feat: Implement distro-native version comparison for RPM, Debian, and Alpine packages

- Add RpmVersionComparer for RPM version comparison with epoch, version, and release handling.
- Introduce DebianVersion for parsing Debian EVR (Epoch:Version-Release) strings.
- Create ApkVersion for parsing Alpine APK version strings with suffix support.
- Define IVersionComparator interface for version comparison with proof-line generation.
- Implement VersionComparisonResult struct to encapsulate comparison results and proof lines.
- Add tests for Debian and RPM version comparers to ensure correct functionality and edge case handling.
- Create project files for the version comparison library and its tests.
StellaOps Bot
2025-12-22 09:49:38 +02:00
parent aff0ceb2fe
commit 634233dfed
112 changed files with 31925 additions and 1813 deletions

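The commit message above says the comparers return a result together with "proof lines", and that RPM, Debian and Alpine each get their own distro-native comparison. The security-relevant reason is that vulnerability matching on package versions is only as good as the ordering: a generic string or semver compare puts `1.0~rc1` after `1.0` and cannot tell `1.0-1ubuntu1` from `1.0-1`, which turns into false negatives and false positives against distro advisories. The following block is an added illustration, not code from this commit or from StellaOps: a Python port of the two algorithms the distros themselves use, dpkg's `verrevcmp()` and rpm's `rpmvercmp()`, wrapped in EVR parsing that emits one proof line per compared component. The function names (`parse_evr`, `compare_evr`, `compare_debian`, `compare_rpm`), the proof-line format, and the defaults of epoch `0` and empty release for a bare version string are this example's own assumptions; Alpine APK (the `ApkVersion` parser) is not covered.

```python
"""Debian (dpkg verrevcmp) and RPM (rpmvercmp) version comparison with proof lines.
Added illustration, not StellaOps code; the names, the proof-line format and the
epoch=0 / release='' defaults for a bare version are this example's assumptions."""
from typing import Callable, List, Tuple

def _deb_order(c: str) -> int:
    """Weight of a character in a non-digit run (dpkg's order())."""
    if c == "" or c.isdigit(): return 0    # end of string and digits weigh 0
    if c.isalpha(): return ord(c)          # letters by ASCII value
    if c == "~": return -1                 # tilde sorts before everything, even the end
    return ord(c) + 256                    # other punctuation sorts after letters

def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternate non-digit and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _deb_order(a[i] if i < len(a) else "")
            bc = _deb_order(b[j] if j < len(b) else "")
            if ac != bc: return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1   # leading zeros are insignificant
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff: first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1     # longer numeric run wins
        if j < len(b) and b[j].isdigit(): return -1
        if first_diff: return -1 if first_diff < 0 else 1
    return 0

def _rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): separators skipped, '~' < base < '^'."""
    if a == b: return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not a[i].isalnum() and a[i] not in "~^": i += 1
        while j < len(b) and not b[j].isalnum() and b[j] not in "~^": j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":                 # pre-release marker sorts lowest
            if ca != cb: return 1 if ca != "~" else -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":                 # post-release marker: the base version is lower
            if ca == "" or cb == "": return -1 if ca == "" else 1
            if ca != cb: return 1 if ca != "^" else -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb): break                  # one side exhausted
        isnum = ca.isdigit()
        same_kind = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while si < len(a) and same_kind(a[si]): si += 1
        while sj < len(b) and same_kind(b[sj]): sj += 1
        seg_a, seg_b = a[i:si], b[j:sj]
        if not seg_b: return 1 if isnum else -1    # numeric segment beats alpha segment
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):           # more digits wins, no int overflow
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b: return 1 if seg_a > seg_b else -1
        i, j = si, sj
    if i >= len(a) and j >= len(b): return 0
    return -1 if i >= len(a) else 1                # leftover characters win

def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release'; epoch defaults to 0, release to '' (assumption)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)                             # non-numeric epoch raises ValueError
    version, _, release = evr.rpartition("-") if "-" in evr else (evr, "", "")
    return epoch, version, release

def compare_evr(a, b, cmp: Callable[[str, str], int], flavour: str) -> Tuple[int, List[str]]:
    """Return (-1|0|1, proof lines): epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    proof = [f"{flavour}: {a!r} vs {b!r}"]
    steps = [("epoch", ea, eb, lambda x, y: (x > y) - (x < y)),
             ("version", va, vb, cmp), ("release", ra, rb, cmp)]
    for name, x, y, fn in steps:
        r = fn(x, y)
        proof.append(f"  {name}: {x!r} {'<' if r < 0 else '>' if r > 0 else '=='} {y!r}")
        if r: return r, proof
    return 0, proof

def compare_debian(a: str, b: str): return compare_evr(a, b, _verrevcmp, "deb")
def compare_rpm(a: str, b: str): return compare_evr(a, b, _rpmvercmp, "rpm")

if __name__ == "__main__":
    # constructed sample pairs; a plain string or semver compare gets these wrong
    for fn, x, y in [(compare_debian, "1.0~rc1", "1.0"), (compare_debian, "1.0-1ubuntu1", "1.0-1"),
                     (compare_rpm, "1.0^git1", "1.0.1"), (compare_rpm, "1.0.0-1.el8", "1.0.0-1.el9")]:
        print("\n".join(fn(x, y)[1]))
```

The two algorithms disagree on the details that matter for advisory matching: in dpkg an absent Debian revision compares equal to `0`, `~` sorts below the end of the string and `+dfsg` sorts above it, while rpm skips separators entirely, lets a plain alphabetic suffix (`1.0a`) sort above the base version, and reserves `~` for pre-releases and `^` for post-releases. The proof lines record which component decided the comparison, which is the part an auditor needs when a "fixed in" verdict is challenged.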
@@ -0,0 +1,126 @@
# SPRINT_4300 MOAT HARDENING: Verdict Attestation & Epistemic Mode
## Program Overview
| Field | Value |
|-------|-------|
| **Program ID** | 4300 (Moat Series) |
| **Theme** | Moat Hardening: Signed Verdicts & Epistemic Operations |
| **Priority** | P0-P1 (Critical to High) |
| **Total Effort** | ~9 weeks |
| **Advisory Source** | 19-Dec-2025 - Stella Ops candidate features mapped to moat strength |
---
## Strategic Context
This sprint program addresses the highest-moat features identified in the competitive analysis advisory. The goal is to harden StellaOps' structural advantages in:
1. **Signed, replayable risk verdicts (Moat 5)** — The anchor differentiator
2. **Unknowns as first-class state (Moat 4)** — Governance primitive
3. **Air-gapped epistemic mode (Moat 4)** — Reproducibility moat
---
## Sprint Breakdown
### P0 Sprints (Critical)
| Sprint ID | Title | Effort | Moat |
|-----------|-------|--------|------|
| 4300_0001_0001 | OCI Verdict Attestation Referrer Push | 2 weeks | 5 |
| 4300_0001_0002 | One-Command Audit Replay CLI | 2 weeks | 5 |
**Outcome**: Verdicts become portable "ship tokens" that can be pushed to registries and replayed offline.
### P1 Sprints (High)
| Sprint ID | Title | Effort | Moat |
|-----------|-------|--------|------|
| 4300_0002_0001 | Unknowns Budget Policy Integration | 2 weeks | 4 |
| 4300_0002_0002 | Unknowns Attestation Predicates | 1 week | 4 |
| 4300_0003_0001 | Sealed Knowledge Snapshot Export/Import | 2 weeks | 4 |
**Outcome**: Uncertainty becomes actionable through policy gates and attestable for audits. Air-gap customers get sealed knowledge bundles.
---
## Related Sprint Programs
| Program | Theme | Moat Focus |
|---------|-------|------------|
| **4400** | Delta Verdicts & Reachability Attestations | Smart-Diff, Reachability |
| **4500** | VEX Hub & Trust Scoring | VEX Distribution Network |
| **4600** | SBOM Lineage & BYOS | SBOM Ledger |
---
## Dependency Graph
```
SPRINT_4300_0001_0001 (OCI Verdict Push)
├──► SPRINT_4300_0001_0002 (Audit Replay CLI)
└──► SPRINT_4400_0001_0001 (Signed Delta Verdict)
SPRINT_4300_0002_0001 (Unknowns Budget)
└──► SPRINT_4300_0002_0002 (Unknowns Attestation)
SPRINT_4300_0003_0001 (Sealed Snapshot)
└──► [Standalone, enables air-gap scenarios]
```
---
## Success Metrics
| Metric | Target | Measurement |
|--------|--------|-------------|
| Verdict push success rate | >99% | OTEL metrics |
| Audit replay pass rate | 100% on same inputs | CI tests |
| Unknown budget violations detected | >0 in test suite | Integration tests |
| Air-gap import success rate | >99% | Manual testing |
---
## Risks & Dependencies
| Risk | Impact | Mitigation |
|------|--------|------------|
| OCI registry incompatibility | Cannot push verdicts | Fallback to tag-based |
| Bundle size too large | Transfer issues | Streaming, compression |
| Key management complexity | Security | Document rotation procedures |
---
## Timeline Recommendation
**Phase 1 (Weeks 1-4)**: P0 Sprints
- OCI Verdict Push + Audit Replay
**Phase 2 (Weeks 5-7)**: P1 Sprints
- Unknowns Budget + Attestations
**Phase 3 (Weeks 8-9)**: P1 Sprints
- Sealed Knowledge Snapshots
---
## Documentation Deliverables
- [ ] `docs/operations/verdict-attestation-guide.md`
- [ ] `docs/operations/audit-replay-guide.md`
- [ ] `docs/operations/unknown-budgets-guide.md`
- [ ] `docs/operations/airgap-knowledge-sync.md`
- [ ] Update attestation type catalog
- [ ] Update CLI reference
---
**Sprint Series Status:** TODO
**Created:** 2025-12-22
**Origin:** Gap analysis of 19-Dec-2025 moat strength advisory
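Review bot: the Risks & Dependencies table under-specifies its two security-relevant rows. "OCI registry incompatibility | Cannot push verdicts | Fallback to tag-based" should state that the fallback still binds the verdict to the image digest rather than to a mutable tag; otherwise a registry without referrers support silently weakens the Moat 5 guarantee that the Sprint Breakdown's "ship tokens" rest on. "Key management complexity | Security | Document rotation procedures" names no threat in its impact column: for signed verdicts the impact is that a compromised or lost signing key lets verdicts be forged or makes replay verification fail, and a rotation runbook alone does not cover revocation or how the air-gapped verifiers served by SPRINT_4300_0003_0001 receive updated trust roots. Related: the Dependency Graph marks the Sealed Knowledge Snapshot as "[Standalone]", yet the P0 outcome is that verdicts are "replayed offline"; if offline replay consumes a sealed snapshot, draw that edge to SPRINT_4300_0001_0002. Finally, the Success Metrics row "Air-gap import success rate | >99% | Manual testing" cannot be measured manually; pair it with an automated import test as the other rows do.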