# Vuln Explorer CI + Ops Plan (DEVOPS-VULN-29-001)

Scope: CI jobs, backup/DR, Merkle anchoring monitoring, and verification automation for the Vuln Explorer ledger projector and API.

Assumptions: the Vuln Explorer API uses MongoDB + Redis; the ledger projector replays the event log into materialized views; Merkle roots are anchored to a transparency log.

## CI Jobs

- `build-vuln`: `dotnet restore`/`dotnet build` for `src/VulnExplorer/StellaOps.VulnExplorer.Api` and the projector; set `DOTNET_DISABLE_BUILTIN_GRAPH=1` and resolve packages from `local-nugets/`.
- `test-vuln`: focused tests via `dotnet test src/VulnExplorer/__Tests/...` with `--filter Category!=GraphHeavy`; publish TRX + coverage.
- `replay-smoke`: run the projector against the fixture event log (`samples/vuln/events/replay.ndjson`) and assert that the materialized view hash matches the pinned value; fail the job on divergence.
- `sbom+attest`: reuse `ops/devops/docker/sbom_attest.sh` post-build.

## Backup & DR

- Mongo: enable point-in-time snapshots where available, otherwise a nightly `mongodump` of the `vuln_explorer` db; store in object storage with 30-day retention.
- Redis (if used as cache): not authoritative; no backup required.
- Replay-first recovery: keep the latest event log snapshot in `release artifacts`; the replay task rehydrates the materialized views from it.

## Merkle Anchoring Verification

- Monitor projector metrics: `ledger_projection_lag_seconds`, `ledger_projection_errors_total`.
- Add a periodic `verify-merkle` job: fetch the latest Merkle root from projector state and cross-check it against the transparency log (`rekor` or the configured log) using the log's own client (e.g. `rekor-cli`) or a custom verifier.
- Alert when the last anchored root is older than 15m or the local and anchored roots do not match.

## Verification Automation

- Script `ops/devops/vuln/verify_projection.sh` (to be added) should:
  - Run the projector against the fixture events and compute the hash of the materialized view snapshot (`sha256sum` over the canonical JSON export).
  - Compare it with the expected hash stored in `ops/devops/vuln/expected_projection.sha256`.
  - Exit non-zero on mismatch.
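The step that makes the projection hash meaningful is the canonicalization rule: without sorted keys, fixed separators and a stable row order, two correct projector runs can produce different bytes and a spurious CI failure. The following is an added example (not the project's `verify_projection.sh` or any StellaOps code) of that check in Python; the snapshot layout (`{"schema": ..., "findings": [...]}`), the `finding_id` row key and the fixture contents are assumptions, and the `sha256sum`-style layout of `expected_projection.sha256` follows the plan above.

```python
"""Deterministic projection-hash check for the planned verify_projection step.
Added example, not the project's script. Assumed: the exported snapshot is
{"schema": <str>, "findings": [<row>, ...]} and every row carries "finding_id"."""
import hashlib
import json
import sys
from typing import Any


def canonical_json(obj: Any) -> bytes:
    # Sorted keys, no insignificant whitespace, ASCII-escaped strings: the same
    # logical view serializes to identical bytes regardless of the key order or
    # pretty-printing the projector's exporter happened to use.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def projection_hash(snapshot: dict) -> str:
    # Rows are sorted on their identity so that replay/emit order (which may
    # differ between projector runs) does not move the digest.
    rows = sorted(snapshot["findings"], key=lambda r: r["finding_id"])
    return hashlib.sha256(
        canonical_json({"schema": snapshot["schema"], "findings": rows})
    ).hexdigest()


def parse_expected(sha256_file_text: str) -> str:
    # expected_projection.sha256 uses `sha256sum` layout: "<hex>  projection.json".
    tokens = sha256_file_text.split()
    if not tokens:
        raise ValueError("expected hash file is empty")
    return tokens[0].lower()


def verify_projection(snapshot: dict, sha256_file_text: str) -> tuple[bool, str]:
    # Returns (match?, actual hex digest) so CI output can show what was computed.
    actual = projection_hash(snapshot)
    return actual == parse_expected(sha256_file_text), actual


# Constructed fixtures (not the repo's samples/): the same two findings exported
# twice with different key and row order, plus one tampered copy.
SNAPSHOT_A = {
    "schema": "vuln-projection/v1",
    "findings": [
        {"finding_id": "F-2", "tenant": "acme", "state": "disputed", "package": "libexample"},
        {"finding_id": "F-1", "tenant": "acme", "state": "open", "package": "libother"},
    ],
}
SNAPSHOT_B = {
    "findings": [
        {"package": "libother", "state": "open", "tenant": "acme", "finding_id": "F-1"},
        {"package": "libexample", "state": "disputed", "tenant": "acme", "finding_id": "F-2"},
    ],
    "schema": "vuln-projection/v1",
}
SNAPSHOT_TAMPERED = json.loads(json.dumps(SNAPSHOT_A))
SNAPSHOT_TAMPERED["findings"][0]["state"] = "remediated"


def main(snapshot_path: str, expected_path: str) -> int:
    # CLI shape of the planned script: exit 0 on match, 1 on mismatch.
    with open(snapshot_path, encoding="utf-8") as f:
        snapshot = json.load(f)
    with open(expected_path, encoding="utf-8") as f:
        ok, actual = verify_projection(snapshot, f.read())
    print(("OK        " if ok else "MISMATCH  ") + actual)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1], sys.argv[2]))
```

Run it as `python verify_projection.py samples/vuln/events/projection.json ops/devops/vuln/expected_projection.sha256`; a non-zero exit fails the `replay-smoke` job. The pinned hash must be regenerated through the same `projection_hash` rule whenever the fixture or the schema changes, otherwise the check fails for the wrong reason.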
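For the `verify-merkle` job in the Merkle Anchoring Verification section above, the core of a custom verifier is: recompute the root over the event log the projector claims to have anchored, compare it with the anchored root, and check the anchor's age against the 15m threshold. The block below is an added example in Python, not the project's verifier; it uses the RFC 6962 leaf/node hashing (the construction Rekor uses) and replaces the fetch from projector state / the transparency log with an in-memory anchor record. The NDJSON event layout, the anchor fields (`root`, `anchored_at`) and the fixture events are assumptions.

```python
"""Core of a custom verify-merkle check. Added example, not the project's code.
Assumed: events are one JSON object per NDJSON line; the anchor record is
{"root": <hex SHA-256>, "anchored_at": <ISO-8601 UTC timestamp>}."""
import hashlib
import json
from datetime import datetime, timedelta

MAX_ANCHOR_AGE = timedelta(minutes=15)  # alert threshold from the plan


def leaf_hash(data: bytes) -> bytes:
    # RFC 6962 domain separation: leaves are prefixed with 0x00 ...
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    # ... and interior nodes with 0x01, so a leaf cannot be passed off as a node.
    return hashlib.sha256(b"\x01" + left + right).digest()


def merkle_root(leaves: list[bytes]) -> bytes:
    # Empty log hashes to SHA-256(""); otherwise split at the largest power of
    # two strictly smaller than n and recurse (RFC 6962 section 2.1).
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(leaves[0])
    k = 1
    while k * 2 < n:
        k *= 2
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def event_leaves(ndjson: str) -> list[bytes]:
    # One ledger event per line; hash the canonical re-serialization so that
    # whitespace or key-order differences in an export do not move the root.
    leaves = []
    for line in ndjson.splitlines():
        if line.strip():
            ev = json.loads(line)
            leaves.append(json.dumps(ev, sort_keys=True,
                                     separators=(",", ":")).encode("utf-8"))
    return leaves


def parse_utc(ts: str) -> datetime:
    # Accepts the "Z" suffix that fromisoformat() rejects on older Pythons.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_anchor(local_root: bytes, anchor: dict, now: datetime) -> str:
    """Returns "mismatch", "stale" or "ok". A mismatch is reported even when the
    anchor is also stale, because a diverged root is the more serious finding."""
    if bytes.fromhex(anchor["root"]) != local_root:
        return "mismatch"
    if now - parse_utc(anchor["anchored_at"]) > MAX_ANCHOR_AGE:
        return "stale"
    return "ok"


# Constructed fixture (not samples/vuln/events/replay.ndjson): three events.
EVENTS = "\n".join([
    '{"seq": 1, "tenant": "acme",   "type": "finding.opened",     "finding_id": "F-1"}',
    '{"seq": 2, "tenant": "acme",   "type": "finding.disputed",   "finding_id": "F-1"}',
    '{"seq": 3, "tenant": "globex", "type": "finding.remediated", "finding_id": "F-7"}',
]) + "\n"
LOCAL_ROOT = merkle_root(event_leaves(EVENTS))
# Anchor record as it would be read back from projector state (constructed).
ANCHOR = {"root": LOCAL_ROOT.hex(), "anchored_at": "2025-01-01T12:00:00Z"}


def run(ndjson: str, anchor: dict, now: datetime) -> int:
    # Exit code for the periodic job: 0 = ok, 2 = stale, 3 = mismatch.
    status = check_anchor(merkle_root(event_leaves(ndjson)), anchor, now)
    print(f"merkle anchor status: {status}")
    return {"ok": 0, "stale": 2, "mismatch": 3}[status]
```

This only establishes that the local log and the anchor agree and that the anchor is fresh. Confirming that the anchored root really is in the transparency log (inclusion proof for the checkpoint, consistency proof against the previously seen tree size) still requires the log client, which is why the job should also run `rekor-cli` or equivalent rather than rely on root equality alone.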
## Fixtures

- Store the deterministic replay fixture under `samples/vuln/events/replay.ndjson` (generated offline; includes mixed tenants, disputed findings, and remediation states).
- Export the canonical projection snapshot to `samples/vuln/events/projection.json` and its hash to `ops/devops/vuln/expected_projection.sha256`.

## Dashboards / Alerts (DEVOPS-VULN-29-002/003)

- Dashboard panels: projection lag, replay throughput, API latency (`/findings`, `/findings/{id}`), query budget enforcement hits, and Merkle anchoring status.
- Alerts: `vuln_projection_lag_gt_60s`, `vuln_projection_error_rate_gt_1pct`, `vuln_api_latency_p95_gt_300ms`, `merkle_anchor_stale_gt_15m`.

## Offline posture

- CI and verification use in-repo fixtures; no external downloads.
- Use mirrored images and `local-nugets/` for all builds/tests.

## Local run

```
DOTNET_DISABLE_BUILTIN_GRAPH=1 dotnet test src/VulnExplorer/__Tests/StellaOps.VulnExplorer.Api.Tests/StellaOps.VulnExplorer.Api.Tests.csproj --filter Category!=GraphHeavy
```