feat: Add guild charters and task boards for various components
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform. - Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds. - Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies. - Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.
This commit is contained in:
@@ -1,40 +1,51 @@
|
||||
# AGENTS
|
||||
## Role
|
||||
Design and ship deterministic Linux operating-system analyzers that transform container root filesystems into canonical package evidence for SBOM emission.
|
||||
|
||||
## Scope
|
||||
- Provide shared helpers for reading apk, dpkg, and rpm metadata and emitting normalized package identities with provenance.
|
||||
- Implement analyzer plug-ins for Alpine (apk), Debian (dpkg), and RPM-based distributions that operate on extracted rootfs snapshots.
|
||||
- Enrich package records with vendor-origin metadata (source packages, declared licenses, CVE hints) and evidence linking files to packages.
|
||||
- Expose restart-time plug-in manifests so the Scanner.Worker can load analyzers in offline or air-gapped environments.
|
||||
- Supply deterministic fixtures and a regression harness that verifies analyzer outputs remain stable across runs.
|
||||
|
||||
## Participants
|
||||
- `StellaOps.Scanner.Core` for shared contracts, observability, and plug-in catalog guardrails.
|
||||
- `StellaOps.Scanner.Worker` which executes analyzers inside the scan pipeline.
|
||||
- `StellaOps.Scanner.Cache` (future) for layer cache integration; analyzers must be cache-aware via deterministic inputs/outputs.
|
||||
- `StellaOps.Scanner.Emit` and `StellaOps.Scanner.Diff` rely on analyzer outputs to build SBOMs and change reports.
|
||||
|
||||
## Interfaces & Contracts
|
||||
- Analyzers implement `IOSPackageAnalyzer` (defined in this module) and register via plug-in manifests; they must be restart-time only.
|
||||
- Input rootfs paths are read-only; analyzers must never mutate files and must tolerate missing metadata gracefully.
|
||||
- Package records emit canonical purls (`pkg:alpine`, `pkg:deb`, `pkg:rpm`) plus NEVRA/EVR details, source package identifiers, declared licenses, and evidence (file lists with layer attribution placeholders).
|
||||
- Outputs must be deterministic: ordering is lexicographic, timestamps removed or normalized, hashes (SHA256) calculated when required.
|
||||
|
||||
## In/Out of Scope
|
||||
In scope:
|
||||
- Linux apk/dpkg/rpm analyzers, shared helpers, plug-in manifests, deterministic regression harness.
|
||||
|
||||
Out of scope:
|
||||
- Windows MSI/SxS analyzers, native (ELF) analyzers, language analyzers, EntryTrace pipeline, or SBOM assembly logic (handled by other guilds).
|
||||
|
||||
## Observability & Security Expectations
|
||||
- Emit structured logs with correlation/job identifiers provided by `StellaOps.Scanner.Core`.
|
||||
- Surface metrics for package counts, elapsed time, and cache hits (metrics hooks stubbed until Cache module lands).
|
||||
- Do not perform outbound network calls; operate entirely on provided filesystem snapshot.
|
||||
- Validate plug-in manifests via `IPluginCatalogGuard` to enforce restart-only loading.
|
||||
|
||||
## Tests
|
||||
- `StellaOps.Scanner.Analyzers.OS.Tests` hosts regression tests with canned rootfs fixtures to verify determinism.
|
||||
- Fixtures store expected analyzer outputs under `Fixtures/` with golden JSON (normalized, sorted).
|
||||
- Tests cover apk/dpkg/rpm analyzers, shared helper edge cases, and plug-in catalog enforcement.
|
||||
# AGENTS
|
||||
## Role
|
||||
Design and ship deterministic Linux operating-system analyzers that transform container root filesystems into canonical package evidence for SBOM emission.
|
||||
|
||||
## Scope
|
||||
- Provide shared helpers for reading apk, dpkg, and rpm metadata and emitting normalized package identities with provenance.
|
||||
- Implement analyzer plug-ins for Alpine (apk), Debian (dpkg), and RPM-based distributions that operate on extracted rootfs snapshots.
|
||||
- Enrich package records with vendor-origin metadata (source packages, declared licenses, CVE hints) and evidence linking files to packages.
|
||||
- Expose restart-time plug-in manifests so the Scanner.Worker can load analyzers in offline or air-gapped environments.
|
||||
- Supply deterministic fixtures and a regression harness that verifies analyzer outputs remain stable across runs.
|
||||
|
||||
## Participants
|
||||
- `StellaOps.Scanner.Core` for shared contracts, observability, and plug-in catalog guardrails.
|
||||
- `StellaOps.Scanner.Worker` which executes analyzers inside the scan pipeline.
|
||||
- `StellaOps.Scanner.Cache` (future) for layer cache integration; analyzers must be cache-aware via deterministic inputs/outputs.
|
||||
- `StellaOps.Scanner.Emit` and `StellaOps.Scanner.Diff` rely on analyzer outputs to build SBOMs and change reports.
|
||||
|
||||
## Interfaces & Contracts
|
||||
- Analyzers implement `IOSPackageAnalyzer` (defined in this module) and register via plug-in manifests; they must be restart-time only.
|
||||
- Input rootfs paths are read-only; analyzers must never mutate files and must tolerate missing metadata gracefully.
|
||||
- Package records emit canonical purls (`pkg:alpine`, `pkg:deb`, `pkg:rpm`) plus NEVRA/EVR details, source package identifiers, declared licenses, and evidence (file lists with layer attribution placeholders).
|
||||
- Outputs must be deterministic: ordering is lexicographic, timestamps removed or normalized, hashes (SHA256) calculated when required.
|
||||
|
||||
## In/Out of Scope
|
||||
In scope:
|
||||
- Linux apk/dpkg/rpm analyzers, shared helpers, plug-in manifests, deterministic regression harness.
|
||||
|
||||
Out of scope:
|
||||
- Windows MSI/SxS analyzers, native (ELF) analyzers, language analyzers, EntryTrace pipeline, or SBOM assembly logic (handled by other guilds).
|
||||
|
||||
## Observability & Security Expectations
|
||||
- Emit structured logs with correlation/job identifiers provided by `StellaOps.Scanner.Core`.
|
||||
- Surface metrics for package counts, elapsed time, and cache hits (metrics hooks stubbed until Cache module lands).
|
||||
- Do not perform outbound network calls; operate entirely on provided filesystem snapshot.
|
||||
- Validate plug-in manifests via `IPluginCatalogGuard` to enforce restart-only loading.
|
||||
|
||||
## Tests
|
||||
- `StellaOps.Scanner.Analyzers.OS.Tests` hosts regression tests with canned rootfs fixtures to verify determinism.
|
||||
- Fixtures store expected analyzer outputs under `Fixtures/` with golden JSON (normalized, sorted).
|
||||
- Tests cover apk/dpkg/rpm analyzers, shared helper edge cases, and plug-in catalog enforcement.
|
||||
|
||||
## Required Reading
|
||||
- `docs/modules/scanner/architecture.md`
|
||||
- `docs/modules/platform/architecture-overview.md`
|
||||
|
||||
## Working Agreement
|
||||
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
|
||||
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
|
||||
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
|
||||
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
|
||||
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.
|
||||
|
||||
Reference in New Issue
Block a user