205 lines
7.8 KiB
YAML
205 lines
7.8 KiB
YAML
# Runtime Data Assets Manifest
|
|
# Pinned versions, checksums, and licensing for all runtime data assets.
|
|
# Used by acquire.sh for download verification and by CI for release gating.
|
|
#
|
|
# To update a pinned version:
|
|
# 1. Change the entry below
|
|
# 2. Run: ./devops/runtime-assets/acquire.sh --verify
|
|
# 3. Update NOTICE.md and third-party-licenses/ if license changed
|
|
|
|
version: "1.0.0"
|
|
updated: "2026-02-25"
|
|
|
|
assets:
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# ML Models
|
|
# ---------------------------------------------------------------------------
|
|
onnx-embedding-model:
|
|
name: "all-MiniLM-L6-v2 (ONNX)"
|
|
category: "ml-models"
|
|
required: true
|
|
degraded_without: true # falls back to character-ngram encoder
|
|
source: "https://huggingface.co/sentence-transformers/all-MiniLM-L6-v2/resolve/main/onnx/model.onnx"
|
|
license: "Apache-2.0"
|
|
license_file: "third-party-licenses/all-MiniLM-L6-v2-Apache-2.0.txt"
|
|
notice_entry: true # listed in NOTICE.md
|
|
destination: "src/AdvisoryAI/StellaOps.AdvisoryAI/models/all-MiniLM-L6-v2.onnx"
|
|
runtime_path: "models/all-MiniLM-L6-v2.onnx"
|
|
env_override: "KnowledgeSearch__OnnxModelPath"
|
|
size_approx: "80 MB"
|
|
sha256: "6fd5d72fe4589f189f8ebc006442dbb529bb7ce38f8082112682524616046452"
|
|
used_by:
|
|
- "StellaOps.AdvisoryAI (OnnxVectorEncoder)"
|
|
notes: >
|
|
Current file in repo is a 120-byte placeholder.
|
|
Must be replaced with actual weights before production release.
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# JDK (for Ghidra)
|
|
# ---------------------------------------------------------------------------
|
|
jdk:
|
|
name: "Eclipse Temurin JRE 17"
|
|
category: "binary-analysis"
|
|
required: false # only if GhidraOptions__Enabled=true
|
|
source: "https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.13%2B11/OpenJDK17U-jre_x64_linux_hotspot_17.0.13_11.tar.gz"
|
|
license: "GPL-2.0-with-classpath-exception"
|
|
destination: "/opt/java/openjdk/"
|
|
env_override: "GhidraOptions__JavaHome"
|
|
size_approx: "55 MB"
|
|
sha256: "PENDING" # TODO: pin after first verified download
|
|
used_by:
|
|
- "StellaOps.BinaryIndex.Ghidra (GhidraHeadlessManager)"
|
|
notes: >
|
|
GPLv2+CE allows linking without copyleft obligation.
|
|
Only needed for deployments using Ghidra binary analysis.
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Ghidra
|
|
# ---------------------------------------------------------------------------
|
|
ghidra:
|
|
name: "Ghidra 11.2 PUBLIC"
|
|
category: "binary-analysis"
|
|
required: false # only if GhidraOptions__Enabled=true
|
|
source: "https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_11.2_build/ghidra_11.2_PUBLIC_20241105.zip"
|
|
license: "Apache-2.0"
|
|
destination: "/opt/ghidra/"
|
|
env_override: "GhidraOptions__GhidraHome"
|
|
size_approx: "1.5 GB"
|
|
sha256: "PENDING" # TODO: pin after first verified download
|
|
used_by:
|
|
- "StellaOps.BinaryIndex.Ghidra (GhidraService, GhidraHeadlessManager)"
|
|
notes: >
|
|
Full Ghidra installation with analyzers, BSim, and Version Tracking.
|
|
Disable with GhidraOptions__Enabled=false to skip entirely.
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Certificates (development defaults — replace for production)
|
|
# ---------------------------------------------------------------------------
|
|
dev-certificates:
|
|
name: "Development TLS certificates"
|
|
category: "certificates"
|
|
required: true
|
|
source: "local" # shipped in etc/authority/keys/
|
|
destination: "etc/authority/keys/"
|
|
runtime_path: "/app/etc/certs/"
|
|
env_override: "Kestrel__Certificates__Default__Path"
|
|
mount: "ro"
|
|
used_by:
|
|
- "All services (Kestrel TLS)"
|
|
notes: >
|
|
Dev-only. Replace with production certificates before deployment.
|
|
See docs/SECURITY_HARDENING_GUIDE.md.
|
|
|
|
trust-bundle:
|
|
name: "CA trust bundle"
|
|
category: "certificates"
|
|
required: true
|
|
source: "local" # shipped in etc/trust-profiles/assets/
|
|
destination: "etc/trust-profiles/assets/"
|
|
runtime_path: "/etc/ssl/certs/ca-certificates.crt"
|
|
mount: "ro"
|
|
used_by:
|
|
- "All services (HTTPS verification, attestation)"
|
|
notes: >
|
|
Combined CA bundle. For regional deployments include additional
|
|
trust anchors (russian_trusted_bundle.pem, etc).
|
|
|
|
rekor-public-key:
|
|
name: "Rekor transparency log public key"
|
|
category: "certificates"
|
|
required: true # for Sigstore verification
|
|
source: "local"
|
|
destination: "etc/trust-profiles/assets/rekor-public.pem"
|
|
used_by:
|
|
- "Attestor (Sigstore receipt verification)"
|
|
- "AirGapTrustStoreIntegration"
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Regional crypto configuration
|
|
# ---------------------------------------------------------------------------
|
|
crypto-profiles:
|
|
name: "Regional crypto configuration"
|
|
category: "configuration"
|
|
required: false # only for regional compliance
|
|
source: "local"
|
|
files:
|
|
- "etc/appsettings.crypto.international.yaml"
|
|
- "etc/appsettings.crypto.eu.yaml"
|
|
- "etc/appsettings.crypto.russia.yaml"
|
|
- "etc/appsettings.crypto.china.yaml"
|
|
- "etc/crypto-plugins-manifest.json"
|
|
used_by:
|
|
- "All services (crypto provider selection)"
|
|
notes: >
|
|
Selected via compose overlay (docker-compose.compliance-*.yml).
|
|
See devops/compose/README.md.
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Evidence storage
|
|
# ---------------------------------------------------------------------------
|
|
evidence-storage:
|
|
name: "Evidence object store"
|
|
category: "persistent-storage"
|
|
required: true
|
|
type: "volume"
|
|
runtime_path: "/data/evidence"
|
|
env_override: "EvidenceLocker__ObjectStore__FileSystem__RootPath"
|
|
mount: "rw"
|
|
sizing: "~1 GB per 1000 scans"
|
|
used_by:
|
|
- "EvidenceLocker"
|
|
- "Attestor"
|
|
notes: >
|
|
Persistent named volume. Content-addressed, append-only.
|
|
Include in backup strategy.
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Search seed snapshots (included in dotnet publish — no acquisition needed)
|
|
# ---------------------------------------------------------------------------
|
|
search-snapshots:
|
|
name: "Unified search seed snapshots"
|
|
category: "search-data"
|
|
required: true
|
|
source: "included" # part of dotnet publish output
|
|
destination: "src/AdvisoryAI/StellaOps.AdvisoryAI/UnifiedSearch/Snapshots/"
|
|
files:
|
|
- "findings.snapshot.json"
|
|
- "vex.snapshot.json"
|
|
- "policy.snapshot.json"
|
|
- "graph.snapshot.json"
|
|
- "scanner.snapshot.json"
|
|
- "opsmemory.snapshot.json"
|
|
- "timeline.snapshot.json"
|
|
used_by:
|
|
- "UnifiedSearchIndexer (bootstrap on first start)"
|
|
notes: >
|
|
Copied to output by .csproj Content items.
|
|
Live data adapters refresh the index every 300s at runtime.
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Translations (included in Angular build — no acquisition needed)
|
|
# ---------------------------------------------------------------------------
|
|
translations:
|
|
name: "UI translation bundles"
|
|
category: "i18n"
|
|
required: true
|
|
source: "included" # part of Angular dist build
|
|
destination: "src/Web/StellaOps.Web/src/i18n/"
|
|
locales:
|
|
- "en-US"
|
|
- "de-DE"
|
|
- "bg-BG"
|
|
- "ru-RU"
|
|
- "es-ES"
|
|
- "fr-FR"
|
|
- "uk-UA"
|
|
- "zh-CN"
|
|
- "zh-TW"
|
|
used_by:
|
|
- "Console (Angular frontend)"
|
|
- "TranslationRegistry (backend override)"
|
|
notes: >
|
|
Baked into Angular dist bundle. Backend can override via
|
|
database-backed ITranslationBundleProvider (priority 100).
|