git.stella-ops.org/docs/schemas/production-release-manifest.schema.json
StellaOps Bot 0de92144d2
feat(api): Implement Console Export Client and Models
- Added ConsoleExportClient for managing export requests and responses.
- Introduced ConsoleExportRequest and ConsoleExportResponse models.
- Implemented methods for creating and retrieving exports with appropriate headers.

feat(crypto): Add Software SM2/SM3 Cryptography Provider

- Implemented SmSoftCryptoProvider for software-only SM2/SM3 cryptography.
- Added support for signing and verification using SM2 algorithm.
- Included hashing functionality with SM3 algorithm.
- Configured options for loading keys from files and environment gate checks.

test(crypto): Add unit tests for SmSoftCryptoProvider

- Created comprehensive tests for signing, verifying, and hashing functionalities.
- Ensured correct behavior for key management and error handling.

feat(api): Enhance Console Export Models

- Expanded ConsoleExport models to include detailed status and event types.
- Added support for various export formats and notification options.

test(time): Implement TimeAnchorPolicyService tests

- Developed tests for TimeAnchorPolicyService to validate time anchors.
- Covered scenarios for anchor validation, drift calculation, and policy enforcement.
2025-12-07 00:27:33 +02:00


{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stella-ops.org/schemas/production-release-manifest.schema.json",
"title": "StellaOps Production Release Manifest Schema",
"description": "Schema for production release manifests, image digests, and deployment artifacts. Unblocks DEPLOY-ORCH-34-001, DEPLOY-POLICY-27-001, and downstream deployment tasks (10+ tasks).",
"type": "object",
"definitions": {
"ReleaseManifest": {
"type": "object",
"description": "Production release manifest",
"required": ["release_id", "version", "services"],
"properties": {
"release_id": {
"type": "string",
"description": "Unique release identifier"
},
"version": {
"type": "string",
"pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+(-[a-z0-9.]+)?$",
"description": "Release version in semver-style MAJOR.MINOR.PATCH form with an optional lowercase pre-release suffix (e.g. -beta.1); build metadata (+...) is not accepted by the pattern"
},
"codename": {
"type": "string",
"description": "Release codename"
},
"released_at": {
"type": "string",
"format": "date-time"
},
"release_notes_url": {
"type": "string",
"format": "uri"
},
"services": {
"type": "array",
"items": {
"$ref": "#/definitions/ServiceRelease"
}
},
"infrastructure": {
"$ref": "#/definitions/InfrastructureRequirements"
},
"migrations": {
"type": "array",
"items": {
"$ref": "#/definitions/MigrationStep"
}
},
"breaking_changes": {
"type": "array",
"items": {
"$ref": "#/definitions/BreakingChange"
}
},
"signatures": {
"type": "array",
"items": {
"$ref": "#/definitions/ReleaseSignature"
}
},
"manifest_digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$"
}
}
},
"ServiceRelease": {
"type": "object",
"description": "Individual service release information",
"required": ["service_id", "image", "digest"],
"properties": {
"service_id": {
"type": "string",
"description": "Service identifier"
},
"name": {
"type": "string"
},
"image": {
"type": "string",
"description": "Container image repository reference (registry/namespace/name) without tag or digest; the tag and digest are carried in the sibling fields"
},
"tag": {
"type": "string",
"description": "Image tag"
},
"digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Content-addressed sha256 image digest used to pin the deployed image; deployments should resolve the image by this digest rather than by the mutable tag"
},
"version": {
"type": "string",
"description": "Service version"
},
"config_version": {
"type": "string",
"description": "Configuration schema version"
},
"ports": {
"type": "array",
"items": {
"$ref": "#/definitions/PortMapping"
}
},
"health_check": {
"$ref": "#/definitions/HealthCheckConfig"
},
"resources": {
"$ref": "#/definitions/ResourceRequirements"
},
"dependencies": {
"type": "array",
"items": {
"type": "string"
},
"description": "Service IDs this depends on"
},
"environment_defaults": {
"type": "object",
"additionalProperties": {
"type": "string"
}
},
"sbom_ref": {
"type": "string",
"format": "uri",
"description": "Reference to SBOM"
},
"attestation_ref": {
"type": "string",
"format": "uri",
"description": "Reference to build attestation"
}
}
},
"PortMapping": {
"type": "object",
"description": "Port mapping configuration",
"required": ["container_port"],
"properties": {
"name": {
"type": "string"
},
"container_port": {
"type": "integer"
},
"protocol": {
"type": "string",
"enum": ["tcp", "udp"],
"default": "tcp"
},
"service_port": {
"type": "integer"
}
}
},
"HealthCheckConfig": {
"type": "object",
"description": "Health check configuration",
"properties": {
"path": {
"type": "string",
"default": "/health"
},
"port": {
"type": "integer"
},
"interval_seconds": {
"type": "integer",
"default": 30
},
"timeout_seconds": {
"type": "integer",
"default": 10
},
"failure_threshold": {
"type": "integer",
"default": 3
},
"success_threshold": {
"type": "integer",
"default": 1
}
}
},
"ResourceRequirements": {
"type": "object",
"description": "Resource requirements",
"properties": {
"cpu_request": {
"type": "string",
"pattern": "^[0-9]+(m)?$"
},
"cpu_limit": {
"type": "string",
"pattern": "^[0-9]+(m)?$"
},
"memory_request": {
"type": "string",
"pattern": "^[0-9]+(Mi|Gi)$"
},
"memory_limit": {
"type": "string",
"pattern": "^[0-9]+(Mi|Gi)$"
},
"storage": {
"type": "string",
"pattern": "^[0-9]+(Mi|Gi|Ti)$"
}
}
},
"InfrastructureRequirements": {
"type": "object",
"description": "Infrastructure requirements for release",
"properties": {
"kubernetes_version": {
"type": "string",
"description": "Minimum Kubernetes version"
},
"docker_version": {
"type": "string",
"description": "Minimum Docker version"
},
"databases": {
"type": "array",
"items": {
"$ref": "#/definitions/DatabaseRequirement"
}
},
"external_services": {
"type": "array",
"items": {
"$ref": "#/definitions/ExternalServiceRequirement"
}
}
}
},
"DatabaseRequirement": {
"type": "object",
"description": "Database requirement",
"required": ["type", "min_version"],
"properties": {
"type": {
"type": "string",
"enum": ["mongodb", "postgres", "redis", "rabbitmq"]
},
"min_version": {
"type": "string"
},
"recommended_version": {
"type": "string"
},
"storage_estimate": {
"type": "string"
}
}
},
"ExternalServiceRequirement": {
"type": "object",
"description": "External service requirement",
"required": ["service", "required"],
"properties": {
"service": {
"type": "string"
},
"required": {
"type": "boolean"
},
"description": {
"type": "string"
},
"default_url": {
"type": "string",
"format": "uri"
}
}
},
"MigrationStep": {
"type": "object",
"description": "Migration step",
"required": ["migration_id", "type", "description"],
"properties": {
"migration_id": {
"type": "string"
},
"type": {
"type": "string",
"enum": ["database", "config", "data", "manual"]
},
"description": {
"type": "string"
},
"from_version": {
"type": "string"
},
"to_version": {
"type": "string"
},
"reversible": {
"type": "boolean",
"default": false
},
"script_path": {
"type": "string"
},
"estimated_duration": {
"type": "string"
},
"requires_downtime": {
"type": "boolean",
"default": false
}
}
},
"BreakingChange": {
"type": "object",
"description": "Breaking change documentation",
"required": ["change_id", "description", "migration_guide"],
"properties": {
"change_id": {
"type": "string"
},
"service": {
"type": "string"
},
"description": {
"type": "string"
},
"impact": {
"type": "string",
"enum": ["api", "config", "data", "behavior"]
},
"migration_guide": {
"type": "string"
},
"affected_versions": {
"type": "string"
}
}
},
"ReleaseSignature": {
"type": "object",
"description": "Release signature",
"required": ["signature_type", "signature"],
"properties": {
"signature_type": {
"type": "string",
"enum": ["cosign", "gpg", "dsse"]
},
"signature": {
"type": "string"
},
"key_id": {
"type": "string"
},
"signed_at": {
"type": "string",
"format": "date-time"
},
"rekor_log_index": {
"type": "integer"
}
}
},
"DeploymentProfile": {
"type": "object",
"description": "Deployment profile with service overrides",
"required": ["profile_id", "name"],
"properties": {
"profile_id": {
"type": "string",
"enum": ["development", "staging", "production", "airgap"]
},
"name": {
"type": "string"
},
"description": {
"type": "string"
},
"service_overrides": {
"type": "object",
"additionalProperties": {
"type": "object",
"properties": {
"replicas": {
"type": "integer"
},
"resources": {
"$ref": "#/definitions/ResourceRequirements"
},
"environment": {
"type": "object",
"additionalProperties": {
"type": "string"
}
}
}
}
},
"feature_flags": {
"type": "object",
"additionalProperties": {
"type": "boolean"
}
}
}
},
"ReleaseChannel": {
"type": "object",
"description": "Release channel configuration",
"required": ["channel_id", "name"],
"properties": {
"channel_id": {
"type": "string",
"enum": ["stable", "beta", "alpha", "nightly"]
},
"name": {
"type": "string"
},
"description": {
"type": "string"
},
"current_version": {
"type": "string"
},
"manifest_url": {
"type": "string",
"format": "uri"
},
"update_frequency": {
"type": "string",
"description": "How often this channel updates"
}
}
}
},
"properties": {
"manifest": {
"$ref": "#/definitions/ReleaseManifest"
},
"profiles": {
"type": "array",
"items": {
"$ref": "#/definitions/DeploymentProfile"
}
},
"channels": {
"type": "array",
"items": {
"$ref": "#/definitions/ReleaseChannel"
}
}
},
"examples": [
{
"manifest": {
"release_id": "stellaops-2025.10.0",
"version": "2025.10.0",
"codename": "Aurora",
"released_at": "2025-12-06T10:00:00Z",
"release_notes_url": "https://github.com/stellaops/stellaops/releases/tag/v2025.10.0",
"services": [
{
"service_id": "orchestrator",
"name": "Orchestrator",
"image": "ghcr.io/stellaops/orchestrator",
"tag": "2025.10.0",
"digest": "sha256:orch123def456789012345678901234567890123456789012345678901234orch",
"version": "2025.10.0",
"ports": [
{
"name": "http",
"container_port": 8080,
"protocol": "tcp"
},
{
"name": "grpc",
"container_port": 9090,
"protocol": "tcp"
}
],
"health_check": {
"path": "/health",
"port": 8080,
"interval_seconds": 30
},
"resources": {
"cpu_request": "100m",
"cpu_limit": "1000m",
"memory_request": "256Mi",
"memory_limit": "1Gi"
},
"dependencies": ["postgres", "redis", "rabbitmq"],
"sbom_ref": "https://sbom.stella-ops.org/orchestrator/2025.10.0.json",
"attestation_ref": "https://attestation.stella-ops.org/orchestrator/2025.10.0.jsonl"
},
{
"service_id": "policy-engine",
"name": "Policy Engine",
"image": "ghcr.io/stellaops/policy-engine",
"tag": "2025.10.0",
"digest": "sha256:policy123def456789012345678901234567890123456789012345678901234pol",
"version": "2025.10.0",
"ports": [
{
"name": "http",
"container_port": 8081
}
],
"health_check": {
"path": "/health",
"port": 8081
},
"resources": {
"cpu_request": "200m",
"cpu_limit": "2000m",
"memory_request": "512Mi",
"memory_limit": "2Gi"
},
"dependencies": ["mongodb", "orchestrator"]
},
{
"service_id": "scanner",
"name": "Scanner",
"image": "ghcr.io/stellaops/scanner",
"tag": "2025.10.0",
"digest": "sha256:scan123def456789012345678901234567890123456789012345678901234scan",
"version": "2025.10.0"
},
{
"service_id": "findings-ledger",
"name": "Findings Ledger",
"image": "ghcr.io/stellaops/findings-ledger",
"tag": "2025.10.0",
"digest": "sha256:ledger123def456789012345678901234567890123456789012345678901234led",
"version": "2025.10.0",
"dependencies": ["postgres", "redis"]
},
{
"service_id": "vex-lens",
"name": "VEX Lens",
"image": "ghcr.io/stellaops/vex-lens",
"tag": "2025.10.0",
"digest": "sha256:vex123def456789012345678901234567890123456789012345678901234vexl",
"version": "2025.10.0"
},
{
"service_id": "concelier",
"name": "Concelier",
"image": "ghcr.io/stellaops/concelier",
"tag": "2025.10.0",
"digest": "sha256:conc123def456789012345678901234567890123456789012345678901234conc",
"version": "2025.10.0",
"dependencies": ["mongodb", "redis"]
}
],
"infrastructure": {
"kubernetes_version": ">=1.27",
"docker_version": ">=24.0",
"databases": [
{
"type": "mongodb",
"min_version": "7.0",
"recommended_version": "7.0.4",
"storage_estimate": "50Gi"
},
{
"type": "postgres",
"min_version": "16",
"recommended_version": "16.1",
"storage_estimate": "100Gi"
},
{
"type": "redis",
"min_version": "7",
"recommended_version": "7.2"
}
],
"external_services": [
{
"service": "S3-compatible storage",
"required": true,
"description": "For evidence and artifact storage"
},
{
"service": "OIDC provider",
"required": false,
"description": "For SSO authentication"
}
]
},
"migrations": [
{
"migration_id": "mig-2025.10-001",
"type": "database",
"description": "Add risk_score column to findings table",
"from_version": "2025.09.0",
"to_version": "2025.10.0",
"reversible": true,
"script_path": "migrations/2025.10/001_add_risk_score.sql",
"estimated_duration": "5m",
"requires_downtime": false
}
],
"breaking_changes": [
{
"change_id": "bc-2025.10-001",
"service": "policy-engine",
"description": "Policy API v1 deprecated, use v2",
"impact": "api",
"migration_guide": "See docs/migration/policy-api-v2.md",
"affected_versions": "<2025.10.0"
}
],
"manifest_digest": "sha256:manifest123def456789012345678901234567890123456789012345678901234"
},
"profiles": [
{
"profile_id": "development",
"name": "Development",
"description": "Single-replica development deployment",
"service_overrides": {
"orchestrator": {
"replicas": 1,
"resources": {
"cpu_limit": "500m",
"memory_limit": "512Mi"
}
}
},
"feature_flags": {
"debug_mode": true,
"airgap_mode": false
}
},
{
"profile_id": "production",
"name": "Production",
"description": "High-availability production deployment",
"service_overrides": {
"orchestrator": {
"replicas": 3
},
"policy-engine": {
"replicas": 3
}
},
"feature_flags": {
"debug_mode": false,
"airgap_mode": false
}
},
{
"profile_id": "airgap",
"name": "Air-Gap",
"description": "Offline deployment without external connectivity",
"feature_flags": {
"debug_mode": false,
"airgap_mode": true
}
}
],
"channels": [
{
"channel_id": "stable",
"name": "Stable",
"description": "Production-ready releases",
"current_version": "2025.10.0",
"manifest_url": "https://releases.stella-ops.org/stable/manifest.json",
"update_frequency": "Monthly"
},
{
"channel_id": "beta",
"name": "Beta",
"description": "Pre-release testing",
"current_version": "2025.11.0-beta.1",
"manifest_url": "https://releases.stella-ops.org/beta/manifest.json",
"update_frequency": "Weekly"
}
]
}
]
}