Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Airgap Sealed CI Smoke / sealed-smoke (push) Has been cancelled
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Airgap Sealed CI Smoke / sealed-smoke (push) Has been cancelled
This commit is contained in:
StellaOps Bot
@@ -1,7 +1,14 @@
|
||||
# DevOps agent guide
|
||||
|
||||
## Mission
|
||||
The DevOps module captures release, deployment, and migration playbooks that keep StellaOps deterministic across environments.
|
||||
## Mission
|
||||
The DevOps module captures release, deployment, and migration playbooks that keep StellaOps deterministic across environments.
|
||||
|
||||
## Advisory Handling
|
||||
- Any new/updated advisory triggers immediate doc + sprint updates (no approval).
|
||||
- Update high-level + detailed docs; inline only short snippets; put runnable/long code in `docs/benchmarks/**` or `tests/**` (deterministic/offline) and link.
|
||||
- Add tasks + Execution Log entries in relevant `SPRINT_*.md` with doc paths/owners; add risks if schema/feed/transparency caps apply.
|
||||
- Check archived advisories; mark supersedes/extends if overlapping.
|
||||
- Defaults: hybrid reachability, deterministic/frozen feeds; act first, report after.
|
||||
|
||||
## Key docs
|
||||
- [Module README](./README.md)
|
||||
|
||||
@@ -3,6 +3,13 @@
|
||||
## Mission
|
||||
Graph module (upcoming) will power graph-indexed queries for SBOM relationships, lineage, and blast-radius analysis.
|
||||
|
||||
## Advisory Handling
|
||||
- Any new/updated advisory triggers doc + sprint updates immediately. No approval.
|
||||
- Update high-level + detailed docs; inline only short snippets; runnable/long code to `docs/benchmarks/**` or `tests/**` (deterministic/offline) with links.
|
||||
- Add tasks and Execution Log entries in relevant `SPRINT_*.md` with doc paths/owners; add risks if schema/feed/transparency caps apply.
|
||||
- Check archived advisories for overlap; mark supersedes/extends.
|
||||
- Defaults: hybrid reachability posture, deterministic/frozen feeds; execute first, report after.
|
||||
|
||||
## Key docs
|
||||
- [Module README](./README.md)
|
||||
- [Architecture](./architecture.md)
|
||||
|
||||
@@ -69,6 +69,7 @@ Key boundaries:
|
||||
- **AOC border.** Everything inside the Ingestion subgraph writes only immutable raw facts plus link hints. Derived severity, consensus, and risk remain outside the border.
|
||||
- **Policy-only derivation.** Policy Engine materialises `effective_finding_*` collections and emits overlays; other services consume but never mutate them.
|
||||
- **Tenant enforcement.** Authority-issued DPoP scopes flow through Gateway to every service; raw stores and overlays include `tenant` strictly.
|
||||
- **Hybrid reachability attestations.** Scanner/Attestor always publish graph-level DSSE for reachability graphs; optional edge-bundle DSSEs capture high-risk/runtime/init edges. Policy/Signals consume both, with graph DSSE as the minimum bar and edge bundles used for quarantine/dispute flows.
|
||||
|
||||
---
|
||||
|
||||
|
||||
@@ -20,6 +20,7 @@ The service operates strictly downstream of the **Aggregation-Only Contract (AOC
|
||||
- Materialise effective findings (`effective_finding_{policyId}`) with append-only history and produce explain traces.
|
||||
- Emit per-finding OpenVEX decisions anchored to reachability evidence, forward them to Signer/Attestor for DSSE/Rekor, and publish the resulting artifacts for bench/verification consumers.
|
||||
- Consume reachability lattice decisions (`ReachDecision`, `docs/reachability/lattice.md`) to drive confidence-based VEX gates (not_affected / under_investigation / affected) and record the policy hash used for each decision.
|
||||
- Honor **hybrid reachability attestations**: graph-level DSSE is required input; when edge-bundle DSSEs exist, prefer their per-edge provenance for quarantine, dispute, and high-risk decisions. Quarantined edges (revoked in bundles or listed in Unknowns registry) must be excluded before VEX emission.
|
||||
- Operate incrementally: react to change streams (advisory/vex/SBOM deltas) with ≤ 5 min SLA.
|
||||
- Provide simulations with diff summaries for UI/CLI workflows without modifying state.
|
||||
- Enforce strict determinism guard (no wall-clock, RNG, network beyond allow-listed services) and RBAC + tenancy via Authority scopes.
|
||||
|
||||
@@ -53,6 +53,8 @@ Analyzer assemblies and buildx generators are packaged as **restart-time plug-in
|
||||
- **Build-id capture**: read `.note.gnu.build-id` for every ELF, store hex build-id alongside soname/path, propagate into `SymbolID`/`code_id`, and expose it to SBOM + runtime joiners. If missing, fall back to file hash and mark source accordingly.
|
||||
- **PURL-resolved edges**: annotate call edges with the callee purl and `symbol_digest` so graphs merge with SBOM components. See `docs/reachability/purl-resolved-edges.md` for schema rules and acceptance tests.
|
||||
- **Unknowns emission**: when symbol → purl mapping or edge targets remain unresolved, emit structured Unknowns to Signals (see `docs/signals/unknowns-registry.md`) instead of dropping evidence.
|
||||
- **Hybrid attestation**: emit **graph-level DSSE** for every `richgraph-v1` (mandatory) and optional **edge-bundle DSSE** (≤512 edges) for runtime/init-root/contested edges or third-party provenance. Publish graph DSSE digests to Rekor by default; edge-bundle Rekor publish is policy-driven. CAS layout: `cas://reachability/graphs/{blake3}` for graph body, `.../{blake3}.dsse` for envelope, and `cas://reachability/edges/{graph_hash}/{bundle_id}[.dsse]` for bundles. Deterministic ordering before hashing/signing is required.
|
||||
- **Deterministic call-graph manifest**: capture analyzer versions, feed hashes, toolchain digests, and flags in a manifest stored alongside `richgraph-v1`; replaying with the same manifest MUST yield identical node/edge sets and hashes (see `docs/reachability/lead.md`).
|
||||
|
||||
### 1.1 Queue backbone (Redis / NATS)
|
||||
|
||||
|
||||
@@ -3,6 +3,13 @@
|
||||
## Mission
|
||||
Signer validates callers, enforces Proof-of-Entitlement, and produces signed DSSE bundles for SBOMs, reports, and exports.
|
||||
|
||||
## Advisory Handling
|
||||
- Any new/updated advisory triggers immediate doc + sprint updates; no approval.
|
||||
- Update high-level + detailed docs; inline only short snippets; put runnable/long code in `docs/benchmarks/**` or `tests/**` (deterministic/offline) and link.
|
||||
- Add tasks + Execution Log entries in relevant `SPRINT_*.md` with doc paths/owners; add risks if schema/feed/transparency caps apply.
|
||||
- Check archived advisories; mark supersedes/extends if overlapping.
|
||||
- Defaults: hybrid reachability (graph DSSE required; edge-bundle optional), deterministic/frozen feeds; act first, report after.
|
||||
|
||||
## Key docs
|
||||
- [Module README](./README.md)
|
||||
- [Architecture](./architecture.md)
|
||||
|
||||
@@ -3,6 +3,13 @@
|
||||
## Mission
|
||||
Telemetry module captures deployment and operations guidance for the shared observability stack (collectors, storage, dashboards).
|
||||
|
||||
## Advisory Handling
|
||||
- Any new/updated advisory triggers immediate doc + sprint updates; no approval.
|
||||
- Update high-level + detailed docs; inline only short snippets; place runnable/long code in `docs/benchmarks/**` or `tests/**` (deterministic/offline) and link.
|
||||
- Add tasks + Execution Log entries in relevant `SPRINT_*.md` with doc paths/owners; add risks if schema/feed/transparency caps apply.
|
||||
- Check archived advisories; mark supersedes/extends if overlapping.
|
||||
- Defaults: hybrid reachability, deterministic/frozen feeds; act first, report after.
|
||||
|
||||
## Key docs
|
||||
- [Module README](./README.md)
|
||||
- [Architecture](./architecture.md)
|
||||
|
||||
@@ -3,6 +3,12 @@
|
||||
## Mission
|
||||
The Console presents operator dashboards for scans, policies, VEX evidence, runtime posture, and admin workflows.
|
||||
|
||||
## Advisory Handling
|
||||
- New/updated advisories require immediate doc + sprint updates (no approval): high-level + detailed docs; inline only short snippets; runnable/long code to `docs/benchmarks/**` or `tests/**` (deterministic/offline) with links.
|
||||
- Add tasks + Execution Log entries in relevant `SPRINT_*.md` with doc paths/owners; add risks if schema/feed/transparency caps apply.
|
||||
- Check archived advisories for overlaps; mark supersedes/extends.
|
||||
- Defaults: hybrid reachability, deterministic/frozen feeds; act first, report after.
|
||||
|
||||
## Key docs
|
||||
- [Module README](./README.md)
|
||||
- [Architecture](./architecture.md)
|
||||
|
||||
@@ -3,6 +3,13 @@
|
||||
## Mission
|
||||
Zastava monitors running workloads, verifies supply chain posture, and enforces runtime policy via Kubernetes admission webhooks.
|
||||
|
||||
## Advisory Handling
|
||||
- Trigger: any new/updated advisory triggers doc + sprint updates; no approval required.
|
||||
- Docs: update high-level + detailed pages; inline only small snippets; put runnable/long code in `docs/benchmarks/**` or `tests/**` (deterministic/offline) and link.
|
||||
- Sprints: add tasks + Execution Log in the relevant `SPRINT_*.md` with doc paths/owners; add risks if schema/feed/transparency caps apply.
|
||||
- De-dup: check archived advisories; mark supersedes/extends where overlapping.
|
||||
- Defaults: hybrid reachability posture, deterministic/frozen feeds; execute immediately, then report.
|
||||
|
||||
## Key docs
|
||||
- [Module README](./README.md)
|
||||
- [Architecture](./architecture.md)
|
||||
|
||||
Reference in New Issue
Block a user