- Implemented LdapDistinguishedNameHelper for escaping RDN and filter values.
- Created AuthorityCredentialAuditContext and IAuthorityCredentialAuditContextAccessor for managing credential audit context.
- Developed StandardCredentialAuditLogger with tests for success, failure, and lockout events.
- Introduced AuthorityAuditSink for persisting audit records with structured logging.
- Added CryptoPro related classes for certificate resolution and signing operations.
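As an added illustration of the two escaping rules the commit's LdapDistinguishedNameHelper covers (this is example code written here in Python, not the project's C# helper), the block below escapes a value for an RDN per RFC 4514 and for a search filter per RFC 4515, then shows how an unescaped value would alter the meaning of the query; the attribute names and base DN are constructed.

```python
# RFC 4515 search-filter escaping: the filter metacharacters become \XX hex escapes,
# so a user-supplied value can never close or extend the surrounding filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# RFC 4514 section 2.4: characters that must be backslash-escaped inside an RDN value.
_RDN_SPECIALS = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIALS:
            out.append("\\" + ch)          # e.g. "," -> "\,"
        elif ch == "#" and i == 0:
            out.append("\\#")              # leading '#' would start a hex-string form
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")              # leading/trailing spaces are not preserved otherwise
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(username: str) -> str:
    """Constructed example filter: attribute names are assumptions, not the project's."""
    return f"(&(objectClass=person)(sAMAccountName={escape_filter_value(username)}))"


def build_user_dn(cn: str, base_dn: str = "OU=Users,DC=example,DC=test") -> str:
    """Constructed example DN; the base DN is a placeholder."""
    return f"CN={escape_rdn_value(cn)},{base_dn}"


if __name__ == "__main__":
    # A display name containing filter and DN metacharacters (constructed sample input).
    name = "O'Brien, Sean (Sales)*"
    print(build_user_filter(name))   # metacharacters appear only as \28 \29 \2a escapes
    print(build_user_dn(name))       # the comma is escaped, so the RDN still has one value
```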
Sprint 127 - Policy & Reasoning
Last updated: November 8, 2025. Implementation order is DOING → TODO → BLOCKED.
Focus areas below were split out of the previous combined sprint; execute sections in order unless noted.
Policy.V
Dependency: Sprint 120.C - Policy.IV (must land before this track). Focus: Policy (phase V) within the Policy & Reasoning area.
| # | Task ID & handle | State | Key dependency / next step | Owners |
|---|---|---|---|---|
| 1 | POLICY-ENGINE-80-002 | TODO | Create joining layer to read reachability_facts efficiently (indexes, projections) and populate Redis overlay caches (Deps: POLICY-ENGINE-80-001) | Policy Guild, Storage Guild / src/Policy/StellaOps.Policy.Engine |
| 2 | POLICY-ENGINE-80-003 | TODO | Extend SPL predicates/actions to reference reachability state/score/confidence; update compiler validation (Deps: POLICY-ENGINE-80-002) | Policy Guild, Policy Editor Guild / src/Policy/StellaOps.Policy.Engine |
| 3 | POLICY-ENGINE-80-004 | TODO | Emit metrics (policy_reachability_applied_total, policy_reachability_cache_hit_ratio) and traces for signals usage (Deps: POLICY-ENGINE-80-003) | Policy Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine |
| 4 | POLICY-OBS-50-001 | TODO | Integrate telemetry core into policy API + worker hosts, ensuring spans/logs cover compile/evaluate flows with tenant_id, policy_version, decision_effect, and trace IDs | Policy Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine |
| 5 | POLICY-OBS-51-001 | TODO | Emit golden-signal metrics (compile latency, evaluate latency, rule hits, override counts) and define SLOs (evaluation P95 <2s). Publish Grafana dashboards + burn-rate alert rules (Deps: POLICY-OBS-50-001) | Policy Guild, DevOps Guild / src/Policy/StellaOps.Policy.Engine |
| 6 | POLICY-OBS-52-001 | TODO | Emit timeline events policy.evaluate.started, policy.evaluate.completed, policy.decision.recorded with trace IDs, input digests, and rule summary. Provide contract tests and retry semantics (Deps: POLICY-OBS-51-001) | Policy Guild / src/Policy/StellaOps.Policy.Engine |
| 7 | POLICY-OBS-53-001 | TODO | Produce evaluation evidence bundles (inputs slice, rule trace, engine version, config snapshot) through evidence locker integration; ensure redaction + deterministic manifests (Deps: POLICY-OBS-52-001) | Policy Guild, Evidence Locker Guild / src/Policy/StellaOps.Policy.Engine |
| 8 | POLICY-OBS-54-001 | TODO | Generate DSSE attestations for evaluation outputs, expose /evaluations/{id}/attestation, and link attestation IDs in timeline + console. Provide verification harness (Deps: POLICY-OBS-53-001) | Policy Guild, Provenance Guild / src/Policy/StellaOps.Policy.Engine |
| 9 | POLICY-OBS-55-001 | TODO | Implement incident mode sampling overrides (full rule trace capture, extended retention) with auto-activation on SLO breach and manual override API. Emit activation events to timeline + notifier (Deps: POLICY-OBS-54-001) | Policy Guild, DevOps Guild / src/Policy/StellaOps.Policy.Engine |
| 10 | POLICY-RISK-66-001 | TODO | Develop initial JSON Schema for RiskProfile (signals, transforms, weights, severity, overrides) with validator stubs | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile |
| 11 | POLICY-RISK-66-002 | TODO | Implement inheritance/merge logic with conflict detection and deterministic content hashing (Deps: POLICY-RISK-66-001) | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile |
| 12 | POLICY-RISK-66-003 | TODO | Integrate RiskProfile schema into Policy Engine configuration, ensuring validation and default profile deployment (Deps: POLICY-RISK-66-002) | Policy Guild, Risk Profile Schema Guild / src/Policy/StellaOps.Policy.Engine |
| 13 | POLICY-RISK-66-004 | TODO | Extend Policy libraries to load/save RiskProfile documents, compute content hashes, and surface validation diagnostics (Deps: POLICY-RISK-66-003) | Policy Guild, Risk Profile Schema Guild / src/Policy/__Libraries/StellaOps.Policy |
| 14 | POLICY-RISK-67-001 | TODO | Trigger scoring jobs on new/updated findings via Policy Engine orchestration hooks (Deps: POLICY-RISK-66-004) | Policy Guild, Risk Engine Guild / src/Policy/StellaOps.Policy.Engine |
| 15 | POLICY-RISK-67-001 | TODO | Integrate profile storage and versioning into Policy Store with lifecycle states (draft/publish/deprecate) (Deps: POLICY-RISK-67-001) | Risk Profile Schema Guild, Policy Engine Guild / src/Policy/StellaOps.Policy.RiskProfile |