themesd advisories enhanced
@@ -10,6 +10,16 @@
---
## 0. WHERE TO START (IN-REPO)
- `docs/README.md` (doc map and module dossiers)
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md` (end-to-end system model)
- `docs/18_CODING_STANDARDS.md` (C# conventions, repo rules, gates)
- `docs/19_TEST_SUITE_OVERVIEW.md` (test layers, CI expectations)
- `docs/technical/development/README.md` (developer tooling and workflows)
- `docs/10_PLUGIN_SDK_GUIDE.md` (plugin SDK + packaging)
- `LICENSE` (AGPL-3.0-or-later obligations)
## 1. CORE ENGINEERING PRINCIPLES
- **SOLID First**: Interface and dependency inversion required
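Review bot: the **SOLID First** bullet at the end of this hunk reads as "Interface and dependency inversion", which is not a SOLID principle; the I is interface segregation and the D is dependency inversion, so the line should read `- **SOLID First**: Interface segregation and dependency inversion required`. A smaller point in the new "0. WHERE TO START" map: `docs/technical/development/README.md` is the only entry nested below `docs/`, so if it is the canonical developer entry point the parenthetical should say so rather than leave readers to wonder whether it is a stray path.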
@@ -20,6 +30,15 @@
- **Fail-fast Startup**: Validate configuration before web host starts
- **Hot-load Compatibility**: Avoid static singletons that survive plugin unload
### 1.1 Product Non-Negotiables
- **Determinism first**: stable ordering + canonicalization; no hidden clocks/entropy in core algorithms
- **Offline-first**: no silent network dependency; every workflow has an offline/mirrored path
- **Evidence over UI**: the API + signed artifacts must fully explain what the UI shows
- **Contracts are contracts**: version schemas; add fields with defaults; never silently change semantics
- **Golden fixtures required**: any change to scanning/policy/proofs must be covered by deterministic fixtures + replay tests
- **Respect service boundaries**: do not re-implement scanner/policy logic in downstream services or UI
## 2. REPOSITORY LAYOUT RULES
- No "Module" folders or nested solution hierarchies
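Review bot: the **Contracts are contracts** bullet in 1.1 says to "add fields with defaults" but is silent on removals, renames, type changes and ordering changes, which are the cases that actually break consumers and which the **Determinism first** bullet two lines above depends on (stable ordering is part of the contract). Suggest spelling out that a published schema version only ever gains optional fields and that anything else requires a new version, e.g. `- **Contracts are contracts**: version schemas; a published version only gains optional fields with defaults; removals, renames, type or ordering changes require a new schema version`. Likewise **Offline-first** should define what "silent" means, i.e. any network access is explicit in configuration and fails visibly when the endpoint is unreachable, otherwise the rule cannot be checked at review time.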
@@ -221,6 +240,34 @@ cosign sign --key $COSIGN_KEY out/MyPlugin.Schedule.dll
- Merge strategies named and versioned
- Artifacts record which lattice algorithm used
### 14.5 Sbomer Module
- Emit SPDX 3.0.1 and CycloneDX 1.6 with stable ordering and deterministic IDs
- Persist raw bytes + canonical form; hash canonical bytes for digest binding
- Produce DSSE attestations for SBOM linkage and generation provenance
### 14.6 Feedser Module
- Treat every feed import as a versioned snapshot (URI + time + content hashes)
- Support deterministic export/import for offline bundles
- Imports are idempotent (same snapshot digest is a no-op)
### 14.7 Concelier Module
- Never mutate evidence; attach business context and build views only
- Never re-implement scanner/policy risk logic; consume signed decisions + proofs
### 14.8 UI / Console
- UI is an explainer and navigator; the evidence chain must be retrievable via API and export
- Any UI state must be reproducible from persisted evidence + graph revision identifiers
### 14.9 Zastava / Advisory AI
- AI consumes evidence graph IDs/digests; it is never a source of truth for vulnerability states
- Pipelines must never pass/fail based on AI text; enforcement is always policy + lattice + evidence
- Any AI output must reference evidence IDs and remain optional/offline-safe
## 15. COMMON PITFALLS & SOLUTIONS
### 15.1 Avoid
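Review bot: in 14.5, "Persist raw bytes + canonical form; hash canonical bytes for digest binding" together with "Produce DSSE attestations for SBOM linkage" leaves open which bytes the DSSE subject digest refers to; a verifier that hashes the SBOM file it actually received (the raw bytes) will not match a digest computed over the canonical form and will reject a valid attestation. Suggest stating it explicitly, e.g. `- Persist raw bytes + canonical form; DSSE subjects bind the canonical-bytes digest and record the raw-bytes digest alongside it`, or require that only the canonical form is ever distributed. Same hunk, 14.6: a snapshot keyed on "URI + time + content hashes" is not a stable idempotency key, because re-fetching identical content at a later time produces a new digest and the "same snapshot digest is a no-op" rule never fires; make the idempotency digest a function of the content hashes only and keep fetch time as metadata on the snapshot. Finally, the hunk ends on the `### 15.1 Avoid` heading with no items beneath it; either the list belongs in this commit or the heading should wait for it.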