- Introduced AuthorityAdvisoryAiOptions and related classes for managing advisory AI configurations, including remote inference options and tenant-specific settings.
- Added AuthorityApiLifecycleOptions to control API lifecycle settings, including legacy OAuth endpoint configurations.
- Implemented validation and normalization methods for both advisory AI and API lifecycle options to ensure proper configuration.
- Created AuthorityNotificationsOptions and its related classes for managing notification settings, including ack tokens, webhooks, and escalation options.
- Developed IssuerDirectoryClient and related models for interacting with the issuer directory service, including caching mechanisms and HTTP client configurations.
- Added support for dependency injection through ServiceCollectionExtensions for the Issuer Directory Client.
- Updated project file to include necessary package references for the new Issuer Directory Client library.
Sprint 160 - Export & Evidence
[Export & Evidence] 160.A) EvidenceLocker Depends on: Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator Summary: Export & Evidence focus on EvidenceLocker.
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EVID-OBS-53-001 | TODO | Bootstrap StellaOps.Evidence.Locker service with Postgres schema for evidence_bundles, evidence_artifacts, evidence_holds, tenant RLS, and object-store abstraction (WORM optional). | Evidence Locker Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md) |
| EVID-OBS-53-002 | TODO | Implement bundle builders for evaluation/job/export snapshots collecting inputs, outputs, env digests, run metadata. Generate Merkle tree + manifest skeletons and persist root hash. Dependencies: EVID-OBS-53-001. | Evidence Locker Guild, Orchestrator Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md) |
| EVID-OBS-53-003 | TODO | Expose REST APIs (POST /evidence/snapshot, GET /evidence/:id, POST /evidence/verify, POST /evidence/hold/:case_id) with audit logging, tenant enforcement, and size quotas. Dependencies: EVID-OBS-53-002. | Evidence Locker Guild, Security Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md) |
| EVID-OBS-54-001 | TODO | Attach DSSE signing and RFC3161 timestamping to bundle manifests; validate against Provenance verification library. Wire legal hold retention extension and chain-of-custody events for Timeline Indexer. Dependencies: EVID-OBS-53-003. | Evidence Locker Guild, Provenance Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md) |
| EVID-OBS-54-002 | TODO | Provide bundle download/export packaging (tgz) with checksum manifest, offline verification instructions, and sample fixture for CLI tests. Dependencies: EVID-OBS-54-001. | Evidence Locker Guild, DevEx/CLI Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md) |
| EVID-OBS-55-001 | TODO | Implement incident mode hooks increasing retention window, capturing additional debug artefacts, and emitting activation/deactivation events to Timeline Indexer + Notifier. Dependencies: EVID-OBS-54-002. | Evidence Locker Guild, DevOps Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md) |
| EVID-OBS-60-001 | TODO | Deliver portable evidence export flow for sealed environments: generate sealed bundles with checksum manifest, redacted metadata, and offline verification script. Document air-gapped import/verify procedures. Dependencies: EVID-OBS-55-001. | Evidence Locker Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md) |
[Export & Evidence] 160.B) ExportCenter.I Depends on: Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator Summary: Export & Evidence focus on ExportCenter (phase I).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| DVOFF-64-001 | TODO | Implement Export Center job devportal --offline bundling portal HTML, specs, SDK artifacts, changelogs, and verification manifest. | DevPortal Offline Guild, Exporter Guild (src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/TASKS.md) |
| DVOFF-64-002 | TODO | Provide verification CLI (stella devportal verify bundle.tgz) ensuring integrity before import. Dependencies: DVOFF-64-001. | DevPortal Offline Guild, AirGap Controller Guild (src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/TASKS.md) |
| EXPORT-AIRGAP-56-001 | TODO | Extend Export Center to build Mirror Bundles as export profiles, including advisories/VEX/policy packs manifesting DSSE/TUF metadata. | Exporter Service Guild, Mirror Creator Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-AIRGAP-56-002 | TODO | Package Bootstrap Pack (images + charts) into OCI archives with signed manifests for air-gapped deployment. Dependencies: EXPORT-AIRGAP-56-001. | Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-AIRGAP-57-001 | TODO | Integrate portable evidence export mode producing sealed evidence bundles with DSSE signatures and chain-of-custody metadata. Dependencies: EXPORT-AIRGAP-56-002. | Exporter Service Guild, Evidence Locker Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-AIRGAP-58-001 | TODO | Emit notifications and timeline events when Mirror Bundles or Bootstrap packs are ready for transfer. Dependencies: EXPORT-AIRGAP-57-001. | Exporter Service Guild, Notifications Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-ATTEST-74-001 | TODO | Implement export job producing attestation bundles with manifest, checksums, DSSE signature, and optional transparency log segments. | Attestation Bundle Guild, Attestor Service Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md) |
| EXPORT-ATTEST-74-001 | TODO | Implement attestation bundle export job via Export Center. Dependencies: EXPORT-ATTEST-74-001. | Exporter Service Guild, Attestation Bundle Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-ATTEST-74-002 | TODO | Integrate bundle job into CI/offline kit packaging with checksum publication. Dependencies: EXPORT-ATTEST-74-001. | Attestation Bundle Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md) |
| EXPORT-ATTEST-75-001 | TODO | Provide CLI command stella attest bundle verify/import for air-gap usage. Dependencies: EXPORT-ATTEST-74-002. | Attestation Bundle Guild, CLI Attestor Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md) |
| EXPORT-ATTEST-75-001 | TODO | Integrate attestation bundles into offline kit flows and CLI commands. Dependencies: EXPORT-ATTEST-75-001. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-ATTEST-75-002 | TODO | Document /docs/modules/attestor/airgap.md with bundle workflows and verification steps. Dependencies: EXPORT-ATTEST-75-001. | Attestation Bundle Guild, Docs Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md) |
| EXPORT-OAS-61-001 | TODO | Update Exporter OAS covering profiles, runs, downloads, devportal exports with standard error envelope and examples. | Exporter Service Guild, API Contracts Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-OAS-61-002 | TODO | Provide /.well-known/openapi discovery endpoint with version metadata and ETag. Dependencies: EXPORT-OAS-61-001. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-OAS-62-001 | TODO | Ensure SDKs include export profile/run clients with streaming download helpers; add smoke tests. Dependencies: EXPORT-OAS-61-002. | Exporter Service Guild, SDK Generator Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
[Export & Evidence] 160.B) ExportCenter.II Depends on: Sprint 160.B - ExportCenter.I Summary: Export & Evidence focus on ExportCenter (phase II).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EXPORT-OAS-63-001 | TODO | Implement deprecation headers and notifications for legacy export endpoints. Dependencies: EXPORT-OAS-62-001. | Exporter Service Guild, API Governance Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-OBS-50-001 | TODO | Adopt telemetry core in exporter service + workers, ensuring spans/logs capture profile id, tenant, artifact counts, distribution type, and trace IDs. | Exporter Service Guild, Observability Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-OBS-51-001 | TODO | Emit metrics for export planner latency, bundle build time, distribution success rate, bundle size, and define SLOs (bundle availability P95 <90s). Add Grafana dashboards + burn-rate alerts. Dependencies: EXPORT-OBS-50-001. | Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-OBS-52-001 | TODO | Publish timeline events for export lifecycle (export.requested, export.built, export.distributed, export.failed) embedding manifest hashes and evidence refs. Provide dedupe + retry logic. Dependencies: EXPORT-OBS-51-001. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-OBS-53-001 | TODO | Push export manifests + distribution transcripts to evidence locker bundles, ensuring Merkle root alignment and DSSE pre-sign data available. Dependencies: EXPORT-OBS-52-001. | Exporter Service Guild, Evidence Locker Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-OBS-54-001 | TODO | Produce DSSE attestations for each export artifact and distribution target, expose verification API /exports/{id}/attestation, and integrate with CLI verify path. Dependencies: EXPORT-OBS-53-001. | Exporter Service Guild, Provenance Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-OBS-55-001 | TODO | Add incident mode enhancements (extra tracing for slow exports, additional debug logs, retention bump). Emit incident activation events to timeline + notifier. Dependencies: EXPORT-OBS-54-001. | Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-RISK-69-001 | TODO | Add Export Center job handler risk-bundle with provider selection, manifest signing, and audit logging. | Exporter Service Guild, Risk Bundle Export Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-RISK-69-002 | TODO | Enable simulation report exports pulling scored data + explainability snapshots. Dependencies: EXPORT-RISK-69-001. | Exporter Service Guild, Risk Engine Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-RISK-70-001 | TODO | Integrate risk bundle builds into offline kit packaging with checksum verification. Dependencies: EXPORT-RISK-69-002. | Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-35-001 | BLOCKED (2025-10-29) | Bootstrap exporter service project, configuration, and Postgres migrations for export_profiles, export_runs, export_inputs, export_distributions with tenant scoping + tests. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-35-002 | TODO | Implement planner + scope resolver translating filters into ledger iterators and orchestrator job payloads; include deterministic sampling and validation. Dependencies: EXPORT-SVC-35-001. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-35-003 | TODO | Deliver JSON adapters (json:raw, json:policy) with canonical normalization, redaction allowlists, compression, and manifest counts. Dependencies: EXPORT-SVC-35-002. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-35-004 | TODO | Build mirror (full) adapter producing filesystem layout, indexes, manifests, and README with download-only distribution. Dependencies: EXPORT-SVC-35-003. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-35-005 | TODO | Implement manifest/provenance writer and KMS signing/attestation (detached + embedded) for bundle outputs. Dependencies: EXPORT-SVC-35-004. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
[Export & Evidence] 160.B) ExportCenter.III Depends on: Sprint 160.B - ExportCenter.II Summary: Export & Evidence focus on ExportCenter (phase III).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| EXPORT-SVC-35-006 | TODO | Expose Export API (profiles, runs, download, SSE updates) with audit logging, concurrency controls, and viewer/operator RBAC integration. Dependencies: EXPORT-SVC-35-005. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-36-001 | TODO | Implement Trivy DB adapter (core) with schema mappings, version flag gating, and validation harness. Dependencies: EXPORT-SVC-35-006. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-36-002 | TODO | Add Trivy Java DB variant with shared manifest entries and adapter regression tests. Dependencies: EXPORT-SVC-36-001. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-36-003 | TODO | Build OCI distribution engine (manifests, descriptors, annotations) with registry auth support and retries. Dependencies: EXPORT-SVC-36-002. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-36-004 | TODO | Extend planner/run lifecycle for distribution targets (OCI/object storage) with idempotent metadata updates and retention timestamps. Dependencies: EXPORT-SVC-36-003. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-37-001 | TODO | Implement mirror delta adapter with base manifest comparison, change set generation, and content-addressed reuse. Dependencies: EXPORT-SVC-36-004. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-37-002 | TODO | Add bundle encryption (age/AES-GCM), key wrapping via KMS, and verification tooling for encrypted outputs. Dependencies: EXPORT-SVC-37-001. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-37-003 | TODO | Implement export scheduling (cron/event), retention pruning, retry idempotency, and failure classification. Dependencies: EXPORT-SVC-37-002. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-37-004 | TODO | Provide verification API to stream manifests/hashes, compute hash+signature checks, and return attest status for CLI/UI. Dependencies: EXPORT-SVC-37-003. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-SVC-43-001 | TODO | Integrate pack run manifests/artifacts into export bundles and CLI verification flows; expose provenance links. Dependencies: EXPORT-SVC-37-004. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| EXPORT-TEN-48-001 | TODO | Prefix artifacts/manifests with tenant/project, enforce scope checks, and prevent cross-tenant exports unless explicitly whitelisted; update provenance. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) |
| RISK-BUNDLE-69-001 | TODO | Implement stella export risk-bundle job producing tarball with provider datasets, manifests, and DSSE signatures. | Risk Bundle Export Guild, Risk Engine Guild (src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md) |
| RISK-BUNDLE-69-002 | TODO | Integrate bundle job into CI/offline kit pipelines with checksum publication. Dependencies: RISK-BUNDLE-69-001. | Risk Bundle Export Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md) |
| RISK-BUNDLE-70-001 | TODO | Provide CLI stella risk bundle verify command to validate bundles before import. Dependencies: RISK-BUNDLE-69-002. | Risk Bundle Export Guild, CLI Guild (src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md) |
| RISK-BUNDLE-70-002 | TODO | Publish /docs/airgap/risk-bundles.md detailing build/import/verification workflows. Dependencies: RISK-BUNDLE-70-001. | Risk Bundle Export Guild, Docs Guild (src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md) |
[Export & Evidence] 160.C) TimelineIndexer Depends on: Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator Summary: Export & Evidence focus on TimelineIndexer.
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| TIMELINE-OBS-52-001 | TODO | Bootstrap StellaOps.Timeline.Indexer service with Postgres migrations for timeline_events, timeline_event_details, timeline_event_digests; enable RLS scaffolding and deterministic migration scripts. | Timeline Indexer Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md) |
| TIMELINE-OBS-52-002 | TODO | Implement event ingestion pipeline (NATS/Redis consumers) with ordering guarantees, dedupe on (event_id, tenant_id), correlation to trace IDs, and backpressure metrics. Dependencies: TIMELINE-OBS-52-001. | Timeline Indexer Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md) |
| TIMELINE-OBS-52-003 | TODO | Expose REST/gRPC APIs for timeline queries (GET /timeline, /timeline/{id}) with filters, pagination, and tenant enforcement. Provide OpenAPI + contract tests. Dependencies: TIMELINE-OBS-52-002. | Timeline Indexer Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md) |
| TIMELINE-OBS-52-004 | TODO | Finalize RLS policies, scope checks (timeline:read), and audit logging for query access. Include integration tests for cross-tenant isolation and legal hold markers. Dependencies: TIMELINE-OBS-52-003. | Timeline Indexer Guild, Security Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md) |
| TIMELINE-OBS-53-001 | TODO | Link timeline events to evidence bundle digests + attestation subjects; expose /timeline/{id}/evidence endpoint returning signed manifest references. Dependencies: TIMELINE-OBS-52-004. | Timeline Indexer Guild, Evidence Locker Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md) |
If all tasks are done, read the next sprint section: SPRINT_170_notifications_telemetry.md