StellaOps Bot
2025-12-14 23:20:14 +02:00
parent 3411e825cd
commit b058dbe031
356 changed files with 68310 additions and 1108 deletions

@@ -9,15 +9,47 @@ Deliver offline bundle verification and ingestion tooling for sealed environment
- CLI + API surfaces for dry-run verification, import, and status queries.
- Integration hooks for Conseiller, Excitor, Policy Engine, and Export Center.
- Negative-case handling (tampering, expired signatures, root rotation) with operator guidance.
- **Monotonicity enforcement** for version rollback prevention (Sprint 0338).
- **Quarantine service** for failed bundle forensic analysis (Sprint 0338).
- **Evidence reconciliation** with VEX lattice precedence (Sprint 0342).
## Key Interfaces (per Advisory Implementation)
### Versioning (Sprint 0338)
- `IVersionMonotonicityChecker` - Validates incoming versions are newer than active
- `IBundleVersionStore` - Postgres-backed version tracking per tenant/type
- `BundleVersion` - SemVer + timestamp model with `IsNewerThan()` comparison
### Quarantine (Sprint 0338)
- `IQuarantineService` - Preserves failed bundles with diagnostics
- `FileSystemQuarantineService` - Implementation with TTL cleanup
- Structure: `/updates/quarantine/<timestamp>-<reason>/` with bundle, manifest, verification.log, failure-reason.txt
### Telemetry (Sprint 0341)
- `OfflineKitMetrics` - Prometheus metrics (import counts, latencies)
- `OfflineKitLogFields` - Standardized structured logging constants
- `IOfflineKitAuditEmitter` - Audit event emission to Authority schema
### Reconciliation (Sprint 0342)
- `IEvidenceReconciler` - Orchestrates 5-step algorithm per advisory §5
- `ArtifactIndex` - Digest-keyed, deterministically ordered artifact store
- `IEvidenceCollector` - Collects SBOMs, attestations, VEX from evidence directory
- `PrecedenceLattice` - VEX merge with vendor > maintainer > 3rd-party precedence
- `EvidenceGraphEmitter` - Deterministic graph output with DSSE signing
## Definition of Done
- Deterministic fixtures for valid/invalid bundles committed.
- Integration tests prove catalog + object-store updates are idempotent.
- Import audit trail viewable via API and timeline events.
- **Monotonicity check blocks rollback unless force-activated with reason.**
- **Failed bundles are quarantined with full diagnostic context.**
- **Evidence reconciliation produces identical output for identical input.**
## Required Reading
- `docs/airgap/airgap-mode.md`
- `docs/airgap/advisory-implementation-roadmap.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/product-advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
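Review bot: The Definition of Done item "Monotonicity check blocks rollback unless force-activated with reason." leaves the override underspecified: nothing in this section says who is allowed to force-activate, or that the forced activation and its reason are recorded anywhere. Rollback prevention is the control here, so the bypass should be documented as requiring explicit authorization and as emitting an audit event through `IOfflineKitAuditEmitter`, with a matching Definition of Done line. Under Versioning, `BundleVersion` is described as "SemVer + timestamp" with `IsNewerThan()`, but the text does not say which field takes precedence or how an equal version is treated; state that so the checker's behaviour on re-import of the active bundle is defined. The quarantine layout `/updates/quarantine/<timestamp>-<reason>/` carries no tenant component although version tracking is "per tenant/type", and it would help to say that `<reason>` comes from a fixed set of codes rather than free text, since it ends up in a directory name. Minor: "correspoding" in the Working Agreement should be "corresponding", and that item is marked "- 1.", which renders as a bullet containing a literal "1.".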