stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
7600caea632e9e44571bc1661003948a5e1d22fb
git.stella-ops.org/docs/task-packs/authoring-guide.md
root 68da90a11a
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Restructure solution layout by module
2025-10-28 15:10:40 +02:00

209 lines
7.3 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
# Task Pack Authoring Guide
This guide teaches engineers how to design, validate, and publish Task Packs that align with the Sprint43 specification. Follow these steps to ensure deterministic behaviour, secure approvals, and smooth hand-off to operators.
---
## 1·Prerequisites
- StellaOps CLI `>= 2025.10.0` with pack commands enabled.
- Authority client configured with `Packs.Write` (publish) and `Packs.Run` (local testing) scopes.
- Access to Task Runner staging environment for validation runs.
- Familiarity with the [Task Pack Specification](spec.md) and [Packs Registry](registry.md).
- Optional: connection to DevOps staging registry or Offline Kit mirror for publishing.
---
## 2·Design Checklist
1. **Define objective.** Document the operational need, inputs, expected outputs, and rollback strategy.
2. **Identify approvals.** Determine which scopes/roles must sign off (`Packs.Approve` assignments).
3. **Plan security posture.** Limit secrets usage, set tenant visibility, and note network constraints (sealed mode).
4. **Model observability.** Decide which metrics, logs, and evidence artifacts are critical for post-run audits.
5. **Reuse libraries.** Prefer built-in modules or shared pack fragments to reduce drift.
Capture the above in `docs/summary.md` (optional but recommended) for future maintainers.
---
## 3·Authoring Workflow
### 3.1 Scaffold project
```bash
mkdir my-pack
cd my-pack
stella pack init --name sbom-remediation
```
`stella pack init` creates baseline files:
- `pack.yaml` with metadata placeholders.
- `schemas/inputs.schema.json` (sample).
- `docs/usage.md` (template for human instructions).
- `.packignore` to exclude build artifacts.
### 3.2 Define inputs & schemas
- Use JSON Schema (`draft-2020-12`) for input validation.
- Avoid optional inputs unless there is a deterministic default.
- Store schemas under `schemas/` and reference via relative paths.
### 3.3 Compose steps
- Break workflow into small deterministic steps.
- Name each step with stable `id`.
- Wrap scripts/tools using built-in modules; copy scripts to `assets/` if necessary.
- Use `when` expressions for branch logic; ensure expressions rely solely on inputs or previous outputs.
- For loops, adopt `map` with capped iteration count; avoid data-dependent randomness.
### 3.4 Configure approvals
- Add `spec.approvals` entries for each required review.
- Provide informative `reasonTemplate` with placeholders.
- Set `expiresAfter` to match operational policy (e.g., 4h for security reviews).
- Document fallback contacts in `docs/runbook.md`.
### 3.5 Manage secrets
- Declare secrets under `spec.secrets`.
- Reference secrets via expressions (e.g., `{{ secrets.jiraToken.value }}`) inside modules that support secure injection.
- Never bake secrets or tokens into pack assets.
- If secret optional, set `optional: true` and handle absence in step logic.
### 3.6 Document outputs
- List expected artifacts under `spec.outputs`.
- Include human-friendly docs (Markdown) describing each output and how to access it through CLI or Console.
---
## 4·Validation
### 4.1 Static validation
```bash
stella pack validate
```
Checks performed:
- Schema compliance (YAML, JSON Schema).
- Determinism guard (forbidden functions, clock usage, network allowlist).
- Reference integrity (assets, schemas, documentation).
- Approval/secret scope availability.
### 4.2 Simulation & plan hash
```bash
stella pack plan --inputs samples/inputs.json --output .artifacts/plan.json
stella pack simulate --inputs samples/inputs.json --output .artifacts/sim.json
```
- Review plan graph to ensure step ordering and gating align with expectations.
- Store simulation output with pack metadata for future audits.
### 4.3 Local rehearsal
```bash
stella pack run \
--inputs samples/inputs.json \
--secrets jiraToken=@secrets/jira.txt \
--dry-run
```
- Use `--dry-run` to verify approvals and outputs without side effects.
- Real runs require `Packs.Run` and all approval gates satisfied (e.g., via CLI prompts or Console).
### 4.4 Unit tests (optional but encouraged)
- Create a `tests/` folder with CLI-driven regression scripts (e.g., using `stella pack plan` + `jq` assertions).
- Integrate into CI pipelines; ensure tests run offline using cached assets.
---
## 5·Publishing
### 5.1 Build bundle
```bash
stella pack build \
--output dist/sbom-remediation-1.3.0.stella-pack.tgz \
--manifest pack.yaml
```
### 5.2 Sign bundle
```bash
cosign sign-blob \
--yes \
--output-signature dist/sbom-remediation-1.3.0.sig \
dist/sbom-remediation-1.3.0.stella-pack.tgz
```
Store signature alongside bundle; DSSE optional but recommended (see [security guidance](../security/pack-signing-and-rbac.md)).
### 5.3 Publish to registry
```bash
stella pack push \
registry.stella-ops.org/packs/sbom-remediation:1.3.0 \
--bundle dist/sbom-remediation-1.3.0.stella-pack.tgz \
--signature dist/sbom-remediation-1.3.0.sig
```
Registry verifies signature, stores provenance, and updates index.
### 5.4 Offline distribution
- Export bundle + signature + provenance into Offline Kit using `stella pack bundle export`.
- Update mirror manifest (`manifest/offline-manifest.json`) with new pack entries.
---
## 6·Versioning & Compatibility
- Follow SemVer (increment major when breaking schema/behaviour).
- Document compatibility in `docs/compatibility.md` (recommended).
- Registry retains immutable history; use `metadata.deprecated: true` to indicate retirement.
---
## 7·Best Practices
- **Keep steps idempotent.** Support manual retries without side effects.
- **Surface evidence early.** Export intermediate artifacts (plans, logs) for operators.
- **Localize messages.** Provide `locales/en-US.json` for CLI/Console strings (Sprint43 requirement).
- **Avoid long-running commands.** Split heavy tasks into smaller steps with progress telemetry.
- **Guard network usage.** Use `when: "{{ env.isSealed }}"` to block disallowed network operations or provide offline instructions.
- **Document fallbacks.** Include manual recovery instructions in `docs/runbook.md`.
---
## 8·Hand-off & Review
- Submit PR including pack bundle metadata, docs, and validation evidence.
- Request review from Task Runner + Security + DevOps stakeholders.
- Attach `stella pack plan` output and signature digest to review notes.
- After approval, update change log (`docs/CHANGELOG.md`) and notify Task Runner operations.
---
## 9·Compliance Checklist
- [ ] Metadata, inputs, steps, approvals, secrets, and outputs defined per spec.
- [ ] Schemas provided for all object inputs and outputs.
- [ ] Determinism validation (`stella pack validate`) executed with evidence stored.
- [ ] Plan + simulation artifacts committed in `.artifacts/` or CI evidence store.
- [ ] Bundle signed (cosign/DSSE) and signature recorded.
- [ ] Runbook and troubleshooting notes documented.
- [ ] Offline distribution steps prepared (bundle export + manifest update).
- [ ] Imposed rule reminder retained at top.
---
*Last updated: 2025-10-27 (Sprint43).*
Reference in New Issue View Git Blame Copy Permalink