git.stella-ops.org/docs/implplan/SPRINT_136_scanner_surface.md
StellaOps Bot 029002ad05 work
2025-11-23 23:40:10 +02:00


Sprint 136 - Scanner & Surface

Implementation order remains sequential across Sprints 130-139. Complete each sprint in order before pulling tasks from the next file.

7. Scanner.VII — Scanner & Surface focus on Scanner (phase VII).

Dependency: Sprint 135 - 6. Scanner.VI — Scanner & Surface focus on Scanner (phase VI).

| Task ID | State | Summary | Owner / Source | Depends On |
|---|---|---|---|---|
| SCANNER-ENTRYTRACE-18-504 | TODO | Emit EntryTrace AOC NDJSON (entrytrace.entry/node/edge/target/warning/capability) and wire CLI/service streaming outputs. | EntryTrace Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace) | SCANNER-ENTRYTRACE-18-503 |
| SCANNER-ENTRYTRACE-18-505 | TODO | Implement process-tree replay (ProcGraph) to reconcile /proc exec chains with static EntryTrace results, collapsing wrappers and emitting agreement/conflict diagnostics. | EntryTrace Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace) | SCANNER-ENTRYTRACE-18-504 |
| SCANNER-ENTRYTRACE-18-506 | TODO | Surface EntryTrace graph + confidence via Scanner.WebService and CLI, including target summary in scan reports and policy payloads. | EntryTrace Guild, Scanner WebService Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace) | SCANNER-ENTRYTRACE-18-505 |
| SCANNER-ENV-01 | DONE (2025-11-18) | Worker already wired to AddSurfaceEnvironment/ISurfaceEnvironment for cache roots + CAS endpoints; no remaining ad-hoc env reads. | Scanner Worker Guild (src/Scanner/StellaOps.Scanner.Worker) | |
| SCANNER-ENV-02 | TODO (2025-11-06) | Wire Surface.Env helpers into WebService hosting (cache roots, feature flags) and document configuration. | Scanner WebService Guild, Ops Guild (src/Scanner/StellaOps.Scanner.WebService) | SCANNER-ENV-01 |
| SCANNER-ENV-03 | DOING (2025-11-23) | Surface.Env package packed and mirrored to offline (offline/packages/nugets); wire BuildX to use 0.1.0-alpha.20251123 and update restore feeds. | BuildX Plugin Guild (src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin) | SCANNER-ENV-02 |
| SURFACE-ENV-01 | DONE (2025-11-13) | Draft surface-env.md enumerating environment variables, defaults, and air-gap behaviour for Surface consumers. | Scanner Guild, Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env) | |
| SURFACE-ENV-02 | DONE (2025-11-18) | Strongly-typed env accessors implemented; validation covers required endpoint, bounds, TLS cert path; regression tests passing. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env) | SURFACE-ENV-01 |
| SURFACE-ENV-03 | TODO | Adopt the env helper across Scanner Worker/WebService/BuildX plug-ins. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env) | SURFACE-ENV-02 |
| SURFACE-ENV-04 | TODO | Wire env helper into Zastava Observer/Webhook containers. | Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env) | SURFACE-ENV-02 |
| SURFACE-ENV-05 | TODO | Update Helm/Compose/offline kit templates with new env knobs and documentation. | Ops Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env) | SURFACE-ENV-03, SURFACE-ENV-04 |
| SCANNER-EVENTS-16-301 | BLOCKED (2025-10-26) | Emit orchestrator-compatible envelopes (scanner.event.*) and update integration tests to verify Notifier ingestion (no Redis queue coupling). | Scanner WebService Guild (src/Scanner/StellaOps.Scanner.WebService) | |
| SCANNER-GRAPH-21-001 | TODO | Provide webhook/REST endpoint for Cartographer to request policy overlays and runtime evidence for graph nodes, ensuring determinism and tenant scoping. | Scanner WebService Guild, Cartographer Guild (src/Scanner/StellaOps.Scanner.WebService) | |
| SCANNER-LNM-21-001 | TODO | Update /reports and /policy/runtime payloads to consume advisory/vex linksets, exposing source severity arrays and conflict summaries alongside effective verdicts. | Scanner WebService Guild, Policy Guild (src/Scanner/StellaOps.Scanner.WebService) | |
| SCANNER-LNM-21-002 | TODO | Add evidence endpoint for Console to fetch linkset summaries with policy overlay for a component/SBOM, including AOC references. | Scanner WebService Guild, UI Guild (src/Scanner/StellaOps.Scanner.WebService) | SCANNER-LNM-21-001 |
| SCANNER-SECRETS-03 | TODO | Use Surface.Secrets to retrieve registry credentials when interacting with CAS/referrers. | BuildX Plugin Guild, Security Guild (src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin) | SCANNER-SECRETS-02 |
| SURFACE-SECRETS-01 | DONE (2025-11-23) | Security-approved schema published at docs/modules/scanner/design/surface-secrets-schema.md; proceed to provider wiring. | Scanner Guild, Security Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | |
| SURFACE-SECRETS-02 | DONE (2025-11-23) | Provider chain implemented (primary + fallback) with DI wiring; tests updated (StellaOps.Scanner.Surface.Secrets.Tests). | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-01 |
| SURFACE-SECRETS-03 | TODO | Add Kubernetes/File/Offline backends with deterministic caching and audit hooks. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-02 |
| SURFACE-SECRETS-04 | TODO | Integrate Surface.Secrets into Scanner Worker/WebService/BuildX for registry + CAS creds. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-02 |
| SURFACE-SECRETS-05 | TODO | Invoke Surface.Secrets from Zastava Observer/Webhook for CAS & attestation secrets. | Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-02 |
| SURFACE-SECRETS-06 | TODO | Update deployment manifests/offline kit bundles to provision secret references instead of raw values. | Ops Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-03 |
| SCANNER-ENG-0020 | TODO | Implement Homebrew collector & fragment mapper per design/macos-analyzer.md §3.1. | Scanner Guild (docs/modules/scanner) | |
| SCANNER-ENG-0021 | TODO | Implement pkgutil receipt collector per design/macos-analyzer.md §3.2. | Scanner Guild (docs/modules/scanner) | |
| SCANNER-ENG-0022 | TODO | Implement macOS bundle inspector & capability overlays per design/macos-analyzer.md §3.3. | Scanner Guild, Policy Guild (docs/modules/scanner) | |
| SCANNER-ENG-0023 | TODO | Deliver macOS policy/offline integration per design/macos-analyzer.md §5-6. | Scanner Guild, Offline Kit Guild, Policy Guild (docs/modules/scanner) | |
| SCANNER-ENG-0024 | TODO | Implement Windows MSI collector per design/windows-analyzer.md §3.1. | Scanner Guild (docs/modules/scanner) | |
| SCANNER-ENG-0025 | TODO | Implement WinSxS manifest collector per design/windows-analyzer.md §3.2. | Scanner Guild (docs/modules/scanner) | |
| SCANNER-ENG-0026 | TODO | Implement Windows Chocolatey & registry collectors per design/windows-analyzer.md §3.3-3.4. | Scanner Guild (docs/modules/scanner) | |
| SCANNER-ENG-0027 | TODO | Deliver Windows policy/offline integration per design/windows-analyzer.md §5-6. | Scanner Guild, Policy Guild, Offline Kit Guild (docs/modules/scanner) | |
| SCHED-SURFACE-02 | TODO | Integrate Scheduler worker prefetch using Surface manifest reader and persist manifest pointers with rerun plans. | Scheduler Worker Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | SURFACE-FS-02, SCHED-SURFACE-01. Reference docs/modules/scanner/design/surface-fs-consumers.md §3 for implementation checklist |
| ZASTAVA-SURFACE-02 | TODO | Use Surface manifest reader helpers to resolve cas:// pointers and enrich drift diagnostics with manifest provenance. | Zastava Observer Guild (src/Zastava/StellaOps.Zastava.Observer) | SURFACE-FS-02, ZASTAVA-SURFACE-01. Reference docs/modules/scanner/design/surface-fs-consumers.md §4 for integration steps |
| SURFACE-FS-03 | TODO | Integrate Surface.FS writer into Scanner Worker analyzer pipeline to persist layer + entry-trace fragments. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | SURFACE-FS-02 |
| SURFACE-FS-04 | TODO | Integrate Surface.FS reader into Zastava Observer runtime drift loop. | Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | SURFACE-FS-02 |
| SURFACE-FS-05 | TODO | Expose Surface.FS pointers via Scanner WebService reports and coordinate rescan planning with Scheduler. | Scanner Guild, Scheduler Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | SURFACE-FS-03 |
| SURFACE-FS-06 | TODO | Update scanner-engine guide and offline kit docs with Surface.FS workflow. | Docs Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | SURFACE-FS-02..05 |
| SCANNER-SURFACE-04 | TODO | DSSE-sign every layer.fragments payload, emit _composition.json, and persist DSSE envelopes so offline kits can replay deterministically (see docs/modules/scanner/deterministic-sbom-compose.md §2.1). | Scanner Worker Guild (src/Scanner/StellaOps.Scanner.Worker) | SCANNER-SURFACE-01, SURFACE-FS-03 |
| SURFACE-FS-07 | TODO | Extend Surface.FS manifest schema with composition.recipe, fragment attestation metadata, and verification helpers per deterministic SBOM spec. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | SCANNER-SURFACE-04 |
| SCANNER-EMIT-15-001 | TODO | Enforce canonical JSON (stella.contentHash, Merkle root metadata, zero timestamps) for fragments and composed CycloneDX inventory/usage BOMs. Documented in docs/modules/scanner/deterministic-sbom-compose.md §2.2. | Scanner Emit Guild (src/Scanner/__Libraries/StellaOps.Scanner.Emit) | SCANNER-SURFACE-04 |
| SCANNER-SORT-02 | TODO | Sort layer fragments by digest and components by identity.purl/identity.key before composition; add determinism regression tests. | Scanner Core Guild (src/Scanner/__Libraries/StellaOps.Scanner.Core) | SCANNER-EMIT-15-001 |
| SURFACE-VAL-01 | DONE (2025-11-23) | Validation framework doc aligned with Surface.Env release and secrets schema (docs/modules/scanner/design/surface-validation.md v1.1). | Scanner Guild, Security Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-FS-01, SURFACE-ENV-01 |
| SURFACE-VAL-02 | DONE (2025-11-23) | Validation library now enforces secrets schema, fallback/provider checks, and inline/file guardrails; tests added. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-VAL-01, SURFACE-ENV-02, SURFACE-FS-02 |
| SURFACE-VAL-03 | DONE (2025-11-23) | Validation runner wired into Worker/WebService startup and pre-analyzer paths (OS, language, EntryTrace). | Scanner Guild, Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-VAL-02 |
| SURFACE-VAL-04 | TODO | Expose validation helpers to Zastava and other runtime consumers for preflight checks. | Scanner Guild, Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-VAL-02 |
| SURFACE-VAL-05 | TODO | Document validation extensibility, registration, and customization in scanner-engine guides. | Docs Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-VAL-02 |

Execution Log

| Date (UTC) | Update | Owner |
|---|---|---|
| 2025-11-23 | Published Security-approved Surface.Secrets schema (docs/modules/scanner/design/surface-secrets-schema.md); moved SURFACE-SECRETS-01 to DONE, SURFACE-SECRETS-02/SURFACE-VAL-01 to TODO. | Security Guild |
| 2025-11-23 | Implemented Surface.Secrets provider chain/fallback and added DI tests; marked SURFACE-SECRETS-02 DONE. | Scanner Guild |
| 2025-11-23 | Pinned Surface.Env package version 0.1.0-alpha.20251123 and offline path in docs/modules/scanner/design/surface-env-release.md; SCANNER-ENV-03 moved to TODO. | BuildX Plugin Guild |
| 2025-11-23 | Updated Surface.Validation doc to v1.1, binding to Surface.Env release and secrets schema; marked SURFACE-VAL-01 DONE. | Scanner Guild |
| 2025-11-23 | Strengthened Surface.Validation secrets checks (provider/fallback/inline/file root) and added unit tests; marked SURFACE-VAL-02 DONE. | Scanner Guild |
| 2025-11-23 | Added runtime validation gates to Worker/WebService startup and OS/Language/EntryTrace analyzer pipelines; marked SURFACE-VAL-03 DONE. | Scanner Guild |
| 2025-11-23 | Packed Surface.Env 0.1.0-alpha.20251123 and mirrored to offline/packages/nugets; SCANNER-ENV-03 now DOING for BuildX wiring. | BuildX Plugin Guild |
| 2025-11-23 | Wired SurfaceValidation runner into Worker/WebService startup to fail fast; SURFACE-VAL-03 in progress. | Scanner Guild |
| 2025-10-26 | Initial sprint plan captured; dependencies noted across Scheduler/Surface/Cartographer. | Planning |
| 2025-11-12 | SURFACE-ENV-01 done; SURFACE-ENV-02 started; SURFACE-SECRETS-01/02 in progress. | Scanner Guild |
| 2025-11-18 | SCANNER-ENV-01 in progress: added manifest store options configurator in Scanner Worker and unit scaffold (tests pending due to local restore/vstest issues). | Implementer |
| 2025-11-18 | SCANNER-ENV-02 started: wired Surface manifest store options into Scanner WebService and unit scaffold added; tests pending (nuget.org restore cancelled locally). | Implementer |
| 2025-11-18 | Attempted dotnet test for Worker Surface manifest configurator; restore failed fetching StackExchange.Redis from nuget.org (network timeout); tests still pending CI. | Implementer |
| 2025-11-18 | SCANNER-ENV-03 started: BuildX plugin now loads Surface.Env defaults (SCANNER/SURFACE prefixes) for cache root/bucket/tenant when args/env missing; tests not yet added. | Implementer |
| 2025-11-19 | Marked SCANNER-ENV-03, SURFACE-SECRETS-01/02, and SURFACE-VAL-01 BLOCKED pending Security/Surface schema approvals and published env/secrets artifacts; move back to TODO once upstream contracts land. | Implementer |