stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

feat(advisory-ai): Add deployment guide, Dockerfile, and Helm chart for on-prem packaging
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details

Browse Source 
- Introduced a comprehensive deployment guide for AdvisoryAI, detailing local builds, remote inference toggles, and scaling guidance.
- Created a multi-role Dockerfile for building WebService and Worker images.
- Added a docker-compose file for local and offline deployment.
- Implemented a Helm chart for Kubernetes deployment with persistence and remote inference options.
- Established a new API endpoint `/advisories/summary` for deterministic summaries of observations and linksets.
- Introduced a JSON schema for risk profiles and a validator to ensure compliance with the schema.
- Added unit tests for the risk profile validator to ensure functionality and error handling.
This commit is contained in:
StellaOps Bot
2025-11-23 00:35:33 +02:00
parent 2e89a92d92
commit 8d78dd219b
33 changed files with 1254 additions and 259 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
docs/implplan/tasks-all.md
View File

@@ -403,13 +403,13 @@
| CONCELIER-CORE-AOC-19-013 | TODO | | SPRINT_112_concelier_i | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Expand smoke/e2e suites so Authority tokens + tenant headers are mandatory for ingest/read paths (including the new provenance endpoint). Must assert no merge-side effects and that provenance anchors always round-trip. | Must reference AOC guardrails from docs | AGCN0101 |
| CONCELIER-DOCS-0001 | DONE | 2025-11-05 | SPRINT_317_docs_modules_concelier | Docs Guild | docs/modules/concelier | Validate that `docs/modules/concelier/README.md` reflects the latest release notes and aggregation toggles. | Reference (baseline) | CCDO0101 |
| CONCELIER-ENG-0001 | TODO | | SPRINT_317_docs_modules_concelier | Module Team · Concelier Guild | docs/modules/concelier | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md` and update module readiness checkpoints. | Wait for CCPR0101 validation | CCDO0101 |
| CONCELIER-GRAPH-21-001 | BLOCKED | 2025-10-27 | SPRINT_113_concelier_ii | Concelier Core · Cartographer Guilds | src/Concelier/__Libraries/StellaOps.Concelier.Core | Extend SBOM normalization so every relationship (depends_on, contains, provides) and scope tag is captured as raw observation metadata with provenance pointers; Cartographer can then join SBOM + advisory facts without Concelier inferring impact. | Waiting on Cartographer schema (052_CAGR0101) | AGCN0101 |
| CONCELIER-GRAPH-21-002 | BLOCKED | 2025-10-27 | SPRINT_113_concelier_ii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Publish `sbom.observation.updated` events whenever new SBOM versions arrive, including tenant/context metadata and advisory references—never send judgments, only facts. Depends on CONCELIER-GRAPH-21-001; blocked pending Platform Events/Scheduler contract + event publisher. | Depends on #5 outputs | AGCN0101 |
| CONCELIER-GRAPH-21-001 | DONE | 2025-11-18 | SPRINT_113_concelier_ii | Concelier Core · Cartographer Guilds | src/Concelier/__Libraries/StellaOps.Concelier.Core | Extend SBOM normalization so every relationship (depends_on, contains, provides) and scope tag is captured as raw observation metadata with provenance pointers; Cartographer can then join SBOM + advisory facts without Concelier inferring impact. | Waiting on Cartographer schema (052_CAGR0101) | AGCN0101 |
| CONCELIER-GRAPH-21-002 | DONE | 2025-11-22 | SPRINT_113_concelier_ii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Publish `sbom.observation.updated` events whenever new SBOM versions arrive, including tenant/context metadata and advisory references—never send judgments, only facts. Depends on CONCELIER-GRAPH-21-001; blocked pending Platform Events/Scheduler contract + event publisher. | Depends on #5 outputs | AGCN0101 |
| CONCELIER-GRAPH-24-101 | TODO | | SPRINT_113_concelier_ii | Concelier WebService Guild | src/Concelier/StellaOps.Concelier.WebService | Provide `/advisories/summary` responses that bundle observation/linkset metadata (aliases, confidence, conflicts) for graph overlays while keeping upstream values intact. Depends on CONCELIER-GRAPH-21-002. | Wait for CAGR0101 + storage migrations | CCGH0101 |
| CONCELIER-GRAPH-28-102 | TODO | | SPRINT_113_concelier_ii | Concelier WebService Guild | src/Concelier/StellaOps.Concelier.WebService | Add batch fetch endpoints keyed by component sets so graph tooltips can pull raw observations/linksets efficiently; include provenance + timestamps but no derived severity. Depends on CONCELIER-GRAPH-24-101. | Depends on #1 | CCGH0101 |
| CONCELIER-LNM-21-001 | TODO | | SPRINT_113_concelier_ii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Define the immutable `advisory_observations` model (per-source fields, version ranges, severity text, provenance metadata, tenant guards) so every ingestion path records raw statements without merge artifacts. | Needs Link-Not-Merge approval (005_ATLN0101) | AGCN0101 |
| CONCELIER-LNM-21-002 | BLOCKED | 2025-11-18 | SPRINT_113_concelier_ii | Concelier Core Guild · Data Science Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Implement correlation pipelines (alias graph, purl overlap, CVSS vector compare) that output linksets with confidence scores + conflict markers, never collapsing conflicting facts into single values. Depends on CONCELIER-LNM-21-001. | Depends on #7 for precedence rules | AGCN0101 |
| CONCELIER-LNM-21-003 | BLOCKED | 2025-11-18 | SPRINT_113_concelier_ii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Record disagreements (severity, CVSS, references) on linksets as structured conflict entries so consumers can reason about divergence without Concelier resolving it. Depends on CONCELIER-LNM-21-002. | Requires #8 heuristics | AGCN0101 |
| CONCELIER-LNM-21-001 | DONE | 2025-11-17 | SPRINT_113_concelier_ii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Define the immutable `advisory_observations` model (per-source fields, version ranges, severity text, provenance metadata, tenant guards) so every ingestion path records raw statements without merge artifacts. | Needs Link-Not-Merge approval (005_ATLN0101) | AGCN0101 |
| CONCELIER-LNM-21-002 | DONE | 2025-11-22 | SPRINT_113_concelier_ii | Concelier Core Guild · Data Science Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Implement correlation pipelines (alias graph, purl overlap, CVSS vector compare) that output linksets with confidence scores + conflict markers, never collapsing conflicting facts into single values. Depends on CONCELIER-LNM-21-001. | Depends on #7 for precedence rules | AGCN0101 |
| CONCELIER-LNM-21-003 | DONE | 2025-11-22 | SPRINT_113_concelier_ii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Record disagreements (severity, CVSS, references) on linksets as structured conflict entries so consumers can reason about divergence without Concelier resolving it. Depends on CONCELIER-LNM-21-002. | Requires #8 heuristics | AGCN0101 |
| CONCELIER-LNM-21-004 | TODO | | SPRINT_113_concelier_ii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Delete legacy merge/dedup logic, add guardrails/tests to keep ingestion append-only, and document how linksets supersede the old merge outputs. Depends on CONCELIER-LNM-21-003. | Depends on #9 | AGCN0101 |
| CONCELIER-LNM-21-005 | TODO | | SPRINT_113_concelier_ii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Emit `advisory.linkset.updated` events containing delta descriptions + observation ids so downstream evaluators can subscribe deterministically. Depends on CONCELIER-LNM-21-004. | Requires CCLN0101 store changes | CCCO0101 |
| CONCELIER-LNM-21-101 | TODO | | SPRINT_113_concelier_ii | Concelier Storage Guild | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | Provision the Mongo collections (`advisory_observations`, `advisory_linksets`) with hashed shard keys, tenant indexes, and TTL for ingest metadata to support Link-Not-Merge at scale. Depends on CONCELIER-LNM-21-005. | Wait for schema freeze | CCLN0101 |
@@ -1438,7 +1438,7 @@
| POLICY-OBS-55-001 | TODO | | SPRINT_127_policy_reasoning | Policy Guild · DevOps Guild | src/Policy/StellaOps.Policy.Engine | Implement incident mode sampling overrides | POLICY-OBS-54-001 | PLOB0101 |
| POLICY-READINESS-0001 | TODO | | SPRINT_325_docs_modules_policy | Policy Guild (docs/modules/policy) | docs/modules/policy | Capture policy module readiness checklist aligned with current sprint goals. | | |
| POLICY-READINESS-0002 | TODO | | SPRINT_325_docs_modules_policy | Policy Guild (docs/modules/policy) | docs/modules/policy | Track outstanding prerequisites/risk items for policy releases and mirror into sprint updates. | | |
| POLICY-RISK-66-001 | TODO | | SPRINT_127_policy_reasoning | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile | src/Policy/StellaOps.Policy.RiskProfile | Develop initial JSON Schema for RiskProfile (signals, transforms, weights, severity, overrides) with validator stubs | | |
| POLICY-RISK-66-001 | DONE | 2025-11-22 | SPRINT_127_policy_reasoning | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile | src/Policy/StellaOps.Policy.RiskProfile | Develop initial JSON Schema for RiskProfile (signals, transforms, weights, severity, overrides) with validator stubs | | |
| POLICY-RISK-66-002 | TODO | | SPRINT_127_policy_reasoning | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile | src/Policy/StellaOps.Policy.RiskProfile | Implement inheritance/merge logic with conflict detection and deterministic content hashing | POLICY-RISK-66-001 | |
| POLICY-RISK-66-003 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Risk Profile Schema Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Integrate RiskProfile schema into Policy Engine configuration, ensuring validation and default profile deployment | POLICY-RISK-66-002 | |
| POLICY-RISK-66-004 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Risk Profile Schema Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Extend Policy libraries to load/save RiskProfile documents, compute content hashes, and surface validation diagnostics | POLICY-RISK-66-003 | |
@@ -2615,8 +2615,8 @@
| CONCELIER-GRAPH-21-002 | BLOCKED | 2025-10-27 | SPRINT_113_concelier_ii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Publish `sbom.observation.updated` events whenever new SBOM versions arrive, including tenant/context metadata and advisory references—never send judgments, only facts. Depends on CONCELIER-GRAPH-21-001. | Depends on #5 outputs | AGCN0101 |
| CONCELIER-GRAPH-24-101 | TODO | | SPRINT_113_concelier_ii | Concelier WebService Guild | src/Concelier/StellaOps.Concelier.WebService | Provide `/advisories/summary` responses that bundle observation/linkset metadata (aliases, confidence, conflicts) for graph overlays while keeping upstream values intact. Depends on CONCELIER-GRAPH-21-002. | Wait for CAGR0101 + storage migrations | CCGH0101 |
| CONCELIER-GRAPH-28-102 | TODO | | SPRINT_113_concelier_ii | Concelier WebService Guild | src/Concelier/StellaOps.Concelier.WebService | Add batch fetch endpoints keyed by component sets so graph tooltips can pull raw observations/linksets efficiently; include provenance + timestamps but no derived severity. Depends on CONCELIER-GRAPH-24-101. | Depends on #1 | CCGH0101 |
| CONCELIER-LNM-21-001 | TODO | | SPRINT_113_concelier_ii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Define the immutable `advisory_observations` model (per-source fields, version ranges, severity text, provenance metadata, tenant guards) so every ingestion path records raw statements without merge artifacts. | Needs Link-Not-Merge approval (005_ATLN0101) | AGCN0101 |
| CONCELIER-LNM-21-002 | BLOCKED | 2025-11-18 | SPRINT_113_concelier_ii | Concelier Core Guild · Data Science Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Implement correlation pipelines (alias graph, purl overlap, CVSS vector compare) that output linksets with confidence scores + conflict markers, never collapsing conflicting facts into single values. Depends on CONCELIER-LNM-21-001. | Depends on #7 for precedence rules | AGCN0101 |
| CONCELIER-LNM-21-001 | DONE | 2025-11-17 | SPRINT_113_concelier_ii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Define the immutable `advisory_observations` model (per-source fields, version ranges, severity text, provenance metadata, tenant guards) so every ingestion path records raw statements without merge artifacts. | Needs Link-Not-Merge approval (005_ATLN0101) | AGCN0101 |
| CONCELIER-LNM-21-002 | DONE | 2025-11-22 | SPRINT_113_concelier_ii | Concelier Core Guild · Data Science Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Implement correlation pipelines (alias graph, purl overlap, CVSS vector compare) that output linksets with confidence scores + conflict markers, never collapsing conflicting facts into single values. Depends on CONCELIER-LNM-21-001. | Depends on #7 for precedence rules | AGCN0101 |
| CONCELIER-LNM-21-003 | BLOCKED | 2025-11-18 | SPRINT_113_concelier_ii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Record disagreements (severity, CVSS, references) on linksets as structured conflict entries so consumers can reason about divergence without Concelier resolving it. Depends on CONCELIER-LNM-21-002. | Requires #8 heuristics | AGCN0101 |
| CONCELIER-LNM-21-004 | TODO | | SPRINT_113_concelier_ii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Delete legacy merge/dedup logic, add guardrails/tests to keep ingestion append-only, and document how linksets supersede the old merge outputs. Depends on CONCELIER-LNM-21-003. | Depends on #9 | AGCN0101 |
| CONCELIER-LNM-21-005 | TODO | | SPRINT_113_concelier_ii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Emit `advisory.linkset.updated` events containing delta descriptions + observation ids so downstream evaluators can subscribe deterministically. Depends on CONCELIER-LNM-21-004. | Requires CCLN0101 store changes | CCCO0101 |
@@ -3648,7 +3648,7 @@
| POLICY-OBS-55-001 | TODO | | SPRINT_127_policy_reasoning | Policy Guild · DevOps Guild | src/Policy/StellaOps.Policy.Engine | Implement incident mode sampling overrides | POLICY-OBS-54-001 | PLOB0101 |
| POLICY-READINESS-0001 | TODO | | SPRINT_325_docs_modules_policy | Policy Guild (docs/modules/policy) | docs/modules/policy | Capture policy module readiness checklist aligned with current sprint goals. | | |
| POLICY-READINESS-0002 | TODO | | SPRINT_325_docs_modules_policy | Policy Guild (docs/modules/policy) | docs/modules/policy | Track outstanding prerequisites/risk items for policy releases and mirror into sprint updates. | | |
| POLICY-RISK-66-001 | TODO | | SPRINT_127_policy_reasoning | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile | src/Policy/StellaOps.Policy.RiskProfile | Develop initial JSON Schema for RiskProfile (signals, transforms, weights, severity, overrides) with validator stubs | | |
| POLICY-RISK-66-001 | DONE | 2025-11-22 | SPRINT_127_policy_reasoning | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile | src/Policy/StellaOps.Policy.RiskProfile | Develop initial JSON Schema for RiskProfile (signals, transforms, weights, severity, overrides) with validator stubs | | |
| POLICY-RISK-66-002 | TODO | | SPRINT_127_policy_reasoning | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile | src/Policy/StellaOps.Policy.RiskProfile | Implement inheritance/merge logic with conflict detection and deterministic content hashing | POLICY-RISK-66-001 | |
| POLICY-RISK-66-003 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Risk Profile Schema Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Integrate RiskProfile schema into Policy Engine configuration, ensuring validation and default profile deployment | POLICY-RISK-66-002 | |
| POLICY-RISK-66-004 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Risk Profile Schema Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Extend Policy libraries to load/save RiskProfile documents, compute content hashes, and surface validation diagnostics | POLICY-RISK-66-003 | |