- Added VulnTokenSigner for signing JWT tokens with specified algorithms and keys.
- Introduced VulnTokenUtilities for resolving tenant and subject claims, and sanitizing context dictionaries.
- Created VulnTokenVerificationUtilities for parsing tokens, verifying signatures, and deserializing payloads.
- Developed VulnWorkflowAntiForgeryTokenIssuer for issuing anti-forgery tokens with configurable options.
- Implemented VulnWorkflowAntiForgeryTokenVerifier for verifying anti-forgery tokens and validating payloads.
- Added AuthorityVulnerabilityExplorerOptions to manage configuration for vulnerability explorer features.
- Included tests for FilesystemPackRunDispatcher to ensure proper job handling under egress policy restrictions.
Sprint Index

Follow the sprint files below in order. Update task status in both SPRINTS and module TASKS.md as you progress.

- Identity & Signing
- Ingestion & Evidence
- Policy & Reasoning
- Scanner & Surface
- Runtime & Signals
- Scheduling & Automation
- Export & Evidence
- Notifications & Telemetry
- Experience & SDKs
- Ops & Offline
- Documentation & Process
2025-11-03: AIRGAP-POL-57-002 confirmed DOING (AirGap Policy Guild, Task Runner Guild) – continuing Task Runner sealed-mode egress validation and test sweep.
2025-11-03: AIRGAP-POL-57-002 marked DONE (AirGap Policy Guild, Task Runner Guild) – worker now injects `IEgressPolicy`, filesystem dispatcher enforces sealed-mode egress, planner grants normalized, sealed-mode dispatcher test added; follow-up queued to lift remaining dispatchers/executors onto the shared policy before sealing the full worker loop.
2025-11-03: MERGE-LNM-21-001 moved to DOING (BE-Merge, Architecture Guild) – drafting `no-merge` migration playbook outline and capturing rollout/backfill checkpoints.
2025-11-03: MERGE-LNM-21-001 marked DONE – published `docs/migration/no-merge.md` with rollout, backfill, validation, and rollback guidance for the LNM cutover.
2025-11-03: MERGE-LNM-21-002 moved to DOING (BE-Merge) – auditing `AdvisoryMergeService` call sites to scope removal and analyzer enforcement.
2025-11-03: DOCS-LNM-22-008 moved to DOING (Docs Guild, DevOps Guild) – aligning migration playbook structure and readiness checklist.
2025-11-03: DOCS-LNM-22-008 marked DONE – `/docs/migration/no-merge.md` published for DevOps/Export Center planning with checklist for cutover readiness.
2025-11-01: SCANNER-ANALYZERS-LANG-10-308R marked DONE (Language Analyzer Guild) – heuristics fixtures, benchmarks, and coverage comparison published.
2025-11-01: SCANNER-ANALYZERS-LANG-10-309R marked DONE (Language Analyzer Guild) – Rust analyzer packaged with offline kit smoke tests and docs.
2025-11-01: ENTRYTRACE-SURFACE-01 moved to DOING (EntryTrace Guild) – wiring Surface.Validation and Surface.FS reuse ahead of EntryTrace runs.
2025-11-01: AUTH-OBS-50-001 (Sprint 50 – Observability & Forensics) moved to DOING (Authority Core & Security Guild).
2025-11-01: AUTH-PACKS-41-001 moved to DOING (Authority Core & Security Guild) – add Packs.* scopes to Authority.
2025-11-01: AUTH-OBS-55-001 (Sprint 55 – Observability & Forensics) moved to DOING (Authority Core & Security Guild, Ops Guild).
2025-11-01: TASKRUN-41-001 moved to DOING (Task Runner Guild) – request packs.* scopes when calling Authority.
2025-11-01: PACKS-REG-41-001 moved to DOING (Packs Registry Guild) – enforce packs.* scopes for registry publish/run flows.
2025-11-01: ATTEST-VERIFY-74-001 re-opened and set to DOING to unblock build/test regressions (Verification Guild, Observability Guild).
2025-11-01: ATTEST-VERIFY-74-001 marked DONE after configuration and test fixes (Verification Guild, Observability Guild).
2025-11-01: AUTH-AIAI-31-001 marked DONE (Authority Core & Security Guild) – Advisory AI scopes published and remote inference toggles documented.
2025-11-01: AUTH-AIRGAP-56-001 moved to DOING (Authority Core & Security Guild) – add airgap scope catalogue and defaults.
2025-11-01: AUTH-AIRGAP-56-002 moved to DOING (Authority Core & Security Guild) – implement airgap audit endpoint and logging.
2025-11-01: ISSUER-30-001 marked DONE (Issuer Directory Guild) – Issuer Directory service scaffolded with CRUD APIs, audit sink, CSAF seed import, and unit tests.
2025-11-01: ISSUER-30-002 marked DONE (Issuer Directory Guild, Security Guild) – Key management domain, Mongo persistence, CRUD/rotate/revoke endpoints, validation, and tests delivered.
2025-11-01: ISSUER-30-004 marked DONE (Issuer Directory Guild, VEX Lens Guild) – Excititor worker consumes issuer directory client for key/trust lookup with cached offline support.
2025-11-01: ISSUER-30-005 marked DONE (Issuer Directory Guild, Observability Guild) – Issuer Directory service emits structured logs + metrics for issuer/key flows with OTEL meter.
2025-11-02: SURFACE-ENV-01 moved to DOING (Surface Env Guild) – drafting shared environment spec for Scanner/Zastava.
2025-11-02: SURFACE-ENV-02 moved to DOING (Surface Env Guild) – implementing typed environment resolver and unit tests.
2025-11-02: SURFACE-VAL-01 moved to DOING (Surface Validation Guild) – aligning design document with implementation plan.
2025-11-02: SURFACE-FS-01 moved to DOING (Surface FS Guild) – finalising cache layout and manifest spec.
2025-11-02: SURFACE-FS-02 moved to DOING (Surface FS Guild) – building core abstractions and deterministic serializers.
2025-11-02: SURFACE-SECRETS-01 moved to DOING (Surface Secrets Guild) – updating secrets design for provider matrix.
2025-11-02: SURFACE-SECRETS-02 moved to DOING (Surface Secrets Guild) – implementing base providers + tests.
2025-11-02: AUTH-POLICY-27-002 marked DONE (Authority Core & Security Guild) – interactive-only policy publish/promote scopes delivered with metadata, fresh-auth enforcement, and audit/docs updates.
2025-11-02: SCANNER-ENTRYTRACE-18-506 moved to DOING (EntryTrace Guild, Scanner WebService Guild) – surfacing EntryTrace results via WebService/CLI with confidence metadata.
2025-11-02: ATTESTOR-74-001 marked DONE (Attestor Service Guild) – witness client integration, repository schema, and verification/reporting updates landed with tests.
2025-11-02: AUTH-OAS-63-001 moved to DOING (Authority Core & Security Guild, API Governance Guild) – verifying legacy `/oauth/*` deprecation signalling and notifications ahead of sunset.
2025-11-02: AUTH-OAS-63-001 marked DONE (Authority Core & Security Guild, API Governance Guild) – legacy shims emit Deprecation/Sunset/Warning headers, audit event coverage validated, and migration guide published.
2025-11-02: AUTH-NOTIFY-40-001 marked DONE (Authority Core & Security Guild) – `/notify/ack-tokens/rotate` (`notify.admin`) now rotates DSSE keys with audit trails and integration tests.
2025-11-02: AUTH-OAS-62-001 moved to DOING (Authority Core & Security Guild, SDK Generator Guild) – wiring SDK helpers for OAuth2/PAT flows and tenancy override header.
2025-11-02: AUTH-OAS-62-001 marked DONE (Authority Core & Security Guild, SDK Generator Guild) – HttpClient auth helper (OAuth2/PAT) shipped with tenant header support and unit tests.
2025-11-02: AUTH-OBS-50-001 moved to DOING (Authority Core & Security Guild) – defining observability scopes and updating discovery/offline defaults.
2025-11-02: AUTH-OBS-52-001 moved to DOING (Authority Core & Security Guild) – rolling observability scopes through resource server policies and audit wiring.
2025-11-02: AUTH-OBS-55-001 marked DONE (Authority Core & Security Guild, Ops Guild) – incident-mode tokens now require fresh auth, audit records expose `incident.reason`, and `/authority/audit/incident` verification path documented.
2025-11-02: AUTH-ORCH-34-001 marked DONE (Authority Core & Security Guild) – `orch:backfill` scope enforced with reason/ticket metadata, Authority + CLI updated, docs/config refreshed for Orchestrator admins.
2025-11-02: AUTH-PACKS-41-001 moved to DOING (Authority Core & Security Guild) – defining packs scope catalogue, issuer templates, and offline defaults.
2025-11-02: AUTH-PACKS-41-001 added shared OpenSSL 1.1 test libs so Authority & Signals Mongo2Go suites run on OpenSSL 3.
2025-11-02: AUTH-NOTIFY-42-001 moved to DOING (Authority Core & Security Guild) – investigating `/notify/ack-tokens/rotate` 500 responses when key metadata missing.
2025-11-02: AUTH-NOTIFY-42-001 marked DONE (Authority Core & Security Guild) – bootstrap rotate defaults fixed, `StellaOpsBearer` test alias added, and notify ack rotation regression passes.
2025-11-02: ENTRYTRACE-SURFACE-02 moved to DOING (EntryTrace Guild) – replacing direct env/secret access with Surface.Secrets provider for EntryTrace runs.
2025-11-02: ENTRYTRACE-SURFACE-01 marked DONE (EntryTrace Guild) – Surface.Validation + Surface.FS cache now drive EntryTrace reuse with regression tests.
2025-11-02: ENTRYTRACE-SURFACE-02 marked DONE (EntryTrace Guild) – EntryTrace environment placeholders resolved via Surface.Secrets with updated docs/tests.
2025-11-02: SCANNER-ENTRYTRACE-18-506 marked DONE (EntryTrace Guild, Scanner WebService Guild) – EntryTrace graph surfaced via WebService and CLI with confidence metadata.
2025-11-02: SCANNER-ENTRYTRACE-18-509 moved to DOING (EntryTrace Guild, QA Guild) – adding regression coverage for EntryTrace surfaces and NDJSON hashing.
2025-11-02: SCANNER-ENTRYTRACE-18-509 marked DONE (EntryTrace Guild, QA Guild) – regression coverage landed for result store/WebService/CLI with NDJSON hashing snapshot.
2025-11-02: SCANNER-ENTRYTRACE-18-507 marked DONE (EntryTrace Guild) – fallback candidate discovery now covers history, supervisor configs, service directories, and entrypoint scripts with tests.
2025-11-02: SCANNER-ENTRYTRACE-18-508 marked DONE (EntryTrace Guild) – wrapper catalogue expanded for bundle, docker-php-entrypoint, npm, yarn, pipenv, and poetry with wrapper metadata assertions.
2025-11-02: CONCELIER-WEB-OAS-61-001 moved to DOING (Concelier WebService Guild) – implementing discovery endpoint for `.well-known/openapi` with version metadata and ETag.
2025-11-02: CONCELIER-WEB-OAS-61-001 marked DONE (Concelier WebService Guild) – discovery endpoint now serves signed OpenAPI 3.1 document with ETag support.
2025-11-02: DOCS-SCANNER-BENCH-62-001 moved to DOING (Docs Guild, Scanner Guild) – refreshing Trivy/Grype/Snyk comparison docs and ecosystem matrix with source-linked coverage.
2025-11-02: DOCS-SCANNER-BENCH-62-001 marked DONE (Docs Guild, Scanner Guild) – matrix updated with Windows/macOS coverage row and secret detection techniques; deep dives cite Trivy/Grype/Snyk sources.
2025-11-02: DOCS-SCANNER-BENCH-62-003 added (Docs Guild, Product Guild) – recording Python lockfile/editable-install demand signals for policy guidance follow-up.
2025-11-02: DOCS-SCANNER-BENCH-62-004 added (Docs Guild, Java Analyzer Guild) – documenting Java lockfile ingestion plan and policy templates.
2025-11-02: DOCS-SCANNER-BENCH-62-005 added (Docs Guild, Go Analyzer Guild) – documenting Go stripped-binary fallback enrichment guidance.
2025-11-02: DOCS-SCANNER-BENCH-62-006 added (Docs Guild, Rust Analyzer Guild) – documenting Rust fingerprint enrichment guidance.
2025-11-02: DOCS-SCANNER-BENCH-62-007 added (Docs Guild, Security Guild) – documenting secret leak detection guidance.
2025-11-02: DOCS-SCANNER-BENCH-62-008 added (Docs Guild, EntryTrace Guild) – documenting EntryTrace heuristic maintenance guidance.
2025-11-02: DOCS-SCANNER-BENCH-62-009 added (Docs Guild, Ruby Analyzer Guild) – deepening Ruby gap analysis with detection tables; status set to DOING.
2025-11-02: DOCS-SCANNER-BENCH-62-010 added (Docs Guild, PHP Analyzer Guild) – documenting PHP analyzer parity gaps; status set to DOING.
2025-11-02: DOCS-SCANNER-BENCH-62-011 added (Docs Guild, Language Analyzer Guild) – capturing Deno runtime gap analysis; status set to DOING.
2025-11-02: DOCS-SCANNER-BENCH-62-012 added (Docs Guild, Language Analyzer Guild) – expanding Dart ecosystem comparison; status set to DOING.
2025-11-02: DOCS-SCANNER-BENCH-62-013 added (Docs Guild, Swift Analyzer Guild) – expanding Swift coverage analysis; status set to DOING.
2025-11-02: DOCS-SCANNER-BENCH-62-014 added (Docs Guild, Runtime Guild) – detailing Kubernetes/VM coverage plan; status set to DOING.
2025-11-02: DOCS-SCANNER-BENCH-62-015 added (Docs Guild, Export Center Guild) – outlining DSSE/Rekor operator enablement guidance; status set to DOING.
2025-11-02: DOCS-SCANNER-BENCH-62-009 marked DONE (Docs Guild, Ruby Analyzer Guild) – Ruby gap section delivered with detection tables and backlog links.
2025-11-02: DOCS-SCANNER-BENCH-62-010 marked DONE (Docs Guild, PHP Analyzer Guild) – PHP gap analysis updated with implementation notes.
2025-11-02: DOCS-SCANNER-BENCH-62-011 marked DONE (Docs Guild, Language Analyzer Guild) – Deno plan documented with detection technique table.
2025-11-02: DOCS-SCANNER-BENCH-62-012 marked DONE (Docs Guild, Language Analyzer Guild) – Dart coverage section fleshed out with detection strategies.
2025-11-02: DOCS-SCANNER-BENCH-62-013 marked DONE (Docs Guild, Swift Analyzer Guild) – Swift analyzer roadmap captured with policy hooks.
2025-11-02: DOCS-SCANNER-BENCH-62-014 marked DONE (Docs Guild, Runtime Guild) – Kubernetes/VM alignment section published.
2025-11-02: DOCS-SCANNER-BENCH-62-015 marked DONE (Docs Guild, Export Center Guild) – DSSE/Rekor enablement guidance appended to gap doc.
2025-11-02: SCANNER-ENG-0009 moved to DOING (Ruby Analyzer Guild) – drafting Ruby analyzer parity design package.
2025-11-02: SCANNER-ENG-0016 added (Ruby Analyzer Guild) – implementing Ruby lock collector & vendor cache ingestion.
2025-11-02: SCANNER-ENG-0016 moved to DOING (Ruby Analyzer Guild) – lockfile parser skeleton committed with initial Gemfile.lock parsing.
2025-11-02: SCANNER-ENG-0017 added (Ruby Analyzer Guild) – building runtime require/autoload graph builder.
2025-11-02: SCANNER-ENG-0018 added (Ruby Analyzer Guild) – emitting Ruby capability and framework signals.
2025-11-02: SCANNER-ENG-0019 added (Ruby Analyzer Guild, CLI Guild) – delivering Ruby CLI verbs and Offline Kit packaging.
2025-11-02: SCANNER-LIC-0001 added (Scanner Guild, Legal Guild) – vetting tree-sitter Ruby licensing/offline packaging.
2025-11-02: SCANNER-LIC-0001 moved to DOING (Scanner Guild, Legal Guild) – SPDX review in progress.
2025-11-02: SCANNER-POLICY-0001 added (Policy Guild, Ruby Analyzer Guild) – defining Ruby capability predicates in Policy Engine.
2025-11-02: SCANNER-CLI-0001 added (CLI Guild, Ruby Analyzer Guild) – coordinating CLI UX/docs for Ruby verbs.
2025-11-02: AIAI-31-011 moved to DOING (Advisory AI Guild) – implementing Excititor VEX document provider.
2025-11-02: AIAI-31-011 marked DONE (Advisory AI Guild) – Excititor VEX provider + OpenVEX chunking shipped with tests.
2025-11-02: AIAI-31-002 moved to DOING (Advisory AI Guild, SBOM Service Guild) – building SBOM context retriever for timelines/paths/blast radius.
2025-11-02: AIAI-31-002 progressing – SBOM context models/tests landed; awaiting SBOM guild client hookup.
2025-11-02: AIAI-31-003 moved to DOING – kicking off deterministic tooling (comparators, dependency lookup). First drop covers semver range evaluator + RPM EVR comparator.
2025-11-02: AIAI-31-004 moved to DOING – starting deterministic orchestration pipeline (summary/conflict/remediation flow).
2025-11-02: ISSUER-30-006 moved to DOING (Issuer Directory Guild, DevOps Guild) – deployment manifests, backup/restore, secret handling, and offline kit docs in progress.