stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions Releases Wiki Activity
Files
main
git.stella-ops.org/docs/devops/contracts-and-rules.md
master 15b4a1de6a feat: Document completed tasks for KMS, Cryptography, and Plugin Libraries 
- Added detailed task completion records for KMS interface implementation and CLI support for file-based keys.
- Documented security enhancements including Argon2id password hashing, audit event contracts, and rate limiting configurations.
- Included scoped service support and integration updates for the Plugin platform, ensuring proper DI handling and testing coverage.
2025-10-31 14:37:45 +02:00

3.1 KiB
Raw Permalink Blame History

DevOps Governance Rules Anchor (Sprint33)

Scope · Exit deliverable for DEVOPS-RULES-33-001
Audience · DevOps Guild, Platform leads, service owners
Related · ops/devops/TASKS.md, docs/backlog/2025-10-cleanup.md, docs/modules/platform/architecture-overview.md

This note consolidates the platform governance rules ratified on 30October2025.
Each rule captures intent, affected surfaces, enforcement actions, and references to the source-of-truth backlogs so that subsequent sprints do not reintroduce conflicting work.

Rule Intent & Rationale Enforcement & Ownership Follow-ups
Gateway is a proxy only; Policy Engine owns overlays/simulations. Keep Gateway thin and deterministic: it authenticates, authorises, and forwards requests. All overlay composition, simulation, and policy evaluation stays inside Policy Engine so we avoid duplicated logic and time-of-check drift. Owners: BEBase Platform Guild + Policy Engine Guild.
Enforcement: Gateway PR reviews block embedded overlay code, new endpoints require Policy Engine contracts, CI parity checks compare Gateway ↔ Policy overlay schemas.		 - Update open tasks referencing “gateway overlay” work to point at POLICY-ENGINE-20-00x.
- Close or rewrite backlog items WEB-POLICY-20-00x that attempted to compute overlays in Gateway.
AOC ingestion is canonical-only; no merges at ingest. Concelier/Excititor persist upstream truth plus provenance. Derived severity, merges, or dedupe belong to downstream Policy workflows. This keeps ingestion auditable and replayable. Owners: Concelier & Excititor guilds, DevOps Guild for CI pipelines.
Enforcement: StellaOps.Aoc guard library, Mongo validators, Roslyn analyzer backlog (WEB-AOC-19-003), CI job stella aoc verify.		 - Ensure ingestion tasks reference the guard library (StellaOps.Aoc).
- Retire legacy tasks that still mention merge-at-ingest (see backlog cleanup note).
Single graph platform: Graph Indexer + Graph API (Cartographer retired). Replace the historical Cartographer service with the Graph Indexer + Graph API pairing so graph storage, overlays, and explorer flows share one platform. Owners: Graph Platform Guild, Scheduler Guild, DevOps Guild.
Enforcement: New graph work lands in docs/modules/graph/** and src/Graph/**. Gateway/UI/CLI tickets reference the Graph API endpoints only.		 - Archive Cartographer handshake docs and mark Cartographer backlog items as historical.
- Update Scheduler/SBOM/Console tickets to depend on GRAPH-* IDs instead of CARTO-*.

Tracking & documentation

  • Rules recorded in docs/implplan/SPRINTS.md (Sprint33) and ops/devops/TASKS.md.
  • Repository-wide references to “Cartographer as active platform” updated (see backlog note amendment and doc banner).
  • Changelog entry (docs/updates/2025-10-30-devops-governance.md) captures reviewer acknowledgement.

Future adjustments to these rules must update this file and reference DEVOPS-RULES-33-001 when proposing changes so the DevOps Guild can track history.