stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
main
git.stella-ops.org/docs/advisory-ai/packaging.md
StellaOps Bot f43e828b4e
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
feat: Implement MongoDB orchestrator storage with registry, commands, and heartbeats 
- Added NullAdvisoryObservationEventTransport for handling advisory observation events.
- Created IOrchestratorRegistryStore interface for orchestrator registry operations.
- Implemented MongoOrchestratorRegistryStore for MongoDB interactions with orchestrator data.
- Defined OrchestratorCommandDocument and OrchestratorCommandRecord for command handling.
- Added OrchestratorHeartbeatDocument and OrchestratorHeartbeatRecord for heartbeat tracking.
- Created OrchestratorRegistryDocument and OrchestratorRegistryRecord for registry management.
- Developed tests for orchestrator collections migration and MongoOrchestratorRegistryStore functionality.
- Introduced AirgapImportRequest and AirgapImportValidator for air-gapped VEX bundle imports.
- Added incident mode rules sample JSON for notifier configuration.
2025-11-22 12:35:38 +02:00

3.6 KiB
Raw Permalink Blame History

Advisory AI Packaging & SBOM Bundle (AIAI-PACKAGING-31-002)

Updated: 2025-11-22 · Owner: Advisory AI Release · Status: Draft

Defines the artefacts and provenance required to ship Advisory AI in Sprint 0111, covering offline kits and on-prem deployments.

1) Bundle contents

Artefact Purpose Provenance
advisory-ai-web image API surface + plan cache SBOM: SBOM-AIAI-31-001:web; DSSE attestation signed by Release key
advisory-ai-worker image Queue + inference executor SBOM: SBOM-AIAI-31-001:worker; DSSE attestation
Prompt + guardrail pack Deterministic prompts, redaction lists, validation rules DSSE sealed; hash recorded in prompts.manifest
Profile catalog default, fips-local, gost-local, cloud-openai (disabled) Versioned JSON, hashed; tenant consent flags captured
Policy bundle policyVersion digest for baseline evaluation; Authority importable DSSE + provenance to Policy Engine digests
LNM evidence export (optional) Concelier advisory_linksets + advisory_observations for air-gap replay Hash list aligned to provenanceHash in RAG bundles
SBOM context client config Example AddSbomContextHttpClient settings (BaseAddress, Endpoint, ApiKey) Signed sbom-context.example.json

2) Directory layout (Offline Kit)

/offline-kit/advisory-ai/
  images/
    advisory-ai-web.tar.zst
    advisory-ai-worker.tar.zst
  sboms/
    SBOM-AIAI-31-001-web.json
    SBOM-AIAI-31-001-worker.json
  provenance/
    advisory-ai-web.intoto.jsonl
    advisory-ai-worker.intoto.jsonl
    prompts.manifest.dsse
    profiles.catalog.json
    policy-bundle.intoto.jsonl
  config/
    advisoryai.appsettings.example.json
    sbom-context.example.json
  evidence/
    lnm-linksets.ndjson      # optional; aligns to linkset hashes in RAG bundles
    lnm-observations.ndjson  # optional; immutable raw docs
  • All files hashed into SHA256SUMS with DSSE signature (SHA256SUMS.dsse).
  • Profiles catalog and prompt pack hashes must be propagated into AdvisoryAI:Provenance settings for runtime verification.

3) SBOM & provenance rules

  • SBOMs must follow SPDX 3.0.1; embed image digest (sha256:<...>) and build args.
  • Attestations use DSSE + SPDX predicate; signer key matches Release guild key referenced in DEVOPS-AIAI-31-001.
  • For air-gapped installs, operators verify: slsa-verifier verify-attestation --source=stellaops/advisory-ai-web --bundle advisory-ai-web.intoto.jsonl --digest <image-digest>.

4) Deployment checklist

  • Import advisory-ai-web and advisory-ai-worker images to registry.
  • Apply profiles.catalog.json; ensure remote profiles disabled unless Authority consent granted.
  • Load prompt pack and set AdvisoryAI:Prompts:ManifestHash to prompts.manifest.
  • Configure SBOM client (or keep NullSbomContextClient default).
  • If shipping LNM evidence, seed advisory_linksets and advisory_observations collections before enabling inference.
  • Record hashes in deployment log; surface in Authority audit via advisory_ai.output.generated events.

5) Update obligations

  • Any change to prompts, guardrails, or profiles → bump manifest hash and regenerate DSSE.
  • SBOM updates follow the same SBOM-AIAI-31-001 idempotent contract; replace files, update SHA256SUMS, resign.
  • Link all changes into the sprint Execution Log and Decisions & Risks sections.
  • CLI/Policy artefacts must be present before enabling cloud-openai or default profiles for tenants; if missing, keep profiles disabled and record the reason in Decisions & Risks.