CD/CD consolidation

devops/database/mongo/indices/README.md

@@ -0,0 +1,16 @@
+# MongoDB Provenance Indexes
+
+Indexes supporting Sprint 401 reachability/provenance queries.
+
+## Available indexes
+- `events_by_subject_kind_provenance`: `(subject.digest.sha256, kind, provenance.dsse.rekor.logIndex)` for subject/kind lookups with Rekor presence.
+- `events_unproven_by_kind`: `(kind, trust.verified, provenance.dsse.rekor.logIndex)` to find unverified or missing-Rekor events per kind.
+- `events_by_rekor_logindex`: `(provenance.dsse.rekor.logIndex)` to audit Rekor alignment.
+
+## Apply
+```js
+// From mongo shell (connected to provenance database)
+load('ops/mongo/indices/events_provenance_indices.js');
+```
+
+Indexes are idempotent; rerunning is safe.

devops/database/mongo/indices/events_provenance_indices.js

@@ -0,0 +1,89 @@
+/**
+ * MongoDB indexes for DSSE provenance queries on the events collection.
+ * Run with: mongosh stellaops_db < events_provenance_indices.js
+ *
+ * These indexes support:
+ * - Proven VEX/SBOM/SCAN lookup by subject digest
+ * - Compliance gap queries (unverified events)
+ * - Rekor log index lookups
+ * - Backfill service queries
+ *
+ * Created: 2025-11-27 (PROV-INDEX-401-030)
+ * C# equivalent: src/StellaOps.Events.Mongo/MongoIndexes.cs
+ */
+
+// Switch to the target database (override via --eval "var dbName='custom'" if needed)
+const targetDb = typeof dbName !== 'undefined' ? dbName : 'stellaops';
+db = db.getSiblingDB(targetDb);
+
+print(`Creating provenance indexes on ${targetDb}.events...`);
+
+// Index 1: Lookup proven events by subject digest + kind
+db.events.createIndex(
+  {
+    "subject.digest.sha256": 1,
+    "kind": 1,
+    "provenance.dsse.rekor.logIndex": 1
+  },
+  {
+    name: "events_by_subject_kind_provenance",
+    background: true
+  }
+);
+print("  - events_by_subject_kind_provenance");
+
+// Index 2: Find unproven evidence by kind (compliance gap queries)
+db.events.createIndex(
+  {
+    "kind": 1,
+    "trust.verified": 1,
+    "provenance.dsse.rekor.logIndex": 1
+  },
+  {
+    name: "events_unproven_by_kind",
+    background: true
+  }
+);
+print("  - events_unproven_by_kind");
+
+// Index 3: Direct Rekor log index lookup
+db.events.createIndex(
+  {
+    "provenance.dsse.rekor.logIndex": 1
+  },
+  {
+    name: "events_by_rekor_logindex",
+    background: true
+  }
+);
+print("  - events_by_rekor_logindex");
+
+// Index 4: Envelope digest lookup (for backfill deduplication)
+db.events.createIndex(
+  {
+    "provenance.dsse.envelopeDigest": 1
+  },
+  {
+    name: "events_by_envelope_digest",
+    background: true,
+    sparse: true
+  }
+);
+print("  - events_by_envelope_digest");
+
+// Index 5: Timestamp + kind for compliance reporting time ranges
+db.events.createIndex(
+  {
+    "ts": -1,
+    "kind": 1,
+    "trust.verified": 1
+  },
+  {
+    name: "events_by_ts_kind_verified",
+    background: true
+  }
+);
+print("  - events_by_ts_kind_verified");
+
+print("\nProvenance indexes created successfully.");
+print("Run 'db.events.getIndexes()' to verify.");

devops/database/mongo/indices/reachability_store_indices.js

@@ -0,0 +1,67 @@
+/**
+ * MongoDB indexes for the shared reachability store collections used by Signals/Policy/Scanner.
+ * Run with: mongosh stellaops_db < reachability_store_indices.js
+ *
+ * Collections:
+ * - func_nodes: canonical function nodes keyed by graph + symbol ID and joinable by (purl, symbolDigest)
+ * - call_edges: canonical call edges keyed by graph and joinable by (purl, symbolDigest)
+ * - cve_func_hits: per-subject mapping of CVE -> affected/reachable functions with evidence pointers
+ *
+ * Created: 2025-12-13 (SIG-STORE-401-016)
+ */
+
+// Switch to the target database (override via --eval "var dbName='custom'" if needed)
+const targetDb = typeof dbName !== 'undefined' ? dbName : 'stellaops';
+db = db.getSiblingDB(targetDb);
+
+print(`Creating reachability store indexes on ${targetDb}...`);
+
+print(`- func_nodes`);
+db.func_nodes.createIndex(
+  { "graphHash": 1, "symbolId": 1 },
+  { name: "func_nodes_by_graph_symbol", unique: true, background: true }
+);
+db.func_nodes.createIndex(
+  { "purl": 1, "symbolDigest": 1 },
+  { name: "func_nodes_by_purl_symboldigest", background: true, sparse: true }
+);
+db.func_nodes.createIndex(
+  { "codeId": 1 },
+  { name: "func_nodes_by_code_id", background: true, sparse: true }
+);
+
+print(`- call_edges`);
+db.call_edges.createIndex(
+  { "graphHash": 1, "sourceId": 1, "targetId": 1, "type": 1 },
+  { name: "call_edges_by_graph_edge", unique: true, background: true }
+);
+db.call_edges.createIndex(
+  { "graphHash": 1, "sourceId": 1 },
+  { name: "call_edges_by_graph_source", background: true }
+);
+db.call_edges.createIndex(
+  { "graphHash": 1, "targetId": 1 },
+  { name: "call_edges_by_graph_target", background: true }
+);
+db.call_edges.createIndex(
+  { "purl": 1, "symbolDigest": 1 },
+  { name: "call_edges_by_purl_symboldigest", background: true, sparse: true }
+);
+
+print(`- cve_func_hits`);
+db.cve_func_hits.createIndex(
+  { "subjectKey": 1, "cveId": 1 },
+  { name: "cve_func_hits_by_subject_cve", background: true }
+);
+db.cve_func_hits.createIndex(
+  { "cveId": 1, "purl": 1, "symbolDigest": 1 },
+  { name: "cve_func_hits_by_cve_purl_symboldigest", background: true, sparse: true }
+);
+db.cve_func_hits.createIndex(
+  { "graphHash": 1 },
+  { name: "cve_func_hits_by_graph", background: true, sparse: true }
+);
+
+print("\nReachability store indexes created successfully.");
+print("Run db.func_nodes.getIndexes(), db.call_edges.getIndexes(), db.cve_func_hits.getIndexes() to verify.");
+