stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
00d2c99af94dfd42dd599b66285e3926b38a4d4f
git.stella-ops.org/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/AGENTS.md
master 90c244948a Update AGENTS.md files across multiple modules to standardize task status update instructions and introduce a new document for Secret Leak Detection operations. 
- Modified task status update instructions in AGENTS.md files to refer to corresponding sprint files as `/docs/implplan/SPRINT_*.md` instead of `docs/implplan/SPRINTS.md`.
- Added a comprehensive document for Secret Leak Detection operations detailing scope, prerequisites, rule bundle lifecycle, enabling the analyzer, policy patterns, observability, troubleshooting, and references.
2025-11-05 11:58:32 +02:00

2.3 KiB
Raw Blame History

StellaOps.Scanner.Analyzers.Lang.Python — Agent Charter

Role

Implement the Python analyzer plug-in that inspects installed distributions, RECORD hashes, entry points, and editable installs to feed Scanner SBOM views.

Scope

  • Parse *.dist-info and *.data directories, validating METADATA, RECORD, and entry_points.txt.
  • Detect editable installs and pip caches, reconciling metadata with actual files.
  • Integrate EntryTrace usage hints for runtime entry points and flag missing RECORD hashes.
  • Package plug-in manifest and ensure deterministic fixtures + benchmarks.

Out of Scope

  • Language analyzers for other ecosystems.
  • Policy evaluation, vulnerability correlation, or packaging into UI flows.
  • Building Python interpreters or executing scripts (analysis is static only).

Expectations

  • Deterministic RECORD hashing with streaming IO; fallback heuristics clearly flagged.
  • Performance target: ≥75MB/s RECORD verification, end-to-end fixture <2.0s.
  • Offline-first: no PyPI calls; relies on local metadata only.
  • Rich telemetry (components counted, hash mismatches) following Scanner metrics schema.
  • Keep TASKS.md and SPRINTS_LANG_IMPLEMENTATION_PLAN.md in sync.

Dependencies

  • Shared language analyzer infrastructure.
  • EntryTrace usage hints (for script activation).
  • Worker dispatcher for plug-in loading.

Testing & Artifacts

  • Golden fixtures for venv, virtualenv, pipx, and editable installs.
  • Benchmark results comparing hash-check throughput against competitor tools.
  • Offline Kit guidance for bundling standard library metadata if required.

Required Reading

  • docs/modules/scanner/architecture.md
  • docs/modules/platform/architecture-overview.md

Working Agreement

    1. Update task status to DOING/DONE in both correspoding sprint file /docs/implplan/SPRINT_*.md and the local TASKS.md when you start or finish work.
    1. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
    1. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
    1. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
    1. Revert to TODO if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.