feat: Add guild charters and task boards for various components

- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform.
- Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds.
- Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies.
- Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.
2025-11-01 02:21:46 +02:00
parent e5629454cf
commit 66cb6c4b8a
227 changed files with 9913 additions and 6210 deletions


@@ -0,0 +1,30 @@
# Scanner Surface.Secrets Guild Charter
## Mission
Provide a unified secret access layer for Scanner, Zastava, and related services to retrieve registry credentials, CAS tokens, and bundle decryptors securely and deterministically. Surface.Secrets abstracts secret stores (Kubernetes, file bundles, in-memory) while supporting offline and air-gapped deployments.
## Scope
- Secret provider interfaces and implementations in `StellaOps.Scanner.Surface.Secrets`.
- Integration with Surface.Env & Surface.Validation for configuration/inputs.
- Backend adapters (Kubernetes Secret, file-based, offline bundle) and rotation hooks.
- Audit logging, caching policies, and error handling for secret access.
## Required Reading
- `docs/modules/scanner/design/surface-secrets.md`
- `docs/modules/scanner/design/surface-env.md`
- `docs/modules/scanner/design/surface-fs.md`
- `docs/modules/scanner/design/surface-validation.md`
- `docs/modules/scanner/architecture.md`
- `docs/modules/zastava/architecture.md`
- `docs/modules/airgap/airgap-mode.md`
- Security guidance in `docs/security/redaction-and-privacy.md`
## Working Agreement
1. **Status synchronisation**: update task state in both `docs/implplan/SPRINTS.md` and local `TASKS.md` whenever you start or complete work.
2. **Security posture**: enforce least privilege, short cache TTLs, redaction in logs, and Authority scope checks where applicable.
3. **Deterministic behaviour**: deterministic secret selection & failure modes; avoid random jitter unless documented.
4. **Offline readiness**: support sealed-mode bundles; document required manifest formats and verification steps.
5. **Testing**: add unit/integration tests for each backend, rotation scenario, and failure path; include air-gap fixtures.
6. **Documentation**: keep `surface-secrets.md` current; collaborate with DevOps to update Helm/Compose/offline-kit instructions.
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
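Review bot: the final line of the hunk, `- 1. Update task status to `DOING`/`DONE` in both ...`, repeats item 1 of the Working Agreement list with a mixed `- 1.` marker, so it renders as a stray bullet hanging under item 6 rather than as part of the numbered list. Drop the line, or fold the explicit state names into item 1 (`update task state to DOING/DONE in both ...`) if they are wanted. Separately, the Security posture item requires `Authority scope checks where applicable` without saying which secret operations that covers; pointing at the section of `surface-secrets.md` (already in Required Reading) that is meant to define the scopes would make the agreement checkable in review.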


@@ -0,0 +1,10 @@
# Surface.Secrets Task Board (Epic: SURFACE-SHARING)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SURFACE-SECRETS-01 | TODO | Scanner Guild, Security Guild | ARCH-SURFACE-EPIC | Produce `docs/modules/scanner/design/surface-secrets.md` defining secret reference schema, storage backends, scopes, and rotation. | Spec approved by Security + Authority guilds; threat model ticket logged. |
| SURFACE-SECRETS-02 | TODO | Scanner Guild | SURFACE-SECRETS-01 | Implement `StellaOps.Scanner.Surface.Secrets` core provider interfaces, secret models, and in-memory test backend. | Library builds; tests pass; XML docs cover public API. |
| SURFACE-SECRETS-03 | TODO | Scanner Guild | SURFACE-SECRETS-02 | Add Kubernetes/File/Offline backends with deterministic caching and audit hooks. | Backends integrated; integration tests simulate rotation + offline bundles. |
| SURFACE-SECRETS-04 | TODO | Scanner Guild | SURFACE-SECRETS-02 | Integrate Surface.Secrets into Scanner Worker/WebService/BuildX for registry + CAS creds. | Scanner components consume library; legacy secret code removed; smoke tests updated. |
| SURFACE-SECRETS-05 | TODO | Zastava Guild | SURFACE-SECRETS-02 | Invoke Surface.Secrets from Zastava Observer/Webhook for CAS & attestation secrets. | Zastava uses shared provider; admission + observer tests cover secret errors. |
| SURFACE-SECRETS-06 | TODO | Ops Guild | SURFACE-SECRETS-03 | Update deployment manifests/offline kit bundles to provision secret references instead of raw values. | Templates merged; docs & runbooks updated; offline kit instructions validated. |
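Review bot: SURFACE-SECRETS-04 and SURFACE-SECRETS-05 list only SURFACE-SECRETS-02 under `Depends on`, but 02 delivers just the provider interfaces and an in-memory test backend; wiring Scanner Worker/WebService/BuildX and Zastava Observer/Webhook to the library for registry, CAS and attestation secrets cannot reach a real deployment until the Kubernetes/File/Offline backends from SURFACE-SECRETS-03 exist. Either add SURFACE-SECRETS-03 to the dependencies of 04 and 05, or state in their descriptions that the first integration targets the in-memory backend and that `smoke tests updated` and `tests cover secret errors` are re-run once 03 lands. The exit criteria for 03 should also name the cache TTL bound and a log-redaction test, since the charter's security posture item commits the guild to `short cache TTLs` and `redaction in logs` and nothing on this board verifies either.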