feat: Add comprehensive product advisories for improved scanner functionality
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Introduced a blueprint for explainable quiet alerts, detailing phases for SBOM, VEX readiness, and attestations. - Developed a roadmap for deterministic diff-aware rescans, enhancing scanner speed and efficiency. - Implemented a hash-based SBOM layer cache to optimize container scans by reusing previous results. - Created a multi-runtime reachability corpus to validate function-level reachability across various programming languages. - Proposed a stable SBOM model using SPDX 3.0.1 for persistence and CycloneDX 1.6 for interchange. - Established a validation plan for quiet scans, focusing on provenance and CI integration. - Documented guidelines for the Findings Ledger module, outlining roles, execution rules, and testing protocols.
This commit is contained in:
master
56
src/Findings/AGENTS.md
Normal file
56
src/Findings/AGENTS.md
Normal file
@@ -0,0 +1,56 @@
|
||||
# Findings Ledger · AGENTS.md
|
||||
|
||||
## Working directory
|
||||
- Primary path: `src/Findings/StellaOps.Findings.Ledger` (and sibling test project under `src/Findings/__Tests` when exercising tests).
|
||||
- Do not touch other modules unless the sprint explicitly permits cross-module edits; Orchestrator/AirGap/Attestor integration work must land behind feature flags and be coordinated via their sprints.
|
||||
|
||||
## Roles covered
|
||||
- Backend engineer: .NET 10/C# for ledger services, projections, provenance links, Merkle anchoring.
|
||||
- QA / determinism: replay harness, property/integration tests, load testing at ≥5M findings/tenant.
|
||||
- Observability / DevOps: metrics, logs, dashboards, alert wiring, deployment/backup/offline kits.
|
||||
|
||||
## Required reading before DOING
|
||||
- Global: `docs/README.md`, `docs/07_HIGH_LEVEL_ARCHITECTURE.md`, `docs/modules/platform/architecture-overview.md`.
|
||||
- Ledger module:
|
||||
- `docs/modules/findings-ledger/observability.md`
|
||||
- `docs/modules/findings-ledger/replay-harness.md`
|
||||
- `docs/modules/findings-ledger/deployment.md`
|
||||
- `docs/modules/findings-ledger/implementation_plan.md`
|
||||
- `docs/modules/findings-ledger/airgap-provenance.md`
|
||||
- `docs/modules/findings-ledger/schema.md` (sealed-mode and Merkle root structure)
|
||||
- `docs/modules/findings-ledger/workflow-inference.md` (projection rules)
|
||||
- Observability policy: `docs/observability/policy.md`.
|
||||
|
||||
## Execution rules
|
||||
- Update sprint `Delivery Tracker` status when you start/stop/finish: TODO → DOING → DONE/BLOCKED.
|
||||
- If a contract/design decision is missing, mark the task BLOCKED in the sprint, add the decision needed under **Decisions & Risks**, then continue with other unblocked tasks.
|
||||
- Keep outputs deterministic: UTC ISO-8601 timestamps, stable ordering, seeded property tests, repeatable replay runs.
|
||||
|
||||
## Coding & data guidelines
|
||||
- Target .NET 10; prefer latest C# preview features allowed by repo tooling.
|
||||
- Logging: structured `Ledger.*` logs; no PII; include `tenant`, `chain`, `policy`, `status`, `anchor` labels where applicable.
|
||||
- Metrics: emit only metric names/labels listed in `observability.md`; new series require Observability Guild approval.
|
||||
- Storage: follow schema in `schema.md`; preserve Merkle invariants and provenance pointers (orchestrator job IDs, bundle IDs, DSSE/attestation IDs).
|
||||
- Feature flags: gate Orchestrator/AirGap/Attestor integrations; defaults must be safe for air-gapped/offline mode.
|
||||
|
||||
## Testing
|
||||
- Mandatory: unit + property tests for ledger state/merkle roots; integration tests for projections and provenance pointers.
|
||||
- Replay/determinism: use the harness in `replay-harness.md` (5M findings/tenant scenario); produce signed harness report (DSSE) for LEDGER-29-008.
|
||||
- Load tests should record CPU/memory budgets as part of run artifacts; keep seeds and fixtures under version control.
|
||||
|
||||
## Observability & operations
|
||||
- Metrics/logs/traces via OpenTelemetry → OTLP → Prometheus/Tempo/Loki; respect `observability.enabled` flag.
|
||||
- Dashboards: include Grafana JSON exports under `offline/telemetry/dashboards/ledger`.
|
||||
- Alerts: wire as documented in `observability.md`; for air-gap emit to syslog + CLI incident scripts.
|
||||
- Deployments: follow `deployment.md` for Helm/Compose overlays, migrations, backup/restore, and offline kits.
|
||||
|
||||
## Offline/air-gap
|
||||
- Never assume external network; rely on mirrored feeds and bundled assets.
|
||||
- Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) when importing advisories/VEX/policies as per `airgap-provenance.md`.
|
||||
- Exports that become stale beyond documented thresholds must be blocked with remediation messaging.
|
||||
|
||||
## Acceptance checklist for changes
|
||||
- Tests updated/added and passing locally (`dotnet test` within module scope).
|
||||
- Metrics/logs follow approved names and labels; dashboards/alerts updated if schemas change.
|
||||
- Replay harness run (or planned) for determinism-impacting changes; attach/report results.
|
||||
- Docs updated when contracts or workflows change (module docs, observability policy, sprint Decisions & Risks).
|
||||
Reference in New Issue
Block a user