feat: Add guild charters and task boards for various components
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform. - Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds. - Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies. - Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.
This commit is contained in:
@@ -1,40 +1,51 @@
|
||||
# AGENTS
|
||||
## Role
|
||||
Bootstrap the ACSC (Australian Cyber Security Centre) advisories connector so the Concelier pipeline can ingest, normalise, and enrich ACSC security bulletins.
|
||||
|
||||
## Scope
|
||||
- Research the authoritative ACSC advisory feed (RSS/Atom, JSON API, or HTML).
|
||||
- Implement fetch windowing, cursor persistence, and retry strategy consistent with other external connectors.
|
||||
- Parse advisory content (summary, affected products, mitigation guidance, references).
|
||||
- Map advisories into canonical `Advisory` records with aliases, references, affected packages, and provenance metadata.
|
||||
- Provide deterministic fixtures and regression tests that cover fetch/parse/map flows.
|
||||
|
||||
## Participants
|
||||
- `Source.Common` for HTTP client creation, fetch service, and DTO persistence helpers.
|
||||
- `Storage.Mongo` for raw/document/DTO/advisory storage plus cursor management.
|
||||
- `Concelier.Models` for canonical advisory structures and provenance utilities.
|
||||
- `Concelier.Testing` for integration harnesses and snapshot helpers.
|
||||
|
||||
## Interfaces & Contracts
|
||||
- Job kinds should follow the pattern `acsc:fetch`, `acsc:parse`, `acsc:map`.
|
||||
- Documents persisted to Mongo must include ETag/Last-Modified metadata when the source exposes it.
|
||||
- Canonical advisories must emit aliases (ACSC ID + CVE IDs) and references (official bulletin + vendor notices).
|
||||
|
||||
## In/Out of scope
|
||||
In scope:
|
||||
- Initial end-to-end connector implementation with tests, fixtures, and range primitive coverage.
|
||||
- Minimal telemetry (logging + diagnostics counters) consistent with other connectors.
|
||||
|
||||
Out of scope:
|
||||
- Upstream remediation automation or vendor-specific enrichment beyond ACSC data.
|
||||
- Export-related changes (handled by exporter teams).
|
||||
|
||||
## Observability & Security Expectations
|
||||
- Log key lifecycle events (fetch/page processed, parse success/error counts, mapping stats).
|
||||
- Sanitise HTML safely and avoid persisting external scripts or embedded media.
|
||||
- Handle transient fetch failures gracefully with exponential backoff and mark failures in source state.
|
||||
|
||||
## Tests
|
||||
- Add integration-style tests under `StellaOps.Concelier.Connector.Acsc.Tests` covering fetch/parse/map with canned fixtures.
|
||||
- Snapshot canonical advisories; provide UPDATE flag flow for regeneration.
|
||||
- Validate determinism (ordering, casing, timestamps) to satisfy pipeline reproducibility requirements.
|
||||
# AGENTS
|
||||
## Role
|
||||
Bootstrap the ACSC (Australian Cyber Security Centre) advisories connector so the Concelier pipeline can ingest, normalise, and enrich ACSC security bulletins.
|
||||
|
||||
## Scope
|
||||
- Research the authoritative ACSC advisory feed (RSS/Atom, JSON API, or HTML).
|
||||
- Implement fetch windowing, cursor persistence, and retry strategy consistent with other external connectors.
|
||||
- Parse advisory content (summary, affected products, mitigation guidance, references).
|
||||
- Map advisories into canonical `Advisory` records with aliases, references, affected packages, and provenance metadata.
|
||||
- Provide deterministic fixtures and regression tests that cover fetch/parse/map flows.
|
||||
|
||||
## Participants
|
||||
- `Source.Common` for HTTP client creation, fetch service, and DTO persistence helpers.
|
||||
- `Storage.Mongo` for raw/document/DTO/advisory storage plus cursor management.
|
||||
- `Concelier.Models` for canonical advisory structures and provenance utilities.
|
||||
- `Concelier.Testing` for integration harnesses and snapshot helpers.
|
||||
|
||||
## Interfaces & Contracts
|
||||
- Job kinds should follow the pattern `acsc:fetch`, `acsc:parse`, `acsc:map`.
|
||||
- Documents persisted to Mongo must include ETag/Last-Modified metadata when the source exposes it.
|
||||
- Canonical advisories must emit aliases (ACSC ID + CVE IDs) and references (official bulletin + vendor notices).
|
||||
|
||||
## In/Out of scope
|
||||
In scope:
|
||||
- Initial end-to-end connector implementation with tests, fixtures, and range primitive coverage.
|
||||
- Minimal telemetry (logging + diagnostics counters) consistent with other connectors.
|
||||
|
||||
Out of scope:
|
||||
- Upstream remediation automation or vendor-specific enrichment beyond ACSC data.
|
||||
- Export-related changes (handled by exporter teams).
|
||||
|
||||
## Observability & Security Expectations
|
||||
- Log key lifecycle events (fetch/page processed, parse success/error counts, mapping stats).
|
||||
- Sanitise HTML safely and avoid persisting external scripts or embedded media.
|
||||
- Handle transient fetch failures gracefully with exponential backoff and mark failures in source state.
|
||||
|
||||
## Tests
|
||||
- Add integration-style tests under `StellaOps.Concelier.Connector.Acsc.Tests` covering fetch/parse/map with canned fixtures.
|
||||
- Snapshot canonical advisories; provide UPDATE flag flow for regeneration.
|
||||
- Validate determinism (ordering, casing, timestamps) to satisfy pipeline reproducibility requirements.
|
||||
|
||||
## Required Reading
|
||||
- `docs/modules/concelier/architecture.md`
|
||||
- `docs/modules/platform/architecture-overview.md`
|
||||
|
||||
## Working Agreement
|
||||
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
|
||||
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
|
||||
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
|
||||
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
|
||||
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.
|
||||
|
||||
Reference in New Issue
Block a user