synergy moats product advisory implementations

2026-01-17 01:30:03 +02:00
parent 77ff029205
commit d8d9c0a6e3
106 changed files with 20603 additions and 123 deletions
--- a/docs/operations/runbooks/COVERAGE.md
+++ b/docs/operations/runbooks/COVERAGE.md
@@ -0,0 +1,112 @@
+# Runbook Coverage Tracking
+
+This document tracks operational runbook coverage across Stella Ops modules.
+
+**Target:** 80% coverage of critical failure modes before declaring operability moat achieved.
+
+---
+
+## Coverage Summary
+
+| Module | Critical Failures | Runbooks | Coverage | Status |
+|--------|-------------------|----------|----------|--------|
+| Scanner | 5 | 0 | 0% | 🔴 Gap |
+| Policy Engine | 5 | 0 | 0% | 🔴 Gap |
+| Release Orchestrator | 5 | 0 | 0% | 🔴 Gap |
+| Attestor | 5 | 0 | 0% | 🔴 Gap |
+| Feed Connectors | 4 | 0 | 0% | 🔴 Gap |
+| **Database (Postgres)** | 4 | 4 | 100% | ✅ Complete |
+| **Crypto Subsystem** | 4 | 4 | 100% | ✅ Complete |
+| **Evidence Locker** | 4 | 4 | 100% | ✅ Complete |
+| **Backup/Restore** | 4 | 4 | 100% | ✅ Complete |
+| Authority (OAuth/OIDC) | 3 | 0 | 0% | 🔴 Gap |
+| **Overall** | **43** | **16** | **37%** | 🟡 In Progress |
+
+---
+
+## Available Runbooks
+
+### Database Operations
+- [postgres-ops.md](postgres-ops.md) - PostgreSQL database operations
+
+### Crypto Subsystem
+- [crypto-ops.md](crypto-ops.md) - Regional crypto operations (FIPS, eIDAS, GOST, SM)
+
+### Evidence Locker
+- [evidence-locker-ops.md](evidence-locker-ops.md) - Evidence locker operations
+
+### Backup/Restore
+- [backup-restore-ops.md](backup-restore-ops.md) - Backup and restore procedures
+
+### Vulnerability Operations
+- [vuln-ops.md](vuln-ops.md) - Vulnerability management operations
+
+### VEX Operations
+- [vex-ops.md](vex-ops.md) - VEX statement operations
+
+### Policy Incidents
+- [policy-incident.md](policy-incident.md) - Policy-related incident response
+
+---
+
+## Gap Analysis
+
+### High Priority Gaps (Critical modules without runbooks)
+
+1. **Scanner** - Core scanning functionality
+   - Worker stuck
+   - OOM on large images
+   - Registry auth failures
+
+2. **Policy Engine** - Policy evaluation
+   - Slow evaluation
+   - OPA crashes
+   - Compilation failures
+
+3. **Release Orchestrator** - Promotion workflow
+   - Stuck promotions
+   - Gate timeouts
+   - Missing evidence
+
+### Medium Priority Gaps
+
+4. **Attestor** - Signing and verification
+   - Signing failures
+   - Key expiration
+   - Rekor unavailability
+
+5. **Feed Connectors** - Advisory feeds
+   - NVD failures
+   - Rate limiting
+   - Offline bundle issues
+
+### Lower Priority Gaps
+
+6. **Authority** - Authentication
+   - Token validation failures
+   - OIDC provider issues
+
+---
+
+## Template
+
+New runbooks should use the template: [_template.md](_template.md)
+
+---
+
+## Doctor Check Integration
+
+Runbooks should be linked from Doctor check output. Current integration status:
+
+| Module | Doctor Checks | Linked to Runbook |
+|--------|---------------|-------------------|
+| Postgres | 4 | 0 |
+| Crypto | 8 | 0 |
+| Storage | 3 | 0 |
+| Evidence | 4 | 0 |
+
+**Next step:** Update Doctor check implementations to include runbook links in remediation output.
+
+---
+
+_Last updated: 2026-01-17 (UTC)_