Add tests for SBOM generation determinism across multiple formats
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
@@ -7,6 +7,11 @@ Envelope types
|
||||
- Orchestrator events: versioned envelopes with idempotency keys and trace context.
|
||||
- Legacy Redis envelopes: transitional schemas used for older consumers.
|
||||
|
||||
Event catalog (examples)
|
||||
- scanner.event.report.ready@1 and scanner.event.scan.completed@1 (orchestrator envelopes).
|
||||
- scanner.report.ready@1 and scanner.scan.completed@1 (legacy Redis envelopes).
|
||||
- scheduler.rescan.delta@1, scheduler.graph.job.completed@1, attestor.logged@1.
|
||||
|
||||
Orchestrator envelope fields (v1)
|
||||
- eventId, kind, version, tenant
|
||||
- occurredAt, recordedAt
|
||||
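Review bot: The third event catalog bullet (scheduler.rescan.delta@1, scheduler.graph.job.completed@1, attestor.logged@1) does not say which envelope type those events use, while the two scanner bullets are each labelled as orchestrator or legacy Redis envelopes. Label it the same way. Since scanner.event.report.ready@1 and scanner.report.ready@1 differ only by the ".event." segment, also add a line saying which name new consumers should subscribe to, so a typo does not silently bind a consumer to the transitional schema.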
@@ -26,6 +31,8 @@ Versioning rules
|
||||
Validation
|
||||
- Schemas and samples live under docs/events/ and docs/events/samples/.
|
||||
- Offline validation uses ajv-cli; keep schema checks deterministic.
|
||||
- Validate schemas with ajv compile and validate samples against matching schemas.
|
||||
- Add new samples for each new schema version.
|
||||
|
||||
Related references
|
||||
- docs/events/README.md
|
||||
|
||||
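Review bot: The Validation bullets ask for deterministic offline checks with ajv-cli but give neither a pinned tool version nor a source for the offline copy, so two operators following this text can end up validating with different ajv builds. State the pinned ajv-cli version and where it is vendored or mirrored, and spell out the compile and validate invocations against docs/events/ and docs/events/samples/ so the check can be reproduced from the document alone.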
@@ -32,3 +32,5 @@ Migration notes
|
||||
Related references
|
||||
- ADR: docs/adr/0001-postgresql-for-control-plane.md
|
||||
- Module architecture: docs/modules/*/architecture.md
|
||||
- data/postgresql-operations.md
|
||||
- data/postgresql-patterns.md
|
||||
|
||||
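Review bot: The two new entries under Related references (data/postgresql-operations.md and data/postgresql-patterns.md) use a different path root from the existing entries, which are written as docs/adr/... and docs/modules/..., and the files themselves are added under docs2/data/. Use one convention in this list, either repository-rooted paths throughout or paths relative to the docs2 tree throughout, so the references resolve unambiguously.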
36
docs2/data/postgresql-operations.md
Normal file
@@ -0,0 +1,36 @@
|
||||
# PostgreSQL operations
|
||||
|
||||
Purpose
|
||||
- Operate the canonical PostgreSQL control plane with deterministic behavior.
|
||||
|
||||
Schema topology
|
||||
- Per-module schemas: authority, vuln, vex, scheduler, notify, policy, concelier, audit.
|
||||
- Tenant isolation enforced via tenant_id and RLS policies.
|
||||
|
||||
Performance setup
|
||||
- Enable pg_stat_statements for query analysis.
|
||||
- Tune shared_buffers, effective_cache_size, work_mem, and WAL sizes per host.
|
||||
- Use PgBouncer in transaction pooling mode for high concurrency.
|
||||
|
||||
Session defaults
|
||||
- SET app.tenant_id per connection.
|
||||
- SET timezone to UTC.
|
||||
- Enforce statement_timeout for long-running queries.
|
||||
|
||||
Query analysis
|
||||
- Use pg_stat_statements to find high total and high mean latency queries.
|
||||
- Use EXPLAIN ANALYZE with BUFFERS to detect missing indexes.
|
||||
|
||||
Backups and restore
|
||||
- Use scheduled logical or physical backups with tested restore paths.
|
||||
- Keep PITR capability where required by retention policies.
|
||||
- Validate backups with deterministic restore tests.
|
||||
|
||||
Monitoring
|
||||
- Track connection count, replication lag, and slow query rates.
|
||||
- Alert on pool saturation and replication delays.
|
||||
|
||||
Related references
|
||||
- data/postgresql-patterns.md
|
||||
- data/persistence.md
|
||||
- docs/operations/postgresql-guide.md
|
||||
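Review bot: "Use PgBouncer in transaction pooling mode" under Performance setup conflicts with "SET app.tenant_id per connection" under Session defaults. In transaction pooling a server connection is handed to a different client after each transaction, so a session-level SET is not tied to the client that issued it: the tenant context can be missing on the next transaction or left behind for another tenant's client, which undermines the RLS isolation described under Schema topology. Document setting the tenant per transaction instead (SET LOCAL, or set_config with is_local = true, inside the transaction), and apply the same reasoning to the timezone and statement_timeout defaults, for example by setting them at role or database level.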
33
docs2/data/postgresql-patterns.md
Normal file
@@ -0,0 +1,33 @@
|
||||
# PostgreSQL patterns
|
||||
|
||||
Row-level security (RLS)
|
||||
- Require tenant context via app.tenant_id session setting.
|
||||
- Policies filter by tenant_id on all tenant-scoped tables.
|
||||
- Admin operations use explicit bypass roles and audited access.
|
||||
|
||||
Validating RLS
|
||||
- Run staging tests that attempt cross-tenant reads and writes.
|
||||
- Use deterministic replay tests for RLS regressions.
|
||||
|
||||
Bitemporal unknowns
|
||||
- Store current and historical states with valid_from and valid_to.
|
||||
- Support point-in-time queries and deterministic ordering.
|
||||
|
||||
Time-based partitioning
|
||||
- Partition high-volume tables by time.
|
||||
- Pre-create future partitions and archive old partitions.
|
||||
- Use deterministic maintenance checklists for partition health.
|
||||
|
||||
Generated columns
|
||||
- Use generated columns for derived flags and query optimization.
|
||||
- Add columns via migrations and backfill deterministically.
|
||||
|
||||
Troubleshooting
|
||||
- RLS failures: verify tenant context and policy attachment.
|
||||
- Partition issues: check missing partitions and default tables.
|
||||
- Bitemporal queries: confirm valid time windows and index usage.
|
||||
|
||||
Related references
|
||||
- data/postgresql-operations.md
|
||||
- security/multi-tenancy.md
|
||||
- docs/operations/postgresql-patterns-runbook.md
|
||||
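Review bot: The Row-level security section says policies filter by tenant_id but does not say which role the application connects as or what happens when app.tenant_id is unset. PostgreSQL does not apply RLS policies to the table owner unless FORCE ROW LEVEL SECURITY is set on the table, and superusers and BYPASSRLS roles skip them entirely, so a service that connects as the schema owner would pass the "policy attachment" check in Troubleshooting while still reading across tenants. Add a bullet requiring a non-owner application role or FORCE ROW LEVEL SECURITY on tenant-scoped tables, state that a missing tenant context must fail closed (error or zero rows), and include both cases in the Validating RLS tests.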