stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

feat: Add guild charters and task boards for various components
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details

Browse Source 
- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform.
- Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds.
- Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies.
- Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.
This commit is contained in:
master
2025-11-01 02:21:46 +02:00
parent e5629454cf
commit 66cb6c4b8a
227 changed files with 9913 additions and 6210 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
src/Concelier/__Libraries/StellaOps.Concelier.Connector.Jvn/AGENTS.md
View File

@@ -1,29 +1,40 @@
# AGENTS
## Role
Japan JVN/MyJVN connector; national CERT enrichment with strong identifiers (JVNDB) and vendor status; authoritative only where concrete package evidence exists; otherwise enriches text, severity, references, and aliases.
## Scope
- Fetch JVNRSS (overview) and VULDEF (detail) via MyJVN API; window by dateFirstPublished/dateLastUpdated; paginate; respect rate limits.
- Validate XML or JSON payloads; normalize titles, CVEs, JVNDB ids, vendor status, categories; map references and severity text; attach jp_flags.
- Persist raw docs with sha256 and headers; manage source_state cursor; idempotent parse/map.
## Participants
- Source.Common (HTTP, pagination, XML or XSD validators, retries/backoff).
- Storage.Mongo (document, dto, advisory, alias, affected (when concrete), reference, jp_flags, source_state).
- Models (canonical Advisory/Affected/Provenance).
- Core/WebService (jobs: source:jvn:fetch|parse|map).
- Merge engine applies enrichment precedence (does not override distro or PSIRT ranges unless JVN gives explicit package truth).
## Interfaces & contracts
- Aliases include JVNDB-YYYY-NNNNN and CVE ids; scheme "JVNDB".
- jp_flags: { jvndb_id, jvn_category, vendor_status }.
- References typed: advisory/vendor/bulletin; URLs normalized and deduped.
- Affected only when VULDEF gives concrete coordinates; otherwise omit.
- Provenance: method=parser; kind=api; value=endpoint plus query window; recordedAt=fetched time.
## In/Out of scope
In: JVN/MyJVN ingestion, aliases, jp_flags, enrichment mapping, watermarking.
Out: overriding distro or PSIRT ranges without concrete evidence; scraping unofficial mirrors.
## Observability & security expectations
- Metrics: SourceDiagnostics emits `concelier.source.http.*` counters/histograms tagged `concelier.source=jvn`, enabling dashboards to track fetch requests, item counts, parse failures, and enrichment/map activity (including jp_flags) via tag filters.
- Logs: window bounds, jvndb ids processed, vendor_status distribution; redact API keys.
## Tests
- Author and review coverage in `../StellaOps.Concelier.Connector.Jvn.Tests`.
- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`.
- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios.
# AGENTS
## Role
Japan JVN/MyJVN connector; national CERT enrichment with strong identifiers (JVNDB) and vendor status; authoritative only where concrete package evidence exists; otherwise enriches text, severity, references, and aliases.
## Scope
- Fetch JVNRSS (overview) and VULDEF (detail) via MyJVN API; window by dateFirstPublished/dateLastUpdated; paginate; respect rate limits.
- Validate XML or JSON payloads; normalize titles, CVEs, JVNDB ids, vendor status, categories; map references and severity text; attach jp_flags.
- Persist raw docs with sha256 and headers; manage source_state cursor; idempotent parse/map.
## Participants
- Source.Common (HTTP, pagination, XML or XSD validators, retries/backoff).
- Storage.Mongo (document, dto, advisory, alias, affected (when concrete), reference, jp_flags, source_state).
- Models (canonical Advisory/Affected/Provenance).
- Core/WebService (jobs: source:jvn:fetch|parse|map).
- Merge engine applies enrichment precedence (does not override distro or PSIRT ranges unless JVN gives explicit package truth).
## Interfaces & contracts
- Aliases include JVNDB-YYYY-NNNNN and CVE ids; scheme "JVNDB".
- jp_flags: { jvndb_id, jvn_category, vendor_status }.
- References typed: advisory/vendor/bulletin; URLs normalized and deduped.
- Affected only when VULDEF gives concrete coordinates; otherwise omit.
- Provenance: method=parser; kind=api; value=endpoint plus query window; recordedAt=fetched time.
## In/Out of scope
In: JVN/MyJVN ingestion, aliases, jp_flags, enrichment mapping, watermarking.
Out: overriding distro or PSIRT ranges without concrete evidence; scraping unofficial mirrors.
## Observability & security expectations
- Metrics: SourceDiagnostics emits `concelier.source.http.*` counters/histograms tagged `concelier.source=jvn`, enabling dashboards to track fetch requests, item counts, parse failures, and enrichment/map activity (including jp_flags) via tag filters.
- Logs: window bounds, jvndb ids processed, vendor_status distribution; redact API keys.
## Tests
- Author and review coverage in `../StellaOps.Concelier.Connector.Jvn.Tests`.
- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`.
- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios.
## Required Reading
- `docs/modules/concelier/architecture.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.