stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
55464f84984ae579eca18456874ba5ccac6ccf29
git.stella-ops.org/docs/aoc/aoc-guardrails.md
root 68da90a11a
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Restructure solution layout by module
2025-10-28 15:10:40 +02:00

1.3 KiB
Raw Blame History

Aggregation-Only Contract (AOC) Guardrails

The Aggregation-Only Contract keeps ingestion services deterministic and policy-neutral. Use these checkpoints whenever you add or modify backlog items:

  1. Ingestion writes raw facts only. Concelier and Excititor append immutable observations/linksets. No precedence, severity, suppression, or "safe fix" hints may be computed at ingest time.
  2. Derived semantics live elsewhere. Policy Engine overlays, Vuln Explorer composition, and downstream reporting layers attach severity, precedence, policy verdicts, and UI hints.
  3. Provenance is mandatory. Every ingestion write must include original source metadata, digests, and signing/provenance evidence when available. Reject writes lacking provenance.
  4. Deterministic outputs. Given the same inputs, ingestion must produce identical documents, hashes, and event payloads across reruns.
  5. Guardrails everywhere. Roslyn analyzers, schema validators, and CI smoke tests should fail builds that attempt forbidden writes.

For detailed roles and ownership boundaries, see AGENTS.md at the repo root and the module-specific ARCHITECTURE_*.md dossiers.

Need the full contract? Read the Aggregation-Only Contract reference for schemas, error codes, and migration guidance.