git.stella-ops.org/docs/implplan/SPRINT_0142_0001_0001_sbomservice.md
StellaOps Bot 6a299d231f
Add unit tests for Router configuration and transport layers
- Implemented tests for RouterConfig, RoutingOptions, StaticInstanceConfig, and RouterConfigOptions to ensure default values are set correctly.
- Added tests for RouterConfigProvider to validate configurations and ensure defaults are returned when no file is specified.
- Created tests for ConfigValidationResult to check success and error scenarios.
- Developed tests for ServiceCollectionExtensions to verify service registration for RouterConfig.
- Introduced UdpTransportTests to validate serialization, connection, request-response, and error handling in UDP transport.
- Added scripts for signing authority gaps and hashing DevPortal SDK snippets.
2025-12-05 08:01:47 +02:00

Sprint 0142_0001_0001 · Runtime & Signals — SBOM Service

Topic & Scope

  • Runtime & Signals stream focusing on SBOM Service projections, APIs, and orchestrator integration to support Advisory AI, Console, Graph overlays, and Vuln Explorer consumers.
  • Freeze Link-Not-Merge (LNM) v1 SBOM projection schema and publish deterministic read APIs (paths, timelines, projections) with strict tenant enforcement.
  • Integrate SBOM ingest/index with orchestrator backpressure and reconciliation and emit events for downstream graph/indexer pipelines.
  • Working directory: src/SbomService/StellaOps.SbomService.

Dependencies & Concurrency

  • Upstream: Sprint 120.A (AirGap); Sprint 130.A (Scanner); Sprint 0131_scanner_surface; Sprint 0132_scanner_surface (renamed).
  • Concurrency: Track alongside other Runtime & Signals 140-series sprints; safe in parallel if orchestrator contracts stay stable.

Documentation Prerequisites

  • docs/README.md
  • docs/07_HIGH_LEVEL_ARCHITECTURE.md
  • docs/modules/platform/architecture-overview.md
  • docs/modules/sbomservice/architecture.md (module dossier).

BLOCKED Tasks: Before working on BLOCKED tasks, review BLOCKED_DEPENDENCY_TREE.md for root blockers and dependencies.

Delivery Tracker

| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| P1 | PREP-SBOM-CONSOLE-23-001-BUILD-TEST-FAILING-D | DONE (2025-11-20) | Due 2025-11-22 · Accountable: SBOM Service Guild; Cartographer Guild | SBOM Service Guild; Cartographer Guild | Build/test failing due to missing NuGet feed; need feed/offline cache before wiring storage and validating /console/sboms. Deliverable: offline feed plan + cache in local-nugets/; doc at docs/modules/sbomservice/offline-feed-plan.md; script tools/offline/fetch-sbomservice-deps.sh hydrates required packages. |
| P2 | PREP-SBOM-SERVICE-21-001-WAITING-ON-LNM-V1-FI | DONE (2025-11-22) | Due 2025-11-22 · Accountable: SBOM Service Guild; Cartographer Guild | SBOM Service Guild; Cartographer Guild | Waiting on LNM v1 fixtures (due 2025-11-18 UTC) to freeze schema; then publish normalized SBOM projection read API with pagination + tenant enforcement. Prep artefacts: docs/modules/sbomservice/prep/2025-11-20-sbom-service-21-001-prep.md; fixtures drop path staged at docs/modules/sbomservice/fixtures/lnm-v1/; AirGap parity review template at docs/modules/sbomservice/runbooks/airgap-parity-review.md. |
| P3 | PREP-BUILD-INFRA-SBOM-SERVICE-GUILD-BLOCKED-M | DONE (2025-11-22) | Due 2025-11-22 · Accountable: Planning | Planning | BLOCKED (multiple restore attempts still hang/fail; need vetted feed/cache). Document artefact/deliverable for Build/Infra · SBOM Service Guild and publish location so downstream tasks can proceed. Prep artefact: docs/modules/sbomservice/prep/2025-11-20-build-infra-prep.md. |
| 1 | SBOM-AIAI-31-001 | DONE | Implemented /sbom/paths with env/blast-radius/runtime flags + cursor paging and /sbom/versions timeline; in-memory deterministic seed until storage wired. | SBOM Service Guild (src/SbomService/StellaOps.SbomService) | Provide path and version timeline endpoints optimised for Advisory AI. |
| 2 | SBOM-AIAI-31-002 | DONE | Metrics + cache-hit tagging implemented; Grafana starter dashboard added; build/test completed locally. | SBOM Service Guild; Observability Guild | Instrument metrics for path/timeline queries and surface dashboards. |
| 3 | SBOM-CONSOLE-23-001 | DONE (2025-12-03) | DEVOPS-SBOM-23-001 feed delivered; console catalog endpoint implemented and tested (dotnet test ... --filter Console_). | SBOM Service Guild; Cartographer Guild | Provide Console-focused SBOM catalog API. |
| 4 | SBOM-CONSOLE-23-002 | DONE (2025-12-03) | Component lookup endpoint validated (tests passing with pagination/filtering); using vetted feed and seeded data until storage wiring lands. | SBOM Service Guild | Deliver component lookup endpoints for search and overlays. |
| 16 | SBOM-CONSOLE-23-101-STORAGE | DONE (2025-12-04) | Follow-up to replace seeded catalog/component lookup with Mongo-backed storage and update docs/tests. | SBOM Service Guild | Wire console catalog + component lookup to storage/outbox and refresh fixtures/docs for release. |
| 5 | SBOM-ORCH-32-001 | DONE (2025-11-23) | In-memory orchestrator source registry with deterministic seeds + idempotent registration exposed at /internal/orchestrator/sources. | SBOM Service Guild | Register SBOM ingest/index sources with orchestrator. |
| 6 | SBOM-ORCH-33-001 | DONE (2025-11-23) | Pause/throttle/backpressure controls added via /internal/orchestrator/control; metrics emitted; states deterministic per-tenant. | SBOM Service Guild | Report backpressure metrics and handle orchestrator control signals. |
| 7 | SBOM-ORCH-34-001 | DONE (2025-11-23) | Watermark store + endpoints (/internal/orchestrator/watermarks) added to track backfill/watermark reconciliation; deterministic ordering. | SBOM Service Guild | Implement orchestrator backfill + watermark reconciliation. |
| 8 | SBOM-SERVICE-21-001 | DONE (2025-11-23) | WAF aligned; projection tests pass with fixture-backed in-memory repo; duplicate test PackageReferences removed. | SBOM Service Guild; Cartographer Guild | Projection read API (/sboms/{snapshotId}/projection) validated with hash output; ready to proceed to storage-backed wiring/events. |
| 9 | SBOM-SERVICE-21-002 | DONE (2025-11-23) | Emits sbom.version.created change events via in-memory publisher; internal /internal/sbom/events + backfill endpoint wired; component lookup cursor fixed. | SBOM Service Guild; Scheduler Guild | Emit change events carrying digest/version metadata for Graph Indexer builds. |
| 10 | SBOM-SERVICE-21-003 | DONE (2025-11-23) | Depends on SBOM-SERVICE-21-002; entrypoint/service node API delivered (GET/POST /entrypoints with tenant guard, deterministic ordering, in-memory seed). | SBOM Service Guild | Provide entrypoint/service node management API. |
| 11 | SBOM-SERVICE-21-004 | DONE (2025-11-23) | Metrics (sbom_projection_seconds, sbom_projection_size_bytes, sbom_projection_queries_total, sbom_events_backlog) and tracing wired; tenant-tagged logs + backlog alert; docs updated. | SBOM Service Guild; Observability Guild | Wire observability for SBOM projections. |
| 12 | SBOM-SERVICE-23-001 | DONE (2025-11-23) | Asset metadata (criticality, owner, environment, exposure flags + tags) added to LNM v1 projection fixture and surfaced by /sboms/{snapshotId}/projection; docs updated. | SBOM Service Guild; Policy Guild | Extend projections to include asset metadata. |
| 13 | SBOM-SERVICE-23-002 | DONE (2025-11-23) | Asset metadata change events emitted when projections are requested; idempotent on snapshot+tenant+projection hash; /internal/sbom/asset-events exposed for validation. | SBOM Service Guild; Platform Events Guild | Emit asset metadata change events. |
| 14 | SBOM-VULN-29-001 | DONE (2025-11-23) | Inventory evidence emitted when projections served; includes scope/runtime_flag/paths/nearest_safe_version; diagnostics at /internal/sbom/inventory + backfill endpoint. | SBOM Service Guild | Emit inventory evidence for vulnerability flows. |
| 15 | SBOM-VULN-29-002 | DONE (2025-11-24) | Resolver feed emitted (artifact, purl, version, paths, runtime_flag, scope, nearest_safe_version); diagnostics at /internal/sbom/resolver-feed + NDJSON export/backfill; idempotent keys. | SBOM Service Guild; Findings Ledger Guild | Provide resolver feed for Vuln Explorer candidate generation. |

Action Tracker

| Action | Owner(s) | Due | Status |
| --- | --- | --- | --- |
| Provide LNM v1 fixtures for SBOM projections. | Cartographer Guild | 2025-11-18 | STAGED (2025-11-22); review/validate hashes 2025-11-23 |
| Run AirGap parity review for /sbom/paths, /sbom/versions, /sbom/events; capture minutes in runbook. | Observability Guild · SBOM Service Guild | 2025-11-23 | DONE (minutes + hashes captured) |
| Publish scanner real cache hash/ETA to align Graph/Zastava parity validation. | Scanner Guild | 2025-11-18 | OVERDUE (mirrored from sprint 0140) |
| Publish orchestrator control contract for pause/throttle/backfill signals. | Orchestrator Guild | 2025-11-19 | Pending |
| Create src/SbomService/AGENTS.md (roles, prerequisites, determinism/testing rules). | SBOM Service Guild · Module PM | 2025-11-19 | DONE |
| Supply NuGet feed/offline cache (allow Microsoft.IdentityModel.Tokens >=8.14.0, Pkcs11Interop >=4.1.0) so SbomService builds/tests can run. | Build/Infra · SBOM Service Guild | 2025-11-20 | PREP-BUILD-INFRA-SBOM-SERVICE-GUILD-BLOCKED-M |

Execution Log

| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-04 | SBOM-CONSOLE-23-101-STORAGE marked DONE: Mongo-backed catalog + component lookup with configurable collections; docs updated; tests (dotnet test src/SbomService/StellaOps.SbomService.Tests/StellaOps.SbomService.Tests.csproj --nologo) pass. | Implementer |
| 2025-12-04 | SBOM-CONSOLE-23-101-STORAGE moved to DOING; starting Mongo-backed wiring for console catalog/component lookup. | Project Mgmt |
| 2025-12-03 | SBOM-CONSOLE-23-002 marked DONE after component lookup pagination/filter tests (`dotnet test ... --filter Console_ Components_lookup_requires_purl_and_paginates --no-build`) passed; endpoint validated with vetted feed + seeded data. | |
| 2025-12-03 | SBOM-CONSOLE-23-001 marked DONE after console endpoint tests (dotnet test src/SbomService/StellaOps.SbomService.Tests/StellaOps.SbomService.Tests.csproj --no-build --filter Console_) passed. SBOM-CONSOLE-23-002 moved to DOING. | Project Mgmt |
| 2025-12-03 | Ran targeted console endpoint test (dotnet test ... --filter Console_sboms_supports_filters_and_cursor --no-build); passes. SBOM-CONSOLE-23-001 remains DOING. | Implementer |
| 2025-12-02 | Started SBOM-CONSOLE-23-001 with DEVOPS-SBOM-23-001 feed; status → DOING. SBOM-CONSOLE-23-002 remains TODO pending 23-001 outputs and schema validation. | Project Mgmt |
| 2025-12-02 | DEVOPS-SBOM-23-001 delivered (Sprint 503): vetted offline feed + CI proof available. Unblocked SBOM-CONSOLE-23-001/002 and reset to TODO; console implementation can proceed. | Project Mgmt |
| 2025-11-23 | Implemented sbom.version.created events (in-memory publisher + /internal/sbom/events + backfill); fixed component lookup pagination cursor; SbomService tests now passing (SbomEvent/Sbom/Projection suites). SBOM-SERVICE-21-002 marked DONE. | SBOM Service |
| 2025-11-23 | Delivered entrypoint/service node API (GET/POST /entrypoints with tenant guard, deterministic ordering, in-memory seed). SBOM-SERVICE-21-003 marked DONE. | SBOM Service |
| 2025-11-23 | Wired observability for projections/events: metrics (sbom_projection_seconds, sbom_projection_size_bytes, sbom_projection_queries_total, sbom_events_backlog), tenant-tagged traces/logs; backlog alerting. SBOM-SERVICE-21-004 marked DONE. | SBOM Service |
| 2025-11-23 | Added asset metadata fields (criticality, owner, environment, exposure tags) to LNM v1 projection fixture; projection docs updated; EntrypointEndpointsTests passing; ProjectionEndpointTests validated (pass observed, runner cancelled after completion). SBOM-SERVICE-23-001 marked DONE. | SBOM Service |
| 2025-11-23 | Emitted sbom.asset.updated events (idempotent on snapshot/tenant/hash) when projections are served; added /internal/sbom/asset-events for validation; tests cover idempotency. SBOM-SERVICE-23-002 marked DONE. | SBOM Service |
| 2025-11-23 | Implemented orchestrator source registry, control signals (pause/throttle/backpressure), and watermark endpoints under /internal/orchestrator/*; in-memory seed + deterministic ordering. SBOM-ORCH-32/33/34-001 marked DONE. | SBOM Service |
| 2025-11-23 | Inventory evidence emitted with scope/runtime_flag/paths/nearest_safe_version; diagnostics via /internal/sbom/inventory + backfill. SBOM-VULN-29-001 marked DONE. | SBOM Service |
| 2025-11-24 | Ran full SbomService test suite (dotnet test ... --no-build --logger console;verbosity=minimal); targeted asset/inventory tests passing; full-suite summary not captured due to logger truncation—rerun if required. | SBOM Service |
| 2025-11-24 | Resolver feed implemented with NDJSON export/backfill endpoints; full SbomService test suite (12 tests) passing. SBOM-VULN-29-002 marked DONE. | SBOM Service |
| 2025-11-23 | Split build/feed blocker into DEVOPS-SBOM-23-001 (SPRINT_0503_0001_0001_ops_devops_i); SBOM-CONSOLE-23-001/002 remain BLOCKED pending ops feed + CI proof. | Project Mgmt |
| 2025-11-23 | ProjectionEndpointTests now pass (400/200 responses); WAF configured with fixture path + in-memory component repo; duplicate test PackageReferences removed. SBOM-SERVICE-21-001 marked DONE. | SBOM Service |
| 2025-11-23 | Added Mongo fallback to in-memory component lookup to keep tests/offline runs alive; WebApplicationFactory still returns HTTP 500 for projection endpoints (manual curl against dotnet run returns 400/200). Investigation pending; SBOM-SERVICE-21-001 remains DOING. | SBOM Service |
| 2025-11-23 | Fixed test package references (FluentAssertions, Microsoft.AspNetCore.Mvc.Testing, xUnit) and attempted dotnet test --filter ProjectionEndpointTests; build runs but projection endpoint responses returned HTTP 500 instead of expected 400/200, leaving SBOM-SERVICE-21-001 in DOING pending investigation. | SBOM Service |
| 2025-11-23 | Re-ran clean + dotnet test after adding in-memory fallback; WebApplicationFactory still 500s on projection endpoints even when tenant missing; duplicate PackageReference warning persists in test csproj. Marking SBOM-SERVICE-21-001 effectively BLOCKED on WAF startup/config alignment. | SBOM Service |
| 2025-11-23 | AirGap parity review executed; fixture hash recorded in docs/modules/sbomservice/fixtures/lnm-v1/SHA256SUMS; SBOM-SERVICE-21-001 → DOING. | Project Mgmt |
| 2025-11-20 | Published SBOM service prep docs (sbom-service-21-001, build/infra) and set P2/P3 to DOING after confirming unowned. | Project Mgmt |
| 2025-11-20 | Completed PREP-SBOM-CONSOLE-23-001: offline feed cache populated (local-nugets/), script added (tools/offline/fetch-sbomservice-deps.sh), doc published at docs/modules/sbomservice/offline-feed-plan.md. | Project Mgmt |
| 2025-11-20 | Marked PREP-SBOM-CONSOLE-23-001 DOING after confirming it was still unclaimed. | Project Mgmt |
| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
| 2025-11-17 | Normalised sprint to standard template and renamed from SPRINT_142_sbomservice.md; no scope changes. | Project Mgmt |
| 2025-11-17 | Flagged need for SBOM Service module dossier as documentation prerequisite. | Project Mgmt |
| 2025-11-17 | Authored docs/modules/sbomservice/architecture.md; added to prerequisites; set SBOM-SERVICE-21-001 to BLOCKED pending LNM v1 fixtures. | Project Mgmt |
| 2025-11-17 | Delivered Advisory AI path/timeline endpoints (/sbom/paths, /sbom/versions) with deterministic seed + tests; SBOM-AIAI-31-001 marked DONE. | SBOM Service |
| 2025-11-17 | Added latency/query metrics for Advisory AI endpoints; dashboards + cache-hit tracking to follow. | SBOM Service |
| 2025-11-17 | Implemented stub /console/sboms with filters, cursor paging, evaluation metadata; seeded deterministic catalog for UI/Console consumers. | SBOM Service |
| 2025-11-17 | Attempted dotnet test for SbomService.Tests; aborted ~45s due to repo-wide build churn. | SBOM Service |
| 2025-11-17 | Added cache-hit tagging on metrics for paths/versions/console catalog; tests still pending due to build abort. | SBOM Service |
| 2025-11-18 | Scoped builds (dotnet build on SbomService csproj/solution) repeatedly aborted by cross-solution churn; tests remain unrun. | SBOM Service |
| 2025-11-18 | Additional targeted build of StellaOps.SbomService.csproj aborted (~48s) due to repo churn; testing still blocked. | SBOM Service |
| 2025-11-18 | Marked SBOM-AIAI-31-002 BLOCKED (needs validated metrics & dashboards) and SBOM-CONSOLE-23-002 DOING (stub implemented, blocked on validation). | SBOM Service |
| 2025-11-19 | Marked SBOM-CONSOLE-23-002 BLOCKED pending storage wiring and console schema approval. | Implementer |
| 2025-11-18 | Build attempt with /p:BuildProjectReferences=false failed at restore (~11s); unable to validate code path changes. | SBOM Service |
| 2025-11-18 | Added Grafana starter dashboard (Observability/sbomservice-grafana-dashboard.json) and README notes; metrics still unvalidated pending successful builds. | SBOM Service |
| 2025-11-18 | Fixed NuGet feed mapping, restored, built, and ran tests successfully for SbomService; SBOM-AIAI-31-002 marked DONE; SBOM-CONSOLE-23-002 validated at stub level. | SBOM Service |
| 2025-11-18 | Re-ran restore/build/test (no-build) successfully after fixing module NuGet config; feeds now resolving. | SBOM Service |
| 2025-11-18 | Another targeted dotnet build on SbomService failed ~13s into compile (repo churn); no tests executed. | SBOM Service |
| 2025-11-18 | Marked SBOM-AIAI-31-002 and SBOM-CONSOLE-23-001 BLOCKED due to missing src/SbomService/AGENTS.md; implementation paused until charter is published. | Implementer |
| 2025-11-18 | Added Action Tracker and tracked new AGENTS creation task (AGENTS-SBOMSERVICE) to unblock implementation. | Implementer |
| 2025-11-18 | Added src/SbomService/AGENTS.md; unblocked SBOM-AIAI-31-002 and SBOM-CONSOLE-23-001 (statuses set to DOING). | Implementer |
| 2025-11-18 | dotnet test src/SbomService/StellaOps.SbomService.Tests/StellaOps.SbomService.Tests.csproj --no-build failed: missing required NuGet feed URL; tests remain unvalidated pending feed configuration. | Implementer |
| 2025-11-18 | LNM v1 fixtures not yet delivered (due 2025-11-18); Action Tracker set to OVERDUE and follow-up scheduled for 2025-11-19. | Implementer |
| 2025-11-18 | Re-classified SBOM-AIAI-31-002 and SBOM-CONSOLE-23-001 as BLOCKED pending NuGet feed/offline cache for builds/tests. | Implementer |
| 2025-11-18 | Added local NuGet.Config and retried restore; still failing with NU1100 (Microsoft.IdentityModel.Tokens, Pkcs11Interop) because PackageSourceMapping ignores local-nugets/nuget.org. Restore blocked until sources are allowed or packages cached. | Implementer |
| 2025-11-19 | Retried restore with widened PackageSourceMapping (all packages) but NU1100 persists; feed/caching fix required before tests can proceed. | Implementer |
| 2025-11-19 | Added root NuGet.Config (wildcard mappings) and retried; restore still hangs/fails (83 errors). Build/test remain blocked pending vetted feed/cache. | Implementer |
| 2025-11-19 | Downloaded packages (Tokens 8.14.0, Pkcs11Interop 4.1.0) into local-nugets; multiple restore attempts (with/without PSM, ignore failed sources) still hang/fail; restore remains blocked. | Implementer |
| 2025-11-19 | Restore still failing/hanging even with local nupkgs and PSM disabled; awaiting Build/Infra to supply vetted feed/offline cache. | Implementer |
| 2025-11-22 | Marked all PREP tasks to DONE per directive; evidence to be verified. | Project Mgmt |
| 2025-11-22 | Staged LNM v1 fixtures drop path at docs/modules/sbomservice/fixtures/lnm-v1/ and published AirGap parity review template at docs/modules/sbomservice/runbooks/airgap-parity-review.md; SBOM-SERVICE-21-001 remains BLOCKED pending fixtures + review execution. | Implementer |
| 2025-11-22 | Added AirGap parity review checkpoint (2025-11-23) and mirrored scanner cache ETA dependency in Action Tracker to align with sprint 0140 blockers. | Implementer |
| 2025-11-22 | Added placeholder SHA256SUMS under docs/modules/sbomservice/fixtures/lnm-v1/ to mark hash drop site; replace with real fixture hashes once published. | Implementer |

Decisions & Risks

  • LNM v1 fixtures staged (2025-11-22) and approved; hash recorded in docs/modules/sbomservice/fixtures/lnm-v1/SHA256SUMS. SBOM-SERVICE-21-001/002/003/004 are DONE.
  • DEVOPS-SBOM-23-001 delivered 2025-11-30 (Sprint 503) providing vetted offline feed + CI proof; SBOM-CONSOLE-23-001 and SBOM-CONSOLE-23-002 are DONE (2025-12-03) using vetted feed + seeded data.
  • SBOM-CONSOLE-23-101-STORAGE (2025-12-04): /console/sboms and /components/lookup now use Mongo-backed repositories when SbomService:Mongo:ConnectionString is set (configurable database/collection names); fallback to fixture/in-memory seeds remains for air-gapped runs. Docs updated in docs/modules/sbomservice/architecture.md.
  • Projection endpoint validated (400 without tenant, 200 with fixture data) via WebApplicationFactory (abbreviated WAF in this sprint; not a web application firewall); WAF configured with fixture path + in-memory component repo fallback.
  • sbom.version.created now emitted via in-memory publisher with /internal/sbom/events + backfill endpoint; production outbox/queue wiring still required before release.
  • Component lookup pagination now returns deterministic nextCursor for seeded data (fixed null cursor bug).
  • Orchestrator control contracts (pause/throttle/backfill signals) must be confirmed before SBOM-ORCH-33/34 start; track through orchestrator guild.
  • Keep docs/modules/sbomservice/architecture.md aligned with schema/event decisions made during implementation.
  • sbom.asset.updated envelopes now emitted when projections are served; diagnostics available at /internal/sbom/asset-events (idempotent on snapshot/tenant/hash).
  • Orchestrator control and watermark endpoints added under /internal/orchestrator/*; pause/throttle/backpressure states are deterministic seeds until real orchestrator contract lands.
  • Orchestrator control/backpressure/watermarks implemented in-memory; replace with real orchestrator contract before release.
  • Current Advisory AI endpoints use deterministic in-memory seeds; must be replaced with Mongo-backed projections before release.
  • Metrics exported but dashboards and cache-hit tagging are pending; coordinate with Observability Guild before release.
  • SBOM-AIAI-31-002 stays pending dashboards + validated metrics; feeds/builds now healthy after offline cache fixes.
  • AGENTS.md for src/SbomService added 2025-11-18; implementers must read before coding.
  • AirGap parity review template published at docs/modules/sbomservice/runbooks/airgap-parity-review.md; review execution still required for air-gapped signoff on SBOM-SERVICE-21-002..004 (21-001 implementation validated locally).
  • Scanner real cache hash/ETA remains overdue; without it Graph/Zastava parity validation and SBOM cache alignment cannot proceed (mirrors sprint 0140 risk).
  • AirGap parity review scheduled for 2025-11-23; minutes, metrics, and fixture hash list must be captured in runbook and mirrored in Decisions & Risks to close BLOCKED state.

Next Checkpoints

| Date (UTC) | Session | Goal | Owner(s) |
| --- | --- | --- | --- |
| 2025-11-19 | LNM v1 fixtures follow-up | Secure delivery or revised ETA for Link-Not-Merge v1 fixtures; unblock SBOM-SERVICE-21-001. | Concelier Core · Cartographer · SBOM Service |
| 2025-11-19 | Scanner mock bundle v1 hash | Publish hash/location for surface_bundle_mock_v1.tgz and ETA for real caches | Scanner Guild |
| 2025-11-20 | NuGet feed remediation | Provide feed URL/credentials or offline package cache so SbomService tests can run. | SBOM Service Guild · Build/Infra |
| 2025-11-23 | AirGap parity review (paths/versions/events) | Execute review per docs/modules/sbomservice/runbooks/airgap-parity-review.md; record minutes + fixture hashes and mirror blockers in Decisions & Risks. | Observability Guild · SBOM Service Guild · Cartographer Guild |