git.stella-ops.org/src/Excititor/StellaOps.Excititor.WebService/AGENTS.md
master 8355e2ff75
feat: Add initial implementation of Vulnerability Resolver Jobs
- Created project for StellaOps.Scanner.Analyzers.Native.Tests with necessary dependencies.
- Documented roles and guidelines in AGENTS.md for Scheduler module.
- Implemented IResolverJobService interface and InMemoryResolverJobService for handling resolver jobs.
- Added ResolverBacklogNotifier and ResolverBacklogService for monitoring job metrics.
- Developed API endpoints for managing resolver jobs and retrieving metrics.
- Defined models for resolver job requests and responses.
- Integrated dependency injection for resolver job services.
- Implemented ImpactIndexSnapshot for persisting impact index data.
- Introduced SignalsScoringOptions for configurable scoring weights in reachability scoring.
- Added unit tests for ReachabilityScoringService and RuntimeFactsIngestionService.
- Created dotnet-filter.sh script to handle command-line arguments for dotnet.
- Established nuget-prime project for managing package downloads.
2025-11-18 07:52:15 +02:00
Excititor WebService Charter

Mission

Expose Excititor APIs (console VEX views, graph/Vuln Explorer feeds, observation intake/health) while honoring the Aggregation-Only Contract (no consensus/severity logic in this service).

Scope

  • Working directory: src/Excititor/StellaOps.Excititor.WebService
  • HTTP APIs, DTOs, controllers, authz filters, composition root, telemetry hooks.
  • Wiring to Core/Storage libraries; no direct policy or consensus logic.

Required Reading

  • docs/modules/excititor/architecture.md
  • docs/modules/excititor/README.md#latest-updates
  • docs/modules/excititor/vex_observations.md
  • docs/ingestion/aggregation-only-contract.md
  • docs/modules/excititor/implementation_plan.md

Roles

  • Backend developer (.NET 10 / C# preview).
  • QA automation (integration + API contract tests).

Working Agreements

  1. Update sprint Delivery Tracker when tasks move TODO→DOING→DONE/BLOCKED; mirror notes in Execution Log.
  2. Keep APIs aggregation-only: persist raw observations, provenance, and precedence pointers; never merge/weight/consensus here.
  3. Enforce tenant scoping and RBAC on all endpoints; default-deny for cross-tenant data.
  4. Offline-first: no external network calls; rely on cached/mirrored feeds only.
  5. Observability: structured logs, counters, optional OTEL traces behind configuration flags.

Testing

  • Prefer deterministic API/integration tests under __Tests with seeded Mongo fixtures.
  • Verify RBAC/tenant isolation, idempotent ingestion, and stable ordering of VEX aggregates.
  • Use ISO-8601 UTC timestamps and stable sorting in responses; assert on content hashes where applicable.

Determinism & Data

  • MongoDB is the canonical store; never apply consensus transformations before persistence.
  • Ensure paged/list endpoints use explicit sort keys (e.g., vendor, upstreamId, version, createdUtc).
  • Avoid nondeterministic clocks/randomness; inject clocks and GUID providers for tests.
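The tenant-scoping rule in Working Agreement 3 and the sort-key and injected-clock rules in this section can be shown together in one small ASP.NET Core minimal-API program. This is an added example for illustration, not code from the Excititor WebService; the route shape, the `tenant` claim name, the `VexObservation` record and the `TenantScopeFilter` class are assumptions, and the in-memory list stands in for the Mongo-backed store.

```csharp
// Added example (not Excititor's own code). Assumed names: TenantScopeFilter,
// VexObservation, the "tenant" claim type and the /v1/{tenant}/vex/observations route.
using System.Security.Claims;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
// TimeProvider is injected so tests can substitute a fixed clock instead of DateTime.UtcNow.
builder.Services.AddSingleton(TimeProvider.System);
builder.Services.AddAuthentication();
builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Constructed in-memory data standing in for the canonical Mongo store.
var store = new List<VexObservation>
{
    new("acme", "vendorB", "VULN-PLACEHOLDER-2", "1.0", DateTimeOffset.Parse("2025-01-02T00:00:00Z")),
    new("acme", "vendorA", "VULN-PLACEHOLDER-1", "2.0", DateTimeOffset.Parse("2025-01-03T00:00:00Z")),
    new("acme", "vendorA", "VULN-PLACEHOLDER-1", "1.0", DateTimeOffset.Parse("2025-01-01T00:00:00Z")),
    new("other", "vendorA", "VULN-PLACEHOLDER-1", "1.0", DateTimeOffset.Parse("2025-01-01T00:00:00Z")),
};

app.MapGet("/v1/{tenant}/vex/observations",
        (string tenant, int? page, int? pageSize, TimeProvider clock) => Results.Ok(new
        {
            // ISO-8601 UTC timestamp taken from the injected clock, never from a static one.
            generatedUtc = clock.GetUtcNow().UtcDateTime.ToString("o"),
            items = ObservationQueries.Page(store, tenant, page ?? 0, pageSize ?? 50),
        }))
    .RequireAuthorization()
    .AddEndpointFilter<TenantScopeFilter>();

app.Run();

// Hypothetical observation record; the real DTOs live in the Core/Storage libraries.
public sealed record VexObservation(
    string Tenant, string Vendor, string UpstreamId, string Version, DateTimeOffset CreatedUtc);

// Endpoint filter: the caller's tenant claim must equal the {tenant} route value.
// A missing or mismatched value is rejected before the handler runs (default-deny).
public sealed class TenantScopeFilter : IEndpointFilter
{
    public async ValueTask<object?> InvokeAsync(
        EndpointFilterInvocationContext ctx, EndpointFilterDelegate next)
    {
        var routeTenant = ctx.HttpContext.Request.RouteValues["tenant"] as string;
        var claimTenant = ctx.HttpContext.User.FindFirst("tenant")?.Value; // claim type is an assumption

        if (string.IsNullOrEmpty(routeTenant) || string.IsNullOrEmpty(claimTenant)
            || !string.Equals(routeTenant, claimTenant, StringComparison.Ordinal))
        {
            // 404 rather than 403 so a cross-tenant request does not confirm that the tenant exists.
            return Results.NotFound();
        }
        return await next(ctx);
    }
}

public static class ObservationQueries
{
    // Explicit, total sort key (vendor, upstreamId, version, createdUtc) so that paging is
    // stable across requests and replicas regardless of insertion order.
    public static IReadOnlyList<VexObservation> Page(
        IEnumerable<VexObservation> source, string tenant, int page, int pageSize)
        => source
            .Where(o => string.Equals(o.Tenant, tenant, StringComparison.Ordinal))
            .OrderBy(o => o.Vendor, StringComparer.Ordinal)
            .ThenBy(o => o.UpstreamId, StringComparer.Ordinal)
            .ThenBy(o => o.Version, StringComparer.Ordinal)
            .ThenBy(o => o.CreatedUtc)
            .Skip(page * pageSize)
            .Take(pageSize)
            .ToList();
}
```

Two design points worth noting. The filter compares tenants with ordinal equality and denies on any missing value, so an endpoint added later without a tenant claim or route value fails closed rather than open; and the query filters by tenant before sorting, so the ordering cannot leak which neighbouring tenant rows exist. In a test, registering a fixed `TimeProvider` and seeding the list in shuffled order should produce byte-identical responses, which is what the content-hash assertions in the Testing section rely on.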

Boundaries

  • Do not modify Policy Engine or Cartographer schemas from here; consume published contracts only.
  • Configuration via appsettings/environment; no hard-coded secrets.

Ready-to-Start Checklist

  • Required docs reviewed.
  • Test database/fixtures prepared (no external dependencies).
  • Feature flags defined for new endpoints before exposing them.