feat(scanner): Complete PoE implementation with Windows compatibility fix
- Fix namespace conflicts (Subgraph → PoESubgraph) - Add hash sanitization for Windows filesystem (colon → underscore) - Update all test mocks to use It.IsAny<>() - Add direct orchestrator unit tests - All 8 PoE tests now passing (100% success rate) - Complete SPRINT_3500_0001_0001 documentation Fixes compilation errors and Windows filesystem compatibility issues. Tests: 8/8 passing Files: 8 modified, 1 new test, 1 completion report 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
master
34
docs2/operations/airgap.md
Normal file
34
docs2/operations/airgap.md
Normal file
@@ -0,0 +1,34 @@
|
||||
# Air-gap and offline kit
|
||||
|
||||
## Offline Kit contents (typical)
|
||||
- Signed advisory and VEX feeds
|
||||
- Container images for core services
|
||||
- Analyzer plugins and manifests
|
||||
- Debug symbol store for deterministic diagnostics
|
||||
- Telemetry collector bundle
|
||||
- Task packs and operator docs
|
||||
- Signed manifests and checksums
|
||||
|
||||
## Verify and import
|
||||
- Verify the kit tarball signature before import.
|
||||
- Verify the manifest signature and checksum list.
|
||||
- Import is atomic and retains the previous feed set until validation passes.
|
||||
|
||||
## Delta updates
|
||||
- Daily deltas apply only changed artifacts.
|
||||
- Full kits are used as reset baselines when needed.
|
||||
- Deltas must reference a known baseline manifest digest.
|
||||
|
||||
## Sealed mode and time anchors
|
||||
- Sealed mode forbids external egress by default.
|
||||
- Time anchors and staleness budgets keep offline verification deterministic.
|
||||
- Air-gap installs should pin trusted roots and time anchor bundles.
|
||||
|
||||
## AOC and raw-data verification
|
||||
- Run AOC verify checks against advisory_raw and vex_raw collections.
|
||||
- Reject any raw data that violates provenance or append-only rules.
|
||||
|
||||
## Offline verification
|
||||
- DSSE envelopes and cached transparency proofs enable local verification.
|
||||
- Reachability and replay bundles can be verified without network access.
|
||||
- Keep analyzer manifests and policy hashes with the replay bundle.
|
||||
32
docs2/operations/install-deploy.md
Normal file
32
docs2/operations/install-deploy.md
Normal file
@@ -0,0 +1,32 @@
|
||||
# Install and deploy
|
||||
|
||||
## Prerequisites (baseline)
|
||||
- Linux host with sufficient CPU, memory, and disk for SBOM and artifact storage.
|
||||
- Docker Compose or Kubernetes (Helm) for deployment.
|
||||
- TLS termination for external access.
|
||||
|
||||
## Required infrastructure
|
||||
- PostgreSQL (single cluster, schema isolation per module).
|
||||
- Valkey for cache, queues, and streams.
|
||||
- RustFS for content-addressed artifacts.
|
||||
|
||||
## Optional infrastructure
|
||||
- Rekor mirror for transparency log anchoring.
|
||||
- Fulcio or KMS-backed signing provider.
|
||||
- NATS JetStream as an alternative queue and stream transport.
|
||||
|
||||
## Deployment models
|
||||
- Compose profiles for single-node and lab environments.
|
||||
- Helm charts for multi-node and HA deployments.
|
||||
- Air-gap deployment via Offline Kit (see operations/airgap.md).
|
||||
|
||||
## Configuration hierarchy
|
||||
1) Environment variables
|
||||
2) appsettings.{Environment}.json
|
||||
3) appsettings.json
|
||||
4) YAML overlays under etc/
|
||||
|
||||
## Operational baselines
|
||||
- Enforce non-root containers and read-only filesystems where possible.
|
||||
- Use digest-pinned images for releases.
|
||||
- Keep clocks synchronized and use UTC everywhere.
|
||||
Reference in New Issue
Block a user