feat: Add guild charters and task boards for various components
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform. - Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds. - Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies. - Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.
This commit is contained in:
@@ -1,32 +1,43 @@
|
||||
# StellaOps.Scanner.Analyzers.Lang.Python — Agent Charter
|
||||
|
||||
## Role
|
||||
Implement the Python analyzer plug-in that inspects installed distributions, RECORD hashes, entry points, and editable installs to feed Scanner SBOM views.
|
||||
|
||||
## Scope
|
||||
- Parse `*.dist-info` and `*.data` directories, validating `METADATA`, `RECORD`, and `entry_points.txt`.
|
||||
- Detect editable installs and pip caches, reconciling metadata with actual files.
|
||||
- Integrate EntryTrace usage hints for runtime entry points and flag missing RECORD hashes.
|
||||
- Package plug-in manifest and ensure deterministic fixtures + benchmarks.
|
||||
|
||||
## Out of Scope
|
||||
- Language analyzers for other ecosystems.
|
||||
- Policy evaluation, vulnerability correlation, or packaging into UI flows.
|
||||
- Building Python interpreters or executing scripts (analysis is static only).
|
||||
|
||||
## Expectations
|
||||
- Deterministic RECORD hashing with streaming IO; fallback heuristics clearly flagged.
|
||||
- Performance target: ≥75 MB/s RECORD verification, end-to-end fixture <2.0 s.
|
||||
- Offline-first: no PyPI calls; relies on local metadata only.
|
||||
- Rich telemetry (components counted, hash mismatches) following Scanner metrics schema.
|
||||
- Keep `TASKS.md` and `SPRINTS_LANG_IMPLEMENTATION_PLAN.md` in sync.
|
||||
|
||||
## Dependencies
|
||||
- Shared language analyzer infrastructure.
|
||||
- EntryTrace usage hints (for script activation).
|
||||
- Worker dispatcher for plug-in loading.
|
||||
|
||||
## Testing & Artifacts
|
||||
- Golden fixtures for venv, virtualenv, pipx, and editable installs.
|
||||
- Benchmark results comparing hash-check throughput against competitor tools.
|
||||
- Offline Kit guidance for bundling standard library metadata if required.
|
||||
# StellaOps.Scanner.Analyzers.Lang.Python — Agent Charter
|
||||
|
||||
## Role
|
||||
Implement the Python analyzer plug-in that inspects installed distributions, RECORD hashes, entry points, and editable installs to feed Scanner SBOM views.
|
||||
|
||||
## Scope
|
||||
- Parse `*.dist-info` and `*.data` directories, validating `METADATA`, `RECORD`, and `entry_points.txt`.
|
||||
- Detect editable installs and pip caches, reconciling metadata with actual files.
|
||||
- Integrate EntryTrace usage hints for runtime entry points and flag missing RECORD hashes.
|
||||
- Package plug-in manifest and ensure deterministic fixtures + benchmarks.
|
||||
|
||||
## Out of Scope
|
||||
- Language analyzers for other ecosystems.
|
||||
- Policy evaluation, vulnerability correlation, or packaging into UI flows.
|
||||
- Building Python interpreters or executing scripts (analysis is static only).
|
||||
|
||||
## Expectations
|
||||
- Deterministic RECORD hashing with streaming IO; fallback heuristics clearly flagged.
|
||||
- Performance target: ≥75 MB/s RECORD verification, end-to-end fixture <2.0 s.
|
||||
- Offline-first: no PyPI calls; relies on local metadata only.
|
||||
- Rich telemetry (components counted, hash mismatches) following Scanner metrics schema.
|
||||
- Keep `TASKS.md` and `SPRINTS_LANG_IMPLEMENTATION_PLAN.md` in sync.
|
||||
|
||||
## Dependencies
|
||||
- Shared language analyzer infrastructure.
|
||||
- EntryTrace usage hints (for script activation).
|
||||
- Worker dispatcher for plug-in loading.
|
||||
|
||||
## Testing & Artifacts
|
||||
- Golden fixtures for venv, virtualenv, pipx, and editable installs.
|
||||
- Benchmark results comparing hash-check throughput against competitor tools.
|
||||
- Offline Kit guidance for bundling standard library metadata if required.
|
||||
|
||||
## Required Reading
|
||||
- `docs/modules/scanner/architecture.md`
|
||||
- `docs/modules/platform/architecture-overview.md`
|
||||
|
||||
## Working Agreement
|
||||
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
|
||||
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
|
||||
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
|
||||
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
|
||||
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.
|
||||
|
||||
Reference in New Issue
Block a user