75f6942769
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
- Implemented MigrationCategoryTests to validate migration categorization for startup, release, seed, and data migrations. - Added tests for edge cases, including null, empty, and whitespace migration names. - Created StartupMigrationHostTests to verify the behavior of the migration host with real PostgreSQL instances using Testcontainers. - Included tests for migration execution, schema creation, and handling of pending release migrations. - Added SQL migration files for testing: creating a test table, adding a column, a release migration, and seeding data.
8.6 KiB
8.6 KiB
Sprint 132 · Scanner & Surface
Topic & Scope
- Phase III of Scanner & Surface: harden language analyzers with focus on Node.js VFS/resolution and complete remaining surface capture.
- Implementation order stays sequential across Sprint 130–139; complete upstream sprint 131 items before pulling parallel work.
- Working directory:
src/Scanner(language analyzers undersrc/Scanner/__Libraries).
Dependencies & Concurrency
- Upstream: Sprint 131 (
SCANNER-ANALYZERS-LANG-11-001foundation for .NET analyzer heuristics). - Completed native analyzer stream (NATIVE-20-xxx) provides resolver patterns; reuse determinism and explain-trace patterns.
Documentation Prerequisites
- docs/modules/scanner/architecture.md
- docs/modules/platform/architecture-overview.md
- src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/AGENTS.md
BLOCKED Tasks: Before working on BLOCKED tasks, review BLOCKED_DEPENDENCY_TREE.md for root blockers and dependencies.
Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|---|---|---|---|---|---|
| 1 | SCANNER-ANALYZERS-LANG-11-002 | BLOCKED | Await SCANNER-ANALYZERS-LANG-11-001 foundation from Sprint 131 | StellaOps.Scanner EPDR Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | Implement static analyzer (IL + reflection heuristics) capturing AssemblyRef, ModuleRef/PInvoke, DynamicDependency, reflection literals, DI patterns, and custom AssemblyLoadContext probing hints. Emit dependency edges with reason codes and confidence. |
| 2 | SCANNER-ANALYZERS-LANG-11-003 | BLOCKED | Depends on 11-002; runtime evidence harness pending | StellaOps.Scanner EPDR Guild, Signals Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | Ingest optional runtime evidence (AssemblyLoad, Resolving, P/Invoke) via event listener harness; merge runtime edges with static/declared ones and attach reason codes/confidence. |
| 3 | SCANNER-ANALYZERS-LANG-11-004 | BLOCKED | Depends on 11-003 | StellaOps.Scanner EPDR Guild, SBOM Service Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | Produce normalized observation export to Scanner writer: entrypoints + dependency edges + environment profiles (AOC compliant). Wire to SBOM service entrypoint tagging. |
| 4 | SCANNER-ANALYZERS-LANG-11-005 | BLOCKED | Depends on 11-004 | StellaOps.Scanner EPDR Guild, QA Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | Add comprehensive fixtures/benchmarks covering framework-dependent, self-contained, single-file, trimmed, NativeAOT, multi-RID scenarios; include explain traces and perf benchmarks vs previous analyzer. |
| 5 | SCANNER-ANALYZERS-NATIVE-20-001 | DONE | — | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Implement format detector and binary identity model supporting ELF, PE/COFF, and Mach-O (including fat slices). Capture arch, OS, build-id/UUID, interpreter metadata. |
| 6 | SCANNER-ANALYZERS-NATIVE-20-002 | DONE | — | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Parse ELF dynamic sections: DT_NEEDED, DT_RPATH, DT_RUNPATH, symbol versions, interpreter, and note build-id. Emit declared dependency records with reason elf-dtneeded and attach version needs. |
| 7 | SCANNER-ANALYZERS-NATIVE-20-003 | DONE | — | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Parse PE imports, delay-load tables, manifests/SxS metadata, and subsystem flags. Emit edges with reasons pe-import and pe-delayimport, plus SxS policy metadata. |
| 8 | SCANNER-ANALYZERS-NATIVE-20-004 | DONE | — | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Parse Mach-O load commands (LC_LOAD_DYLIB, LC_REEXPORT_DYLIB, LC_RPATH, LC_UUID, fat headers). Handle @rpath/@loader_path placeholders and slice separation. |
| 9 | SCANNER-ANALYZERS-NATIVE-20-005 | DONE | — | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Implement resolver engine modeling loader search order for ELF (rpath/runpath/cache/default), PE (SafeDll search + SxS), and Mach-O (@rpath expansion). Works against virtual image roots, producing explain traces. |
| 10 | SCANNER-ANALYZERS-NATIVE-20-006 | DONE | — | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Build heuristic scanner for dlopen/LoadLibrary strings, plugin ecosystem configs, and Go/Rust static hints. Emit edges with reason_code (string-dlopen, config-plugin, ecosystem-heuristic) and confidence levels. |
| 11 | SCANNER-ANALYZERS-NATIVE-20-007 | DONE | — | Native Analyzer Guild, SBOM Service Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Serialize AOC-compliant observations: entrypoints + dependency edges + environment profiles (search paths, interpreter, loader metadata). Integrate with Scanner writer API. |
| 12 | SCANNER-ANALYZERS-NATIVE-20-008 | DONE | — | Native Analyzer Guild, QA Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Author cross-platform fixtures (ELF dynamic/static, PE delay-load/SxS, Mach-O @rpath, plugin configs) and determinism benchmarks (<25 ms / binary, <250 MB). |
| 13 | SCANNER-ANALYZERS-NATIVE-20-009 | DONE | — | Native Analyzer Guild, Signals Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Provide optional runtime capture adapters (Linux eBPF dlopen, Windows ETW ImageLoad, macOS dyld interpose) writing append-only runtime evidence. Include redaction/sandbox guidance. |
| 14 | SCANNER-ANALYZERS-NATIVE-20-010 | DONE | — | Native Analyzer Guild, DevOps Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Package native analyzer as restart-time plug-in with manifest/DI registration; update Offline Kit bundle + documentation. |
| 15 | SCANNER-ANALYZERS-NODE-22-001 | DONE | VFS/input normalizer implemented for dirs/tgz/container layers/pnpm/Yarn PnP; Node version detection wired | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | Build input normalizer + VFS for Node projects: dirs, tgz, container layers, pnpm store, Yarn PnP zips; detect Node version targets and workspace roots deterministically. |
| 16 | SCANNER-ANALYZERS-NODE-22-002 | DONE | Entrypoint discovery expanded; condition sets emitted | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | Implement entrypoint discovery (bin/main/module/exports/imports, workers, electron, shebang scripts) and condition set builder per entrypoint. |
| 17 | SCANNER-ANALYZERS-NODE-22-003 | DONE | Import walker supports dynamic patterns + source maps with confidence tagging | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | Parse JS/TS sources for static import, require, import() and string concat cases; flag dynamic patterns with confidence levels; support source map de-bundling. |
| 18 | SCANNER-ANALYZERS-NODE-22-004 | DONE | Node resolver engine integrated (core modules, exports/imports maps, extension precedence, self refs) | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | Implement Node resolver engine for CJS + ESM (core modules, exports/imports maps, conditions, extension priorities, self-references) parameterised by node_version. |
| 19 | SCANNER-ANALYZERS-NODE-22-005 | DONE | Yarn PnP + pnpm virtual store adapters operational via VFS | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | Add package manager adapters: Yarn PnP (.pnp.data/.pnp.cjs), pnpm virtual store, npm/Yarn classic hoists; operate entirely in virtual FS. |
Execution Log
| Date (UTC) | Update | Owner |
|---|---|---|
| 2025-12-01 | Normalized sprint file to standard template; preserved existing tasks and statuses. | Planning |
| 2025-12-01 | Started Node stream tasks 22-001 → 22-005 (Scanner & Surface phase III). | Node Analyzer Guild |
| 2025-12-01 | Completed Node stream tasks 22-001 → 22-005; VFS/resolver/import walker shipped with updated fixtures and tests. | Node Analyzer Guild |
Decisions & Risks
- DotNet analyzer stream (11-002 → 11-005) remains blocked pending foundation task
SCANNER-ANALYZERS-LANG-11-001from Sprint 131. - Native analyzer stream (NATIVE-20-001 → NATIVE-20-010) completed with 165 passing tests; serves as reference for determinism and resolver explain traces.
- Missing components for Sprint 132 (Node stream): VFS for container layers/pnpm/Yarn PnP, exports/imports condition builder, dynamic import analysis with confidence, Node resolver, pnpm virtual store adapter.
Next Checkpoints
- None scheduled; align asynchronously with upstream Sprint 131 completion and Node guild milestones.