# Runtime Data Assets Manifest
# Pinned versions, checksums, and licensing for all runtime data assets.
# Used by acquire.sh for download verification and by CI for release gating.
#
# Security contract of this file: the `sha256` field is the only thing that
# ties a `source` URL to the bytes we actually run/load. An entry whose
# `sha256` is still "PENDING" is downloaded *unverified* and cannot be
# release-gated. NOTE(review): acquire.sh is not visible here — confirm it
# fails closed (refuses the asset) on "PENDING" rather than skipping the check.
#
# To update a pinned version:
#   1. Change the entry below
#   2. Run: ./devops/runtime-assets/acquire.sh --verify
#   3. Update NOTICE.md and third-party-licenses/ if license changed
#   (When re-pinning a hash, take it from the upstream release's published
#   checksum, not from whatever the first download happened to return —
#   otherwise the pin is trust-on-first-use.)

version: "1.0.0"
updated: "2026-02-25"

assets:
  # ---------------------------------------------------------------------------
  # ML Models
  # ---------------------------------------------------------------------------
  onnx-embedding-model:
    name: "all-MiniLM-L6-v2 (ONNX)"
    category: "ml-models"
    required: true
    degraded_without: true  # falls back to character-ngram encoder
    # NOTE(review): `resolve/main/...` is a moving ref. If upstream pushes a
    # new model.onnx to main, `--verify` will start failing (or, worse, a
    # re-pin will silently accept different weights). Pin the URL to a commit
    # revision (`resolve/<commit>/onnx/model.onnx`) so source and sha256 agree
    # permanently. Revision not known from this file — TODO confirm.
    source: "https://huggingface.co/sentence-transformers/all-MiniLM-L6-v2/resolve/main/onnx/model.onnx"
    license: "Apache-2.0"
    license_file: "third-party-licenses/all-MiniLM-L6-v2-Apache-2.0.txt"
    notice_entry: true  # listed in NOTICE.md
    destination: "src/AdvisoryAI/StellaOps.AdvisoryAI/models/all-MiniLM-L6-v2.onnx"
    runtime_path: "models/all-MiniLM-L6-v2.onnx"
    env_override: "KnowledgeSearch__OnnxModelPath"
    size_approx: "80 MB"
    # NOTE(review): the notes below say the file in the repo is a placeholder.
    # Confirm this digest is of the upstream weights and not of the placeholder;
    # if it were the placeholder's digest, `--verify` would pass on a broken
    # model and the production-release gate would be meaningless.
    sha256: "6fd5d72fe4589f189f8ebc006442dbb529bb7ce38f8082112682524616046452"
    used_by:
      - "StellaOps.AdvisoryAI (OnnxVectorEncoder)"
    notes: >
      Current file in repo is a 120-byte placeholder.
      Must be replaced with actual weights before production release.

  # ---------------------------------------------------------------------------
  # JDK (for Ghidra)
  # ---------------------------------------------------------------------------
  # Both binary-analysis assets below are executable code that
  # GhidraHeadlessManager runs, yet neither has a pinned digest. Until pinned,
  # an attacker able to tamper with the download path (or a compromised
  # release artifact) gets code execution in the scanning tier with nothing
  # in this manifest to detect it. Treat "PENDING" here as a release blocker.
  jdk:
    name: "Eclipse Temurin JRE 17"
    category: "binary-analysis"
    required: false  # only if GhidraOptions__Enabled=true
    source: "https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.13%2B11/OpenJDK17U-jre_x64_linux_hotspot_17.0.13_11.tar.gz"
    license: "GPL-2.0-with-classpath-exception"
    destination: "/opt/java/openjdk/"
    env_override: "GhidraOptions__JavaHome"
    size_approx: "55 MB"
    # TODO: pin. Use the SHA-256 published by the upstream release for this
    # exact artifact, not the digest of "the first download" — pinning what
    # you first received is trust-on-first-use and verifies nothing.
    sha256: "PENDING"
    used_by:
      - "StellaOps.BinaryIndex.Ghidra (GhidraHeadlessManager)"
    notes: >
      GPLv2+CE allows linking without copyleft obligation.
      Only needed for deployments using Ghidra binary analysis.

  # ---------------------------------------------------------------------------
  # Ghidra
  # ---------------------------------------------------------------------------
  ghidra:
    name: "Ghidra 11.2 PUBLIC"
    category: "binary-analysis"
    required: false  # only if GhidraOptions__Enabled=true
    source: "https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_11.2_build/ghidra_11.2_PUBLIC_20241105.zip"
    license: "Apache-2.0"
    destination: "/opt/ghidra/"
    env_override: "GhidraOptions__GhidraHome"
    size_approx: "1.5 GB"
    # TODO: pin from the upstream release's published SHA-256 (see jdk entry
    # for why "after first verified download" is not a verification).
    sha256: "PENDING"
    used_by:
      - "StellaOps.BinaryIndex.Ghidra (GhidraService, GhidraHeadlessManager)"
    notes: >
      Full Ghidra installation with analyzers, BSim, and Version Tracking.
      Disable with GhidraOptions__Enabled=false to skip entirely.

  # ---------------------------------------------------------------------------
  # Certificates (development defaults — replace for production)
  # ---------------------------------------------------------------------------
  dev-certificates:
    name: "Development TLS certificates"
    category: "certificates"
    required: true
    # The private keys for these certificates ship in the repository, i.e. they
    # are public. Any deployment still serving them has TLS confidentiality
    # and server authentication against *nobody* — treat their presence at
    # runtime_path as a misconfiguration, not merely a warning.
    # NOTE(review): consider having the hardening checks (referenced in notes)
    # assert that the served certificate is not one of these dev defaults.
    source: "local"  # shipped in etc/authority/keys/
    destination: "etc/authority/keys/"
    runtime_path: "/app/etc/certs/"
    env_override: "Kestrel__Certificates__Default__Path"
    mount: "ro"
    used_by:
      - "All services (Kestrel TLS)"
    notes: >
      Dev-only. Replace with production certificates before deployment.
      See docs/SECURITY_HARDENING_GUIDE.md.

  trust-bundle:
    name: "CA trust bundle"
    category: "certificates"
    required: true
    source: "local"  # shipped in etc/trust-profiles/assets/
    destination: "etc/trust-profiles/assets/"
    # This replaces the system-wide CA bundle, so every CA in it is trusted for
    # *all* outbound HTTPS from every service, not just regional endpoints.
    # A regional anchor appended here (see notes) can therefore impersonate any
    # host the platform talks to, including attestation and update sources.
    # Prefer scoping extra anchors to the trust profile that needs them; if
    # they must go in the global bundle, record which anchors were added and
    # why so the expanded trust surface is reviewable.
    runtime_path: "/etc/ssl/certs/ca-certificates.crt"
    mount: "ro"
    used_by:
      - "All services (HTTPS verification, attestation)"
    notes: >
      Combined CA bundle. For regional deployments include additional
      trust anchors (russian_trusted_bundle.pem, etc).

  # This key is the trust root for Sigstore receipt verification; whoever can
  # swap it can forge "verified" attestations. Unlike the other local assets it
  # records no digest and no `mount`, so nothing in this manifest detects a
  # substituted key and nothing prevents the file from being mounted writable.
  # NOTE(review): document which Rekor instance the key belongs to and its
  # fingerprint (not known from this file), and mount it read-only like the
  # other certificate assets.
  rekor-public-key:
    name: "Rekor transparency log public key"
    category: "certificates"
    required: true  # for Sigstore verification
    source: "local"
    destination: "etc/trust-profiles/assets/rekor-public.pem"
    used_by:
      - "Attestor (Sigstore receipt verification)"
      - "AirGapTrustStoreIntegration"

  # ---------------------------------------------------------------------------
  # Regional crypto configuration
  # ---------------------------------------------------------------------------
  # These files select which crypto provider every service uses, so a modified
  # overlay can downgrade algorithms platform-wide. They are chosen by compose
  # overlay (see notes), not by runtime input; keep them under the same review
  # controls as code.
  crypto-profiles:
    name: "Regional crypto configuration"
    category: "configuration"
    required: false  # only for regional compliance
    source: "local"
    files:
      - "etc/appsettings.crypto.international.yaml"
      - "etc/appsettings.crypto.eu.yaml"
      - "etc/appsettings.crypto.russia.yaml"
      - "etc/appsettings.crypto.china.yaml"
      - "etc/crypto-plugins-manifest.json"
    used_by:
      - "All services (crypto provider selection)"
    notes: >
      Selected via compose overlay (docker-compose.compliance-*.yml).
      See devops/compose/README.md.

  # ---------------------------------------------------------------------------
  # Evidence storage
  # ---------------------------------------------------------------------------
  evidence-storage:
    name: "Evidence object store"
    category: "persistent-storage"
    required: true
    type: "volume"
    runtime_path: "/data/evidence"
    env_override: "EvidenceLocker__ObjectStore__FileSystem__RootPath"
    # The mount is read-write; the "append-only" property in notes is therefore
    # enforced (if at all) by EvidenceLocker, not by the storage layer — TODO
    # confirm, and consider backend-level immutability/retention for evidence
    # that must survive a compromised service account.
    mount: "rw"
    sizing: "~1 GB per 1000 scans"
    used_by:
      - "EvidenceLocker"
      - "Attestor"
    notes: >
      Persistent named volume. Content-addressed, append-only.
      Include in backup strategy.

  # ---------------------------------------------------------------------------
  # Search seed snapshots (included in dotnet publish — no acquisition needed)
  # ---------------------------------------------------------------------------
  # Build-time inputs with no download step, so no sha256 is recorded; their
  # integrity rests on the source tree and the publish pipeline.
  search-snapshots:
    name: "Unified search seed snapshots"
    category: "search-data"
    required: true
    source: "included"  # part of dotnet publish output
    destination: "src/AdvisoryAI/StellaOps.AdvisoryAI/UnifiedSearch/Snapshots/"
    files:
      - "findings.snapshot.json"
      - "vex.snapshot.json"
      - "policy.snapshot.json"
      - "graph.snapshot.json"
      - "scanner.snapshot.json"
      - "opsmemory.snapshot.json"
      - "timeline.snapshot.json"
    used_by:
      - "UnifiedSearchIndexer (bootstrap on first start)"
    notes: >
      Copied to output by .csproj Content items.
      Live data adapters refresh the index every 300s at runtime.

  # ---------------------------------------------------------------------------
  # Translations (included in Angular build — no acquisition needed)
  # ---------------------------------------------------------------------------
  translations:
    name: "UI translation bundles"
    category: "i18n"
    required: true
    source: "included"  # part of Angular dist build
    destination: "src/Web/StellaOps.Web/src/i18n/"
    locales:
      - "en-US"
      - "de-DE"
      - "bg-BG"
      - "ru-RU"
      - "es-ES"
      - "fr-FR"
      - "uk-UA"
      - "zh-CN"
      - "zh-TW"
    used_by:
      - "Console (Angular frontend)"
      - "TranslationRegistry (backend override)"
    # Database-backed overrides win over the shipped bundles (priority 100 per
    # notes); translation strings rendered by the Console are therefore a
    # persistence-backed input and should be escaped on output like any other.
    notes: >
      Baked into Angular dist bundle. Backend can override via
      database-backed ITranslationBundleProvider (priority 100).