docs consolidation

2025-12-24 21:45:46 +02:00
parent 4231305fec
commit 43e2af88f6
76 changed files with 2887 additions and 796 deletions
--- a/docs/modules/scanner/architecture.md
+++ b/docs/modules/scanner/architecture.md
@@ -26,7 +26,7 @@ src/
 â”œâ”€ StellaOps.Scanner.Worker/                # queue consumer; executes analyzers
 â”œâ”€ StellaOps.Scanner.Models/                # DTOs, evidence, graph nodes, CDX/SPDX adapters
 â”œâ”€ StellaOps.Scanner.Storage/               # PostgreSQL repositories; RustFS object client (default) + S3 fallback; ILM/GC
- â”œâ”€ StellaOps.Scanner.Queue/                 # queue abstraction (Redis/NATS/RabbitMQ)
+ â”œâ”€ StellaOps.Scanner.Queue/                 # queue abstraction (Valkey/NATS/RabbitMQ)
 â”œâ”€ StellaOps.Scanner.Cache/                 # layer cache; file CAS; bloom/bitmap indexes
 â”œâ”€ StellaOps.Scanner.EntryTrace/            # ENTRYPOINT/CMD â†’ terminal program resolver (shell AST)
 â”œâ”€ StellaOps.Scanner.Analyzers.OS.[Apk|Dpkg|Rpm]/
@@ -92,20 +92,20 @@ CLI usage: `stella scan --semantic <image>` enables semantic analysis in output.
 - **Hybrid attestation**: emit **graph-level DSSE** for every `richgraph-v1` (mandatory) and optional **edge-bundle DSSE** (â‰¤512 edges) for runtime/init-root/contested edges or third-party provenance. Publish graph DSSE digests to Rekor by default; edge-bundle Rekor publish is policy-driven. CAS layout: `cas://reachability/graphs/{blake3}` for graph body, `.../{blake3}.dsse` for envelope, and `cas://reachability/edges/{graph_hash}/{bundle_id}[.dsse]` for bundles. Deterministic ordering before hashing/signing is required.
 - **Deterministic call-graph manifest**: capture analyzer versions, feed hashes, toolchain digests, and flags in a manifest stored alongside `richgraph-v1`; replaying with the same manifest MUST yield identical node/edge sets and hashes (see `docs/reachability/lead.md`).

-### 1.1 Queue backbone (Redis / NATS)
+### 1.1 Queue backbone (Valkey / NATS)

 `StellaOps.Scanner.Queue` exposes a transport-agnostic contract (`IScanQueue`/`IScanQueueLease`) used by the WebService producer and Worker consumers. Sprint 9 introduces two first-party transports:

- **Redis Streams** (default). Uses consumer groups, deterministic idempotency keys (`scanner:jobs:idemp:*`), and supports lease claim (`XCLAIM`), renewal, exponential-backoff retries, and a `scanner:jobs:dead` stream for exhausted attempts.
+- **Valkey Streams** (default). Uses consumer groups, deterministic idempotency keys (`scanner:jobs:idemp:*`), and supports lease claim (`XCLAIM`), renewal, exponential-backoff retries, and a `scanner:jobs:dead` stream for exhausted attempts.
 - **NATS JetStream**. Provisions the `SCANNER_JOBS` work-queue stream + durable consumer `scanner-workers`, publishes with `MsgId` for dedupe, applies backoff via `NAK` delays, and routes dead-lettered jobs to `SCANNER_JOBS_DEAD`.

-Metrics are emitted via `Meter` counters (`scanner_queue_enqueued_total`, `scanner_queue_retry_total`, `scanner_queue_deadletter_total`), and `ScannerQueueHealthCheck` pings the active backend (Redis `PING`, NATS `PING`). Configuration is bound from `scanner.queue`:
+Metrics are emitted via `Meter` counters (`scanner_queue_enqueued_total`, `scanner_queue_retry_total`, `scanner_queue_deadletter_total`), and `ScannerQueueHealthCheck` pings the active backend (Valkey `PING`, NATS `PING`). Configuration is bound from `scanner.queue`:

 ```yaml
 scanner:
  queue:
-    kind: redis # or nats
-    redis:
+    kind: valkey # or nats (valkey uses redis:// protocol)
+    valkey:
      connectionString: "redis://queue:6379/0"
      streamName: "scanner:jobs"
    nats:
@@ -133,7 +133,7 @@ The DI extension (`AddScannerQueue`) wires the selected transport, so future add
 * **OCI registry** with **Referrers API** (discover attached SBOMs/signatures).
 * **RustFS** (default, offline-first) for SBOM artifacts; optional S3/MinIO compatibility retained for migration; **Object Lock** semantics emulated via retention headers; **ILM** for TTL.
 * **PostgreSQL** for catalog, job state, diffs, ILM rules.
-* **Queue** (Redis Streams/NATS/RabbitMQ).
+* **Queue** (Valkey Streams/NATS/RabbitMQ).
 * **Authority** (onâ€‘prem OIDC) for **OpToks** (DPoP/mTLS).
 * **Signer** + **Attestor** (+ **Fulcio/KMS** + **Rekor v2**) for DSSE + transparency.

@@ -390,7 +390,7 @@ Diffs are stored as artifacts and feed **UI** and **CLI**.
 ```yaml
 scanner:
  queue:
-    kind: redis
+    kind: valkey  # uses redis:// protocol
    url: "redis://queue:6379/0"
  postgres:
    connectionString: "Host=postgres;Port=5432;Database=scanner;Username=stellaops;Password=stellaops"
--- a/docs/modules/scanner/implementation_plan.md
+++ b/docs/modules/scanner/implementation_plan.md
@@ -2,7 +2,7 @@

 ## Delivery phases
 - **Phase 1 – Control plane & job queue**  
-  Finalise Scanner WebService, queue abstraction (Redis/NATS), job leasing, CAS layer cache, artifact catalog, and API endpoints.
+  Finalise Scanner WebService, queue abstraction (Valkey/NATS), job leasing, CAS layer cache, artifact catalog, and API endpoints.
 - **Phase 2 – Analyzer parity & SBOM assembly**  
  Implement OS/Lang/Native analyzers, inventory/usage SBOM views, entry trace resolution, deterministic component identity.
 - **Phase 3 – Diff & attestations**