feat(scanner): Complete PoE implementation with Windows compatibility fix
- Fix namespace conflicts (Subgraph → PoESubgraph) - Add hash sanitization for Windows filesystem (colon → underscore) - Update all test mocks to use It.IsAny<>() - Add direct orchestrator unit tests - All 8 PoE tests now passing (100% success rate) - Complete SPRINT_3500_0001_0001 documentation Fixes compilation errors and Windows filesystem compatibility issues. Tests: 8/8 passing Files: 8 modified, 1 new test, 1 completion report 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
master
38
docs2/architecture/overview.md
Normal file
38
docs2/architecture/overview.md
Normal file
@@ -0,0 +1,38 @@
|
||||
# Architecture overview
|
||||
|
||||
## System boundary
|
||||
- Self-hosted by default with optional licensing validation.
|
||||
- Offline-first, with all critical verification paths available without network access.
|
||||
|
||||
## Core infrastructure
|
||||
- PostgreSQL: the only canonical database, with schema isolation per module.
|
||||
- Valkey: cache, queues, and streams (Redis compatible).
|
||||
- RustFS: object storage for content-addressed artifacts.
|
||||
- Optional: NATS JetStream as an alternative queue and stream transport.
|
||||
|
||||
## External dependencies
|
||||
- OCI registry with referrers for SBOM and attestation discovery.
|
||||
- Fulcio or KMS-backed signing (optional, depending on crypto profile).
|
||||
- Rekor (optional) for transparency log anchoring.
|
||||
|
||||
## Core services (high level)
|
||||
- Authority: OIDC and OAuth2 token issuance, DPoP and mTLS sender constraints.
|
||||
- Signer: DSSE signing with entitlement checks and scanner integrity verification.
|
||||
- Attestor: transparency logging and attestation verification.
|
||||
- Scanner (Web + Worker): SBOM generation, analyzers, inventory and usage views, diffs.
|
||||
- Concelier: advisory ingest under the Aggregation-Only Contract (AOC).
|
||||
- Excititor: VEX ingest under AOC with consensus and evidence preservation.
|
||||
- Policy Engine: deterministic policy evaluation with explain traces.
|
||||
- Scheduler: impact selection and analysis-only re-evaluation.
|
||||
- Notify: rules, channels, and delivery workflows.
|
||||
- Export Center: deterministic exports and offline bundles.
|
||||
- UI and CLI: operator and automation surfaces.
|
||||
- Zastava: runtime observer and optional admission enforcement.
|
||||
- Advisory AI: evidence-based guidance with guardrails.
|
||||
- Orchestrator: job DAGs and pack runs.
|
||||
|
||||
## Trust boundaries
|
||||
- Authority issues short-lived OpTok tokens with sender constraints (DPoP or mTLS).
|
||||
- Signer enforces Proof of Entitlement (PoE) and scanner image integrity before signing.
|
||||
- Only Signer produces DSSE; only Attestor writes to Rekor.
|
||||
- All evidence is content-addressed and immutable once written.
|
||||
Reference in New Issue
Block a user