stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

enrich the setup. setup fixes. minimize the consolidation plan

Browse Source
This commit is contained in:
master
2026-02-26 08:46:06 +02:00
parent 63c70a6d37
commit 4fe8eb56ae
26 changed files with 1568 additions and 646 deletions
Download Patch File Download Diff File Expand all files Collapse all files

204
devops/runtime-assets/manifest.yaml Normal file
View File

@@ -0,0 +1,204 @@
# Runtime Data Assets Manifest
# Pinned versions, checksums, and licensing for all runtime data assets.
# Used by acquire.sh for download verification and by CI for release gating.
#
# To update a pinned version:
# 1. Change the entry below
# 2. Run: ./devops/runtime-assets/acquire.sh --verify
# 3. Update NOTICE.md and third-party-licenses/ if license changed
version: "1.0.0"
updated: "2026-02-25"
assets:
# ---------------------------------------------------------------------------
# ML Models
# ---------------------------------------------------------------------------
onnx-embedding-model:
name: "all-MiniLM-L6-v2 (ONNX)"
category: "ml-models"
required: true
degraded_without: true # falls back to character-ngram encoder
source: "https://huggingface.co/sentence-transformers/all-MiniLM-L6-v2/resolve/main/onnx/model.onnx"
license: "Apache-2.0"
license_file: "third-party-licenses/all-MiniLM-L6-v2-Apache-2.0.txt"
notice_entry: true # listed in NOTICE.md
destination: "src/AdvisoryAI/StellaOps.AdvisoryAI/models/all-MiniLM-L6-v2.onnx"
runtime_path: "models/all-MiniLM-L6-v2.onnx"
env_override: "KnowledgeSearch__OnnxModelPath"
size_approx: "80 MB"
sha256: "6fd5d72fe4589f189f8ebc006442dbb529bb7ce38f8082112682524616046452"
used_by:
- "StellaOps.AdvisoryAI (OnnxVectorEncoder)"
notes: >
Current file in repo is a 120-byte placeholder.
Must be replaced with actual weights before production release.
# ---------------------------------------------------------------------------
# JDK (for Ghidra)
# ---------------------------------------------------------------------------
jdk:
name: "Eclipse Temurin JRE 17"
category: "binary-analysis"
required: false # only if GhidraOptions__Enabled=true
source: "https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.13%2B11/OpenJDK17U-jre_x64_linux_hotspot_17.0.13_11.tar.gz"
license: "GPL-2.0-with-classpath-exception"
destination: "/opt/java/openjdk/"
env_override: "GhidraOptions__JavaHome"
size_approx: "55 MB"
sha256: "PENDING" # TODO: pin after first verified download
used_by:
- "StellaOps.BinaryIndex.Ghidra (GhidraHeadlessManager)"
notes: >
GPLv2+CE allows linking without copyleft obligation.
Only needed for deployments using Ghidra binary analysis.
# ---------------------------------------------------------------------------
# Ghidra
# ---------------------------------------------------------------------------
ghidra:
name: "Ghidra 11.2 PUBLIC"
category: "binary-analysis"
required: false # only if GhidraOptions__Enabled=true
source: "https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_11.2_build/ghidra_11.2_PUBLIC_20241105.zip"
license: "Apache-2.0"
destination: "/opt/ghidra/"
env_override: "GhidraOptions__GhidraHome"
size_approx: "1.5 GB"
sha256: "PENDING" # TODO: pin after first verified download
used_by:
- "StellaOps.BinaryIndex.Ghidra (GhidraService, GhidraHeadlessManager)"
notes: >
Full Ghidra installation with analyzers, BSim, and Version Tracking.
Disable with GhidraOptions__Enabled=false to skip entirely.
# ---------------------------------------------------------------------------
# Certificates (development defaults — replace for production)
# ---------------------------------------------------------------------------
dev-certificates:
name: "Development TLS certificates"
category: "certificates"
required: true
source: "local" # shipped in etc/authority/keys/
destination: "etc/authority/keys/"
runtime_path: "/app/etc/certs/"
env_override: "Kestrel__Certificates__Default__Path"
mount: "ro"
used_by:
- "All services (Kestrel TLS)"
notes: >
Dev-only. Replace with production certificates before deployment.
See docs/SECURITY_HARDENING_GUIDE.md.
trust-bundle:
name: "CA trust bundle"
category: "certificates"
required: true
source: "local" # shipped in etc/trust-profiles/assets/
destination: "etc/trust-profiles/assets/"
runtime_path: "/etc/ssl/certs/ca-certificates.crt"
mount: "ro"
used_by:
- "All services (HTTPS verification, attestation)"
notes: >
Combined CA bundle. For regional deployments include additional
trust anchors (russian_trusted_bundle.pem, etc).
rekor-public-key:
name: "Rekor transparency log public key"
category: "certificates"
required: true # for Sigstore verification
source: "local"
destination: "etc/trust-profiles/assets/rekor-public.pem"
used_by:
- "Attestor (Sigstore receipt verification)"
- "AirGapTrustStoreIntegration"
# ---------------------------------------------------------------------------
# Regional crypto configuration
# ---------------------------------------------------------------------------
crypto-profiles:
name: "Regional crypto configuration"
category: "configuration"
required: false # only for regional compliance
source: "local"
files:
- "etc/appsettings.crypto.international.yaml"
- "etc/appsettings.crypto.eu.yaml"
- "etc/appsettings.crypto.russia.yaml"
- "etc/appsettings.crypto.china.yaml"
- "etc/crypto-plugins-manifest.json"
used_by:
- "All services (crypto provider selection)"
notes: >
Selected via compose overlay (docker-compose.compliance-*.yml).
See devops/compose/README.md.
# ---------------------------------------------------------------------------
# Evidence storage
# ---------------------------------------------------------------------------
evidence-storage:
name: "Evidence object store"
category: "persistent-storage"
required: true
type: "volume"
runtime_path: "/data/evidence"
env_override: "EvidenceLocker__ObjectStore__FileSystem__RootPath"
mount: "rw"
sizing: "~1 GB per 1000 scans"
used_by:
- "EvidenceLocker"
- "Attestor"
notes: >
Persistent named volume. Content-addressed, append-only.
Include in backup strategy.
# ---------------------------------------------------------------------------
# Search seed snapshots (included in dotnet publish — no acquisition needed)
# ---------------------------------------------------------------------------
search-snapshots:
name: "Unified search seed snapshots"
category: "search-data"
required: true
source: "included" # part of dotnet publish output
destination: "src/AdvisoryAI/StellaOps.AdvisoryAI/UnifiedSearch/Snapshots/"
files:
- "findings.snapshot.json"
- "vex.snapshot.json"
- "policy.snapshot.json"
- "graph.snapshot.json"
- "scanner.snapshot.json"
- "opsmemory.snapshot.json"
- "timeline.snapshot.json"
used_by:
- "UnifiedSearchIndexer (bootstrap on first start)"
notes: >
Copied to output by .csproj Content items.
Live data adapters refresh the index every 300s at runtime.
# ---------------------------------------------------------------------------
# Translations (included in Angular build — no acquisition needed)
# ---------------------------------------------------------------------------
translations:
name: "UI translation bundles"
category: "i18n"
required: true
source: "included" # part of Angular dist build
destination: "src/Web/StellaOps.Web/src/i18n/"
locales:
- "en-US"
- "de-DE"
- "bg-BG"
- "ru-RU"
- "es-ES"
- "fr-FR"
- "uk-UA"
- "zh-CN"
- "zh-TW"
used_by:
- "Console (Angular frontend)"
- "TranslationRegistry (backend override)"
notes: >
Baked into Angular dist bundle. Backend can override via
database-backed ITranslationBundleProvider (priority 100).