with telemetry core spans/logs. | | Sprint 50 | Observability & Forensics Phase 1 Baseline Telemetry | src/TaskRunner/StellaOps.TaskRunner | TODO | Task Runner Guild | TASKRUN-OBS-50-001 | Adopt telemetry core in Task Runner host and workers with scrubbed transcripts. 
| | Sprint 50 | Observability & Forensics Phase 1 Baseline Telemetry | src/Telemetry/StellaOps.Telemetry.Core | TODO | Observability Guild | TELEMETRY-OBS-50-001 | Bootstrap telemetry core library with structured logging, OTLP exporters, and deterministic bootstrap. | | Sprint 50 | Observability & Forensics Phase 1 Baseline Telemetry | src/Telemetry/StellaOps.Telemetry.Core | TODO | Observability Guild | TELEMETRY-OBS-50-002 | Deliver context propagation middleware for HTTP/gRPC/jobs/CLI carrying trace + tenant metadata. | | Sprint 50 | Observability & Forensics Phase 1 Baseline Telemetry | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-OBS-50-001 | Integrate telemetry core into gateway and emit structured traces/logs for all routes. | | Sprint 51 | Observability & Forensics Phase 2 SLOs & Dashboards | docs | TODO | Docs Guild | DOCS-OBS-51-001 | Publish /docs/observability/metrics-and-slos.md with alert policies. | | Sprint 51 | Observability & Forensics Phase 2 SLOs & Dashboards | ops/devops | TODO | DevOps Guild | DEVOPS-OBS-51-001 | Deploy SLO evaluator service, dashboards, and alert routing. | | Sprint 51 | Observability & Forensics Phase 2 SLOs & Dashboards | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-OBS-51-001 | Implement stella obs top streaming health metrics command. | | Sprint 51 | Observability & Forensics Phase 2 SLOs & Dashboards | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-OBS-51-001 | Emit ingest latency metrics + SLO thresholds for advisories. | | Sprint 51 | Observability & Forensics Phase 2 SLOs & Dashboards | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-OBS-51-001 | Provide VEX ingest metrics and SLO burn-rate automation. 
| | Sprint 51 | Observability & Forensics Phase 2 SLOs & Dashboards | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-OBS-51-001 | Capture export planner/bundle latency metrics and SLOs. | | Sprint 51 | Observability & Forensics Phase 2 SLOs & Dashboards | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-OBS-51-001 | Add ledger/projector metrics dashboards and burn-rate policies. | | Sprint 51 | Observability & Forensics Phase 2 SLOs & Dashboards | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-OBS-51-001 | Ingest SLO burn-rate webhooks and deliver observability alerts. | | Sprint 51 | Observability & Forensics Phase 2 SLOs & Dashboards | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-OBS-51-001 | Publish orchestration metrics, SLOs, and burn-rate alerts. | | Sprint 51 | Observability & Forensics Phase 2 SLOs & Dashboards | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-OBS-51-001 | Publish policy evaluation metrics + dashboards meeting SLO targets. | | Sprint 51 | Observability & Forensics Phase 2 SLOs & Dashboards | src/TaskRunner/StellaOps.TaskRunner | TODO | Task Runner Guild | TASKRUN-OBS-51-001 | Emit task runner golden-signal metrics and SLO alerts. | | Sprint 51 | Observability & Forensics Phase 2 SLOs & Dashboards | src/Telemetry/StellaOps.Telemetry.Core | TODO | Observability Guild | TELEMETRY-OBS-51-001 | Ship metrics helpers + exemplar guards for golden signals. | | Sprint 51 | Observability & Forensics Phase 2 SLOs & Dashboards | src/Telemetry/StellaOps.Telemetry.Core | TODO | Security Guild | TELEMETRY-OBS-51-002 | Implement logging scrubbing and tenant debug override controls. | | Sprint 51 | Observability & Forensics Phase 2 SLOs & Dashboards | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-OBS-51-001 | Expose /obs/health and /obs/slo aggregations for services. 
| | Sprint 52 | Observability & Forensics Phase 3 Timeline & Decision Logs | docs | TODO | Docs Guild | DOCS-CLI-OBS-52-001 | Document stella obs CLI commands and scripting patterns. | | Sprint 52 | Observability & Forensics Phase 3 Timeline & Decision Logs | docs | TODO | Docs Guild | DOCS-CONSOLE-OBS-52-001 | Document Console observability hub and trace/log search workflows. | | Sprint 52 | Observability & Forensics Phase 3 Timeline & Decision Logs | docs | TODO | Docs Guild | DOCS-CONSOLE-OBS-52-002 | Publish Console forensics/timeline guidance with imposed rule banner. | | Sprint 52 | Observability & Forensics Phase 3 Timeline & Decision Logs | ops/devops | TODO | DevOps Guild | DEVOPS-OBS-52-001 | Configure streaming pipelines and schema validation for timeline events. | | Sprint 52 | Observability & Forensics Phase 3 Timeline & Decision Logs | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-OBS-52-001 | Add stella obs trace + log commands correlating timeline data. | | Sprint 52 | Observability & Forensics Phase 3 Timeline & Decision Logs | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-OBS-52-001 | Emit advisory ingest/link timeline events with provenance metadata. | | Sprint 52 | Observability & Forensics Phase 3 Timeline & Decision Logs | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-52-001 | Provide SSE bridge for advisory timeline events. | | Sprint 52 | Observability & Forensics Phase 3 Timeline & Decision Logs | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-OBS-52-001 | Emit VEX ingest/link timeline events with justification info. | | Sprint 52 | Observability & Forensics Phase 3 Timeline & Decision Logs | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-52-001 | Stream VEX timeline updates to clients with tenant filters. 
| Sprint 52 | Observability & Forensics Phase 3 Timeline & Decision Logs | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-OBS-52-001 | Publish export lifecycle events into timeline. |
| Sprint 52 | Observability & Forensics Phase 3 Timeline & Decision Logs | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-OBS-52-001 | Record ledger append/projection events into timeline stream. |
| Sprint 52 | Observability & Forensics Phase 3 Timeline & Decision Logs | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-OBS-52-001 | Emit job lifecycle timeline events with tenant/project metadata. |
| Sprint 52 | Observability & Forensics Phase 3 Timeline & Decision Logs | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-OBS-52-001 | Emit policy decision timeline events with rule summaries and trace IDs. |
| Sprint 52 | Observability & Forensics Phase 3 Timeline & Decision Logs | src/TaskRunner/StellaOps.TaskRunner | TODO | Task Runner Guild | TASKRUN-OBS-52-001 | Emit pack run timeline events and dedupe logic. |
| Sprint 52 | Observability & Forensics Phase 3 Timeline & Decision Logs | src/TimelineIndexer/StellaOps.TimelineIndexer | DONE (2025-12-03) | Timeline Indexer Guild | TIMELINE-OBS-52-001 | Bootstrap timeline indexer service and schema with RLS scaffolding. |
| Sprint 52 | Observability & Forensics Phase 3 Timeline & Decision Logs | src/TimelineIndexer/StellaOps.TimelineIndexer | DONE (2025-12-03) | Timeline Indexer Guild | TIMELINE-OBS-52-002 | Implement event ingestion pipeline with ordering and dedupe. |
| Sprint 52 | Observability & Forensics Phase 3 Timeline & Decision Logs | src/TimelineIndexer/StellaOps.TimelineIndexer | DONE (2025-12-03) | Timeline Indexer Guild | TIMELINE-OBS-52-003 | Expose timeline query APIs with tenant filters and pagination. |
| Sprint 52 | Observability & Forensics Phase 3 Timeline & Decision Logs | src/TimelineIndexer/StellaOps.TimelineIndexer | DONE (2025-12-03) | Security Guild | TIMELINE-OBS-52-004 | Finalize RLS + scope enforcement and audit logging for timeline reads. |
| Sprint 52 | Observability & Forensics Phase 3 Timeline & Decision Logs | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-OBS-52-001 | Provide trace/log proxy endpoints bridging to timeline + log store. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | docs | TODO | Docs Guild | DOCS-CLI-FORENSICS-53-001 | Document stella forensic CLI workflows with sample bundles. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | docs | DONE (2025-11-26) | Docs Guild | DOCS-FORENSICS-53-001 | Publish /docs/forensics/evidence-locker.md covering bundles, WORM, legal holds. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | docs | DONE (2025-11-26) | Docs Guild | DOCS-FORENSICS-53-003 | Publish /docs/forensics/timeline.md with schema and query examples. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | ops/devops | TODO | DevOps Guild | DEVOPS-OBS-53-001 | Provision WORM-capable storage, legal hold automation, and backup/restore scripts for evidence locker. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-FORENSICS-53-001 | Ship stella forensic snapshot commands invoking evidence locker. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-OBS-53-001 | Generate advisory evidence payloads (raw doc, linkset diff) for locker. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-53-001 | Add /evidence/advisories/* gateway endpoints consuming locker APIs. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | src/EvidenceLocker/StellaOps.EvidenceLocker | TODO | Evidence Locker Guild | EVID-OBS-53-001 | Bootstrap evidence locker service with schema, storage abstraction, and RLS. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | src/EvidenceLocker/StellaOps.EvidenceLocker | TODO | Evidence Locker Guild | EVID-OBS-53-002 | Implement bundle builders for evaluation, job, and export snapshots. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | src/EvidenceLocker/StellaOps.EvidenceLocker | TODO | Evidence Locker Guild | EVID-OBS-53-003 | Expose evidence APIs (create/get/verify/hold) with audit + quotas. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-OBS-53-001 | Produce VEX evidence payloads and push to locker. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-53-001 | Expose /evidence/vex/* endpoints retrieving locker bundles. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-OBS-53-001 | Store export manifests + transcripts within evidence bundles. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-OBS-53-001 | Persist evidence bundle references alongside ledger entries and expose lookup API. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-OBS-53-001 | Attach job capsules + manifests to evidence locker snapshots. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-OBS-53-001 | Build evaluation evidence bundles (inputs, rule traces, engine version). |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | src/TaskRunner/StellaOps.TaskRunner | TODO | Task Runner Guild | TASKRUN-OBS-53-001 | Capture step transcripts and manifests into evidence bundles. |
| Sprint 53 | Observability & Forensics Phase 4 Evidence Locker | src/TimelineIndexer/StellaOps.TimelineIndexer | DONE (2025-12-10) | Timeline Indexer Guild | TIMELINE-OBS-53-001 | Link timeline events to evidence bundle digests and expose evidence lookup endpoint. |
| Sprint 54 | Observability & Forensics Phase 5 Provenance & Verification | docs | DONE (2025-11-26) | Docs Guild | DOCS-FORENSICS-53-002 | Publish /docs/forensics/provenance-attestation.md covering signing + verification. |
| Sprint 54 | Observability & Forensics Phase 5 Provenance & Verification | ops/devops | TODO | DevOps Guild | DEVOPS-OBS-54-001 | Manage provenance signing infrastructure (KMS keys, timestamp authority) and CI verification. |
| Sprint 54 | Observability & Forensics Phase 5 Provenance & Verification | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-FORENSICS-54-001 | Implement stella forensic verify command verifying bundles + signatures. |
| Sprint 54 | Observability & Forensics Phase 5 Provenance & Verification | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-FORENSICS-54-002 | Add stella forensic attest show command with signer/timestamp details. |
| Sprint 54 | Observability & Forensics Phase 5 Provenance & Verification | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-OBS-54-001 | Sign advisory batches with DSSE attestations and expose verification. |
| Sprint 54 | Observability & Forensics Phase 5 Provenance & Verification | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-54-001 | Add /attestations/advisories/* endpoints surfacing verification metadata. |
| Sprint 54 | Observability & Forensics Phase 5 Provenance & Verification | src/EvidenceLocker/StellaOps.EvidenceLocker | TODO | Evidence Locker Guild | EVID-OBS-54-001 | Attach DSSE signing/timestamping to evidence bundles and emit timeline hooks. |
| Sprint 54 | Observability & Forensics Phase 5 Provenance & Verification | src/EvidenceLocker/StellaOps.EvidenceLocker | TODO | Evidence Locker Guild | EVID-OBS-54-002 | Provide bundle packaging + offline verification fixtures. |
| Sprint 54 | Observability & Forensics Phase 5 Provenance & Verification | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-OBS-54-001 | Produce VEX batch attestations linking to timeline/ledger. |
| Sprint 54 | Observability & Forensics Phase 5 Provenance & Verification | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-54-001 | Expose /attestations/vex/* endpoints with verification summaries. |
| Sprint 54 | Observability & Forensics Phase 5 Provenance & Verification | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-OBS-54-001 | Produce export attestation manifests and CLI verification hooks. |
| Sprint 54 | Observability & Forensics Phase 5 Provenance & Verification | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-OBS-54-001 | Produce DSSE attestations for jobs and surface verification endpoint. |
| Sprint 54 | Observability & Forensics Phase 5 Provenance & Verification | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-OBS-54-001 | Generate DSSE attestations for policy evaluations and expose verification API. |
| Sprint 54 | Observability & Forensics Phase 5 Provenance & Verification | src/Provenance/StellaOps.Provenance.Attestation | TODO | Provenance Guild | PROV-OBS-53-001 | Implement DSSE/SLSA models with deterministic serializer + test vectors. |
| Sprint 54 | Observability & Forensics Phase 5 Provenance & Verification | src/Provenance/StellaOps.Provenance.Attestation | TODO | Provenance Guild | PROV-OBS-53-002 | Build signer abstraction (cosign/KMS/offline) with policy enforcement. |
| Sprint 54 | Observability & Forensics Phase 5 Provenance & Verification | src/Provenance/StellaOps.Provenance.Attestation | TODO | Provenance Guild | PROV-OBS-54-001 | Deliver verification library validating DSSE signatures + Merkle roots. |
| Sprint 54 | Observability & Forensics Phase 5 Provenance & Verification | src/Provenance/StellaOps.Provenance.Attestation | TODO | Provenance Guild, DevEx/CLI Guild | PROV-OBS-54-002 | Package provenance verification tool for CLI integration and offline use. |
| Sprint 54 | Observability & Forensics Phase 5 Provenance & Verification | src/TaskRunner/StellaOps.TaskRunner | DONE (2025-12-06) | Task Runner Guild | TASKRUN-OBS-54-001 | Generate pack run attestations and link to timeline/evidence. |
| Sprint 55 | Observability & Forensics Phase 6 Incident Mode | docs | TODO | Docs Guild | DOCS-RUNBOOK-55-001 | Publish /docs/runbooks/incidents.md covering activation, escalation, and verification checklist. |
| Sprint 55 | Observability & Forensics Phase 6 Incident Mode | ops/devops | TODO | DevOps Guild | DEVOPS-OBS-55-001 | Automate incident mode activation via SLO alerts, retention override management, and reset job. |
| Sprint 55 | Observability & Forensics Phase 6 Incident Mode | src/Authority/StellaOps.Authority | DOING (2025-11-01) | Authority Core & Security Guild | AUTH-OBS-55-001 | Enforce obs:incident scope with fresh-auth requirement and audit export for toggles. |
| Sprint 55 | Observability & Forensics Phase 6 Incident Mode | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-OBS-55-001 | Ship stella obs incident-mode commands with safeguards and audit logging. |
| Sprint 55 | Observability & Forensics Phase 6 Incident Mode | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-OBS-55-001 | Increase sampling and raw payload retention under incident mode with redaction guards. |
| Sprint 55 | Observability & Forensics Phase 6 Incident Mode | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-55-001 | Provide incident mode toggle endpoints and propagate to services. |
| Sprint 55 | Observability & Forensics Phase 6 Incident Mode | src/EvidenceLocker/StellaOps.EvidenceLocker | TODO | Evidence Locker Guild | EVID-OBS-55-001 | Extend evidence retention + activation events for incident windows. |
| Sprint 55 | Observability & Forensics Phase 6 Incident Mode | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-OBS-55-001 | Enable incident sampling + retention overrides for VEX pipelines. |
| Sprint 55 | Observability & Forensics Phase 6 Incident Mode | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-55-001 | Add incident mode APIs for VEX services with audit + guardrails. |
| Sprint 55 | Observability & Forensics Phase 6 Incident Mode | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-OBS-55-001 | Increase export telemetry + debug retention during incident mode and emit events. |
| Sprint 55 | Observability & Forensics Phase 6 Incident Mode | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-OBS-55-001 | Extend retention and diagnostics capture during incident mode. |
| Sprint 55 | Observability & Forensics Phase 6 Incident Mode | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-OBS-55-001 | Send incident mode start/stop notifications with quick links to evidence/timeline. |
| Sprint 55 | Observability & Forensics Phase 6 Incident Mode | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-OBS-55-001 | Increase telemetry + evidence capture during incident mode and emit activation events. |
| Sprint 55 | Observability & Forensics Phase 6 Incident Mode | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-OBS-55-001 | Capture full rule traces + retention bump on incident activation with timeline events. |
| Sprint 55 | Observability & Forensics Phase 6 Incident Mode | src/TaskRunner/StellaOps.TaskRunner | DONE (2025-12-06) | Task Runner Guild | TASKRUN-OBS-55-001 | Capture extra debug data and notifications for incident mode runs. |
| Sprint 55 | Observability & Forensics Phase 6 Incident Mode | src/Telemetry/StellaOps.Telemetry.Core | TODO | Observability Guild | TELEMETRY-OBS-55-001 | Implement incident mode sampling toggle API with activation audit trail. |
| Sprint 55 | Observability & Forensics Phase 6 Incident Mode | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-OBS-55-001 | Deliver /obs/incident-mode control endpoints with audit + retention previews. |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | docs | TODO | Docs Guild | DOCS-AIRGAP-56-001 | Publish /docs/airgap/overview.md. |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | docs | TODO | Docs Guild | DOCS-AIRGAP-56-002 | Document sealing and egress controls. |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | docs | TODO | Docs Guild | DOCS-AIRGAP-56-003 | Publish mirror bundles guide. |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | docs | TODO | Docs Guild | DOCS-AIRGAP-56-004 | Publish bootstrap pack guide. |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | ops/devops | TODO | DevOps Guild | DEVOPS-AIRGAP-56-001 | Publish deny-all egress policies and verification script for sealed environments. |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | ops/devops | TODO | DevOps Guild | DEVOPS-AIRGAP-56-002 | Provide bundle staging/import scripts for air-gapped object stores. |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | ops/devops | TODO | DevOps Guild | DEVOPS-AIRGAP-56-003 | Build Bootstrap Pack pipeline bundling images/charts with checksums. |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | src/AirGap/StellaOps.AirGap.Controller | TODO | AirGap Controller Guild | AIRGAP-CTL-56-001 | Implement sealing state machine, persistence, and RBAC scopes for air-gapped status. |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | src/AirGap/StellaOps.AirGap.Controller | TODO | AirGap Controller Guild | AIRGAP-CTL-56-002 | Expose seal/status APIs with policy hash validation and staleness placeholders. |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | src/AirGap/StellaOps.AirGap.Importer | TODO | AirGap Importer Guild | AIRGAP-IMP-56-001 | Implement DSSE/TUF/Merkle verification helpers. |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | src/AirGap/StellaOps.AirGap.Importer | TODO | AirGap Importer Guild | AIRGAP-IMP-56-002 | Enforce root rotation policy for bundles. |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | src/AirGap/StellaOps.AirGap.Policy | TODO | AirGap Policy Guild | AIRGAP-POL-56-001 | Ship EgressPolicy facade with sealed/unsealed enforcement and remediation errors. |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | src/AirGap/StellaOps.AirGap.Policy | TODO | AirGap Policy Guild | AIRGAP-POL-56-002 | Deliver Roslyn analyzer blocking raw HTTP clients; wire into CI. |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-AIRGAP-56-001 | Implement mirror create/verify and airgap verify commands. |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-OBS-50-001 | Ensure telemetry propagation for sealed logging. |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-AIRGAP-56-001 | Add mirror ingestion adapters preserving source metadata. |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-AIRGAP-56-001 | Add VEX mirror ingestion adapters. |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-AIRGAP-56-001 | Extend export center to build mirror bundles. |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | src/Mirror/StellaOps.Mirror.Creator | TODO | Mirror Creator Guild | MIRROR-CRT-56-001 | Build deterministic bundle assembler (advisories/vex/policy). |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-AIRGAP-56-001 | Validate jobs against sealed-mode restrictions. |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-AIRGAP-56-001 | Accept policy packs from bundles with provenance tracking. |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | src/TaskRunner/StellaOps.TaskRunner | TODO | Task Runner Guild | TASKRUN-AIRGAP-56-001 | Enforce sealed-mode plan validation for network calls. |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | src/Telemetry/StellaOps.Telemetry.Core | TODO | Observability Guild | TELEMETRY-OBS-56-001 | (Carry) Extend telemetry core with sealed-mode hooks before integration. |
| Sprint 56 | Air-Gapped Mode Phase 1 Sealing Foundations | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-OBS-56-001 | Extend telemetry core usage for sealed-mode status surfaces (seal/unseal dashboards, drift signals). |
| Sprint 57 | Air-Gapped Mode Phase 2 Mirror Bundles & Imports | docs | TODO | Docs Guild | DOCS-AIRGAP-57-001 | Publish staleness/time doc. |
| Sprint 57 | Air-Gapped Mode Phase 2 Mirror Bundles & Imports | docs | TODO | Docs Guild | DOCS-AIRGAP-57-002 | Publish console airgap doc. |
| Sprint 57 | Air-Gapped Mode Phase 2 Mirror Bundles & Imports | docs | TODO | Docs Guild | DOCS-AIRGAP-57-003 | Publish CLI airgap doc. |
| Sprint 57 | Air-Gapped Mode Phase 2 Mirror Bundles & Imports | docs | TODO | Docs Guild | DOCS-AIRGAP-57-004 | Publish airgap operations runbook. |
| Sprint 57 | Air-Gapped Mode Phase 2 Mirror Bundles & Imports | ops/devops | TODO | DevOps Guild | DEVOPS-AIRGAP-57-001 | Automate mirror bundle creation with approvals. |
| Sprint 57 | Air-Gapped Mode Phase 2 Mirror Bundles & Imports | ops/devops | TODO | DevOps Guild | DEVOPS-AIRGAP-57-002 | Run sealed-mode CI suite enforcing zero egress. |
| Sprint 57 | Air-Gapped Mode Phase 2 Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Importer | TODO | AirGap Importer Guild | AIRGAP-IMP-57-001 | Implement bundle catalog with RLS + migrations. |
| Sprint 57 | Air-Gapped Mode Phase 2 Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Importer | TODO | AirGap Importer Guild | AIRGAP-IMP-57-002 | Load artifacts into object store with checksum verification. |
| Sprint 57 | Air-Gapped Mode Phase 2 Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Policy | TODO | AirGap Policy Guild | AIRGAP-POL-57-001 | Adopt EgressPolicy in core services. |
| Sprint 57 | Air-Gapped Mode Phase 2 Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Policy | TODO | AirGap Policy Guild | AIRGAP-POL-57-002 | Enforce Task Runner job plan validation. |
| Sprint 57 | Air-Gapped Mode Phase 2 Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Time | TODO | AirGap Time Guild | AIRGAP-TIME-57-001 | Parse signed time tokens and expose normalized anchors. |
| Sprint 57 | Air-Gapped Mode Phase 2 Mirror Bundles & Imports | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-AIRGAP-57-001 | Complete airgap import CLI with diff preview. |
| Sprint 57 | Air-Gapped Mode Phase 2 Mirror Bundles & Imports | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-AIRGAP-57-002 | Ship seal/status CLI commands. |
| Sprint 57 | Air-Gapped Mode Phase 2 Mirror Bundles & Imports | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-AIRGAP-56-002 | Deliver bootstrap pack artifacts. |
| Sprint 57 | Air-Gapped Mode Phase 2 Mirror Bundles & Imports | src/Mirror/StellaOps.Mirror.Creator | TODO | Mirror Creator Guild | MIRROR-CRT-57-001 | Add OCI image support to mirror bundles. |
| Sprint 57 | Air-Gapped Mode Phase 2 Mirror Bundles & Imports | src/Mirror/StellaOps.Mirror.Creator | TODO | Mirror Creator Guild | MIRROR-CRT-57-002 | Embed signed time anchors in bundles. |
| Sprint 57 | Air-Gapped Mode Phase 2 Mirror Bundles & Imports | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-AIRGAP-56-001 | Lock notifications to enclave-safe channels. |
| Sprint 57 | Air-Gapped Mode Phase 2 Mirror Bundles & Imports | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-AIRGAP-56-002 | Integrate sealing status + staleness into scheduling. |
| Sprint 57 | Air-Gapped Mode Phase 2 Mirror Bundles & Imports | src/TaskRunner/StellaOps.TaskRunner | DONE (2025-12-03) | Task Runner Guild | TASKRUN-AIRGAP-56-002 | Provide bundle ingestion helper steps. |
| Sprint 58 | Air-Gapped Mode Phase 3 Staleness & Enforcement | docs | TODO | Docs Guild | DOCS-AIRGAP-58-001 | Publish degradation matrix doc. |
| Sprint 58 | Air-Gapped Mode Phase 3 Staleness & Enforcement | docs | TODO | Docs Guild | DOCS-AIRGAP-58-002 | Update trust & signing doc for DSSE/TUF roots. |
| Sprint 58 | Air-Gapped Mode Phase 3 Staleness & Enforcement | docs | TODO | Docs Guild | DOCS-AIRGAP-58-003 | Publish developer airgap contracts doc. |
| Sprint 58 | Air-Gapped Mode Phase 3 Staleness & Enforcement | docs | TODO | Docs Guild | DOCS-AIRGAP-58-004 | Document portable evidence workflows. |
| Sprint 58 | Air-Gapped Mode Phase 3 Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Controller | TODO | AirGap Controller Guild | AIRGAP-CTL-58-001 | Persist time anchor data and expose drift metrics. |
| Sprint 58 | Air-Gapped Mode Phase 3 Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Policy | TODO | AirGap Policy Guild | AIRGAP-POL-58-001 | Disable remote observability exporters in sealed mode. |
| Sprint 58 | Air-Gapped Mode Phase 3 Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Policy | TODO | AirGap Policy Guild | AIRGAP-POL-58-002 | Add CLI sealed-mode guard. |
| Sprint 58 | Air-Gapped Mode Phase 3 Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Time | TODO | AirGap Time Guild | AIRGAP-TIME-58-001 | Compute drift/staleness metrics and surface via controller status. |
| Sprint 58 | Air-Gapped Mode Phase 3 Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Time | TODO | AirGap Time Guild | AIRGAP-TIME-58-002 | Emit notifications/events for staleness budgets. |
| Sprint 58 | Air-Gapped Mode Phase 3 Staleness & Enforcement | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-AIRGAP-58-001 | Ship portable evidence export helper. |
| Sprint 58 | Air-Gapped Mode Phase 3 Staleness & Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-AIRGAP-57-002 | Annotate advisories with staleness metadata. |
| Sprint 58 | Air-Gapped Mode Phase 3 Staleness & Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-AIRGAP-57-002 | Annotate VEX statements with staleness metadata. |
| Sprint 58 | Air-Gapped Mode Phase 3 Staleness & Enforcement | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-AIRGAP-57-001 | Add portable evidence export integration. |
| Sprint 58 | Air-Gapped Mode Phase 3 Staleness & Enforcement | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-AIRGAP-57-001 | Notify on drift/staleness thresholds. |
| Sprint 58 | Air-Gapped Mode Phase 3 Staleness & Enforcement | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-AIRGAP-58-001 | Link import/export jobs to timeline/evidence. |
| Sprint 58 | Air-Gapped Mode Phase 3 Staleness & Enforcement | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-AIRGAP-57-002 | Show degradation fallback info in explain traces. |
| Sprint 58 | Air-Gapped Mode Phase 3 Staleness & Enforcement | src/TaskRunner/StellaOps.TaskRunner | TODO | Task Runner Guild | TASKRUN-AIRGAP-58-001 | Capture import job evidence transcripts. |
| Sprint 59 | Air-Gapped Mode Phase 4 Deterministic Jobs & Enforcement | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild | CONCELIER-WEB-AIRGAP-57-001 | Map sealed-mode violations to standard errors. |
| Sprint 59 | Air-Gapped Mode Phase 4 Deterministic Jobs & Enforcement | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild | EXCITITOR-WEB-AIRGAP-57-001 | Map sealed-mode violations to standard errors. |
| Sprint 59 | Air-Gapped Mode Phase 4 Deterministic Jobs & Enforcement | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-AIRGAP-58-001 | Emit notifications/timeline for bundle readiness. |
| Sprint 59 | Air-Gapped Mode Phase 4 Deterministic Jobs & Enforcement | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-AIRGAP-56-002 | Enforce staleness thresholds for findings exports. |
| Sprint 59 | Air-Gapped Mode Phase 4 Deterministic Jobs & Enforcement | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-AIRGAP-58-001 | Notify on portable evidence exports. |
| Sprint 59 | Air-Gapped Mode Phase 4 Deterministic Jobs & Enforcement | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-AIRGAP-57-001 | Automate mirror bundle job scheduling with audit provenance. |
| Sprint 59 | Air-Gapped Mode Phase 4 Deterministic Jobs & Enforcement | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-AIRGAP-57-001 | Enforce sealed-mode guardrails inside evaluation engine. |
| Sprint 59 | Air-Gapped Mode Phase 4 Deterministic Jobs & Enforcement | src/TaskRunner/StellaOps.TaskRunner | TODO | Task Runner Guild | TASKRUN-AIRGAP-57-001 | Block execution when seal state mismatched; emit timeline events. |
| Sprint 60 | Air-Gapped Mode Phase 5 Evidence Portability & UX | docs | TODO | Docs Guild | DOCS-AIRGAP-58-004 | Document portable evidence workflows. |
| Sprint 60 | Air-Gapped Mode Phase 5 Evidence Portability & UX | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-AIRGAP-58-001 | Finalize portable evidence CLI workflow with verification. |
| Sprint 60 | Air-Gapped Mode Phase 5 Evidence Portability & UX | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild | CONCELIER-WEB-AIRGAP-58-001 | Emit timeline events for bundle imports. |
| Sprint 60 | Air-Gapped Mode Phase 5 Evidence Portability & UX | src/EvidenceLocker/StellaOps.EvidenceLocker | TODO | Evidence Locker Guild | EVID-OBS-60-001 | Deliver portable evidence export flow for sealed environments with checksum manifest and offline verification script. |
| Sprint 60 | Air-Gapped Mode Phase 5 Evidence Portability & UX | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild | EXCITITOR-WEB-AIRGAP-58-001 | Emit timeline events for VEX bundle imports. |
| Sprint 60 | Air-Gapped Mode Phase 5 Evidence Portability & UX | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-AIRGAP-57-001 | Link findings to portable evidence bundles. |
| Sprint 60 | Air-Gapped Mode Phase 5 Evidence Portability & UX | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-AIRGAP-58-001 | (Carry) Portable evidence notifications. |
| Sprint 60 | Air-Gapped Mode Phase 5 Evidence Portability & UX | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-AIRGAP-58-001 | Notify on stale policy packs and guide remediation. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | docs | TODO | Docs Guild | DOCS-OAS-61-001 | Publish /docs/api/overview.md. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | docs | TODO | Docs Guild | DOCS-OAS-61-002 | Publish /docs/api/conventions.md. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | docs | TODO | Docs Guild | DOCS-OAS-61-003 | Publish /docs/api/versioning.md. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | ops/devops | TODO | DevOps Guild | DEVOPS-OAS-61-001 | Add OAS lint/validation/diff stages to CI. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/Api/StellaOps.Api.Governance | TODO | API Governance Guild | APIGOV-61-001 | Configure lint rules and CI enforcement. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/Api/StellaOps.Api.Governance | TODO | API Governance Guild | APIGOV-61-002 | Enforce example coverage in CI. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/Api/StellaOps.Api.OpenApi | TODO | API Contracts Guild | OAS-61-001 | Scaffold per-service OpenAPI skeletons with shared components. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/Api/StellaOps.Api.OpenApi | TODO | API Contracts Guild | OAS-61-002 | Build aggregate composer and integrate into CI. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/Authority/StellaOps.Authority | TODO | Authority Core & Security Guild | AUTH-OAS-61-001 | Document Authority authentication APIs in OAS. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/Authority/StellaOps.Authority | TODO | Authority Core & Security Guild | AUTH-OAS-61-002 | Provide Authority discovery endpoint. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-OAS-61-001 | Update advisory OAS coverage. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-OAS-61-002 | Populate advisory examples. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild | CONCELIER-WEB-OAS-61-001 | Implement Concelier discovery endpoint. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild | CONCELIER-WEB-OAS-61-002 | Standardize error envelope. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-OAS-61-001 | Update VEX OAS coverage. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-OAS-61-002 | Provide VEX examples. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild | EXCITITOR-WEB-OAS-61-001 | Implement discovery endpoint. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild | EXCITITOR-WEB-OAS-61-002 | Migrate errors to standard envelope. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-OAS-61-001 | Update Exporter spec coverage. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-OAS-61-002 | Implement Exporter discovery endpoint. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-OAS-61-001 | Expand Findings Ledger spec coverage. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-OAS-61-002 | Provide ledger discovery endpoint. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-OAS-61-001 | Update notifier spec coverage. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-OAS-61-002 | Implement notifier discovery endpoint. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-OAS-61-001 | Extend Orchestrator spec coverage. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-OAS-61-002 | Provide orchestrator discovery endpoint. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/TaskRunner/StellaOps.TaskRunner | TODO | Task Runner Guild | TASKRUN-OAS-61-001 | Document Task Runner APIs in OAS. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/TaskRunner/StellaOps.TaskRunner | TODO | Task Runner Guild | TASKRUN-OAS-61-002 | Expose Task Runner discovery endpoint. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-OAS-61-001 | Implement gateway discovery endpoint. |
| Sprint 61 | SDKs & OpenAPI Phase 1 Contract Foundations | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-OAS-61-002 | Standardize error envelope across gateway. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | docs | TODO | Docs Guild | DOCS-CONTRIB-62-001 | Publish API contracts contributing guide. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | docs | TODO | Docs Guild | DOCS-DEVPORT-62-001 | Document dev portal publishing. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | docs | TODO | Docs Guild | DOCS-OAS-62-001 | Deploy /docs/api/reference/ generated site. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | docs | TODO | Docs Guild | DOCS-SDK-62-001 | Publish SDK overview + language guides. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | docs | TODO | Docs Guild | DOCS-SEC-62-001 | Update auth scopes documentation. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | docs | TODO | Docs Guild | DOCS-TEST-62-001 | Publish contract testing doc. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | src/Api/StellaOps.Api.Governance | TODO | API Governance Guild | APIGOV-62-001 | Implement compatibility diff tool. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | src/Api/StellaOps.Api.OpenApi | TODO | API Contracts Guild | OAS-62-001 | Populate examples for top endpoints. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | src/Authority/StellaOps.Authority | TODO | Authority Core & Security Guild | AUTH-OAS-62-001 | Provide SDK auth helpers/tests. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-SDK-62-001 | Migrate CLI to official SDK. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-SDK-62-002 | Update CLI error handling for new envelope. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-OAS-62-001 | Add SDK smoke tests for advisory APIs. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | src/Concelier/StellaOps.Concelier.WebService | TODO | Concelier WebService Guild | CONCELIER-WEB-OAS-62-001 | Add advisory API examples. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | src/DevPortal/StellaOps.DevPortal.Site | TODO | Developer Portal Guild | DEVPORT-62-001 | Build static generator with nav/search. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | src/DevPortal/StellaOps.DevPortal.Site | TODO | Developer Portal Guild | DEVPORT-62-002 | Add schema viewer, examples, version selector. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-OAS-62-001 | Add SDK tests for VEX APIs. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | src/Excititor/StellaOps.Excititor.WebService | TODO | Excititor WebService Guild | EXCITITOR-WEB-OAS-62-001 | Provide VEX API examples. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-OAS-62-001 | Ensure SDK streaming helpers for exports. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-OAS-62-001 | Provide SDK tests for ledger APIs. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-OAS-62-001 | Provide SDK examples for notifier APIs. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | src/Sdk/StellaOps.Sdk.Generator | TODO | SDK Generator Guild | SDKGEN-62-001 | Establish generator framework. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | src/Sdk/StellaOps.Sdk.Generator | TODO | SDK Generator Guild | SDKGEN-62-002 | Implement shared post-processing helpers. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | src/TaskRunner/StellaOps.TaskRunner | TODO | Task Runner Guild | TASKRUN-OAS-62-001 | Provide SDK examples for pack runs. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-OAS-62-001 | Align pagination/idempotency behaviors. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | test/contract | TODO | Contract Testing Guild | CONTR-62-001 | Generate mock server fixtures. |
| Sprint 62 | SDKs & OpenAPI Phase 2 Examples & Portal | test/contract | TODO | Contract Testing Guild | CONTR-62-002 | Integrate mock server into CI. |
| Sprint 63 | SDKs & OpenAPI Phase 3 SDK Alpha & Try-It | docs | TODO | Docs Guild | DOCS-TEST-62-001 | (Carry) ensure contract testing doc final. |
| Sprint 63 | SDKs & OpenAPI Phase 3 SDK Alpha & Try-It | src/Api/StellaOps.Api.Governance | TODO | API Governance Guild | APIGOV-63-001 | Integrate compatibility diff gating. |
| Sprint 63 | SDKs & OpenAPI Phase 3 SDK Alpha & Try-It | src/Api/StellaOps.Api.OpenApi | TODO | API Contracts Guild | OAS-63-001 | Compatibility diff support. |
| Sprint 63 | SDKs & OpenAPI Phase 3 SDK Alpha & Try-It | src/Api/StellaOps.Api.OpenApi | TODO | API Contracts Guild | OAS-63-002 | Define discovery schema metadata. |
| Sprint 63 | SDKs & OpenAPI Phase 3 SDK Alpha & Try-It | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-SDK-63-001 | Add CLI spec download command. |
| Sprint 63 | SDKs & OpenAPI Phase 3 SDK Alpha & Try-It | src/DevPortal/StellaOps.DevPortal.Site | TODO | Developer Portal Guild | DEVPORT-63-001 | Add Try-It console. |
| Sprint 63 | SDKs & OpenAPI Phase 3 SDK Alpha & Try-It | src/DevPortal/StellaOps.DevPortal.Site | TODO | Developer Portal Guild | DEVPORT-63-002 | Embed SDK snippets/quick starts. |
| Sprint 63 | SDKs & OpenAPI Phase 3 SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Generator | TODO | SDK Generator Guild | SDKGEN-63-001 | Release TypeScript SDK alpha. |
| Sprint 63 | SDKs & OpenAPI Phase 3 SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Generator | TODO | SDK Generator Guild | SDKGEN-63-002 | Release Python SDK alpha. |
| Sprint 63 | SDKs & OpenAPI Phase 3 SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Generator | TODO | SDK Generator Guild | SDKGEN-63-003 | Release Go SDK alpha. |
| Sprint 63 | SDKs & OpenAPI Phase 3 SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Generator | TODO | SDK Generator Guild | SDKGEN-63-004 | Release Java SDK alpha. |
| Sprint 63 | SDKs & OpenAPI Phase 3 SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Release | TODO | SDK Release Guild | SDKREL-63-001 | Configure SDK release pipelines. |
| Sprint 63 | SDKs & OpenAPI Phase 3 SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Release | TODO | SDK Release Guild | SDKREL-63-002 | Automate changelogs from OAS diffs. |
| Sprint 63 | SDKs & OpenAPI Phase 3 SDK Alpha & Try-It | test/contract | TODO | Contract Testing Guild | CONTR-63-001 | Build replay harness for drift detection. |
| Sprint 63 | SDKs & OpenAPI Phase 3 SDK Alpha & Try-It | test/contract | TODO | Contract Testing Guild | CONTR-63-002 | Emit contract testing metrics. |
| Sprint 64 | SDKs & OpenAPI Phase 4 Harden & Offline Bundles | docs | TODO | Docs Guild | DOCS-AIRGAP-DEVPORT-64-001 | Document devportal offline usage. |
| Sprint 64 | SDKs & OpenAPI Phase 4 Harden & Offline Bundles | ops/devops | TODO | DevOps Guild | DEVOPS-DEVPORT-63-001 | Automate developer portal pipeline. |
| Sprint 64 | SDKs & OpenAPI Phase 4 Harden & Offline Bundles | ops/devops | TODO | DevOps Guild | DEVOPS-DEVPORT-64-001 | Schedule offline bundle builds. |
| Sprint 64 | SDKs & OpenAPI Phase 4 Harden & Offline Bundles | src/DevPortal/StellaOps.DevPortal.Site | TODO | Developer Portal Guild | DEVPORT-64-001 | Offline portal build. |
| Sprint 64 | SDKs & OpenAPI Phase 4 Harden & Offline Bundles | src/DevPortal/StellaOps.DevPortal.Site | TODO | Developer Portal Guild | DEVPORT-64-002 | Add accessibility/performance checks. |
| Sprint 64 | SDKs & OpenAPI Phase 4 Harden & Offline Bundles | src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline | TODO | DevPortal Offline Guild | DVOFF-64-001 | Implement devportal offline export job. |
| Sprint 64 | SDKs & OpenAPI Phase 4 Harden & Offline Bundles | src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline | TODO | DevPortal Offline Guild | DVOFF-64-002 | Provide verification CLI. |
| Sprint 64 | SDKs & OpenAPI Phase 4 Harden & Offline Bundles | src/Sdk/StellaOps.Sdk.Generator | TODO | SDK Generator Guild | SDKGEN-64-001 | Migrate CLI to SDK. |
| Sprint 64 | SDKs & OpenAPI Phase 4 Harden & Offline Bundles | src/Sdk/StellaOps.Sdk.Generator | TODO | SDK Generator Guild | SDKGEN-64-002 | Integrate SDKs into Console. |
| Sprint 64 | SDKs & OpenAPI Phase 4 Harden & Offline Bundles | src/Sdk/StellaOps.Sdk.Release | TODO | SDK Release Guild | SDKREL-64-001 | Hook SDK releases to Notifications. |
| Sprint 64 | SDKs & OpenAPI Phase 4 Harden & Offline Bundles | src/Sdk/StellaOps.Sdk.Release | TODO | SDK Release Guild | SDKREL-64-002 | Produce devportal offline bundle. |
| Sprint 65 | SDKs & OpenAPI Phase 5 Deprecation & Notifications | docs | TODO | Docs Guild | DOCS-AIRGAP-DEVPORT-64-001 | (Carry) ensure offline doc published; update as necessary. |
| Sprint 65 | SDKs & OpenAPI Phase 5 Deprecation & Notifications | src/Api/StellaOps.Api.Governance | TODO | API Governance Guild | APIGOV-63-001 | (Carry) compatibility gating monitoring. |
| Sprint 65 | SDKs & OpenAPI Phase 5 Deprecation & Notifications | src/Authority/StellaOps.Authority | DONE (2025-11-01) | Authority Core & Security Guild | AUTH-OAS-63-001 | Deprecation headers for auth endpoints. |
| Sprint 65 | SDKs & OpenAPI Phase 5 Deprecation & Notifications | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-SDK-64-001 | SDK update awareness command. |
| Sprint 65 | SDKs & OpenAPI Phase 5 Deprecation & Notifications | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-OAS-63-001 | Deprecation metadata for Concelier APIs. |
| Sprint 65 | SDKs & OpenAPI Phase 5 Deprecation & Notifications | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-OAS-63-001 | Deprecation metadata for VEX APIs. |
| Sprint 65 | SDKs & OpenAPI Phase 5 Deprecation & Notifications | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-OAS-63-001 | Deprecation headers for exporter APIs. |
| Sprint 65 | SDKs & OpenAPI Phase 5 Deprecation & Notifications | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-OAS-63-001 | Deprecation headers for ledger APIs. |
| Sprint 65 | SDKs & OpenAPI Phase 5 Deprecation & Notifications | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-OAS-63-001 | Emit deprecation notifications. |
| Sprint 65 | SDKs & OpenAPI Phase 5 Deprecation & Notifications | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-OAS-63-001 | Add orchestrator deprecation headers. |
| Sprint 65 | SDKs & OpenAPI Phase 5 Deprecation & Notifications | src/Sdk/StellaOps.Sdk.Release | TODO | SDK Release Guild | SDKREL-64-001 | Production rollout of notifications feed. |
| Sprint 65 | SDKs & OpenAPI Phase 5 Deprecation & Notifications | src/TaskRunner/StellaOps.TaskRunner | TODO | Task Runner Guild | TASKRUN-OAS-63-001 | Add Task Runner deprecation headers. |
| Sprint 65 | SDKs & OpenAPI Phase 5 Deprecation & Notifications | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-OAS-63-001 | Implement deprecation headers in gateway. |
| Sprint 66 | Risk Profiles Phase 1 Foundations | docs | TODO | Docs Guild | DOCS-RISK-66-001 | Publish /docs/risk/overview.md. |
| Sprint 66 | Risk Profiles Phase 1 Foundations | docs | TODO | Docs Guild | DOCS-RISK-66-002 | Publish /docs/risk/profiles.md. |
| Sprint 66 | Risk Profiles Phase 1 Foundations | docs | TODO | Docs Guild | DOCS-RISK-66-003 | Publish /docs/risk/factors.md. |
| Sprint 66 | Risk Profiles Phase 1 Foundations | docs | TODO | Docs Guild | DOCS-RISK-66-004 | Publish /docs/risk/formulas.md. |
| Sprint 66 | Risk Profiles Phase 1 Foundations | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-RISK-66-001 | Implement CLI profile management commands. |
| Sprint 66 | Risk Profiles Phase 1 Foundations | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-RISK-66-002 | Implement CLI simulation command. |
| Sprint 66 | Risk Profiles Phase 1 Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-RISK-66-001 | Expose CVSS/KEV provider data. |
| Sprint 66 | Risk Profiles Phase 1 Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-RISK-66-002 | Provide fix availability signals. |
| Sprint 66 | Risk Profiles Phase 1 Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-RISK-66-001 | Supply VEX gating data to risk engine. |
| Sprint 66 | Risk Profiles Phase 1 Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-RISK-66-002 | Provide reachability inputs. |
| Sprint 66 | Risk Profiles Phase 1 Foundations | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-RISK-66-001 | Add risk scoring columns/indexes. |
| Sprint 66 | Risk Profiles Phase 1 Foundations | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-RISK-66-002 | Implement deterministic scoring upserts. |
| Sprint 66 | Risk Profiles Phase 1 Foundations | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-RISK-66-001 | Create risk severity alert templates. |
| Sprint 66 | Risk Profiles Phase 1 Foundations | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-RISK-66-003 | Integrate schema validation into Policy Engine. |
| Sprint 66 | Risk Profiles Phase 1 Foundations | src/Policy/StellaOps.Policy.RiskProfile | TODO | Risk Profile Schema Guild | POLICY-RISK-66-001 | Deliver RiskProfile schema + validators. |
| Sprint 66 | Risk Profiles Phase 1 Foundations | src/Policy/StellaOps.Policy.RiskProfile | TODO | Risk Profile Schema Guild | POLICY-RISK-66-002 | Implement inheritance/merge and hashing. |
| Sprint 66 | Risk Profiles Phase 1 Foundations | src/Policy/__Libraries/StellaOps.Policy | TODO | Policy Guild | POLICY-RISK-66-004 | Extend Policy libraries for RiskProfile handling. |
| Sprint 66 | Risk Profiles Phase 1 Foundations | src/RiskEngine/StellaOps.RiskEngine | TODO | Risk Engine Guild | RISK-ENGINE-66-001 | Scaffold risk engine queue/worker/registry. |
| Sprint 66 | Risk Profiles Phase 1 Foundations | src/RiskEngine/StellaOps.RiskEngine | TODO | Risk Engine Guild | RISK-ENGINE-66-002 | Implement transforms/gates/contribution calculator. |
| Sprint 66 | Risk Profiles Phase 1 Foundations | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-RISK-66-001 | Expose risk API routing in gateway. |
| Sprint 66 | Risk Profiles Phase 1 Foundations | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-RISK-66-002 | Handle explainability downloads. |
| Sprint 67 | Risk Profiles Phase 2 Providers & Lifecycle | docs | TODO | Docs Guild | DOCS-RISK-67-001 | Publish explainability doc. |
| Sprint 67 | Risk Profiles Phase 2 Providers & Lifecycle | docs | TODO | Docs Guild | DOCS-RISK-67-002 | Publish risk API doc. |
| Sprint 67 | Risk Profiles Phase 2 Providers & Lifecycle | docs | TODO | Docs Guild | DOCS-RISK-67-003 | Publish console risk UI doc. |
| Sprint 67 | Risk Profiles Phase 2 Providers & Lifecycle | docs | TODO | Docs Guild | DOCS-RISK-67-004 | Publish CLI risk doc. |
| Sprint 67 | Risk Profiles Phase 2 Providers & Lifecycle | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-RISK-67-001 | Provide risk results query command. |
| Sprint 67 | Risk Profiles Phase 2 Providers & Lifecycle | src/Concelier/__Libraries/StellaOps.Concelier.Core | TODO | Concelier Core Guild | CONCELIER-RISK-67-001 | Add source consensus metrics. |
| Sprint 67 | Risk Profiles Phase 2 Providers & Lifecycle | src/Excititor/__Libraries/StellaOps.Excititor.Core | TODO | Excititor Core Guild | EXCITITOR-RISK-67-001 | Add VEX explainability metadata. |
| Sprint 67 | Risk Profiles Phase 2 Providers & Lifecycle | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-RISK-67-001 | Notify on profile publish/deprecate. |
| Sprint 67 | Risk Profiles Phase 2 Providers & Lifecycle | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | (Prep) risk routing settings seeds. |
| Sprint 67 | Risk Profiles Phase 2 Providers & Lifecycle | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-RISK-67-001 | Enqueue scoring on new findings. |
| Sprint 67 | Risk Profiles Phase 2 Providers & Lifecycle | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-RISK-67-002 | Deliver profile lifecycle APIs. |
| Sprint 67 | Risk Profiles Phase 2 Providers & Lifecycle | src/Policy/StellaOps.Policy.RiskProfile | TODO | Risk Profile Schema Guild | POLICY-RISK-67-001 | Integrate profiles into policy store lifecycle. |
| Sprint 67 | Risk Profiles Phase 2 Providers & Lifecycle | src/Policy/StellaOps.Policy.RiskProfile | TODO | Risk Profile Schema Guild | POLICY-RISK-67-002 | Publish schema endpoint + validation tooling. |
| Sprint 67 | Risk Profiles Phase 2 Providers & Lifecycle | src/Policy/__Libraries/StellaOps.Policy | TODO | Policy Guild | POLICY-RISK-67-003 | Provide simulation orchestration APIs. |
| Sprint 67 | Risk Profiles Phase 2 Providers & Lifecycle | src/RiskEngine/StellaOps.RiskEngine | TODO | Risk Engine Guild | RISK-ENGINE-67-001 | Integrate CVSS/KEV providers. |
| Sprint 67 | Risk Profiles Phase 2 Providers & Lifecycle | src/RiskEngine/StellaOps.RiskEngine | TODO | Risk Engine Guild | RISK-ENGINE-67-002 | Integrate VEX gate provider. |
| Sprint 67 | Risk Profiles Phase 2 Providers & Lifecycle | src/RiskEngine/StellaOps.RiskEngine | TODO | Risk Engine Guild | RISK-ENGINE-67-003 | Add fix availability/criticality/exposure providers. |
| Sprint 67 | Risk Profiles Phase 2 Providers & Lifecycle | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-RISK-67-001 | Provide risk status endpoint. |
| Sprint 68 | Risk Profiles Phase 3 APIs & Ledger | docs | TODO | Docs Guild | DOCS-RISK-68-001 | Publish risk bundle doc. |
| Sprint 68 | Risk Profiles Phase 3 APIs & Ledger | docs | TODO | Docs Guild | DOCS-RISK-68-002 | Update AOC invariants doc. |
| Sprint 68 | Risk Profiles Phase 3 APIs & Ledger | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-RISK-68-001 | Add risk bundle verification command. |
| Sprint 68 | Risk Profiles Phase 3 APIs & Ledger | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-RISK-67-001 | Provide scored findings query API. |
| Sprint 68 | Risk Profiles Phase 3 APIs & Ledger | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-RISK-68-001 | Enable scored findings export. |
| Sprint 68 | Risk Profiles Phase 3 APIs & Ledger | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | Configure risk notification routing UI/logic. |
| Sprint 68 | Risk Profiles Phase 3 APIs & Ledger | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-RISK-68-001 | Ship simulation API endpoint. |
| Sprint 68 | Risk Profiles Phase 3 APIs & Ledger | src/Policy/__Libraries/StellaOps.Policy | TODO | Policy Guild | POLICY-RISK-68-002 | Support profile export/import. |
| Sprint 68 | Risk Profiles Phase 3 APIs & Ledger | src/RiskEngine/StellaOps.RiskEngine | TODO | Risk Engine Guild | RISK-ENGINE-68-001 | Persist scoring results & explanations. |
| Sprint 68 | Risk Profiles Phase 3 APIs & Ledger | src/RiskEngine/StellaOps.RiskEngine | TODO | Risk Engine Guild | RISK-ENGINE-68-002 | Expose jobs/results/explanations APIs. |
| Sprint 68 | Risk Profiles Phase 3 APIs & Ledger | src/Web/StellaOps.Web | TODO | BE-Base Platform Guild | WEB-RISK-68-001 | Emit severity transition events via gateway. |
| Sprint 69 | Risk Profiles Phase 4 Simulation & Reporting | docs | TODO | Docs Guild | DOCS-RISK-67-001..004 | (Carry) ensure docs updated from simulation release. |
| Sprint 69 | Risk Profiles Phase 4 Simulation & Reporting | src/ExportCenter/StellaOps.ExportCenter.RiskBundles | TODO | Risk Bundle Export Guild | RISK-BUNDLE-69-001 | Build risk bundle. |
| Sprint 69 | Risk Profiles Phase 4 Simulation & Reporting | src/ExportCenter/StellaOps.ExportCenter.RiskBundles | TODO | Risk Bundle Export Guild | RISK-BUNDLE-69-002 | Integrate bundle into pipelines. |
| Sprint 69 | Risk Profiles Phase 4 Simulation & Reporting | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-RISK-69-002 | Enable simulation report exports. |
| Sprint 69 | Risk Profiles Phase 4 Simulation & Reporting | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-RISK-66-001 | (Completion) finalize severity alert templates. |
| Sprint 69 | Risk Profiles Phase 4 Simulation & Reporting | src/RiskEngine/StellaOps.RiskEngine | TODO | Risk Engine Guild | RISK-ENGINE-69-001 | Implement simulation mode. |
| Sprint 69 | Risk Profiles Phase 4 Simulation & Reporting | src/RiskEngine/StellaOps.RiskEngine | TODO | Risk Engine Guild | RISK-ENGINE-69-002 | Add telemetry/metrics dashboards. |
| Sprint 70 | Risk Profiles Phase 5 Air-Gap & Advanced Factors | docs | TODO | Docs Guild | DOCS-RISK-68-001 | (Carry) finalize risk bundle doc after verification CLI. |
| Sprint 70 | Risk Profiles Phase 5 Air-Gap & Advanced Factors | src/ExportCenter/StellaOps.ExportCenter.RiskBundles | TODO | Risk Bundle Export Guild | RISK-BUNDLE-70-001 | Provide bundle verification CLI. |
| Sprint 70 | Risk Profiles Phase 5 Air-Gap & Advanced Factors | src/ExportCenter/StellaOps.ExportCenter.RiskBundles | TODO | Risk Bundle Export Guild | RISK-BUNDLE-70-002 | Publish documentation. |
| Sprint 70 | Risk Profiles Phase 5 Air-Gap & Advanced Factors | src/ExportCenter/StellaOps.ExportCenter | TODO | Exporter Service Guild | EXPORT-RISK-70-001 | Integrate risk bundle into offline kit. |
| Sprint 70 | Risk Profiles Phase 5 Air-Gap & Advanced Factors | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | Finalize risk alert routing UI. |
| Sprint 70 | Risk Profiles Phase 5 Air-Gap & Advanced Factors | src/RiskEngine/StellaOps.RiskEngine | TODO | Risk Engine Guild | RISK-ENGINE-70-001 | Support offline provider bundles. |
| Sprint 70 | Risk Profiles Phase 5 Air-Gap & Advanced Factors | src/RiskEngine/StellaOps.RiskEngine | TODO | Risk Engine Guild | RISK-ENGINE-70-002 | Integrate runtime/reachability providers. |
| Sprint 71 | Risk Profiles Phase 6 Quality & Performance | docs | TODO | Docs Guild | DOCS-RISK-67-001..68-002 | Final editorial pass on risk documentation set. |
| Sprint 71 | Risk Profiles Phase 6 Quality & Performance | src/Cli/StellaOps.Cli | TODO | DevEx/CLI Guild | CLI-RISK-66-001..68-001 | Harden CLI commands with integration tests and error handling. |
| Sprint 71 | Risk Profiles Phase 6 Quality & Performance | src/Findings/StellaOps.Findings.Ledger | TODO | Findings Ledger Guild | LEDGER-RISK-69-001 | Finalize dashboards and alerts for scoring latency. |
| Sprint 71 | Risk Profiles Phase 6 Quality & Performance | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | Tune routing/quiet hour dedupe for risk alerts. |
| Sprint 71 | Risk Profiles Phase 6 Quality & Performance | src/RiskEngine/StellaOps.RiskEngine | TODO | Risk Engine Guild | RISK-ENGINE-69-002 | Optimize performance, cache, and incremental scoring; validate SLOs. |
| Sprint 72 | Attestor Console Phase 1 Foundations | ops/devops | TODO | DevOps Guild | DEVOPS-ATTEST-73-001 | (Prep) align CI secrets for Attestor service. |
| Sprint 72 | Attestor Console Phase 1 Foundations | src/Attestor/StellaOps.Attestor.Envelope | TODO | Envelope Guild | ATTEST-ENVELOPE-72-001 | Implement DSSE canonicalization and hashing helpers. |
| Sprint 72 | Attestor Console Phase 1 Foundations | src/Attestor/StellaOps.Attestor.Envelope | TODO | Envelope Guild | ATTEST-ENVELOPE-72-002 | Support compact/expanded output and detached payloads. |
| Sprint 72 | Attestor Console Phase 1 Foundations | src/Attestor/StellaOps.Attestor.Types | DONE | Attestation Payloads Guild | ATTEST-TYPES-72-001 | Draft schemas for all attestation payload types. |
| Sprint 72 | Attestor Console Phase 1 Foundations | src/Attestor/StellaOps.Attestor.Types | DONE | Attestation Payloads Guild | ATTEST-TYPES-72-002 | Generate models/validators from schemas. |
| Sprint 72 | Attestor Console Phase 1 Foundations | src/Attestor/StellaOps.Attestor | TODO | Attestor Service Guild | ATTESTOR-72-001 | Scaffold attestor service skeleton. |
| Sprint 72 | Attestor Console Phase 1 Foundations | src/Attestor/StellaOps.Attestor | TODO | Attestor Service Guild | ATTESTOR-72-002 | Implement attestation store + storage integration. |
| Sprint 72 | Attestor Console Phase 1 Foundations | src/__Libraries/StellaOps.Cryptography.Kms | DONE | KMS Guild | KMS-72-001 | Implement KMS interface + file driver. |
| Sprint 73 | Attestor CLI Phase 2 Signing & Policies | src/Cli/StellaOps.Cli | TODO | CLI Attestor Guild | CLI-ATTEST-73-001 | Implement stella attest sign (payload selection, subject digest, key reference, output format) using official SDK transport. |
| Sprint 73 | Attestor CLI Phase 2 Signing & Policies | src/Cli/StellaOps.Cli | TODO | CLI Attestor Guild | CLI-ATTEST-73-002 | Implement stella attest verify with policy selection, explainability output, and JSON/table formatting. |
| Sprint 73 | Attestor Console Phase 2 Signing & Policies | docs | TODO | Docs Guild | DOCS-ATTEST-73-001 | Publish attestor overview. |
| Sprint 73 | Attestor Console Phase 2 Signing & Policies | docs | DONE | Docs Guild | DOCS-ATTEST-73-002 | Publish payload docs. |
| Sprint 73 | Attestor Console Phase 2 Signing & Policies | docs | TODO | Docs Guild | DOCS-ATTEST-73-003 | Publish policies doc. |
| Sprint 73 | Attestor Console Phase 2 Signing & Policies | docs | TODO | Docs Guild | DOCS-ATTEST-73-004 | Publish workflows doc. |
| Sprint 73 | Attestor Console Phase 2 Signing & Policies | src/Attestor/StellaOps.Attestor.Envelope | TODO | Envelope Guild | ATTEST-ENVELOPE-73-001 | Add signing/verification helpers with KMS integration. |
| Sprint 73 | Attestor Console Phase 2 Signing & Policies | src/Attestor/StellaOps.Attestor.Types | DONE | Attestation Payloads Guild | ATTEST-TYPES-73-001 | Create golden payload fixtures. |
| Sprint 73 | Attestor Console Phase 2 Signing & Policies | src/Attestor/StellaOps.Attestor | DOING | Attestor Service Guild | ATTESTOR-73-001 | Ship signing endpoint. |
| Sprint 73 | Attestor Console Phase 2 Signing & Policies | src/Attestor/StellaOps.Attestor | TODO | Attestor Service Guild | ATTESTOR-73-002 | Ship verification pipeline and reports. |
| Sprint 73 | Attestor Console Phase 2 Signing & Policies | src/Attestor/StellaOps.Attestor | TODO | Attestor Service Guild | ATTESTOR-73-003 | Implement list/fetch APIs. |
| Sprint 73 | Attestor Console Phase 2 Signing & Policies | src/__Libraries/StellaOps.Cryptography.Kms | DONE (2025-10-30) | KMS Guild | KMS-72-002 | CLI support for key import/export. |
| Sprint 73 | Attestor Console Phase 2 Signing & Policies | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ATTEST-73-001 | Implement VerificationPolicy lifecycle. |
| Sprint 73 | Attestor Console Phase 2 Signing & Policies | src/Policy/StellaOps.Policy.Engine | TODO | Policy Guild | POLICY-ATTEST-73-002 | Surface policies in Policy Studio. |
| Sprint 74 | Attestor CLI Phase 3 Transparency & Chain of Custody | src/Cli/StellaOps.Cli | TODO | CLI Attestor Guild | CLI-ATTEST-74-001 | Implement stella attest list with filters (subject, type, issuer, scope) and pagination. |
| Sprint 74 | Attestor CLI Phase 3 Transparency & Chain of Custody | src/Cli/StellaOps.Cli | TODO | CLI Attestor Guild | CLI-ATTEST-74-002 | Implement stella attest fetch to download envelopes and payloads to disk. |
| Sprint 74 | Attestor Console Phase 3 Transparency & Chain of Custody | docs | TODO | Docs Guild | DOCS-ATTEST-74-001 | Publish keys & issuers doc. |
| Sprint 74 | Attestor Console Phase 3 Transparency & Chain of Custody | docs | TODO | Docs Guild | DOCS-ATTEST-74-002 | Publish transparency doc. |
| Sprint 74 | Attestor Console Phase 3 Transparency & Chain of Custody | docs | TODO | Docs Guild | DOCS-ATTEST-74-003 | Publish console attestor UI doc. |
| Sprint 74 | Attestor Console Phase 3 Transparency & Chain of Custody | docs | TODO | Docs Guild | DOCS-ATTEST-74-004 | Publish CLI attest doc. |
| Sprint 74 | Attestor Console Phase 3 Transparency & Chain of Custody | ops/devops | TODO | DevOps Guild | DEVOPS-ATTEST-74-001 | Deploy transparency witness infra. |
| Sprint 74 | Attestor Console Phase 3 Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor.Envelope | TODO | Envelope Guild | ATTEST-ENVELOPE-73-002 | Run fuzz tests for envelope handling. |
| Sprint 74 | Attestor Console Phase 3 Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor.Verify | TODO | Verification Guild | ATTEST-VERIFY-74-001 | Add telemetry for verification pipeline. |
| Sprint 74 | Attestor Console Phase 3 Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor.Verify | TODO | Verification Guild | ATTEST-VERIFY-74-002 | Document verification explainability. |
| Sprint 74 | Attestor Console Phase 3 Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor | DOING | Attestor Service Guild | ATTESTOR-74-001 | Integrate transparency witness client. |
| Sprint 74 | Attestor Console Phase 3 Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor | TODO | Attestor Service Guild | ATTESTOR-74-002 | Implement bulk verification worker. |
| | Sprint 74 | Attestor Console Phase 3 Transparency & Chain of Custody | src/ExportCenter/StellaOps.ExportCenter.AttestationBundles | TODO | Attestation Bundle Guild | EXPORT-ATTEST-74-001 | Build attestation bundle export job. | | Sprint 74 | Attestor Console Phase 3 Transparency & Chain of Custody | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-ATTEST-74-001 | Add verification/key notifications. | | Sprint 74 | Attestor Console Phase 3 Transparency & Chain of Custody | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-ATTEST-74-002 | Notify key rotation/revocation. | | Sprint 75 | Attestor CLI Phase 4 Air Gap & Bulk | src/Cli/StellaOps.Cli | TODO | CLI Attestor Guild, Export Guild | CLI-ATTEST-75-002 | Add support for building/verifying attestation bundles in CLI. | | Sprint 75 | Attestor Console Phase 4 Air Gap & Bulk | docs | TODO | Docs Guild | DOCS-ATTEST-75-001 | Publish attestor airgap doc. | | Sprint 75 | Attestor Console Phase 4 Air Gap & Bulk | docs | TODO | Docs Guild | DOCS-ATTEST-75-002 | Update AOC invariants for attestations. | | Sprint 75 | Attestor Console Phase 4 Air Gap & Bulk | ops/devops | TODO | DevOps Guild | DEVOPS-ATTEST-74-002 | Integrate bundle builds into release/offline pipelines. | | Sprint 75 | Attestor Console Phase 4 Air Gap & Bulk | ops/devops | TODO | DevOps Guild | DEVOPS-ATTEST-75-001 | Dashboards/alerts for attestor metrics. | | Sprint 75 | Attestor Console Phase 4 Air Gap & Bulk | src/Attestor/StellaOps.Attestor | TODO | Attestor Service Guild | ATTESTOR-75-001 | Support attestation bundle export/import for air gap. | | Sprint 75 | Attestor Console Phase 4 Air Gap & Bulk | src/Attestor/StellaOps.Attestor | DONE | Attestor Service Guild | ATTESTOR-75-002 | Harden APIs (rate limits, fuzz tests, threat model actions). 
| | Sprint 75 | Attestor Console Phase 4 Air Gap & Bulk | src/ExportCenter/StellaOps.ExportCenter.AttestationBundles | TODO | Attestation Bundle Guild | EXPORT-ATTEST-75-001 | CLI bundle verify/import. | | Sprint 75 | Attestor Console Phase 4 Air Gap & Bulk | src/ExportCenter/StellaOps.ExportCenter.AttestationBundles | TODO | Attestation Bundle Guild | EXPORT-ATTEST-75-002 | Document attestor airgap workflow. |

Sprint 110 - Ingestion & Evidence

Completed or Dropped Tasks

Theme Task ID Status Owners/Path Notes
110.A) AdvisoryAI AIAI-31-001 DONE (2025-11-02) Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI) Implement structured and vector retrievers for advisories/VEX with paragraph anchors and citation metadata. (Dependencies: CONCELIER-VULN-29-001, EXCITITOR-VULN-29-001.)
110.A) AdvisoryAI AIAI-31-002 DONE (2025-11-04) Advisory AI Guild, SBOM Service Guild (src/AdvisoryAI/StellaOps.AdvisoryAI) Build SBOM context retriever (purl version timelines, dependency paths, env flags, blast radius estimator). (Dependencies: SBOM-VULN-29-001.)
110.A) AdvisoryAI AIAI-31-003 DONE (2025-11-04) Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI) Implement deterministic toolset (version comparators, range checks, dependency analysis, policy lookup) exposed via orchestrator. (Dependencies: AIAI-31-001..002.)
110.A) AdvisoryAI AIAI-31-004 DONE (2025-11-04) Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI) Build orchestration pipeline for Summary/Conflict/Remediation tasks (prompt templates, tool calls, token budgets, caching). (Dependencies: AIAI-31-001..003, AUTH-VULN-29-001.)
110.A) AdvisoryAI AIAI-31-004A DONE (2025-11-04) Advisory AI Guild, Platform Guild (src/AdvisoryAI/StellaOps.AdvisoryAI) Wire orchestrator into WebService/Worker, expose API + queue contract, emit metrics, stub cache. (Dependencies: AIAI-31-004, AIAI-31-002.)
110.A) AdvisoryAI AIAI-31-004B DONE (2025-11-06) Advisory AI Guild, Security Guild (src/AdvisoryAI/StellaOps.AdvisoryAI) Implement prompt assembler, guardrails, cache persistence, DSSE provenance, golden outputs. (Dependencies: AIAI-31-004A, DOCS-AIAI-31-003, AUTH-AIAI-31-004.)
110.A) AdvisoryAI AIAI-31-004C DONE (2025-11-06) Advisory AI Guild, CLI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI) Deliver CLI stella advise run command, renderer, docs, CLI golden tests. (Dependencies: AIAI-31-004B, CLI-AIAI-31-003.)
110.A) AdvisoryAI DOCS-AIAI-31-002 DONE (2025-11-03) Docs Guild, Advisory AI Guild (docs) Author /docs/advisory-ai/architecture.md detailing RAG pipeline, deterministic tooling, caching, model profiles. (Dependencies: AIAI-31-004.)
110.A) AdvisoryAI DOCS-AIAI-31-001 DONE (2025-11-03) Docs Guild, Advisory AI Guild (docs) Publish /docs/advisory-ai/overview.md covering capabilities, guardrails, RBAC personas, and offline posture.
110.A) AdvisoryAI DOCS-AIAI-31-003 DONE (2025-11-03) Docs Guild, Advisory AI Guild (docs) Write /docs/advisory-ai/api.md covering endpoints, schemas, errors, rate limits, and imposed-rule banner. (Dependencies: DOCS-AIAI-31-002.)
110.A) AdvisoryAI DOCS-AIAI-31-007 DONE (2025-11-07) Docs Guild, Security Guild (docs) Write /docs/security/assistant-guardrails.md detailing redaction, injection defense, logging. (Dependencies: AIAI-31-005.)
110.A) AdvisoryAI AIAI-31-005 DONE (2025-11-04) Advisory AI Guild, Security Guild (src/AdvisoryAI/StellaOps.AdvisoryAI) Implement guardrails (redaction, injection defense, output validation, citation enforcement) and fail-safe handling. (Dependencies: AIAI-31-004.)
110.A) AdvisoryAI AIAI-31-006 DONE (2025-11-04) Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI) Expose REST API endpoints (/advisory/ai/*) with RBAC, rate limits, OpenAPI schemas, and batching support. (Dependencies: AIAI-31-004..005.)
110.A) AdvisoryAI AIAI-31-007 DONE (2025-11-06) Advisory AI Guild, Observability Guild (src/AdvisoryAI/StellaOps.AdvisoryAI) Instrument metrics (advisory_ai_latency, guardrail_blocks, validation_failures, citation_coverage), logs, and traces; publish dashboards/alerts. (Dependencies: AIAI-31-004..006.)
110.A) AdvisoryAI AIAI-31-010 DONE (2025-11-02) Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI) Implement Concelier advisory raw document provider mapping CSAF/OSV payloads into structured chunks for retrieval. (Dependencies: CONCELIER-VULN-29-001, EXCITITOR-VULN-29-001.)
110.A) AdvisoryAI AIAI-31-011 DONE (2025-11-02) Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI) Implement Excititor VEX document provider to surface structured VEX statements for retrieval. (Dependencies: EXCITITOR-LNM-21-201, EXCITITOR-CORE-AOC-19-002.)
110.B) Concelier.I CONCELIER-AIAI-31-001 Paragraph anchors DONE Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) Expose advisory chunk API returning paragraph anchors, section metadata, and token-safe text for Advisory AI retrieval.
110.B) Concelier.I CONCELIER-CORE-AOC-19-004 Remove ingestion normalization DONE (2025-11-06) Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) Strip normalization/dedup/severity logic from ingestion pipelines, delegate derived computations to Policy Engine, and update exporters/tests to consume raw documents only.… (Dependencies: CONCELIER-CORE-AOC-19-002, POLICY-AOC-19-003.)
110.B) Concelier.III CONCELIER-OBS-50-001 Telemetry adoption DONE (2025-11-07) Concelier Core Guild, Observability Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) Replace ad-hoc logging with telemetry core across ingestion/linking pipelines; ensure spans/logs include tenant, source vendor, upstream id, content hash, and trace IDs.
110.B) Concelier.IV CONCELIER-VULN-29-001 Advisory key canonicalization DONE (2025-11-07) Concelier WebService Guild, Data Integrity Guild (src/Concelier/StellaOps.Concelier.WebService) Canonicalize (lossless) advisory identifiers (CVE/GHSA/vendor) into advisory_key, persist links[], expose raw payload snapshots for Explorer evidence tabs; AOC-compliant: no… (Dependencies: CONCELIER-LNM-21-001.)
110.B) Concelier.IV CONCELIER-VULN-29-002 Evidence retrieval API DONE (2025-11-07) Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) Provide /vuln/evidence/advisories/{advisory_key} returning raw advisory docs with provenance, filtering by tenant and source. (Dependencies: CONCELIER-VULN-29-001, VULN-API-29-003.)
110.B) Concelier.V CONCELIER-WEB-AOC-19-002 AOC observability DONE (2025-11-07) Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService) Emit ingestion_write_total, aoc_violation_total, latency histograms, and tracing spans (ingest.fetch/transform/write, aoc.guard). Wire structured logging to include…
110.B) Concelier.V CONCELIER-WEB-OAS-61-001 /.well-known/openapi DONE (2025-11-02) Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) Implement discovery endpoint emitting Concelier spec with version metadata and ETag.
110.B) Concelier.V CONCELIER-WEB-OBS-50-001 Telemetry adoption DONE (2025-11-07) Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) Adopt telemetry core in web service host, ensure ingest + read endpoints emit trace/log fields (tenant_id, route, decision_effect), and add correlation IDs to responses.
110.B) Concelier.VI FEEDCONN-ICSCISA-02-012 Version range provenance DONE (2025-11-03) Promote existing firmware/semver data into advisory_observations.affected.versions[] entries with deterministic comparison keys and provenance identifiers (ics-cisa:{advisoryId}:{product}). Add regression coverage for mixed firmware strings and raise a Models ticket only when observation schema needs a new comparison helper.
2025-10-29: Follow docs/dev/normalized-rule-recipes.md §2 to build observation version entries and log failures without invoking the retired merge helpers.
2025-11-03: Completed connector now normalizes semver ranges with provenance notes, RSS fallback content clears the AOC guard, and end-to-end Fetch/Parse/Map integration tests pass.
CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Cisa) DONE (2025-11-03) Promote existing firmware/semver data into advisory_observations.affected.versions[] entries with deterministic comparison keys and provenance…
110.B) Concelier.VI FEEDCONN-KISA-02-008 Firmware range provenance DONE (2025-11-04) Define comparison helpers for Hangul-labelled firmware ranges (XFU 1.0.1.0084 ~ 2.0.1.0034) and map them into advisory_observations.affected.versions[] with provenance tags. Coordinate with Models only if a new comparison scheme is required, then update localisation notes and fixtures for the Link-Not-Merge schema.
2025-11-03: Analysis in progress auditing existing mapper output/fixtures ahead of implementing firmware range normalization and provenance wiring.
2025-11-03: SemVer normalization helper wired through KisaMapper with provenance slugs + vendor extensions; integration tests updated and green, follow-up capture for additional Hangul exclusivity markers queued before completion.
2025-11-03: Extended connector tests to cover single-ended (이상, 초과, 이하, 미만) and non-numeric phrases, verifying normalized rule types (gt, gte, lt, lte) and fallback behaviour; broader corpus review remains before transitioning to DONE.
2025-11-03: Captured the top 10 detailDos.do?IDX= pages into seed-data/kisa/html/ via scripts/kisa_capture_html.py; JSON endpoint (rssDetailData.do?IDX=…) now returns error pages, so connector updates must parse the embedded HTML or secure authenticated API access before closing.
2025-11-04: Fetch + parse pipeline now consumes the HTML detail pages end to end (metadata persisted, DOM parser extracts vendor/product ranges); fixtures/tests operate on the HTML snapshots to guard normalized SemVer + vendor extension expectations and severity extraction.
CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kisa) DONE (2025-11-04) Define comparison helpers for Hangul-labelled firmware ranges (XFU 1.0.1.0084 ~ 2.0.1.0034) and map them into advisory_observations.affected.versions[]
110.B) Concelier.VI FEEDCONN-SHARED-STATE-003 Source state seeding helper DONE (2025-11-04) Delivered SourceStateSeeder CLI + processor APIs, Mongo fixtures, and MSRC runbook updates. Seeds raw docs + cursor state deterministically; tests cover happy/path/idempotent flows (dotnet test src/Concelier/__Tests/StellaOps.Concelier.Connector.Common.Tests/... note: requires libcrypto.so.1.1 when running Mongo2Go locally). Tools (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Common) DONE (2025-11-04) Delivered SourceStateSeeder CLI + processor APIs, Mongo fixtures, and MSRC runbook updates. Seeds raw docs + cursor state deterministically; tests cover…
110.B) Concelier.VI FEEDMERGE-COORD-02-901 Connector deadline check-ins DROPPED (2025-11-07) Scope removed: FeedMerge coordination requires an AOC policy that does not exist yet. Re-open once governance/ownership is defined.
110.B) Concelier.VI FEEDMERGE-COORD-02-902 ICS-CISA version comparison support DROPPED (2025-11-07) Blocked on FEEDMERGE policy/ownership; dropped alongside 02-901.
110.B) Concelier.VI FEEDMERGE-COORD-02-903 KISA firmware scheme review DROPPED (2025-11-07) Blocked on FEEDMERGE policy/ownership; dropped alongside 02-901.
110.B) Concelier.VI Fixture validation sweep DONE (2025-11-04) Regenerated RHSA CSAF goldens via scripts/update-redhat-fixtures.sh (sets UPDATE_GOLDENS=1) and re-ran connector tests dotnet test src/Concelier/__Tests/StellaOps.Concelier.Connector.Distro.RedHat.Tests/StellaOps.Concelier.Connector.Distro.RedHat.Tests.csproj --no-restore to confirm snapshot parity. None (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.RedHat) DONE (2025-11-04) Regenerated RHSA CSAF goldens via scripts/update-redhat-fixtures.sh (sets UPDATE_GOLDENS=1) and re-ran connector tests `dotnet test…
110.B) Concelier.VI Link-Not-Merge version provenance coordination DONE (2025-11-04) Published connector status tracker + follow-up IDs in docs/dev/normalized-rule-recipes.md, enabled Normalized version rules missing diagnostics in Merge, and aligned dashboards on LinksetVersionCoverage. Remaining gaps (ACSC/CCCS/CERTBUND/Cisco/RU-BDU) documented as upstream data deficiencies awaiting feed updates. Dependencies: CONCELIER-LNM-21-203. CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Merge) DONE (2025-11-04) Published connector status tracker + follow-up IDs in docs/dev/normalized-rule-recipes.md, enabled Normalized version rules missing diagnostics in… (Dependencies: CONCELIER-LNM-21-203.)
110.B) Concelier.VI MERGE-LNM-21-001 DONE (2025-11-03) BE-Merge, Architecture Guild (src/Concelier/__Libraries/StellaOps.Concelier.Merge) Draft no-merge migration playbook, documenting backfill strategy, feature flag rollout, and rollback steps for legacy merge pipeline deprecation. 2025-11-03: Authored…
110.B) Concelier.VII MERGE-LNM-21-002 DONE (2025-11-07) BE-Merge (src/Concelier/__Libraries/StellaOps.Concelier.Merge) Refactor or retire AdvisoryMergeService and related pipelines, ensuring callers transition to observation/linkset APIs; add compile-time analyzer preventing merge service usage.…
110.B) Concelier.VII MERGE-LNM-21-003 Determinism/test updates DONE (2025-11-07) MERGE-LNM-21-002 (src/Concelier/__Libraries/StellaOps.Concelier.Merge) Replaced the retired merge determinism harness with observation/linkset/export regressions. AdvisoryObservationFactoryTests now assert raw reference parity + conflict notes,…
110.B) Concelier.VII WEB-AOC-19-001 (dependency) DONE (2025-11-07) BE-Base Platform Guild (docs/aoc/guard-library.md, src/Web/StellaOps.Web) Shared guard primitives now enforce the top-level allowlist (_id, tenant, source, upstream, content, identifiers, linkset, supersedes, created/ingested timestamps, attributes)…
110.C) Excititor.III EXCITITOR-OBS-50-001 Telemetry adoption DONE (2025-11-07) Excititor Core Guild, Observability Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core) Integrate telemetry core across VEX ingestion/linking, ensuring spans/logs capture tenant, product scope, upstream id, justification hash, and trace IDs.
110.C) Excititor.VI EXCITITOR-WEB-AOC-19-001 Raw VEX ingestion APIs DONE (2025-11-08) Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService) Implement POST /ingest/vex, GET /vex/raw*, and POST /aoc/verify endpoints. Enforce Authority scopes, tenant injection, and guard pipeline to ensure only immutable VEX facts…
110.C) Excititor.VI EXCITITOR-WEB-AOC-19-002 AOC observability + metrics DONE (2025-11-08) Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService) Export metrics (ingestion_write_total, aoc_violation_total, signature verification counters) and tracing spans matching Concelier naming. Ensure structured logging includes… (Dependencies: EXCITITOR-WEB-AOC-19-001.)
110.C) Excititor.VI EXCITITOR-WEB-AOC-19-003 Guard + schema test harness DONE (2025-11-08) QA Guild (src/Excititor/StellaOps.Excititor.WebService) Add unit/integration tests for schema validation, forbidden field rejection (ERR_AOC_001/006/007), and supersedes behavior using CycloneDX-VEX & CSAF fixtures with deterministic… (Dependencies: EXCITITOR-WEB-AOC-19-002.)
110.C) Excititor.VI EXCITITOR-WEB-AOC-19-004 Batch ingest validation DONE (2025-11-08) Excititor WebService Guild, QA Guild (src/Excititor/StellaOps.Excititor.WebService) Build large fixture ingest covering mixed VEX statuses, verifying raw storage parity, metrics, and CLI aoc verify compatibility. Document load test/runbook updates. (Dependencies: EXCITITOR-WEB-AOC-19-003.)
110.C) Excititor.VI EXCITITOR-WEB-OBS-50-001 Telemetry adoption DONE (2025-11-07) Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService) Adopt telemetry core for VEX APIs, ensure responses include trace IDs & correlation headers, and update structured logging for read endpoints.
110.C) Excititor.VI EXCITITOR-WEB-OBS-51-001 Observability health endpoints DONE (2025-11-08) Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService) Implement /obs/excititor/health summarizing ingest/link SLOs, signature failure counts, and conflict trends for Console dashboards. (Dependencies: EXCITITOR-WEB-OBS-50-001.)

Progress Notes

  • 110.A) AdvisoryAI 2025-11-03: WebService/Worker scaffolds created with in-memory cache/queue, minimal APIs (/api/v1/advisory/plan, /api/v1/advisory/queue), metrics counters, and plan cache instrumentation; worker processes queue using orchestrator.
  • 110.A) AdvisoryAI 2025-11-04: SBOM base address now flows via SbomContextClientOptions.BaseAddress, worker emits queue/plan metrics, and orchestrator cache keys expanded to cover SBOM hash inputs.
  • 110.A) AdvisoryAI 2025-11-07: Draft doc committed (docs/advisory-ai/console.md) with workflow outline; screenshots will be added once CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 ship.
  • 110.A) AdvisoryAI 2025-11-08: Console endpoints are staffed (CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 DOING); still waiting on EXCITITOR-CONSOLE-23-001 feeds before capturing screenshots/tests.
  • 110.A) AdvisoryAI 2025-11-03: DOCS-AIAI-31-003 moved to DOING drafting Advisory AI API reference (endpoints, rate limits, error model) for sprint 110.
  • 110.A) AdvisoryAI 2025-11-04: AIAI-31-005 DONE guardrail pipeline redacts secrets, enforces citation/injection policies, emits block counters, and tests (AdvisoryGuardrailPipelineTests) cover redaction + citation validation.
  • 110.A) AdvisoryAI 2025-11-03: DOCS-AIAI-31-003 marked DONE docs/advisory-ai/api.md published with scopes, request/response schemas, rate limits, and error catalogue (Docs Guild).
  • 110.A) AdvisoryAI 2025-11-03: DOCS-AIAI-31-001 marked DONE docs/advisory-ai/overview.md published with value, personas, guardrails, observability, and roadmap checklists (Docs Guild).
  • 110.A) AdvisoryAI 2025-11-03: DOCS-AIAI-31-002 marked DONE docs/advisory-ai/architecture.md published describing pipeline, deterministic tooling, caching, and profile governance (Docs Guild).
  • 110.A) AdvisoryAI 2025-11-03: DOCS-AIAI-31-004 marked BLOCKED Console widgets/endpoints (CONSOLE-VULN-29-001, CONSOLE-VEX-30-001, EXCITITOR-CONSOLE-23-001) still pending; cannot document UI flows yet.
  • 110.A) AdvisoryAI 2025-11-03: DOCS-AIAI-31-005 marked BLOCKED CLI implementation (stella advise run, CLI-VULN-29-001, CLI-VEX-30-001) plus AIAI-31-004C not shipped; doc blocked until commands exist.
  • 110.A) AdvisoryAI 2025-11-03: DOCS-AIAI-31-006 marked BLOCKED Advisory AI parameter knobs (POLICY-ENGINE-31-001) absent; doc deferred.
  • 110.A) AdvisoryAI 2025-11-07: DOCS-AIAI-31-007 marked DONE /docs/security/assistant-guardrails.md now documents redaction rules, blocked phrases, telemetry, and alert procedures.
  • 110.A) AdvisoryAI 2025-11-03: DOCS-AIAI-31-008 marked BLOCKED Waiting on SBOM heuristics delivery (SBOM-AIAI-31-001).
  • 110.A) AdvisoryAI 2025-11-03: DOCS-AIAI-31-009 marked BLOCKED DevOps runbook inputs (DEVOPS-AIAI-31-001) outstanding.
  • 110.A) AdvisoryAI 2025-11-03: Shipped /api/v1/advisory/{task} execution and /api/v1/advisory/outputs/{cacheKey} retrieval endpoints with guardrail integration, provenance hashes, and metrics (RBAC & rate limiting still pending Authority scope delivery).
  • 110.A) AdvisoryAI 2025-11-06: AIAI-31-007 completed Advisory AI WebService/Worker emit latency histograms, guardrail/validation counters, citation coverage ratios, and OTEL spans; Grafana dashboard + burn-rate alerts refreshed.
  • 110.A) AdvisoryAI 2025-11-02: AIAI-31-004 kicked off orchestration pipeline design establishing deterministic task sequence (summary/conflict/remediation) and cache key strategy.
  • 110.A) AdvisoryAI 2025-11-02: AIAI-31-004 orchestration prerequisites documented in docs/modules/advisory-ai/orchestration-pipeline.md (tasks 004A/004B/004C).
  • 110.A) AdvisoryAI 2025-11-02: AIAI-31-003 moved to DOING beginning deterministic tooling (comparators, dependency analysis) while awaiting SBOM context client. Semantic & EVR comparators shipped; toolset interface published for orchestrator adoption.
  • 110.A) AdvisoryAI 2025-11-04: AIAI-31-004 DONE orchestrator composes evidence (structured/vector/SBOM) with stable cache keys, metadata, and hashing; tests keep determinism enforced.
  • 110.A) AdvisoryAI 2025-11-02: Structured + vector retrievers landed with deterministic CSAF/OSV/Markdown chunkers, deterministic hash embeddings, and unit coverage for sample advisories.
  • 110.A) AdvisoryAI 2025-11-02: SBOM context request/result models finalized; retriever tests now validate environment-flag toggles and dependency-path dedupe. SBOM guild to wire real context service client.
  • 110.A) AdvisoryAI 2025-11-04: AIAI-31-002 completed AddSbomContext typed client registered in WebService/Worker, BaseAddress/tenant headers sourced from configuration, and retriever HTTP-mapping tests extended.
  • 110.A) AdvisoryAI 2025-11-04: AIAI-31-003 completed deterministic toolset integrated with orchestrator cache, property/range tests broadened, and dependency analysis outputs now hashed for replay.
  • 110.A) AdvisoryAI 2025-11-04: AIAI-31-004A ongoing WebService/Worker queue wiring emits initial metrics, SBOM context hashing feeds cache keys, and replay docs updated ahead of guardrail implementation.
  • 110.D) Mirror 2025-11-04: AIAI-31-004A DONE WebService/Worker wiring plus filesystem queue operational; metrics/logs added; tests executed via dotnet test src/AdvisoryAI/__Tests/StellaOps.AdvisoryAI.Tests/StellaOps.AdvisoryAI.Tests.csproj --no-restore.
  • 110.D) Mirror 2025-11-04: AIAI-31-006 DONE REST endpoints enforce scope headers, apply rate limits, sanitize prompts through guardrails, and enqueue execution with cached metadata.

| Sprint 120 | [Policy & Reasoning] 120.A) AirGap | src/AirGap/StellaOps.AirGap.Policy | DONE | AirGap Policy Guild | AIRGAP-POL-56-001 | Implement StellaOps.AirGap.Policy package exposing EgressPolicy facade with sealed/unsealed branches and remediation-friendly errors. |
| Sprint 120 | [Policy & Reasoning] 120.A) AirGap | src/AirGap/StellaOps.AirGap.Policy | DONE | AirGap Policy Guild, DevEx Guild | AIRGAP-POL-56-002 | Create Roslyn analyzer/code fix warning on raw HttpClient usage outside approved wrappers; add CI integration. Dependencies: AIRGAP-POL-56-001. |
| Sprint 120 | [Policy & Reasoning] 120.A) AirGap | src/AirGap/StellaOps.AirGap.Policy | DONE (2025-11-03) | AirGap Policy Guild, BE-Base Platform Guild | AIRGAP-POL-57-001 | Update core web services (Web, Exporter, Policy, Findings, Authority) to use EgressPolicy; ensure configuration wiring for sealed mode. Dependencies: AIRGAP-POL-56-002. |
| Sprint 120 | [Policy & Reasoning] 120.A) AirGap | src/AirGap/StellaOps.AirGap.Policy | DONE (2025-11-03) | AirGap Policy Guild, Task Runner Guild | AIRGAP-POL-57-002 | Implement Task Runner job plan validator rejecting network steps unless marked internal allow-list.<br>2025-11-03: Worker wiring pulls IEgressPolicy, filesystem dispatcher enforces sealed-mode egress, dispatcher test + grant normalization landed, package versions aligned to rc.2.<br>Next: ensure other dispatchers/executors reuse the injected policy before enabling sealed-mode runs in worker service. Dependencies: AIRGAP-POL-57-001. |
| Sprint 120 | [Policy & Reasoning] 120.A) AirGap | src/AirGap/StellaOps.AirGap.Policy | DONE (2025-11-03) | AirGap Policy Guild, Observability Guild | AIRGAP-POL-58-001 | Ensure Observability exporters only target local endpoints in sealed mode; disable remote sinks with warning.<br>2025-11-03: Introduced StellaOps.Telemetry.Core with OTLP exporter guard; Registry Token Service consumes new telemetry bootstrap; sealed-mode now skips non-loopback collectors and logs remediation guidance; docs refreshed for telemetry/air-gap playbooks. Dependencies: AIRGAP-POL-57-002. |
| Sprint 120 | [Policy & Reasoning] 120.A) AirGap | src/AirGap/StellaOps.AirGap.Policy | DONE (2025-11-03) | AirGap Policy Guild, CLI Guild | AIRGAP-POL-58-002 | Add CLI sealed-mode guard that refuses commands needing egress and surfaces remediation.<br>2025-11-03: CLI now wires HTTP clients through StellaOps.AirGap.Policy, returns AIRGAP_EGRESS_BLOCKED with remediation when sealed, and docs updated. Dependencies: AIRGAP-POL-58-001. |
| Sprint 120 | [Policy & Reasoning] 120.B) Findings.I | src/Findings/StellaOps.Findings.Ledger | DONE (2025-11-03) | Findings Ledger Guild | LEDGER-29-001 | Design ledger & projection schemas (tables/indexes), canonical JSON format, hashing strategy, and migrations. Publish schema doc + fixtures.<br>2025-11-03: Initial migration, canonical fixtures, and schema doc alignment delivered (LEDGER-29-001). |
| Sprint 120 | [Policy & Reasoning] 120.B) Findings.I | src/Findings/StellaOps.Findings.Ledger | DONE (2025-11-03) | Findings Ledger Guild | LEDGER-29-002 | Implement ledger write API (POST /vuln/ledger/events) with validation, idempotency, hash chaining, and Merkle root computation job.<br>2025-11-03: Web service + domain scaffolding landed with canonical hashing helpers, in-memory repository, Merkle scheduler stub, request/response contracts, and unit tests covering hashing & conflict flows. Dependencies: LEDGER-29-001. |
| Sprint 120 | [Policy & Reasoning] 120.B) Findings.I | src/Findings/StellaOps.Findings.Ledger | DONE (2025-11-03) | Findings Ledger Guild, Scheduler Guild | LEDGER-29-003 | Build projector worker that derives findings_projection rows from ledger events + policy determinations; ensure idempotent replay keyed by (tenant,finding_id,policy_version).<br>2025-11-03: Postgres projection services landed with replay checkpoints, fixtures, and unit coverage (LEDGER-29-003). Dependencies: LEDGER-29-002. |
| Sprint 120 | [Policy & Reasoning] 120.B) Findings.I | src/Findings/StellaOps.Findings.Ledger | DONE (2025-11-04) | Findings Ledger Guild, Policy Guild | LEDGER-29-004 | Integrate Policy Engine batch evaluation (baseline + simulate) with projector; cache rationale references.<br>2025-11-04: Ledger service now calls /api/policy/eval/batch with resilient HttpClient, shared cache, and inline fallback; documentation/config samples updated; ledger tests executed (dotnet test src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/StellaOps.Findings.Ledger.Tests.csproj --no-restore). Dependencies: LEDGER-29-003. |
| Sprint 120 | [Policy & Reasoning] 120.B) Findings.I | src/Findings/StellaOps.Findings.Ledger | DONE | Findings Ledger Guild | LEDGER-29-005 | Implement workflow mutation handlers (assign, comment, accept-risk, target-fix, verify-fix, reopen) producing ledger events with validation and attachments metadata. Dependencies: LEDGER-29-004. |
| Sprint 120 | [Policy & Reasoning] 120.B) Findings.I | src/Findings/StellaOps.Findings.Ledger | DONE | Findings Ledger Guild, Security Guild | LEDGER-29-006 | Integrate attachment encryption (KMS envelope), signed URL issuance, CSRF protection hooks for Console. Dependencies: LEDGER-29-005. |
| Sprint 120 | [Policy & Reasoning] 120.C) Policy.II | src/Policy/StellaOps.Policy.Engine | DONE | Policy Guild, Security Guild | POLICY-ENGINE-27-003 | Implement complexity/time limit enforcement with compiler scoring, configurable thresholds, and structured diagnostics (ERR_POL_COMPLEXITY). Dependencies: POLICY-ENGINE-27-002. |
| Sprint 120 | [Policy & Reasoning] 120.C) Policy.II | src/Policy/StellaOps.Policy.Engine | DONE | Policy Guild, QA Guild | POLICY-ENGINE-27-004 | Update golden/property tests to cover new coverage metrics, symbol tables, explain traces, and complexity limits; provide fixtures for Registry/Console integration. Dependencies: POLICY-ENGINE-27-003. |

| Sprint 130 | Scanner & Surface / Scanner.I | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust | DONE (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust) | DONE | SCANNER-ANALYZERS-LANG-10-308R | Determinism fixtures + performance benchmarks; compare against competitor heuristic coverage. |
| Sprint 130 | Scanner & Surface / Scanner.I | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust | DONE (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust) | DONE | SCANNER-ANALYZERS-LANG-10-309R | Package plug-in manifest + Offline Kit documentation; ensure Worker integration. Dependencies: SCANNER-ANALYZERS-LANG-10-308R. |
| Sprint 130 | Scanner & Surface / Scanner.I | src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace | DONE (2025-11-02) | EntryTrace Guild | ENTRYTRACE-SURFACE-01 | Run Surface.Validation prereq checks and resolve cached entry fragments via Surface.FS to avoid duplicate parsing. |
| Sprint 130 | Scanner & Surface / Scanner.I | src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace | DONE (2025-11-02) | EntryTrace Guild | ENTRYTRACE-SURFACE-02 | Replace direct env/secret access with Surface.Secrets provider when tracing runtime configs. Dependencies: ENTRYTRACE-SURFACE-01. |
| Sprint 130 | Scanner & Surface / Scanner.I | src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace | DONE (2025-11-02) | EntryTrace Guild, QA Guild | SCANNER-ENTRYTRACE-18-509 | Add regression coverage for EntryTrace surfaces (result store, WebService endpoint, CLI renderer) and NDJSON hashing. |
| Sprint 130 | Scanner & Surface / Scanner.I | src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace | DONE (2025-11-02) | EntryTrace Guild | SCANNER-ENTRYTRACE-18-507 | Expand candidate discovery beyond ENTRYPOINT/CMD by scanning Docker history metadata and default service directories (/etc/services/**, /s6/**, /etc/supervisor/*.conf, /usr/local/bin/*-entrypoint) when explicit commands are absent. Dependencies: SCANNER-ENTRYTRACE-18-509. |
| Sprint 130 | Scanner & Surface / Scanner.I | src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace | DONE (2025-11-02) | EntryTrace Guild | SCANNER-ENTRYTRACE-18-508 | Extend wrapper catalogue to collapse language/package launchers (bundle, bundle exec, docker-php-entrypoint, npm, yarn node, pipenv, poetry run) and vendor init scripts before terminal classification. Dependencies: SCANNER-ENTRYTRACE-18-507. |
| Sprint 130 | Scanner & Surface / Scanner.I | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang | DONE (2025-11-03) | Language Analyzer Guild | LANG-SURFACE-01 | Invoke Surface.Validation checks (env/cache/secrets) before analyzer execution to ensure consistent prerequisites.<br>2025-11-03: CompositeScanAnalyzerDispatcher now enforces Surface.Validation prior to language analyzers and propagates actionable failure diagnostics. |
| Sprint 130 | Scanner & Surface / Scanner.I | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang | DONE (2025-11-03) | Language Analyzer Guild | LANG-SURFACE-02 | Consume Surface.FS APIs for layer/source caching (instead of bespoke caches) to improve determinism. Dependencies: LANG-SURFACE-01.<br>2025-11-03: Language analyzer runs fingerprint the workspace and persist results via Surface.FS cache helper for deterministic reuse. |
| Sprint 130 | Scanner & Surface / Scanner.I | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang | DONE (2025-11-03) | Language Analyzer Guild | LANG-SURFACE-03 | Replace direct secret/env reads with Surface.Secrets references when fetching package feeds or registry creds. Dependencies: LANG-SURFACE-02.<br>2025-11-03: LanguageAnalyzerContext exposes Surface.Secrets-backed helper for registry/feed credentials with unit coverage. |
| Sprint 130 | Scanner & Surface / Scanner.VII | src/Scanner/StellaOps.Scanner.WebService | DONE (2025-11-06) | Scanner WebService Guild | SCANNER-EVENTS-16-302 | Extend orchestrator event links (report/policy/attestation) once endpoints are finalised across gateway + console. Dependencies: SCANNER-EVENTS-16-301.<br>2025-11-06 22:55Z: Dispatcher honours configurable console/API segments; docs and samples refreshed; added regression test for custom segments. dotnet test previously blocked by legacy Surface cache ctor signature (tracked under Surface task).<br>2025-11-06 23:30Z: Report DSSE fixtures re-synced; Surface cache ctor drift repaired; dotnet test src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests --no-build now green end-to-end. |
| Sprint 130 | Scanner & Surface / Scanner.VII | src/Scanner/StellaOps.Scanner.Worker | DONE (2025-11-06) | Scanner Worker Guild, Security Guild | SCANNER-SECRETS-01 | Adopt StellaOps.Scanner.Surface.Secrets for registry/CAS credentials during scan execution.
2025-11-02: Surface.Secrets provider wired for CAS token retrieval; integration tests added.
2025-11-06: Replaced registry credential plumbing with shared provider + rotation-aware metrics; introduced registry secret stage and analysis keys.
2025-11-06 23:40Z: Installed .NET 10 RC2 runtime, parser/stage unit suites green (dotnet test Surface.Secrets + Worker focused filter). | | Sprint 130 | Scanner & Surface / Scanner.VII | src/Scanner/StellaOps.Scanner.WebService | DONE (2025-11-06) | Scanner WebService Guild, Security Guild | SCANNER-SECRETS-02 | Replace ad-hoc secret wiring with Surface.Secrets for report/export operations (registry and CAS tokens). Dependencies: SCANNER-SECRETS-01.
2025-11-02: WebService export path now resolves registry credentials via Surface.Secrets stub; CI pipeline hook in progress.
2025-11-06: Picking up Surface.Secrets provider usage across report/export flows and removing legacy secret file readers.
2025-11-06 21:40Z: WebService options now consume cas-access secrets via configurator; storage mirrors updated; targeted tests passing.
2025-11-06 23:58Z: Registry + attestation secrets sourced via Surface.Secrets (options extended, configurator + tests updated); Surface.Secrets & configurator test suites executed on .NET 10 RC2 runtime. | | Sprint 130 | Scanner & Surface / Scanner.VII | src/Scanner/StellaOps.Scanner.Worker | DONE (2025-11-06) | Scanner Worker Guild | SCANNER-SURFACE-01 | Persist Surface.FS manifests after analyzer stages, including layer CAS metadata and EntryTrace fragments.
2025-11-02: Worker pipeline emitting draft Surface.FS manifests for sample scans; determinism checks running.
2025-11-06: Continuing with manifest writer abstraction + telemetry wiring for Surface.FS persistence.
2025-11-06 18:45Z: Resumed work; targeting manifest writer abstraction, CAS persistence hooks, and telemetry/test coverage updates.
2025-11-06 20:20Z: Published Surface worker Grafana dashboard + updated design doc; WebService pointer integration test now covers manifest/payload artefacts. | | Sprint 130 | Scanner & Surface / Scanner.VII | src/Scanner/StellaOps.Scanner.WebService | DONE (2025-11-05) | Scanner WebService Guild | SCANNER-SURFACE-02 | Publish Surface.FS pointers (CAS URIs, manifests) via scan/report APIs and update attestation metadata. Dependencies: SCANNER-SURFACE-01.
2025-11-05: Surface pointer projection wired through WebService endpoints, orchestrator samples & DSSE fixtures refreshed with surface manifest block, and regression suite (platform events, report sample, ready check) updated. | | Sprint 130 | Scanner & Surface / Scanner.VII | src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin | DONE (2025-11-07) | BuildX Plugin Guild | SCANNER-SURFACE-03 | Push layer manifests and entry fragments into Surface.FS during build-time SBOM generation. Dependencies: SCANNER-SURFACE-02.
2025-11-06: Starting BuildX manifest upload implementation with Surface.FS client abstraction and integration tests.
2025-11-07 15:30Z: Resumed BuildX plugin Surface wiring; analyzing Surface.FS models, CAS flow, and upcoming tests before coding.
2025-11-07 22:10Z: Added Surface manifest writer + CLI flags to the BuildX plug-in, persisted artefacts into CAS, regenerated docs/fixtures, and shipped new tests covering the writer + descriptor flow. |

Sprint 100 - Identity & Signing

Completed or Dropped Tasks

| Theme | Task ID | Status | Owners/Path | Notes |
| --- | --- | --- | --- | --- |
| 100.A) Attestor.I | ATTEST-ENVELOPE-72-001 | DONE (2025-11-01) | Envelope Guild (src/Attestor/StellaOps.Attestor.Envelope) | Implement DSSE canonicalization, JSON normalization, multi-signature structures, and hashing helpers. |
| 100.A) Attestor.I | ATTEST-ENVELOPE-72-002 | DONE (2025-11-01) | Envelope Guild (src/Attestor/StellaOps.Attestor.Envelope) | Support compact and expanded JSON output, payload compression, and detached payload references. (Deps: ATTEST-ENVELOPE-72-001.) |
| 100.A) Attestor.I | ATTEST-ENVELOPE-73-001 | DONE | Envelope Guild, KMS Guild (src/Attestor/StellaOps.Attestor.Envelope) | Implement Ed25519 & ECDSA signature create/verify helpers, key identification (keyid) scheme, and error mapping. (Deps: ATTEST-ENVELOPE-72-002.) |
| 100.A) Attestor.I | ATTEST-ENVELOPE-73-002 | DONE | Envelope Guild (src/Attestor/StellaOps.Attestor.Envelope) | Add fuzz tests for envelope parsing, signature verification, and canonical JSON round-trips. (Deps: ATTEST-ENVELOPE-73-001.) |
| 100.A) Attestor.I | ATTEST-TYPES-72-001 | DONE | Attestation Payloads Guild (src/Attestor/StellaOps.Attestor.Types) | Draft JSON Schemas for BuildProvenance v1, SBOMAttestation v1, VEXAttestation v1, ScanResults v1, PolicyEvaluation v1, RiskProfileEvidence v1, CustomEvidence v1. |
| 100.A) Attestor.I | ATTEST-TYPES-72-002 | DONE | Attestation Payloads Guild (src/Attestor/StellaOps.Attestor.Types) | Generate Go/TS models from schemas with validation helpers and canonical JSON serialization. (Deps: ATTEST-TYPES-72-001.) |
| 100.A) Attestor.I | ATTEST-TYPES-73-001 | DONE | Attestation Payloads Guild (src/Attestor/StellaOps.Attestor.Types) | Create golden payload samples for each type; integrate into tests and documentation. (Deps: ATTEST-TYPES-72-002.) |
| 100.A) Attestor.I | ATTEST-TYPES-73-002 | DONE | Attestation Payloads Guild, Docs Guild (src/Attestor/StellaOps.Attestor.Types) | Publish schema reference docs (/docs/modules/attestor/payloads.md) with annotated JSON examples. (Deps: ATTEST-TYPES-73-001.) |
| 100.A) Attestor.I | ATTEST-VERIFY-73-001 | DONE | Verification Guild, Policy Guild (src/Attestor/StellaOps.Attestor.Verify) | Implement verification engine: policy evaluation, issuer trust resolution, freshness, signature count, transparency checks; produce structured reports. (Deps: VERPOL-73-001, ATTESTOR-73-002.) |
| 100.A) Attestor.I | ATTEST-VERIFY-73-002 | DONE | Verification Guild (src/Attestor/StellaOps.Attestor.Verify) | Add caching layer keyed by (subject, envelope_id, policy_version) with TTL and invalidation on new evidence. (Deps: ATTEST-VERIFY-73-001.) |
| 100.A) Attestor.I | ATTEST-VERIFY-74-001 | DONE | Verification Guild, Observability Guild (src/Attestor/StellaOps.Attestor.Verify) | Emit telemetry (spans/metrics) tagged by subject, issuer, policy, result; integrate with dashboards. (Deps: ATTEST-VERIFY-73-001.) |
| 100.A) Attestor.I | ATTEST-VERIFY-74-002 | DONE (2025-11-01) | Verification Guild, Docs Guild (src/Attestor/StellaOps.Attestor.Verify) | Document verification report schema and explainability in /docs/modules/attestor/workflows.md. (Deps: ATTEST-VERIFY-73-001.) |
| 100.A) Attestor.I | ATTESTOR-72-001 | DONE | Attestor Service Guild (src/Attestor/StellaOps.Attestor) | Scaffold service (REST API skeleton, storage interfaces, KMS integration stubs) and DSSE validation pipeline. (Deps: ATTEST-ENVELOPE-72-001.) |
| 100.A) Attestor.I | ATTESTOR-72-002 | DONE | Attestor Service Guild (src/Attestor/StellaOps.Attestor) | Implement attestation store (DB tables, object storage integration), CRUD, and indexing strategies. (Deps: ATTESTOR-72-001.) |
| 100.A) Attestor.I | ATTESTOR-72-003 | DONE (2025-11-03) | Attestor Service Guild, QA Guild (src/Attestor/StellaOps.Attestor) | Validate attestation store TTL against production-like Mongo/Redis stack; capture logs and remediation plan. (Deps: ATTESTOR-72-002.) |
| 100.A) Attestor.I | ATTESTOR-73-001 | DONE (2025-11-01) | Attestor Service Guild, KMS Guild (src/Attestor/StellaOps.Attestor) | Implement signing endpoint with Ed25519/ECDSA support, KMS integration, and audit logging. (Deps: ATTESTOR-72-002, KMS-72-001.) |
| 100.A) Attestor.II | ATTESTOR-73-002 | DONE (2025-11-01) | Attestor Service Guild, Policy Guild (src/Attestor/StellaOps.Attestor) | Build verification pipeline evaluating DSSE signatures, issuer trust, and verification policies; persist reports. (Deps: ATTESTOR-73-001, VERPOL-73-001.) |
| 100.A) Attestor.II | ATTESTOR-73-003 | DONE | Attestor Service Guild (src/Attestor/StellaOps.Attestor) | Implement listing/fetch APIs with filters (subject, type, issuer, scope, date). (Deps: ATTESTOR-73-002.) |
| 100.A) Attestor.II | ATTESTOR-74-001 | DONE (2025-11-02) | Attestor Service Guild (src/Attestor/StellaOps.Attestor) | Integrate transparency witness client, inclusion proof verification, and caching. (Deps: ATTESTOR-73-002, TRANSP-74-001.) |
| 100.A) Attestor.II | ATTESTOR-74-002 | DONE | Attestor Service Guild (src/Attestor/StellaOps.Attestor) | Implement bulk verification worker + API with progress tracking, rate limits, and caching. (Deps: ATTESTOR-74-001.) |
| 100.A) Attestor.II | ATTESTOR-75-001 | DONE | Attestor Service Guild, Export Guild (src/Attestor/StellaOps.Attestor) | Add export/import flows for attestation bundles and offline verification mode. (Deps: ATTESTOR-74-002, EXPORT-ATTEST-74-001.) |
| 100.A) Attestor.II | ATTESTOR-75-002 | DONE | Attestor Service Guild, Security Guild (src/Attestor/StellaOps.Attestor) | Harden APIs with rate limits, auth scopes, threat model mitigations, and fuzz testing. (Deps: ATTESTOR-73-002.) |
| 100.B) Authority.I | AUTH-AIAI-31-001 | DONE (2025-11-01) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Define Advisory AI scopes (advisory-ai:view, advisory-ai:operate, advisory-ai:admin) and remote inference toggles; update discovery metadata/offline defaults. (Deps: AUTH-VULN-29-001.) |
| 100.B) Authority.I | AUTH-AIAI-31-002 | DONE (2025-11-01) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Enforce anonymized prompt logging, tenant consent for remote inference, and audit logging of assistant tasks. (Deps: AUTH-AIAI-31-001, AIAI-31-006.) |
| 100.B) Authority.I | AUTH-AIRGAP-56-001 | DONE (2025-11-04) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Provision new scopes (airgap:seal, airgap:import, airgap:status:read) in configuration metadata, offline kit defaults, and issuer templates. (Deps: AIRGAP-CTL-56-001.) |
| 100.B) Authority.I | AUTH-AIRGAP-56-002 | DONE (2025-11-04) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Audit import actions with actor, tenant, bundle ID, and trace ID; expose /authority/audit/airgap endpoint. (Deps: AUTH-AIRGAP-56-001, AIRGAP-IMP-58-001.) |
| 100.B) Authority.I | AUTH-PACKS-43-001 | DONE (2025-11-09) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Enforce pack approval metadata (pack_run_id, pack_gate_id, pack_plan_hash) plus five-minute fresh-auth; scope handler downgrades missing metadata, docs/runbook updated, and Authority tests cover new claims + audit properties. |
| 100.B) Authority.I | AUTH-NOTIFY-38-001 | DONE (2025-11-01) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Define Notify.Viewer, Notify.Operator, Notify.Admin scopes/roles, update discovery metadata, offline defaults, and issuer templates. |
| 100.B) Authority.I | AUTH-NOTIFY-40-001 | DONE (2025-11-02) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Implement signed ack token key rotation, webhook allowlists, admin-only escalation settings, and audit logging of ack actions. (Deps: AUTH-NOTIFY-38-001, WEB-NOTIFY-40-001.) |
| 100.B) Authority.I | AUTH-NOTIFY-42-001 | DONE (2025-11-02) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Investigate ack token rotation 500 errors (test Rotate_ReturnsBadRequest_WhenKeyIdMissing_AndAuditsFailure still failing). Capture logs, identify root cause, and patch handler. (Deps: AUTH-NOTIFY-40-001.) |
| 100.B) Authority.I | AUTH-OAS-62-001 | DONE (2025-11-02) | Authority Core & Security Guild, SDK Generator Guild (src/Authority/StellaOps.Authority) | Provide SDK helpers for OAuth2/PAT flows, tenancy override header; add integration tests. (Deps: AUTH-OAS-61-001, SDKGEN-63-001.) |
| 100.B) Authority.I | AUTH-OAS-63-001 | DONE (2025-11-02) | Authority Core & Security Guild, API Governance Guild (src/Authority/StellaOps.Authority) | Emit deprecation headers and notifications for legacy auth endpoints. (Deps: AUTH-OAS-62-001, APIGOV-63-001.) |
| 100.B) Authority.I | AUTH-OBS-50-001 | DONE (2025-11-02) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Introduce scopes obs:read, timeline:read, timeline:write, evidence:create, evidence:read, evidence:hold, attest:read, and obs:incident (all tenant-scoped). Update discovery metadata, offline defaults, and scope grammar docs. (Deps: AUTH-AOC-19-001.) |
| 100.B) Authority.I | AUTH-OBS-52-001 | DONE (2025-11-02) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Configure resource server policies for Timeline Indexer, Evidence Locker, Exporter, and Observability APIs enforcing new scopes + tenant claims. Emit audit events including scope usage and trace IDs. (Deps: AUTH-OBS-50-001, TIMELINE-OBS-52-003, EVID-OBS-53-003.) |
| 100.B) Authority.I | AUTH-OBS-55-001 | DONE (2025-11-02) | Authority Core & Security Guild, Ops Guild (src/Authority/StellaOps.Authority) | Harden incident mode authorization: require obs:incident scope + fresh auth, log activation reason, and expose verification endpoint for auditors. Update docs/runbooks. (Deps: AUTH-OBS-50-001, WEB-OBS-55-001.) |
| 100.B) Authority.I | AUTH-ORCH-34-001 | DONE (2025-11-02) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Introduce Orch.Admin role with quota/backfill scopes, enforce audit reason on quota changes, and update offline defaults/docs. (Deps: AUTH-ORCH-33-001.) |
| Sprint 100 | Authority Identity & Signing | docs/implplan/archived/SPRINT_0100_0001_0001_identity_signing.md | DONE (2025-11-09) | Authority Core, Security Guild, Docs Guild |
| 100.B) Authority.I | AUTH-PACKS-41-001 | DONE (2025-11-04) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Define CLI SSO profiles and pack scopes (Packs.Read, Packs.Write, Packs.Run, Packs.Approve), update discovery metadata, offline defaults, and issuer templates. (Deps: AUTH-AOC-19-001.) |
| 100.B) Authority.II | AUTH-POLICY-23-001 | DONE (2025-10-27) | Authority Core & Docs Guild (src/Authority/StellaOps.Authority) | Introduce fine-grained policy scopes (policy:read, policy:author, policy:review, policy:simulate, findings:read) for CLI/service accounts; update discovery metadata, issuer templates, and offline defaults. (Deps: AUTH-AOC-19-002.) |
| 100.B) Authority.II | AUTH-POLICY-23-002 | DONE (2025-11-08) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Implement optional two-person rule for activation: require two distinct policy:activate approvals when configured; emit audit logs. (Deps: AUTH-POLICY-23-001.) |
| 100.B) Authority.II | AUTH-POLICY-23-003 | DONE (2025-11-08) | Authority Core & Docs Guild (src/Authority/StellaOps.Authority) | Update documentation and sample configs for policy roles, approval workflow, and signing requirements. (Deps: AUTH-POLICY-23-001.) |
| 100.B) Authority.II | AUTH-POLICY-27-002 | DONE (2025-11-02) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Provide attestation signing service bindings (OIDC token exchange, cosign integration) and enforce publish/promote scope checks, fresh-auth requirements, and audit logging. (Deps: AUTH-POLICY-27-001, REGISTRY-API-27-007.) |
| 100.B) Authority.II | AUTH-POLICY-27-003 | DONE (2025-11-04) | Authority Core & Docs Guild (src/Authority/StellaOps.Authority) | Update Authority configuration/docs for Policy Studio roles, signing policies, approval workflows, and CLI integration; include compliance checklist. (Deps: AUTH-POLICY-27-001, AUTH-POLICY-27-002.) |
| 100.B) Authority.II | AUTH-TEN-49-001 | DONE (2025-11-04) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Implement service accounts & delegation tokens (act chain), per-tenant quotas, audit stream of auth decisions, and revocation APIs. (Deps: AUTH-TEN-47-001.) |
| 100.B) Authority.II | AUTH-VULN-29-001 | DONE (2025-11-03) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Define Vuln Explorer scopes/roles (vuln:view, vuln:investigate, vuln:operate, vuln:audit) with ABAC attributes (env, owner, business_tier) and update discovery metadata/offline kit defaults. (Deps: AUTH-POLICY-27-001.) |
| 100.B) Authority.II | AUTH-VULN-29-002 | DONE (2025-11-03) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Enforce CSRF/anti-forgery tokens for workflow actions, sign attachment tokens, and record audit logs with ledger event hashes. (Deps: AUTH-VULN-29-001, LEDGER-29-002.) |
| 100.B) Authority.II | AUTH-VULN-29-003 | DONE (2025-11-04) | Authority Core & Docs Guild (src/Authority/StellaOps.Authority) | Update security docs/config samples for Vuln Explorer roles, ABAC policies, attachment signing, and ledger verification guidance. (Deps: AUTH-VULN-29-001..002.) |
| 100.B) Authority.II | PLG7.IMPL-001 | DONE (2025-11-03) | BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) | Scaffold StellaOps.Authority.Plugin.Ldap + tests, bind configuration (client certificate, trust-store, insecure toggle) with validation and docs samples. |
| 100.B) Authority.II | PLG7.IMPL-002 | DONE (2025-11-04) | BE-Auth Plugin, Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) | Implement LDAP credential store with TLS/mutual TLS enforcement, deterministic retry/backoff, and structured logging/metrics. |
| 100.C) IssuerDirectory | ISSUER-30-001 | DONE (2025-11-01) | Issuer Directory Guild (src/IssuerDirectory/StellaOps.IssuerDirectory) | Implement issuer CRUD API with RBAC, audit logging, and tenant scoping; seed CSAF publisher metadata. |
| 100.C) IssuerDirectory | ISSUER-30-002 | DONE (2025-11-01) | Issuer Directory Guild, Security Guild (src/IssuerDirectory/StellaOps.IssuerDirectory) | Implement key management endpoints (add/rotate/revoke keys), enforce expiry, validate formats (Ed25519, X.509, DSSE). (Deps: ISSUER-30-001.) |
| 100.C) IssuerDirectory | ISSUER-30-003 | DONE (2025-11-04) | Issuer Directory Guild, Policy Guild (src/IssuerDirectory/StellaOps.IssuerDirectory) | Provide trust weight APIs and tenant overrides with validation (+/- bounds) and audit trails. (Deps: ISSUER-30-001.) |
| 100.C) IssuerDirectory | ISSUER-30-004 | DONE (2025-11-01) | Issuer Directory Guild, VEX Lens Guild (src/IssuerDirectory/StellaOps.IssuerDirectory) | Integrate with VEX Lens and Excitor signature verification (client SDK, caching, retries). (Deps: ISSUER-30-001..003.) |
| 100.C) IssuerDirectory | ISSUER-30-005 | DONE (2025-11-01) | Issuer Directory Guild, Observability Guild (src/IssuerDirectory/StellaOps.IssuerDirectory) | Instrument metrics/logs (issuer changes, key rotation, verification failures) and dashboards/alerts. (Deps: ISSUER-30-001..004.) |
| 100.C) IssuerDirectory | ISSUER-30-006 | DONE (2025-11-02) | Issuer Directory Guild, DevOps Guild (src/IssuerDirectory/StellaOps.IssuerDirectory) | Provide deployment manifests, backup/restore, secure secret storage, and offline kit instructions. (Deps: ISSUER-30-001..005.) |
| 100.E) Deployment | HELM-45-004 | DONE (2025-11-08) | Deployment Guild, Policy Guild (ops/deployment) | Mount the new policy-engine-activation ConfigMap into the Policy Engine (and Policy Gateway) pods, ensure runtime config loads activation overrides from env/file, and refresh Helm/Compose samples for offline parity. |

Progress Notes

  • 2025-11-03: TTL soak tests captured in docs/modules/attestor/ttl-validation.md; Mongo/Redis evidence archived for replay.
  • 2025-11-01: ATTESTOR-73-002 completed — verification endpoints emit structured reports, cache hits, and telemetry; Attestor verification test suites cover success, failure, and cached paths. Transparency witness integration continues under ATTESTOR-74-001.
  • 2025-11-02: ATTESTOR-74-001 completed — witness client wired into proof refresh, repository model stores witness statements, and verification warns on missing endorsements. Tests updated for witness refresh, bundle export/import, and signing stubs.
  • 2025-11-04: Verified discovery metadata now advertises the airgap scope trio, etc/authority.yaml.sample + offline kit docs ship the new roles, and Authority tests enforce tenant gating for airgap:* scopes (dotnet test executed).
  • 2025-11-04: /authority/audit/airgap minimal APIs persist tenant-scoped records with paging, RBAC checks for airgap:import/airgap:status:read pass, and Authority integration suite (187 tests) exercised the audit flow.
  • 2025-11-01: AUTH-AIRGAP-57-001 blocked pending definition of sealed-confirmation evidence and configuration shape before gating (Authority Core & Security Guild, DevOps Guild).
  • 2025-11-08: Flipped to DOING; partnering with DevOps on artifacts so Authority gating tests can consume sealed confirmations once published (target 2025-11-10).
  • 2025-11-07: Still waiting on DEVOPS-AIRGAP-57-002 sealed-mode CI suite (ops/devops/sealed-mode-ci/*) to publish artefacts so Authority can wire the gating tests.
  • 2025-11-08: DevOps sealed-mode CI now uploads artifacts/sealed-mode-ci/<commit>/authority-sealed-ci.json; Authority to hook the gating middleware/tests up to that feed next.
  • 2025-11-01: AUTH-NOTIFY-38-001 completed—Notify scope catalog, discovery metadata, docs, configuration samples, and service tests updated for new roles.
  • 2025-11-02: /notify/ack-tokens/rotate (notify.admin) now rotates DSSE keys with audit coverage and integration tests. Webhook allowlist + escalation scope enforcement verified.
  • 2025-11-02: Added StellaOpsBearer mapping to test harness, fixed bootstrap rotate handler defaults, and reran targeted notify ack rotation test (now returning BadRequest instead of 500).
  • 2025-11-02: Added HttpClient auth helper (OAuth2 + PAT) with tenant header support, plus coverage in StellaOps.Auth.Client.Tests.
  • 2025-11-02: AUTH-OAS-63-001 marked DONE — legacy /oauth/* shims now emit Deprecation/Sunset/Warning headers, audit events (authority.api.legacy_endpoint) validated by tests, and migration guide docs/api/authority-legacy-auth-endpoints.md published (Authority Core & Security Guild, API Governance Guild).
  • 2025-11-02: Observability scope bundle published in discovery metadata, OpenAPI, docs, and offline configs; issuer templates + roles updated with deterministic scope ordering and tests refreshed.
  • 2025-11-02: Timeline/Evidence/Export resource servers now register observability policies, enforce tenant claims, and emit enriched authorization audit events; config samples + tests updated.
  • 2025-11-02: Resource servers now enforce a five-minute fresh-auth window for obs:incident, incident reasons are stamped into authorization audits and /authority/audit/incident, and sample configs/tests updated to require tenant headers across observability endpoints.
  • 2025-11-02: Added orch:backfill scope with required backfill_reason/backfill_ticket, tightened Authority handlers/tests, updated CLI configuration/env vars, and refreshed docs + samples for Orchestrator admins.
  • 2025-11-02: Pack scope policies added, Authority samples/roles refreshed, and CLI SSO profiles documented for packs operators/publishers/approvers.
  • 2025-11-04: Verified discovery metadata, OpenAPI, etc/authority.yaml.sample, and offline kit docs reflect the packs scope set; Authority suite re-run (dotnet test) to confirm tenant gating and policy checks.
  • 2025-11-02: Shared OpenSSL 1.1 shim now feeds Mongo2Go for Authority & Signals tests, keeping pack scope regressions and other Mongo flows working on OpenSSL 3 hosts.
  • 2025-11-07: AUTH-PACKS-41-001 + TASKRUN-42-001 are DONE; remaining blocker is ORCH-SVC-42-101 (still TODO) for log streaming/approvals APIs. Not deleted—waiting on Orchestrator to publish contracts.
  • 2025-11-08: Added Policy Engine activation options (force/default/audit toggles), enforced pending-second-approval responses, and emitted policy.activation.* telemetry across auditor logs.
  • 2025-11-08: Documented dual-control activation steps, new PolicyEngine.activation.* knobs, sample YAML defaults, and console/operator guidance for audit visibility.
  • 2025-11-07: Scope migration (AUTH-POLICY-23-001) shipped; activation guardrail and documentation updates now waiting on pairing.
  • 2025-11-07: Authority + DevOps stand-up aligned on a 2025-11-10 delivery target for AUTH-DPOP-11-001 / AUTH-MTLS-11-002 and DEVOPS-AIRGAP-57-002 so plugin security/air-gap gating can flip to DOING immediately after.
  • 2025-11-08: Taking ownership to wire certificate thumbprint persistence + audit logging; blocking issues from AUTH-DPOP-11-001 now resolved, so mTLS enforcement can proceed.
  • 2025-11-08: /token//introspect now enforce TLS certificate matches for mTLS-bound tokens and emit authority_mtls_mismatch_total telemetry when rejections occur.
  • 2025-11-02: Added interactive-only policy:publish/policy:promote scopes with metadata requirements (policy_reason, policy_ticket, policy_digest), fresh-auth validation, audit enrichment, and updated config/docs for operators.
  • 2025-11-04: Confirmed Policy Studio role/scope guidance in docs/11_AUTHORITY.md, OpenAPI metadata, and samples; compliance checklist appended and Authority tests rerun for fresh-auth + scope enforcement.
  • 2025-11-02: Service account store + configuration wired, delegation quotas enforced, token persistence extended with serviceAccountId/tokenKind/actorChain, docs & samples refreshed, and new tests cover delegated issuance/persistence.
  • 2025-11-02: Updated bootstrap test fixtures to use AuthorityDelegation seed types and verified /internal/service-accounts endpoints respond as expected via targeted Authority tests.
  • 2025-11-02: Documented bootstrap admin API usage (/internal/service-accounts/**) and clarified that repeated seeding preserves Mongo _id/createdAt values to avoid immutable field errors.
  • 2025-11-03: Patched Authority test harness to seed enabled service-account records deterministically and restored StellaOps.Authority.Tests to green (covers /internal/service-accounts listing + revocation paths).
  • 2025-11-04: Validated service-account docs/configs and Authority Mongo store wiring; reran Authority integration suite to confirm issuance, listing, and revocation happy/negative paths.
  • 2025-11-04: Reviewed Vuln Explorer RBAC/ABAC sections in docs/11_AUTHORITY.md + security guides, confirmed attachment and anti-forgery docs reflect shipped endpoints, and Authority test pass confirms ledger token flows.
  • 2025-11-03: Workflow anti-forgery and attachment token endpoints merged with audit trails; negative-path coverage added (VulnWorkflowTokenEndpointTests). Full Authority test suite still running; follow-up execution required after dependency build completes.
  • 2025-11-07: Upstream AUTH-DPOP-11-001 / AUTH-MTLS-11-002 now DOING; revisit plugin backlog once sender-constraint hardening lands.
  • 2025-11-08: Dependency audit confirmed — AUTH-DPOP-11-001 / AUTH-MTLS-11-002 staffed with 2025-11-10 delivery; no missing SEC2/SEC3/SEC5 subtasks, so these remain BLOCKED only until sender constraints merge.
  • 2025-11-03: Initial StellaOps.Authority.Plugin.Ldap project/tests scaffolded with configuration options + registrar; sample manifest (etc/authority.plugins/ldap.yaml) updated to new schema (client certificate, trust store, insecure toggle).
  • 2025-11-03: Review concluded; RFC accepted with audit/mTLS/mapping decisions recorded in docs/notes/2025-11-03-authority-plugin-ldap-review.md. Follow-up implementation tasks PLG7.IMPL-001..005 added to plugin board.
  • 2025-11-04: Updated connection factory to negotiate StartTLS via StartTransportLayerSecurity(null) and normalized LDAP result-code handling (invalid credentials + transient codes) against System.DirectoryServices.Protocols 8.0. Plugin unit suite (dotnet test src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap.Tests/StellaOps.Authority.Plugin.Ldap.Tests.csproj) now passes again after the retry/error-path fixes.
  • 2025-11-04: PLG7.IMPL-002 DONE: deterministic credential store retries now emit metrics + structured audit context, DirectoryServices factory enforces TLS/mTLS settings (trust store + client cert), and configuration samples/docs refreshed. Tests: dotnet test src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap.Tests/StellaOps.Authority.Plugin.Ldap.Tests.csproj --no-restore.
  • 2025-11-04: Confirmed /issuer-directory/issuers/{id}/trust endpoints persist tenant/global overrides with bounds validation, Mongo indexes seeded, docs/config updated, and core tests executed.

| Sprint 320 | Docs Modules Export Center | docs/modules/export-center/TASKS.md | DONE (2025-11-05) | Docs Guild | CENTER-DOCS-0001 | Validate that docs/modules/export-center/README.md matches the latest release notes, including devportal offline profile, DSSE manifest signatures, and supporting specs. |
| Sprint 327 | Docs Modules Scanner | docs/modules/scanner/TASKS.md | DONE (2025-11-05) | Docs Guild | SCANNER-DOCS-0001 | Validate that docs/modules/scanner/README.md is current with platform-event coverage (scanner.report.ready@1, scanner.scan.completed@1). |
| Sprint 327 | Docs Modules Scanner | docs/modules/scanner/TASKS.md | DONE (2025-11-02) | Docs Guild | SCANNER-DOCS-0002 | Keep scanner benchmark comparisons (Trivy/Grype/Snyk) and deep-dive matrices up to date with cited sources. |
| Sprint 327 | Docs Modules Scanner | docs/benchmarks/scanner | DONE (2025-11-02) | Docs Guild, Scanner Guild | DOCS-SCANNER-BENCH-62-001 | Maintain the scanner comparison doc for Trivy/Grype/Snyk with refreshed deep dives and ecosystem matrices. |
| Sprint 327 | Docs Modules Scanner | docs/benchmarks/scanner | DONE (2025-11-05) | Docs Guild, Security Guild | DOCS-SCANNER-BENCH-62-007 | Publish secret leak detection documentation (rules, policy templates) once implementation lands. |
| Sprint 327 | Docs Modules Scanner | docs/benchmarks/scanner | DONE (2025-11-02) | Docs Guild, PHP Analyzer Guild | DOCS-SCANNER-BENCH-62-010 | Document PHP analyzer parity gaps with technique tables and policy hooks. |
| Sprint 327 | Docs Modules Scanner | docs/benchmarks/scanner | DONE (2025-11-02) | Docs Guild, Language Analyzer Guild | DOCS-SCANNER-BENCH-62-011 | Capture Deno runtime gap analysis versus competitors, including detection/merge strategy tables. |
| Sprint 327 | Docs Modules Scanner | docs/benchmarks/scanner | DONE (2025-11-02) | Docs Guild, Language Analyzer Guild | DOCS-SCANNER-BENCH-62-012 | Add Dart ecosystem comparisons and task linkage in scanning-gaps-stella-misses-from-competitors.md. |
| Sprint 327 | Docs Modules Scanner | docs/benchmarks/scanner | DONE (2025-11-02) | Docs Guild, Swift Analyzer Guild | DOCS-SCANNER-BENCH-62-013 | Expand Swift coverage analysis with implementation techniques and policy considerations. |
| Sprint 327 | Docs Modules Scanner | docs/benchmarks/scanner | DONE (2025-11-02) | Docs Guild, Runtime Guild | DOCS-SCANNER-BENCH-62-014 | Detail Kubernetes/VM target coverage gaps and linkage with Zastava/Runtime docs. |
| Sprint 327 | Docs Modules Scanner | docs/benchmarks/scanner | DONE (2025-11-02) | Docs Guild, Export Center Guild | DOCS-SCANNER-BENCH-62-015 | Document DSSE/Rekor operator enablement guidance drawn from competitor comparisons. |
| Sprint 112 | Concelier.I | src/Concelier/StellaOps.Concelier.WebService | DONE (2025-11-08) | Concelier WebService Guild, Security Guild | CONCELIER-CRYPTO-90-001 | Route WebService hashing through ICryptoHash so sovereign deployments (e.g., RootPack_RU) can select CryptoPro/PKCS#11 providers; discovery, chunk builders, and seed processors updated accordingly. |
| Sprint 158 | TaskRunner.II | src/TaskRunner/StellaOps.TaskRunner | DONE (2025-11-06) | Task Runner Guild | TASKRUN-43-001 | Implement approvals workflow (resume after approval), notifications integration, remote artifact uploads, chaos resilience, secret injection, and audit logging for TaskRunner. |