feat: Add guild charters and task boards for various components
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform. - Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds. - Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies. - Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.
This commit is contained in:
@@ -1,38 +1,49 @@
|
||||
# AGENTS
|
||||
## Role
|
||||
Create a dedicated CVE connector when we need raw CVE stream ingestion outside of NVD/OSV/National feeds (e.g., CVE JSON 5 API or CNA disclosures).
|
||||
|
||||
## Scope
|
||||
- Determine whether this connector should consume the official CVE JSON 5 API, CNA disclosures, or another stream.
|
||||
- Implement fetch/windowing aligned with CVE publication cadence; manage cursors for incremental backfills.
|
||||
- Parse CVE payloads into DTOs capturing descriptions, affected vendors/products, references, and metrics.
|
||||
- Map CVEs into canonical `Advisory` records (aliases, references, affected packages, range primitives).
|
||||
- Deliver deterministic fixtures/tests for fetch/parse/map lifecycle.
|
||||
|
||||
## Participants
|
||||
- `Source.Common` (HTTP/fetch utilities, DTO storage).
|
||||
- `Storage.Mongo` (raw/document/DTO/advisory stores & source state).
|
||||
- `Concelier.Models` (canonical data model).
|
||||
- `Concelier.Testing` (integration fixtures, snapshot helpers).
|
||||
|
||||
## Interfaces & Contracts
|
||||
- Job kinds: `cve:fetch`, `cve:parse`, `cve:map`.
|
||||
- Persist upstream metadata (e.g., `If-Modified-Since`, `cveMetadataDate`) for incremental fetching.
|
||||
- Aliases must include primary CVE ID along with CNA-specific identifiers when available.
|
||||
|
||||
## In/Out of scope
|
||||
In scope:
|
||||
- Core pipeline for CVE ingestion with provenance/range primitives.
|
||||
|
||||
Out of scope:
|
||||
- Downstream impact scoring or enrichment (handled by other teams).
|
||||
|
||||
## Observability & Security Expectations
|
||||
- Log fetch batch sizes, update timestamps, and mapping counts.
|
||||
- Handle rate limits politely with exponential backoff.
|
||||
- Sanitize and validate payloads before persistence.
|
||||
|
||||
## Tests
|
||||
- Add `StellaOps.Concelier.Connector.Cve.Tests` with canned CVE JSON fixtures covering fetch/parse/map.
|
||||
- Snapshot canonical advisories; include env flag for fixture regeneration.
|
||||
- Ensure deterministic ordering and timestamp handling.
|
||||
# AGENTS
|
||||
## Role
|
||||
Create a dedicated CVE connector when we need raw CVE stream ingestion outside of NVD/OSV/National feeds (e.g., CVE JSON 5 API or CNA disclosures).
|
||||
|
||||
## Scope
|
||||
- Determine whether this connector should consume the official CVE JSON 5 API, CNA disclosures, or another stream.
|
||||
- Implement fetch/windowing aligned with CVE publication cadence; manage cursors for incremental backfills.
|
||||
- Parse CVE payloads into DTOs capturing descriptions, affected vendors/products, references, and metrics.
|
||||
- Map CVEs into canonical `Advisory` records (aliases, references, affected packages, range primitives).
|
||||
- Deliver deterministic fixtures/tests for fetch/parse/map lifecycle.
|
||||
|
||||
## Participants
|
||||
- `Source.Common` (HTTP/fetch utilities, DTO storage).
|
||||
- `Storage.Mongo` (raw/document/DTO/advisory stores & source state).
|
||||
- `Concelier.Models` (canonical data model).
|
||||
- `Concelier.Testing` (integration fixtures, snapshot helpers).
|
||||
|
||||
## Interfaces & Contracts
|
||||
- Job kinds: `cve:fetch`, `cve:parse`, `cve:map`.
|
||||
- Persist upstream metadata (e.g., `If-Modified-Since`, `cveMetadataDate`) for incremental fetching.
|
||||
- Aliases must include primary CVE ID along with CNA-specific identifiers when available.
|
||||
|
||||
## In/Out of scope
|
||||
In scope:
|
||||
- Core pipeline for CVE ingestion with provenance/range primitives.
|
||||
|
||||
Out of scope:
|
||||
- Downstream impact scoring or enrichment (handled by other teams).
|
||||
|
||||
## Observability & Security Expectations
|
||||
- Log fetch batch sizes, update timestamps, and mapping counts.
|
||||
- Handle rate limits politely with exponential backoff.
|
||||
- Sanitize and validate payloads before persistence.
|
||||
|
||||
## Tests
|
||||
- Add `StellaOps.Concelier.Connector.Cve.Tests` with canned CVE JSON fixtures covering fetch/parse/map.
|
||||
- Snapshot canonical advisories; include env flag for fixture regeneration.
|
||||
- Ensure deterministic ordering and timestamp handling.
|
||||
|
||||
## Required Reading
|
||||
- `docs/modules/concelier/architecture.md`
|
||||
- `docs/modules/platform/architecture-overview.md`
|
||||
|
||||
## Working Agreement
|
||||
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
|
||||
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
|
||||
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
|
||||
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
|
||||
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.
|
||||
|
||||
Reference in New Issue
Block a user