feat: Add new projects to solution and implement contract testing documentation
- Added "StellaOps.Policy.Engine", "StellaOps.Cartographer", and "StellaOps.SbomService" projects to the StellaOps solution.
- Created AGENTS.md to outline the Contract Testing Guild Charter, detailing mission, scope, and definition of done.
- Established TASKS.md for the Contract Testing Task Board, outlining tasks for Sprint 62 and Sprint 63 related to mock servers and replay testing.
@@ -1,39 +1,39 @@
# StellaOps.Scanner.Analyzers.Lang.Node — Agent Charter

## Role
Deliver the Node.js / npm / Yarn / PNPM analyzer plug-in that resolves workspace graphs, symlinks, and script metadata for Scanner Workers.

## Scope
- Deterministic filesystem walker for `node_modules`, PNPM store, Yarn Plug'n'Play, and workspace roots.
- Component identity normalization to `pkg:npm` with provenance evidence (manifest path, integrity hashes, lockfile references).
- Workspace + symlink attribution, script metadata (postinstall, lifecycle), and policy hints for risky scripts.
- Plug-in manifest authoring, DI bootstrap, and benchmark harness integration.

## Out of Scope
- OS package detection, native library linkage, or vulnerability joins.
- Language analyzers for other ecosystems (Python, Go, .NET, Rust).
- CLI/UI surfacing of analyzer diagnostics (handed to UI guild post-gate).

## Expectations
- Deterministic output across Yarn/NPM/PNPM variations; normalized casing and path separators.
- Performance targets: 10 k-module fixture <1.8 s, <220 MB RSS on 4 vCPU runner.
- Offline-first; no network dependency to resolve registries.
- Emit structured metrics + logs (`analyzer=node`) compatible with Scanner telemetry model.
- Update `TASKS.md`, `SPRINTS_LANG_IMPLEMENTATION_PLAN.md`, and corresponding fixtures as progress occurs.

## Dependencies
- Shared language analyzer core (`StellaOps.Scanner.Analyzers.Lang`).
- Worker dispatcher for plug-in discovery.
- EntryTrace usage hints (for script usage classification).

## Testing & Artifacts
- Determinism golden fixtures under `Fixtures/lang/node/`.
- Benchmark CSV + flamegraph stored in `bench/Scanner.Analyzers/`.
- Plug-in manifest + cosign workflow added to Offline Kit instructions once analyzer is production-ready.

## Telemetry & Policy Hints
- Metrics: `scanner_analyzer_node_scripts_total{script}` increments for each install lifecycle script discovered.
- Metadata keys:
- `policyHint.installLifecycle` lists lifecycle scripts (`preinstall;install;postinstall`) observed for a package.
- `script.<name>` stores the canonical command string for each lifecycle script.
- Evidence: lifecycle script entries emit `LanguageEvidenceKind.Metadata` pointing to `package.json#scripts.<name>` with SHA-256 hashes for determinism.

# StellaOps.Scanner.Analyzers.Lang.Node — Agent Charter

## Role
Deliver the Node.js / npm / Yarn / PNPM analyzer plug-in that resolves workspace graphs, symlinks, and script metadata for Scanner Workers.

## Scope
- Deterministic filesystem walker for `node_modules`, PNPM store, Yarn Plug'n'Play, and workspace roots.
- Component identity normalization to `pkg:npm` with provenance evidence (manifest path, integrity hashes, lockfile references).
- Workspace + symlink attribution, script metadata (postinstall, lifecycle), and policy hints for risky scripts.
- Plug-in manifest authoring, DI bootstrap, and benchmark harness integration.

## Out of Scope
- OS package detection, native library linkage, or vulnerability joins.
- Language analyzers for other ecosystems (Python, Go, .NET, Rust).
- CLI/UI surfacing of analyzer diagnostics (handed to UI guild post-gate).

## Expectations
- Deterministic output across Yarn/NPM/PNPM variations; normalized casing and path separators.
- Performance targets: 10 k-module fixture <1.8 s, <220 MB RSS on 4 vCPU runner.
- Offline-first; no network dependency to resolve registries.
- Emit structured metrics + logs (`analyzer=node`) compatible with Scanner telemetry model.
- Update `TASKS.md`, `SPRINTS_LANG_IMPLEMENTATION_PLAN.md`, and corresponding fixtures as progress occurs.

## Dependencies
- Shared language analyzer core (`StellaOps.Scanner.Analyzers.Lang`).
- Worker dispatcher for plug-in discovery.
- EntryTrace usage hints (for script usage classification).

## Testing & Artifacts
- Determinism golden fixtures under `Fixtures/lang/node/`.
- Benchmark CSV + flamegraph stored in `src/StellaOps.Bench/Scanner.Analyzers/`.
- Plug-in manifest + cosign workflow added to Offline Kit instructions once analyzer is production-ready.

## Telemetry & Policy Hints
- Metrics: `scanner_analyzer_node_scripts_total{script}` increments for each install lifecycle script discovered.
- Metadata keys:
- `policyHint.installLifecycle` lists lifecycle scripts (`preinstall;install;postinstall`) observed for a package.
- `script.<name>` stores the canonical command string for each lifecycle script.
- Evidence: lifecycle script entries emit `LanguageEvidenceKind.Metadata` pointing to `package.json#scripts.<name>` with SHA-256 hashes for determinism.

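Review bot: the commit message does not describe what this hunk actually changes, which is only the benchmark artifact location in the Testing & Artifacts section, moving from `bench/Scanner.Analyzers/` to `src/StellaOps.Bench/Scanner.Analyzers/`; the message talks about new solution projects and the contract-testing AGENTS.md/TASKS.md, so either mention this path move there or split it into its own commit so the history stays searchable. Since the Expectations section of this same charter asks agents to keep `TASKS.md` and `SPRINTS_LANG_IMPLEMENTATION_PLAN.md` in sync, also confirm that any benchmark-path references in those files now point at the new `src/StellaOps.Bench/` location, otherwise the determinism and performance evidence this charter requires will be written to and looked for in different directories.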