git.stella-ops.org/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/AGENTS.md
master 90c244948a Update AGENTS.md files across multiple modules to standardize task status update instructions and introduce a new document for Secret Leak Detection operations.
- Modified task status update instructions in AGENTS.md files to refer to corresponding sprint files as `/docs/implplan/SPRINT_*.md` instead of `docs/implplan/SPRINTS.md`.
- Added a comprehensive document for Secret Leak Detection operations detailing scope, prerequisites, rule bundle lifecycle, enabling the analyzer, policy patterns, observability, troubleshooting, and references.
2025-11-05 11:58:32 +02:00


StellaOps.Scanner.Analyzers.Lang.DotNet — Agent Charter

Role

Create the .NET analyzer plug-in that inspects *.deps.json, runtimeconfig.json, assemblies, and RID-specific assets to deliver accurate NuGet components with signing metadata.

Scope

  • Parse dependency graphs from *.deps.json and merge with runtimeconfig.json and bundle manifests.
  • Capture assembly metadata (strong name, file version, Authenticode) and correlate with packages.
  • Handle RID-specific asset selection, self-contained apps, and crossgen/native dependency hints.
  • Package plug-in manifest, determinism fixtures, benchmarks, and Offline Kit documentation.

Out of Scope

  • Policy evaluation or Signer integration (handled elsewhere).
  • Native dependency resolution outside RID mapping.
  • Windows-specific MSI/SxS analyzers (covered by native analyzer roadmap).

Expectations

  • Performance target: multi-target app fixture <1.2s, memory <250MB.
  • Deterministic RID collapsing to reduce component duplication by ≥40% vs naive approach.
  • Offline-first; support air-gapped strong-name/Authenticode validation using cached root store.
  • Rich telemetry (components per RID, strong-name validations) conforming to Scanner metrics.
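
One way to read the Scope item on parsing *.deps.json together with the deterministic RID collapsing expectation above, as an added example (Python for brevity, not the analyzer's own code): every target and RID entry of a package is merged into a single component with sorted RID and asset lists. The sample document, the package names and the `collapse_rid_components` and `analyze` helpers are constructed for illustration, and the collapsing rule itself is an assumption, since the charter does not define one.

```python
import json

# Constructed sample, trimmed to the deps.json fields this example reads.
SAMPLE_DEPS_JSON = """{
  "targets": {
    ".NETCoreApp,Version=v8.0": {
      "App/1.0.0": {"runtime": {"App.dll": {}}},
      "Example.Json/13.0.1": {"runtime": {"lib/net6.0/Example.Json.dll": {}}},
      "Example.Native/2.1.0": {"runtimeTargets": {
        "runtimes/win-x64/native/ex.dll": {"rid": "win-x64", "assetType": "native"},
        "runtimes/linux-musl-x64/native/libex.so": {"rid": "linux-musl-x64", "assetType": "native"}}}},
    ".NETCoreApp,Version=v8.0/linux-musl-x64": {
      "Example.Native/2.1.0": {"native": {"runtimes/linux-musl-x64/native/libex.so": {}}}}},
  "libraries": {
    "App/1.0.0": {"type": "project", "sha512": ""},
    "Example.Json/13.0.1": {"type": "package", "sha512": "sha512-CONSTRUCTED-A"},
    "Example.Native/2.1.0": {"type": "package", "sha512": "sha512-CONSTRUCTED-B"}}
}"""

def collapse_rid_components(deps):
    """Return (naive_count, components) with one component per package/version."""
    libraries, merged, naive = deps.get("libraries", {}), {}, 0
    for target, entries in deps.get("targets", {}).items():
        # A RID-specific (self-contained) target is named "<framework>/<rid>".
        target_rid = target.split("/", 1)[1] if "/" in target else None
        for key, entry in entries.items():
            if libraries.get(key, {}).get("type") != "package":
                continue  # non-package entries (e.g. the app's own project) are skipped
            rids = {a["rid"] for a in entry.get("runtimeTargets", {}).values() if a.get("rid")}
            if target_rid:
                rids.add(target_rid)
            naive += len(rids) or 1  # naive: one component per target and RID
            slot = merged.setdefault(key, {"rids": set(), "assets": set()})
            slot["rids"] |= rids
            for group in ("runtime", "native", "runtimeTargets"):
                slot["assets"].update(entry.get(group, {}))
    components = []
    for key in sorted(merged, key=lambda k: (k.lower(), k)):  # stable output order
        name, version = key.rsplit("/", 1)
        components.append({"purl": f"pkg:nuget/{name}@{version}",
                           "sha512": libraries[key].get("sha512", ""),
                           "rids": sorted(merged[key]["rids"]),
                           "assets": sorted(merged[key]["assets"])})
    return naive, components

def analyze(text=SAMPLE_DEPS_JSON):
    return collapse_rid_components(json.loads(text))
```

Because RIDs and asset paths are held in sets and sorted only on output, reordering targets or entries in the input yields the same component list, which is what a golden-output fixture needs.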

Dependencies

  • Shared language analyzer infrastructure; Worker dispatcher; optional security key store for signature verification.

Testing & Artifacts

  • Fixtures for framework-dependent and self-contained apps (linux-musl, win-x64).
  • Golden outputs capturing signature metadata and RID grouping.
  • Benchmark comparing analyzer fidelity vs market competitors.

Required Reading

  • docs/modules/scanner/architecture.md
  • docs/modules/platform/architecture-overview.md

Working Agreement

    1. Update task status to DOING/DONE in both the corresponding sprint file /docs/implplan/SPRINT_*.md and the local TASKS.md when you start or finish work.
    2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
    3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
    4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
    5. Revert to TODO if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.