stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
10212d67c0dfa0dd849fd798c24502b773664749
git.stella-ops.org/docs/advisory-ai/packaging.md
master 10212d67c0
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
api-governance / spectral-lint (push) Has been cancelled
Details
Refactor code structure for improved readability and maintainability; removed redundant code blocks and optimized function calls.
2025-11-20 07:50:52 +02:00

66 lines
3.4 KiB
Markdown
Raw Blame History

# Advisory AI Packaging & SBOM Bundle (AIAI-PACKAGING-31-002)
_Updated: 2025-11-18 · Owner: Advisory AI Release · Status: Draft_
Defines the artefacts and provenance required to ship Advisory AI in Sprint 0111, covering offline kits and on-prem deployments.
## 1) Bundle contents
| Artefact | Purpose | Provenance |
| --- | --- | --- |
| `advisory-ai-web` image | API surface + plan cache | SBOM: `SBOM-AIAI-31-001:web`; DSSE attestation signed by Release key |
| `advisory-ai-worker` image | Queue + inference executor | SBOM: `SBOM-AIAI-31-001:worker`; DSSE attestation |
| Prompt + guardrail pack | Deterministic prompts, redaction lists, validation rules | DSSE sealed; hash recorded in `prompts.manifest` |
| Profile catalog | `default`, `fips-local`, `gost-local`, `cloud-openai` (disabled) | Versioned JSON, hashed; tenant consent flags captured |
| Policy bundle | `policyVersion` digest for baseline evaluation; Authority importable | DSSE + provenance to Policy Engine digests |
| LNM evidence export (optional) | Concelier `advisory_linksets` + `advisory_observations` for air-gap replay | Hash list aligned to `provenanceHash` in RAG bundles |
| SBOM context client config | Example `AddSbomContextHttpClient` settings (`BaseAddress`, `Endpoint`, `ApiKey`) | Signed `sbom-context.example.json` |
## 2) Directory layout (Offline Kit)
```
/offline-kit/advisory-ai/
images/
advisory-ai-web.tar.zst
advisory-ai-worker.tar.zst
sboms/
SBOM-AIAI-31-001-web.json
SBOM-AIAI-31-001-worker.json
provenance/
advisory-ai-web.intoto.jsonl
advisory-ai-worker.intoto.jsonl
prompts.manifest.dsse
profiles.catalog.json
policy-bundle.intoto.jsonl
config/
advisoryai.appsettings.example.json
sbom-context.example.json
evidence/
lnm-linksets.ndjson # optional; aligns to linkset hashes in RAG bundles
lnm-observations.ndjson # optional; immutable raw docs
```
- All files hashed into `SHA256SUMS` with DSSE signature (`SHA256SUMS.dsse`).
- Profiles catalog and prompt pack hashes must be propagated into `AdvisoryAI:Provenance` settings for runtime verification.
## 3) SBOM & provenance rules
- SBOMs must follow SPDX 3.0.1; embed image digest (`sha256:<...>`) and build args.
- Attestations use DSSE + SPDX predicate; signer key matches Release guild key referenced in `DEVOPS-AIAI-31-001`.
- For air-gapped installs, operators verify: `slsa-verifier verify-attestation --source=stellaops/advisory-ai-web --bundle advisory-ai-web.intoto.jsonl --digest <image-digest>`.
## 4) Deployment checklist
- [ ] Import `advisory-ai-web` and `advisory-ai-worker` images to registry.
- [ ] Apply `profiles.catalog.json`; ensure remote profiles disabled unless Authority consent granted.
- [ ] Load prompt pack and set `AdvisoryAI:Prompts:ManifestHash` to `prompts.manifest`.
- [ ] Configure SBOM client (or keep `NullSbomContextClient` default).
- [ ] If shipping LNM evidence, seed `advisory_linksets` and `advisory_observations` collections before enabling inference.
- [ ] Record hashes in deployment log; surface in Authority audit via `advisory_ai.output.generated` events.
## 5) Update obligations
- Any change to prompts, guardrails, or profiles → bump manifest hash and regenerate DSSE.
- SBOM updates follow the same `SBOM-AIAI-31-001` idempotent contract; replace files, update `SHA256SUMS`, resign.
- Link all changes into the sprint Execution Log and Decisions & Risks sections.
Reference in New Issue View Git Blame Copy Permalink