stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

feat: Add UI benchmark driver and scenarios for graph interactions
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
devportal-offline / build-offline (push) Has been cancelled
Details

Browse Source 
- Introduced `ui_bench_driver.mjs` to read scenarios and fixture manifest, generating a deterministic run plan.
- Created `ui_bench_plan.md` outlining the purpose, scope, and next steps for the benchmark.
- Added `ui_bench_scenarios.json` containing various scenarios for graph UI interactions.
- Implemented tests for CLI commands, ensuring bundle verification and telemetry defaults.
- Developed schemas for orchestrator components, including replay manifests and event envelopes.
- Added mock API for risk management, including listing and statistics functionalities.
- Implemented models for risk profiles and query options to support the new API.
This commit is contained in:
StellaOps Bot
2025-12-02 01:28:17 +02:00
parent 909d9b6220
commit 44171930ff
94 changed files with 3606 additions and 271 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
ops/devops/scanner-java/release-plan.md Normal file
View File

@@ -0,0 +1,48 @@
# Java Analyzer Release Plan (DEVOPS-SCANNER-JAVA-21-011-REL)
## Goal
Publish the Java analyzer plug-in with signed artifacts and offline-ready bundles for CLI/Offline Kit.
## Inputs
- Analyzer JAR(s) + native helpers from dev task 21-011.
- SBOM (SPDX JSON) for plugin + native components.
- Test suite outputs (unit + integration).
## Artifacts
- OCI image (optional) or zip bundle containing:
- `analyzer.jar`
- `lib/` natives (if any)
- `LICENSE`, `NOTICE`
- `SBOM` (spdx.json)
- `SIGNATURES` (cosign/PGP)
- Cosign attestations for OCI/zip (provenance + SBOM).
- Checksums: `SHA256SUMS`, `SHA256SUMS.sig`.
- Offline kit slice: tarball with bundle + attestations + SBOM.
## Pipeline steps
1) **Build**: run gradle/mvn with `--offline` using vendored deps; produce JAR + natives.
2) **SBOM**: `syft packages -o spdx-json` over build output.
3) **Package**: zip bundle with fixed ordering (`zip -X`) and normalized timestamps (`SOURCE_DATE_EPOCH`).
4) **Sign**:
- cosign sign blob (zip) and/or image.
- generate in-toto provenance (SLSA level 1) referencing git commit + toolchain hashes.
5) **Checksums**: create `SHA256SUMS` and sign with cosign/PGP.
6) **Verify stage**: pipeline step runs `cosign verify-blob`, `sha256sum --check`, and `syft validate spdx`.
7) **Publish**:
- Upload to artifact store (release bucket) with metadata (version, commit, digest).
- Produce offline kit slice tarball (`scanner-java-<ver>-offline.tgz`) containing bundle, SBOM, attestations, checksums.
## Security/hardening
- Non-root build container; disable gradle/mvn network (`--offline`).
- Strip debug info unless required; ensure reproducible JAR (sorted entries, normalized timestamps).
- Telemetry disabled.
## Evidence to capture
- Bundle SHA256, cosign signatures, provenance statement.
- SBOM hash.
- Verification logs from pipeline.
## Owners
- Build/pipeline: DevOps Guild
- Signing policy: Platform Security
- Consumer integration: CLI Guild / Offline Kit Guild