7b01c7d6ac
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Introduced a blueprint for explainable quiet alerts, detailing phases for SBOM, VEX readiness, and attestations. - Developed a roadmap for deterministic diff-aware rescans, enhancing scanner speed and efficiency. - Implemented a hash-based SBOM layer cache to optimize container scans by reusing previous results. - Created a multi-runtime reachability corpus to validate function-level reachability across various programming languages. - Proposed a stable SBOM model using SPDX 3.0.1 for persistence and CycloneDX 1.6 for interchange. - Established a validation plan for quiet scans, focusing on provenance and CI integration. - Documented guidelines for the Findings Ledger module, outlining roles, execution rules, and testing protocols.
18 lines
1.0 KiB
Markdown
18 lines
1.0 KiB
Markdown
# 30 Oct 2025 — Governance rules anchor consolidated
|
||
|
||
**What changed**
|
||
|
||
- Published `docs/devops/contracts-and-rules.md` capturing the Sprint 33 governance rules:
|
||
1. API Gateway remains a proxy; Policy Engine composes overlays/simulations.
|
||
2. AOC ingestion persists upstream truth only (no merge/deduplicate logic).
|
||
3. Graph platform standardised on Graph Indexer + Graph API (Cartographer retired).
|
||
- Updated backlog hygiene note (`docs/backlog/2025-10-cleanup.md`) and archived the Cartographer handshake plan to point at the new graph platform.
|
||
- Logged the rules in `ops/devops/TASKS.md` and corresponding sprint file `docs/implplan/SPRINT_*.md`, removing duplicate references to Cartographer as an active service.
|
||
|
||
**Reviewers / acknowledgements**
|
||
|
||
- Platform Leads (DevOps + Graph) confirmed the retirement of Cartographer in favour of Graph Indexer + Graph API.
|
||
- Policy Engine Guild acknowledged the proxy-only Gateway posture and downstream overlay ownership.
|
||
|
||
See `DEVOPS-RULES-33-001` for the owning task.
|