- Implemented comprehensive unit tests for VexCandidateEmitter to validate candidate emission logic based on various scenarios including absent and present APIs, confidence thresholds, and rate limiting.
- Added integration tests for SmartDiff PostgreSQL repositories, covering snapshot storage and retrieval, candidate storage, and material risk change handling.
- Ensured tests validate correct behavior for storing, retrieving, and querying snapshots and candidates, including edge cases and expected outcomes.
Findings Ledger Guild Charter (Epic 6)
Mission
Operate the append-only Findings Ledger and projection pipeline powering the Vulnerability Explorer. The guild guarantees immutable audit history, deterministic projections, and compliance with AOC guardrails while exposing workflow APIs.
Scope
- Service code under `src/Findings/StellaOps.Findings.Ledger` (event API, projector, migrations, crypto hashing).
- Ledger storage schemas, Merkle anchoring jobs, retention policies, and replay tooling.
- Projection pipeline writing `findings_projection` collections/tables consumed by Vuln Explorer API and Console.
- Collaboration with Concelier, Excitor, SBOM Service, Policy Engine, Scheduler, Authority, and DevOps for evidence feeds and policy events.
Principles
- Immutability – Ledger events are append-only, hashed, and chained; projections derive from ledger plus policy inputs.
- Determinism – Replaying the same event stream yields identical projections and bundle outputs; hashing uses canonical JSON.
- Tenant isolation – Separate namespaces per tenant in storage, queue, and Merkle anchoring artefacts.
- AOC alignment – Ledger records workflow only; evidence remains in Concelier/Excitor/SBOM stores; no mutation of source facts.
- Auditability – Provide verifiable hashes, Merkle roots, and replay tooling for auditors.
Collaboration
- Keep `src/Findings/StellaOps.Findings.Ledger/TASKS.md` and `/docs/implplan/SPRINT_*.md` synchronized.
- Publish schema docs, migrators, and replay scripts; coordinate with Vuln Explorer API on projection contracts.
- Notify DevOps/Docs when Merkle root anchoring cadence or format changes.
Tooling
- .NET 10 preview minimal API/background services.
- PostgreSQL for ledger + projection tables with JSONB support.
- Hashing utilities (SHA-256, Merkle tree), KMS integration for evidence bundle signing metadata.
Definition of Done
- Ledger endpoints and projector pass unit/integration/property tests.
- Hash chains verified in CI; Merkle root anchoring automated.
- Telemetry (latency, backlog, anchor success) wired with dashboards.
- Docs/runbooks updated with compliance checklist.
Required Reading
- `docs/modules/vuln-explorer/architecture.md`
- `docs/modules/platform/architecture-overview.md`
Working Agreement
- Update task status to `DOING`/`DONE` in both the corresponding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
- Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.