feat: Implement MongoDB orchestrator storage with registry, commands, and heartbeats
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Added NullAdvisoryObservationEventTransport for handling advisory observation events.
- Created IOrchestratorRegistryStore interface for orchestrator registry operations.
- Implemented MongoOrchestratorRegistryStore for MongoDB interactions with orchestrator data.
- Defined OrchestratorCommandDocument and OrchestratorCommandRecord for command handling.
- Added OrchestratorHeartbeatDocument and OrchestratorHeartbeatRecord for heartbeat tracking.
- Created OrchestratorRegistryDocument and OrchestratorRegistryRecord for registry management.
- Developed tests for orchestrator collections migration and MongoOrchestratorRegistryStore functionality.
- Introduced AirgapImportRequest and AirgapImportValidator for air-gapped VEX bundle imports.
- Added incident mode rules sample JSON for notifier configuration.
@@ -0,0 +1,22 @@
# Policy Export · Console 23-001 Prep

Status: **Ready for implementation** (2025-11-22)
Owners: Policy Guild · Scheduler Guild · Observability Guild
Scope: Define the export bundle + scheduler job surface needed for Console export task 23-001.

## Export Bundle Contract
- Payload: NDJSON of advisory and VEX observations filtered by tenant + product set; include `provenance` block with `source`, `fetchedAt`, `digest`, `evidenceBundleId`.
- Envelope: `bundleId`, `createdAt`, `policyHash`, `schemaVersion`, `itemsSha256`, optional `transparency` entry.
- Determinism: sort items by `observationId`; timestamps truncated to seconds; hashes sha256 lower-case hex.

## Scheduler Job Shape
- `jobType`: `console-export` with fields `tenantId`, `bundleId`, `filters`, `destinationUri` (file:// or s3://), `retryPolicy`, `notificationChannel`.
- Status transitions: `queued → running → completed/failed`; progress fields `exportedCount`, `failedCount`.
- Observability: metrics `policy_console_export_jobs_total{status}`, `policy_console_export_duration_seconds`, logs with `bundleId` and `destinationUri`.

## Acceptance Criteria
- Job shape and bundle envelope above referenced from Sprint 123 Delivery Tracker; no other blocking dependencies.
- Export artefacts can be consumed offline; notification optional.

## Notes
- Satisfies PREP-EXPORT-CONSOLE-23-001-MISSING-EXPORT-BUN.
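Review bot: the export envelope (`bundleId`, `createdAt`, `policyHash`, `schemaVersion`, `itemsSha256`, optional `transparency`) carries an integrity hash but no signature or publisher identity, while the acceptance criteria require the artefacts to be consumable offline; an offline consumer can detect corruption of the NDJSON payload but not substitution of the whole bundle. Suggest adding `publisher` and `signature` to the envelope, in line with the `policy-mirror-v1` envelope defined in the AirGap prep on this same commit, and stating which bytes the signature covers (at least `itemsSha256`, `policyHash` and `schemaVersion`). Two smaller points in the Scheduler Job Shape section: `destinationUri` accepts `file://` or `s3://` without saying who may set it or how it is validated, so the contract should name an allow-listed base path for `file://` targets and a bucket allow-list for `s3://`; and logging `destinationUri` verbatim will leak presigned S3 query parameters if those are ever used, so specify that the logged form is redacted to scheme, host and path.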
@@ -0,0 +1,24 @@
# Policy AirGap 56-001 Prep — Mirror Bundle Schema

Status: **Ready for implementation** (2025-11-22)
Owners: Policy Guild · AirGap Policy Guild
Scope: Lock the mirror bundle schema required for policy pack distribution in sealed mode.

## Bundle Schema
- Envelope: `bundleId`, `schemaVersion` (`policy-mirror-v1`), `createdAt`, `publisher`, `signature`, `transparencyLog?`.
- Contents array entries:
- `policyHash`, `policyName`, `version`, `targetProducts[]`, `scope` (tenant/portfolio), `dependencies[]` (other bundleIds), `config` (immutable), `evidenceBundleId?`.
- Hashing: manifest sha256 over sorted file list (`policies/*.rego`, `overlays/*.json`), recorded as `manifestSha256`.
- Staleness: `validUntil` and `timeAnchor` fields; sealed-mode must reject if `now > validUntil` or time drift > 300s.

## Determinism & Transport
- Files stored in tarball with POSIX mtime `2025-01-01T00:00:00Z` and uid/gid 0.
- Manifest path fixed to `MANIFEST.json`; entries sorted alphabetically.
- No external fetches permitted during import.

## Acceptance Criteria
- Schema above referenced by Policy AirGap tasks and aligns with Mirror bundle contract (`docs/modules/mirror/assembler.md`).
- Import validators know failure codes: `POLICY_BUNDLE_STALE`, `POLICY_BUNDLE_SIGNATURE_INVALID`, `POLICY_BUNDLE_SCHEMA_MISMATCH`.

## Notes
- Completes PREP-POLICY-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM.
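Review bot: the Staleness bullet says sealed mode must reject when `time drift > 300s` but never says what `timeAnchor` is compared against, and the failure-code list (`POLICY_BUNDLE_STALE`, `POLICY_BUNDLE_SIGNATURE_INVALID`, `POLICY_BUNDLE_SCHEMA_MISMATCH`) has no code for the drift case; state the reference clock (presumably the importer's trusted local clock, since no external fetches are permitted) and either map drift to `POLICY_BUNDLE_STALE` or add a dedicated code. The envelope also lists `signature` without saying what it signs: it should cover `manifestSha256` together with the envelope fields (`bundleId`, `schemaVersion`, `publisher`, `validUntil`, `timeAnchor`), otherwise the `contents` array and the validity window can be edited without invalidating the signature, and `validUntil`/`timeAnchor` should be listed under Envelope since they are not in the current field list. Because the manifest hash is defined over `policies/*.rego` and `overlays/*.json` only, the Determinism & Transport section should add that the importer rejects tar entries outside those paths and `MANIFEST.json`, as well as absolute paths, `..` components and symlinks, so a crafted bundle cannot write outside the extraction root.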
@@ -0,0 +1,24 @@
# Policy Engine 30-001 Prep — Overlay Projection

Status: **Ready for implementation** (2025-11-22)
Owners: Policy Guild · Cartographer Guild
Scope: Freeze overlay projection contract needed for Policy Engine phase III.

## Inputs
- Path/scope schema: `docs/modules/policy/prep/2025-11-20-policy-engine-29-002-prep.md`.
- Metrics/log schema: `docs/modules/policy/prep/2025-11-20-policy-engine-29-004-prep.md`.

## Overlay Projection Contract
- Input: evaluation records `{tenantId, policyId, pathScope[], evidenceDigest, decision, reasons[]}`.
- Output overlay entry:
- `overlayId` (deterministic hash of `tenantId+policyId+pathScope+evidenceDigest`)
- `subject` (`purl` or `pkg` tuple), `pathScope`, `decision`, `rationale`, `inputs` (evidence digests), `policyVersion`, `createdAt`.
- Determinism: pathScope sorted; reasons sorted by `code`; timestamps set to evaluation clock.
- Export shape for downstream components via `/overlays/{overlayId}` and `/overlays/search` with paging.

## Acceptance Criteria
- Overlay schema above referenced in Sprint 125 and 0125 trackers; downstream simulation/bridge tasks can consume it without further schema.
- Any future field additions require version bump `overlaySchemaVersion`.

## Notes
- Completes PREP-POLICY-ENGINE-30-001-WAITING-ON-29-004-M.
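Review bot: `overlayId` is defined as a "deterministic hash of `tenantId+policyId+pathScope+evidenceDigest`", but plain concatenation loses the field boundaries (and `pathScope` is an array), so two distinct inputs can yield the same id; specify a canonical encoding (length-prefixed fields, or canonical JSON of the tuple with `pathScope` already sorted as the Determinism bullet requires) and name the hash algorithm and hex casing, as the Console export prep does with `sha256 lower-case hex`. Separately, the output overlay entry lists `subject`, `pathScope`, `decision`, `rationale`, `inputs`, `policyVersion` and `createdAt` but not `tenantId`, while `/overlays/{overlayId}` and `/overlays/search` are exposed to downstream components; state that both endpoints are tenant-scoped so a caller cannot fetch or page through another tenant's overlays. Finally, the Acceptance Criteria refer to `overlaySchemaVersion`, but it is absent from the output entry field list; add it to the contract so consumers can actually check it.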