stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
e69b57d467ffe665754fa93f5a0853e6e96bd526
git.stella-ops.org/docs/implplan/SPRINT_111_advisoryai.md
master 7b01c7d6ac
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
feat: Add comprehensive product advisories for improved scanner functionality 
- Introduced a blueprint for explainable quiet alerts, detailing phases for SBOM, VEX readiness, and attestations.
- Developed a roadmap for deterministic diff-aware rescans, enhancing scanner speed and efficiency.
- Implemented a hash-based SBOM layer cache to optimize container scans by reusing previous results.
- Created a multi-runtime reachability corpus to validate function-level reachability across various programming languages.
- Proposed a stable SBOM model using SPDX 3.0.1 for persistence and CycloneDX 1.6 for interchange.
- Established a validation plan for quiet scans, focusing on provenance and CI integration.
- Documented guidelines for the Findings Ledger module, outlining roles, execution rules, and testing protocols.
2025-11-17 00:09:26 +02:00

12 KiB
Raw Blame History

Sprint 111 - Ingestion & Evidence · 110.A) AdvisoryAI

Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).

[Ingestion & Evidence] 110.A) AdvisoryAI Depends on: Sprint 100.A - Attestor Summary: Ingestion & Evidence focus on AdvisoryAI.

Task ID State Task description Owners (Source)
DOCS-AIAI-31-006 DONE (2025-11-13) /docs/policy/assistant-parameters.md now documents inference modes, guardrail phrases, budgets, and cache/queue knobs (POLICY-ENGINE-31-001 inputs captured via AdvisoryAiServiceOptions). Docs Guild, Policy Guild (docs)

2025-11-13: Published docs/policy/assistant-parameters.md, added env-var mapping tables, and linked the page from Advisory AI architecture so guild owners can trace DOCS-AIAI-31-006 to Sprint 111. DOCS-AIAI-31-008 | BLOCKED (2025-11-03) | Publish /docs/sbom/remediation-heuristics.md (feasibility scoring, blast radius). Dependencies: SBOM-AIAI-31-001. | Docs Guild, SBOM Service Guild (docs) DOCS-AIAI-31-009 | BLOCKED (2025-11-03) | Create /docs/runbooks/assistant-ops.md for warmup, cache priming, model outages, scaling. Dependencies: DEVOPS-AIAI-31-001. | Docs Guild, DevOps Guild (docs) SBOM-AIAI-31-003 | BLOCKED (2025-11-16) | Publish the Advisory AI hand-off kit for /v1/sbom/context, share base URL/API key + tenant header contract, and run a joint end-to-end retrieval smoke test with Advisory AI. Dependencies: SBOM-AIAI-31-001 (not yet delivered). | SBOM Service Guild, Advisory AI Guild (src/SbomService/StellaOps.SbomService) AIAI-31-008 | BLOCKED (2025-11-16) | Package inference on-prem container, remote inference toggle, Helm/Compose manifests, scaling guidance, offline kit instructions. Dependencies: AIAI-31-006..007 (done) plus DEVOPS-AIAI-31-001 runbook. | Advisory AI Guild, DevOps Guild (src/AdvisoryAI/StellaOps.AdvisoryAI) AIAI-31-009 | DONE (2025-11-12) | Develop unit/golden/property/perf tests, injection harness, and regression suite; ensure determinism with seeded caches. Dependencies: AIAI-31-001..006. | Advisory AI Guild, QA Guild (src/AdvisoryAI/StellaOps.AdvisoryAI) |

2025-11-03: WebService/Worker scaffolds created with in-memory cache/queue, minimal APIs (/api/v1/advisory/plan, /api/v1/advisory/queue), metrics counters, and plan cache instrumentation; worker processes queue using orchestrator. 2025-11-16: SBOM-AIAI-31-003 marked BLOCKED pending SBOM-AIAI-31-001 projection kit + smoke plan. 2025-11-16: AIAI-31-008 marked BLOCKED pending DEVOPS-AIAI-31-001 runbook for on-prem/remote packaging. 2025-11-04: SBOM base address now flows via SbomContextClientOptions.BaseAddress, worker emits queue/plan metrics, and orchestrator cache keys expanded to cover SBOM hash inputs. DOCS-AIAI-31-004 | BLOCKED (2025-11-16) | Create /docs/advisory-ai/console.md with screenshots, a11y notes, copy-as-ticket instructions. Dependencies: CONSOLE-VULN-29-001, CONSOLE-VEX-30-001, EXCITITOR-CONSOLE-23-001 (not yet delivered). | Docs Guild, Console Guild (docs) 2025-11-07: Draft doc committed (docs/advisory-ai/console.md) with workflow outline; screenshots will be added once CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 ship. 2025-11-16: DOCS-AIAI-31-004 marked BLOCKED; console widgets and Excititor feed endpoints still pending, cannot capture final screenshots/flows. 2025-11-08: Console endpoints are staffed (CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 DOING); still waiting on EXCITITOR-CONSOLE-23-001 feeds before capturing screenshots/tests. 2025-11-09: Guardrail/inference sections and offline playbooks documented; screenshot placeholders remain open. DOCS-AIAI-31-005 | BLOCKED (2025-11-03) | Publish /docs/advisory-ai/cli.md covering commands, exit codes, scripting patterns. Dependencies: CLI-VULN-29-001, CLI-VEX-30-001, AIAI-31-004C. | Docs Guild, DevEx/CLI Guild (docs) 2025-11-03: DOCS-AIAI-31-003 moved to DOING drafting Advisory AI API reference (endpoints, rate limits, error model) for sprint 110. 2025-11-04: AIAI-31-005 DONE guardrail pipeline redacts secrets, enforces citation/injection policies, emits block counters, and tests (AdvisoryGuardrailPipelineTests) cover redaction + citation validation. 2025-11-03: DOCS-AIAI-31-003 marked DONE docs/advisory-ai/api.md published with scopes, request/response schemas, rate limits, and error catalogue (Docs Guild). 2025-11-03: DOCS-AIAI-31-001 marked DONE docs/advisory-ai/overview.md published with value, personas, guardrails, observability, and roadmap checklists (Docs Guild). 2025-11-03: DOCS-AIAI-31-002 marked DONE docs/advisory-ai/architecture.md published describing pipeline, deterministic tooling, caching, and profile governance (Docs Guild). 2025-11-03: DOCS-AIAI-31-004 marked BLOCKED Console widgets/endpoints (CONSOLE-VULN-29-001, CONSOLE-VEX-30-001, EXCITITOR-CONSOLE-23-001) still pending; cannot document UI flows yet. 2025-11-03: DOCS-AIAI-31-005 marked BLOCKED CLI implementation (stella advise run, CLI-VULN-29-001, CLI-VEX-30-001) plus AIAI-31-004C not shipped; doc blocked until commands exist. 2025-11-03: DOCS-AIAI-31-006 initially blocked (POLICY-ENGINE-31-001 pending); resolved 2025-11-13 once the guardrail/inference bindings shipped and the parameter doc landed. 2025-11-07: DOCS-AIAI-31-007 marked DONE /docs/security/assistant-guardrails.md now documents redaction rules, blocked phrases, telemetry, and alert procedures. 2025-11-03: DOCS-AIAI-31-008 marked BLOCKED Waiting on SBOM heuristics delivery (SBOM-AIAI-31-001). 2025-11-03: DOCS-AIAI-31-009 marked BLOCKED DevOps runbook inputs (DEVOPS-AIAI-31-001) outstanding. 2025-11-03: Shipped /api/v1/advisory/{task} execution and /api/v1/advisory/outputs/{cacheKey} retrieval endpoints with guardrail integration, provenance hashes, and metrics (RBAC & rate limiting still pending Authority scope delivery). 2025-11-06: AIAI-31-007 completed Advisory AI WebService/Worker emit latency histograms, guardrail/validation counters, citation coverage ratios, and OTEL spans; Grafana dashboard + burn-rate alerts refreshed.

2025-11-09: Guardrail harness converted to JSON fixtures + legacy payloads, property-style plan cache load tests added, and file-system cache/output suites cover seeded/offline scenarios. 2025-11-12: Guardrail/perf suite now enforces sub-400ms budgets and binds AdvisoryAI:Guardrails configuration (prompt length, citation toggle, blocked phrase files) so Console surfaces can reflect ops-tuned budgets. 2025-11-02: AIAI-31-004 kicked off orchestration pipeline design establishing deterministic task sequence (summary/conflict/remediation) and cache key strategy. 2025-11-02: AIAI-31-004 orchestration prerequisites documented in docs/modules/advisory-ai/orchestration-pipeline.md (tasks 004A/004B/004C). 2025-11-02: AIAI-31-003 moved to DOING beginning deterministic tooling (comparators, dependency analysis) while awaiting SBOM context client. Semantic & EVR comparators shipped; toolset interface published for orchestrator adoption. 2025-11-04: AIAI-31-004 DONE orchestrator composes evidence (structured/vector/SBOM) with stable cache keys, metadata, and hashing; tests keep determinism enforced. 2025-11-02: Structured + vector retrievers landed with deterministic CSAF/OSV/Markdown chunkers, deterministic hash embeddings, and unit coverage for sample advisories. 2025-11-02: SBOM context request/result models finalized; retriever tests now validate environment-flag toggles and dependency-path dedupe. SBOM guild to wire real context service client. 2025-11-04: AIAI-31-002 completed AddSbomContext typed client registered in WebService/Worker, BaseAddress/tenant headers sourced from configuration, and retriever HTTP-mapping tests extended. 2025-11-04: AIAI-31-003 completed deterministic toolset integrated with orchestrator cache, property/range tests broadened, and dependency analysis outputs now hashed for replay. 2025-11-04: AIAI-31-004A ongoing WebService/Worker queue wiring emits initial metrics, SBOM context hashing feeds cache keys, and replay docs updated ahead of guardrail implementation.

Blockers & dependencies (2025-11-13)

Blocked item Dependency Owner(s) Notes
DOCS-AIAI-31-004 (/docs/advisory-ai/console.md) CONSOLE-VULN-29-001 · CONSOLE-VEX-30-001 · EXCITITOR-CONSOLE-23-001 Docs Guild · Console Guild Screenshots + a11y copy cannot be captured until Console widgets + Excititor feeds ship.
DOCS-AIAI-31-005 (/docs/advisory-ai/cli.md) CLI-VULN-29-001 · CLI-VEX-30-001 · AIAI-31-004C Docs Guild · CLI Guild CLI verbs + outputs not available; doc work paused.
DOCS-AIAI-31-008 (/docs/sbom/remediation-heuristics.md) SBOM-AIAI-31-001 Docs Guild · SBOM Service Guild Needs heuristics kit + API contract.
DOCS-AIAI-31-009 (/docs/runbooks/assistant-ops.md) DEVOPS-AIAI-31-001 Docs Guild · DevOps Guild Runbook automation steps pending DevOps guidance.
SBOM-AIAI-31-003 (/v1/sbom/context hand-off kit) SBOM-AIAI-31-001 SBOM Service Guild · Advisory AI Guild Requires base /v1/sbom/context projection + smoke test plan.
AIAI-31-008 (on-prem/remote inference packaging) AIAI-31-006..007 (guardrail knobs, security guidance) Advisory AI Guild · DevOps Guild Needs finalized guardrail knob doc (done) plus DevOps runbooks before shipping containers/manifests.

Next actions (target: 2025-11-15)

Owner(s) Action Status
Docs Guild · Console Guild Capture screenshot checklist + copy snippets for DOCS-AIAI-31-004 once Console widgets land; pre-draft alt text now. Pending widgets
SBOM Service Guild Publish SBOM-AIAI-31-001 projection doc + ETA for hand-off kit; unblock SBOM-AIAI-31-003 and remediation heuristics doc. Pending
CLI Guild Share outline of stella advise verbs (CLI-VULN/CLI-VEX) so docs can prep structure before GA. Pending
DevOps Guild Provide first draft of DEVOPS-AIAI-31-001 runbook so DOCS-AIAI-31-009 can start. Pending
Advisory AI Guild Scope packaging work for AIAI-31-008 (container manifests, Helm/Compose) now that guardrail knobs doc (DOCS-AIAI-31-006) is live. In planning

Dependency watchlist

Dependency Latest update Impact
CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 DOING as of 2025-11-08; telemetry not yet exposed to docs. Blocks DOCS-AIAI-31-004 screenshots + instructions.
EXCITITOR-CONSOLE-23-001 Not started (per Console backlog). Required for console doc data feed references.
SBOM-AIAI-31-001 ETA requested during Sprint 110 follow-up (2025-11-14). Gate for SBOM-AIAI-31-003 & DOCS-AIAI-31-008.
DEVOPS-AIAI-31-001 Awaiting runbook draft. Gate for DOCS-AIAI-31-009 + AIAI-31-008 packaging guidance.

Standup prompts

  1. Are Console owners on track to deliver widget screenshots/data before 2025-11-15 so DOCS-AIAI-31-004 can close?
  2. Has SBOM-AIAI-31-001 published a projection kit and smoke-test plan to unlock SBOM-AIAI-31-003/DOCS-AIAI-31-008?
  3. When will CLI-VULN-29-001 / CLI-VEX-30-001 expose a beta so DOCS-AIAI-31-005 can resume?
  4. Does DevOps have a draft for DEVOPS-AIAI-31-001 (needed for DOCS-AIAI-31-009) and the packaging work in AIAI-31-008?

Risks (snapshot 2025-11-13)

Risk Impact Mitigation / owner
Console dependencies miss 2025-11-15 DOCS-AIAI-31-004 misses sprint goal, delaying Advisory AI UI documentation. Escalate via Console stand-up; consider temporary mock screenshots if needed.
SBOM-AIAI-31-001 slips again SBOM hand-off kit + remediation heuristics doc stay blocked, delaying customer enablement. SBOM Guild to commit date during Sprint 110 follow-up; escalate if no date.
CLI backlog deprioritized DOCS-AIAI-31-005 + CLI enablement slide. Request interim CLI output samples; coordinate with CLI guild for priority.
DevOps runbook not ready DOCS-AIAI-31-009 + packaging work (AIAI-31-008) suspended. DevOps to share outline even if final automation pending; iterate doc in parallel.