stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

feat: Implement Runtime Facts ingestion service and NDJSON reader
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details

Browse Source 
- Added RuntimeFactsNdjsonReader for reading NDJSON formatted runtime facts.
- Introduced IRuntimeFactsIngestionService interface and its implementation.
- Enhanced Program.cs to register new services and endpoints for runtime facts.
- Updated CallgraphIngestionService to include CAS URI in stored artifacts.
- Created RuntimeFactsValidationException for validation errors during ingestion.
- Added tests for RuntimeFactsIngestionService and RuntimeFactsNdjsonReader.
- Implemented SignalsSealedModeMonitor for compliance checks in sealed mode.
- Updated project dependencies for testing utilities.
This commit is contained in:
master
2025-11-10 07:56:15 +02:00
parent 9df52d84aa
commit 69c59defdc
132 changed files with 19718 additions and 9334 deletions
Download Patch File Download Diff File Expand all files Collapse all files

131
docs/modules/cli/guides/cli-reference.md
View File

@@ -189,6 +189,137 @@ Replays the AOC guard against stored raw documents. By default it checks all adv
}
```
---
## 4·`stella node lock-validate`
### 4.1Synopsis
```bash
stella node lock-validate \
[--path <directory>] \
[--format table|json] \
[--verbose]
```
### 4.2Description
Runs the Node analyzer locally against a working directory to compare lockfiles (`package-lock.json`, `pnpm-lock.yaml`, `yarn.lock`) with what is actually present in `node_modules`. The command is read-only and never schedules a scan; it reuses the same deterministic collector that powers Scanner so results match backend evidence. Output highlights two conditions that policy cares about:
- **Declared Only** packages present in lockfiles but missing from the filesystem or final image.
- **Missing Lock** packages discovered at runtime without corresponding lock metadata (no registry provenance, integrity hash, or repository information).
This helps catch drift before images are built, keeps lockfiles trustworthy, and feeds policy predicates such as `node.lock.declaredMissing`.
### 4.3Options
| Option | Description |
|--------|-------------|
| `--path`, `-p` | Directory containing `package.json` and lockfiles. Defaults to the current working directory. |
| `--format table|json` | `table` (default) renders a Spectre table with status badges; `json` prints the underlying report for CI automation. |
| `--verbose` | Enables detailed logging (shared root option). |
### 4.4Output & exit codes
- `table` mode prints a summary row and two sections: `Declared Only` (red) and `Missing Lock` (yellow). Columns show package, version, lock source/locator, and filesystem path so engineers can reconcile quickly.
- `json` mode emits `{ declaredOnly: [], missingLockMetadata: [], totalDeclared, totalInstalled }`, mirroring the analyzer telemetry.
Exit codes:
| Code | Meaning |
|------|---------|
| `0` | No inconsistencies detected. |
| `1` | Declared-only or missing-lock packages were found. |
| `71` | The requested directory could not be read (missing path, permissions, etc.). |
The CLI also records `stellaops.cli.node.lock_validate.count{outcome}` so operators can monitor adoption in telemetry.
### 4.5Offline notes
- Works entirely offline; point `--path` at a workspace checked out from an Offline Kit or build cache.
- Honors the same `Surface.Validation` limits configured for Scanner once those knobs (`scanner.lockfiles.node.*`) are deployed cluster-wide.
- Combine with `stella scan` by running lock validation in CI before images are built to fail fast on inconsistent manifests.
---
## 5·`stella python lock-validate`
### 5.1Synopsis
```bash
stella python lock-validate \
[--path <directory>] \
[--format table|json] \
[--verbose]
```
### 5.2Description
Validates Python lockfiles (currently `requirements*.txt`, `Pipfile.lock`, and `poetry.lock`) against what exists in `site-packages`. It uses the same analyzer Scanner runs so declared-only packages, missing locks, and editable installs are detected deterministically and without internet access. This catches drift between lock manifests and baked images before scanners or policy gates fail later.
### 5.3Options
| Option | Description |
|--------|-------------|
| `--path`, `-p` | Directory containing `lib/python*/site-packages` and lockfiles. Defaults to `$PWD`. |
| `--format table|json` | `table` (default) prints a human summary; `json` emits the raw report for CI. |
| `--verbose` | Enables detailed logging. |
### 5.4Output & exit codes
Output shape mirrors the Node command: declared-only packages are shown with lock provenance, and runtime packages missing lock metadata are highlighted separately. JSON mode returns the same object schema `{ declaredOnly, missingLockMetadata, totalDeclared, totalInstalled }`.
Exit codes follow the same contract (`0` success, `1` violations, `71` for unreadable path). Telemetry is published via `stellaops.cli.python.lock_validate.count{outcome}`.
### 5.5Offline notes
- Works entirely offline—lockfiles and `site-packages` must already be present (from a venv snapshot, container rootfs, or Offline Kit).
- Honors upcoming `scanner.lockfiles.python.*` guardrails once Surface.Validation is wired in so CLI + Scanner enforce the same registry/size limits.
- Recommended CI flow: run `stella python lock-validate` before building containers and fail fast when declared-only packages remain.
## 6·`stella java lock-validate`
### 6.1Synopsis
```bash
stella java lock-validate \\
[--path <directory>] \\
[--format table|json] \\
[--verbose]
```
### 6.2Description
Executes the Java language analyzer locally so Gradle `gradle.lockfile`, `gradle/dependency-locks/**/*.lockfile`, and `pom.xml` declarations can be compared with the jars that actually ship in a workspace. The command reuses the new `JavaLockFileCollector` plus the `JavaLanguageAnalyzer` merge logic, so it emits the same `DeclaredOnly` and `Missing Lock` evidence that Scanner and Policy consume. Engineers can see which coordinates exist only in lockfiles (no jar on disk) and which installed jars lack lock metadata (no repository/provenance) before a scan ever runs.
### 6.3Options
| Option | Description |
|--------|-------------|
| `--path`, `-p` | Directory containing jars (e.g., `build/libs`) and lockfiles. Defaults to the current working directory. |
| `--format table|json` | `table` (default) renders the Spectre table; `json` outputs the raw `LockValidationReport`. |
| `--verbose` | Enables detailed logging and surfaces the analyzer paths being inspected. |
### 6.4Output & exit codes
Output mirrors the Node/Python verbs: `Declared Only` rows include the lock source/locator (e.g., `gradle.lockfile`, `gradle/dependency-locks/app.lockfile`) plus configuration/repository hints, while `Missing Lock` rows highlight jars that Scanner would tag with `lockMissing=true`. JSON responses return `{ declaredOnly, missingLockMetadata, totalDeclared, totalInstalled }`.
Exit codes align with the other lock validators:
| Code | Meaning |
|------|---------|
| `0` | No inconsistencies detected. |
| `1` | Declared-only or missing-lock jars detected. |
| `71` | Directory could not be read. |
Telemetry is recorded via `stellaops.cli.java.lock_validate.count{outcome}` so adoption can be monitored alongside the Node/Python verbs.
### 6.5Offline notes
- Works with any workspace (Gradle, Maven, or extracted container layers) no network access or build tool metadata is required at runtime.
- Honors forthcoming `scanner.lockfiles.java.*` Surface.Validation limits once they are deployed so CLI + Scanner stay in lockstep.
- Recommended CI flow: run `stella java lock-validate` before packaging containers to surface missing locks/declared-only coordinates early.
### 3.5Exit codes
| Exit code | Meaning |