stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

work work hard work

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-18 00:47:24 +02:00
parent dee252940b
commit b4235c134c
189 changed files with 9627 additions and 3258 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
docs/db/SPECIFICATION.md
View File

@@ -2,7 +2,7 @@
**Version:** 1.0.0
**Status:** DRAFT
**Last Updated:** 2025-12-15
**Last Updated:** 2025-12-17
---
@@ -44,9 +44,14 @@ This document specifies the PostgreSQL database design for StellaOps control-pla
| `policy` | Policy | Policy packs, rules, risk profiles, evaluations |
| `packs` | PacksRegistry | Package attestations, mirrors, lifecycle |
| `issuer` | IssuerDirectory | Trust anchors, issuer keys, certificates |
| `proofchain` | Attestor | Content-addressed proof/evidence chain (entries, DSSE envelopes, spines, trust anchors, Rekor) |
| `unknowns` | Unknowns | Bitemporal ambiguity tracking for scan gaps |
| `audit` | Shared | Cross-cutting audit log (optional) |
**ProofChain references:**
- DDL migration: `src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Migrations/20251214000001_AddProofChainSchema.sql`
- Perf report: `docs/db/reports/proofchain-schema-perf-2025-12-17.md`
### 2.3 Multi-Tenancy Model
**Strategy:** Single database, single schema set, `tenant_id` column on all tenant-scoped tables with **mandatory Row-Level Security (RLS)**.

127
docs/db/reports/proofchain-schema-perf-2025-12-17.md Normal file
View File

@@ -0,0 +1,127 @@
# ProofChain schema performance report (2025-12-17)
## Environment
- Postgres image: `postgres:16`
- DB: `proofchain_perf`
- Port: `54329`
- Host: `localhost`
## Dataset
- Source: `src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Perf/seed.sql`
- Rows:
- `trust_anchors`: 50
- `sbom_entries`: 20000
- `dsse_envelopes`: 60000
- `spines`: 20000
- `rekor_entries`: 2000
## Query Output
```text
Timing is on.
trust_anchors | sbom_entries | dsse_envelopes | spines | rekor_entries
---------------+--------------+----------------+--------+---------------
50 | 20000 | 60000 | 20000 | 2000
(1 row)
Time: 18.788 ms
QUERY PLAN
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Index Scan using uq_sbom_entry on sbom_entries (cost=0.41..8.44 rows=1 width=226) (actual time=0.024..0.024 rows=1 loops=1)
Index Cond: (((bom_digest)::text = 'd2cb2e2d7955252437da988dd4484f1dfcde81750ce0175d9fb9a85134a8de9a'::text) AND (purl = format('pkg:npm/vendor-%02s/pkg-%05s'::text, 1, 1)) AND (version = '1.0.1'::text))
Buffers: shared hit=4
Planning:
Buffers: shared hit=24
Planning Time: 0.431 ms
Execution Time: 0.032 ms
(7 rows)
Time: 1.119 ms
QUERY PLAN
---------------------------------------------------------------------------------------------------------------------------------------------------
Limit (cost=173.99..174.13 rows=56 width=80) (actual time=0.331..0.340 rows=100 loops=1)
Buffers: shared hit=8
-> Sort (cost=173.99..174.13 rows=56 width=80) (actual time=0.330..0.335 rows=100 loops=1)
Sort Key: purl
Sort Method: quicksort Memory: 38kB
Buffers: shared hit=8
-> Bitmap Heap Scan on sbom_entries (cost=4.72..172.37 rows=56 width=80) (actual time=0.019..0.032 rows=100 loops=1)
Recheck Cond: ((bom_digest)::text = 'd2cb2e2d7955252437da988dd4484f1dfcde81750ce0175d9fb9a85134a8de9a'::text)
Heap Blocks: exact=3
Buffers: shared hit=5
-> Bitmap Index Scan on idx_sbom_entries_bom_digest (cost=0.00..4.71 rows=56 width=0) (actual time=0.015..0.015 rows=100 loops=1)
Index Cond: ((bom_digest)::text = 'd2cb2e2d7955252437da988dd4484f1dfcde81750ce0175d9fb9a85134a8de9a'::text)
Buffers: shared hit=2
Planning:
Buffers: shared hit=12 read=1
Planning Time: 0.149 ms
Execution Time: 0.355 ms
(17 rows)
Time: 0.867 ms
QUERY PLAN
-------------------------------------------------------------------------------------------------------------------------------------------
Index Scan using idx_dsse_entry_predicate on dsse_envelopes (cost=0.41..8.43 rows=1 width=226) (actual time=0.008..0.009 rows=1 loops=1)
Index Cond: ((entry_id = '924258f2-921e-9694-13a4-400abfdf00d6'::uuid) AND (predicate_type = 'evidence.stella/v1'::text))
Buffers: shared hit=4
Planning:
Buffers: shared hit=23
Planning Time: 0.150 ms
Execution Time: 0.014 ms
(7 rows)
Time: 0.388 ms
QUERY PLAN
----------------------------------------------------------------------------------------------------------------------------
Index Scan using idx_spines_bundle on spines (cost=0.41..8.43 rows=1 width=194) (actual time=0.016..0.017 rows=1 loops=1)
Index Cond: ((bundle_id)::text = '2f9ef44d93b4520b2296d5b73bd1cc87156a304c757feb4c78926452db61abf8'::text)
Buffers: shared hit=4
Planning Time: 0.096 ms
Execution Time: 0.025 ms
(5 rows)
Time: 0.318 ms
QUERY PLAN
----------------------------------------------------------------------------------------------------------------------------
Bitmap Heap Scan on rekor_entries (cost=4.34..27.60 rows=8 width=186) (actual time=0.024..0.024 rows=0 loops=1)
Recheck Cond: (log_index = 10)
Buffers: shared hit=5
-> Bitmap Index Scan on idx_rekor_log_index (cost=0.00..4.34 rows=8 width=0) (actual time=0.023..0.023 rows=0 loops=1)
Index Cond: (log_index = 10)
Buffers: shared hit=5
Planning:
Buffers: shared hit=5
Planning Time: 0.097 ms
Execution Time: 0.040 ms
(10 rows)
Time: 0.335 ms
QUERY PLAN
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
Limit (cost=637.30..637.30 rows=1 width=226) (actual time=0.649..0.660 rows=100 loops=1)
Buffers: shared hit=405
-> Sort (cost=637.30..637.30 rows=1 width=226) (actual time=0.648..0.653 rows=100 loops=1)
Sort Key: e.purl
Sort Method: quicksort Memory: 50kB
Buffers: shared hit=405
-> Nested Loop (cost=5.13..637.29 rows=1 width=226) (actual time=0.074..0.385 rows=100 loops=1)
Buffers: shared hit=405
-> Bitmap Heap Scan on sbom_entries e (cost=4.72..172.37 rows=56 width=48) (actual time=0.061..0.071 rows=100 loops=1)
Recheck Cond: ((bom_digest)::text = 'd2cb2e2d7955252437da988dd4484f1dfcde81750ce0175d9fb9a85134a8de9a'::text)
Heap Blocks: exact=3
Buffers: shared hit=5
-> Bitmap Index Scan on idx_sbom_entries_bom_digest (cost=0.00..4.71 rows=56 width=0) (actual time=0.057..0.057 rows=100 loops=1)
Index Cond: ((bom_digest)::text = 'd2cb2e2d7955252437da988dd4484f1dfcde81750ce0175d9fb9a85134a8de9a'::text)
Buffers: shared hit=2
-> Index Scan using idx_dsse_entry_predicate on dsse_envelopes d (cost=0.41..8.29 rows=1 width=194) (actual time=0.003..0.003 rows=1 loops=100)
Index Cond: ((entry_id = e.entry_id) AND (predicate_type = 'evidence.stella/v1'::text))
Buffers: shared hit=400
Planning:
Buffers: shared hit=114
Planning Time: 0.469 ms
Execution Time: 0.691 ms
(22 rows)
Time: 1.643 ms
```