FUll implementation plan (first draft)

2025-10-19 00:28:48 +03:00
parent 052da7a7d0
commit 8dc7273e27
125 changed files with 5438 additions and 166 deletions
--- a/src/StellaOps.Scanner.Sbomer.BuildXPlugin/AGENTS.md
+++ b/src/StellaOps.Scanner.Sbomer.BuildXPlugin/AGENTS.md
@@ -0,0 +1,12 @@
+# StellaOps.Scanner.Sbomer.BuildXPlugin — Agent Charter
+
+## Mission
+Implement the build-time SBOM generator described in `docs/ARCHITECTURE_SCANNER.md` and new buildx dossier requirements:
+- Provide a deterministic BuildKit/Buildx generator that produces layer SBOM fragments and uploads them to local CAS.
+- Emit OCI annotations (+provenance) compatible with Scanner.Emit and Attestor hand-offs.
+- Respect restart-time plug-in policy (`plugins/scanner/buildx/` manifests) and keep CI overhead ≤300 ms per layer.
+
+## Expectations
+- Read architecture + upcoming Buildx addendum before coding.
+- Ensure graceful fallback to post-build scan when generator unavailable.
+- Provide integration tests with mock BuildKit, and update `TASKS.md` as states change.
--- a/src/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj
+++ b/src/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj
@@ -0,0 +1,8 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <OutputType>Exe</OutputType>
+  </PropertyGroup>
+</Project>
--- a/src/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md
+++ b/src/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md
@@ -0,0 +1,7 @@
+# BuildX Plugin Task Board (Sprint 9)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| SP9-BLDX-09-001 | TODO | BuildX Guild | SCANNER-EMIT-10-601 (awareness) | Scaffold buildx driver, manifest, local CAS handshake; ensure plugin loads from `plugins/scanner/buildx/`. | Plugin manifest + loader tests; local CAS writes succeed; restart required to activate. |
+| SP9-BLDX-09-002 | TODO | BuildX Guild | SP9-BLDX-09-001 | Emit OCI annotations + provenance metadata for Attestor handoff (image + SBOM). | OCI descriptors include DSSE/provenance placeholders; Attestor mock accepts payload. |
+| SP9-BLDX-09-003 | TODO | BuildX Guild | SP9-BLDX-09-002 | CI demo pipeline: build sample image, produce SBOM, verify backend report wiring. | GitHub/CI job runs sample build within 5 s overhead; artifacts saved; documentation updated. |