stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
8b1fe49f3599bd0cd232a9b46a3e033f33f10252
git.stella-ops.org/docs/modules/tools/architecture.md

9.5 KiB
Raw Blame History

Developer Tools Architecture

Standalone CLI utilities for development, testing, and CI support workflows.

Overview

The Tools directory contains a set of independent CLI applications, each with its own Program.cs entry point. These tools are not deployed as services -- they are invoked locally by developers or executed in CI pipelines. Each tool is narrowly scoped to a single responsibility, from fixture management to workflow generation.

Components

src/Tools/
  FixtureUpdater/           # Golden fixture refresh from live APIs
    Program.cs
  GoldenPairs/              # SBOM/advisory corpus management
    Program.cs
  PolicyDslValidator/       # Policy DSL file validation
    Program.cs
  PolicySchemaExporter/     # JSON schema export for IDE support
    Program.cs
  PolicySimulationSmoke/    # Policy simulation smoke tests
    Program.cs
  LanguageAnalyzerSmoke/    # Language detection accuracy tests
    Program.cs
  RustFsMigrator/           # RustFS data migration between schema versions
    Program.cs
  WorkflowGenerator/        # CI workflow generation (F# DSL)
    Program.fs
  StellaOps.Bench/          # Performance benchmarks (absorbed from src/Bench/)
    LinkNotMerge/            #   Link-not-merge linkset benchmarks
    LinkNotMerge.Vex/        #   VEX-enriched linkset benchmarks
    Notify/                  #   Notification pipeline benchmarks
    PolicyEngine/            #   Policy engine evaluation benchmarks
    Scanner.Analyzers/       #   Language analyzer benchmarks
    Determinism/             #   Determinism fixture inputs/configs
    Graph/                   #   Graph benchmark scenarios and results
  StellaOps.Verifier/       # Standalone offline bundle verifier (absorbed from src/Verifier/)
    __Tests/
  StellaOps.Sdk.Generator/  # Multi-language SDK code generation (absorbed from src/Sdk/)
    go/  java/  python/  ts/
    postprocess/
  StellaOps.Sdk.Release/    # SDK release automation (absorbed from src/Sdk/)
  StellaOps.DevPortal.Site/  # Developer portal static site (absorbed from src/DevPortal/)
    src/  public/  scripts/
tests/supply-chain/         # Deterministic supply-chain hardening lanes
  01-jcs-property/
  02-schema-fuzz/
  03-rekor-neg/
  04-big-dsse-referrers/
  05-corpus/

Tool Descriptions

FixtureUpdater

Pulls latest test data from running Stella Ops services and updates frozen golden fixtures deterministically. Ensures test suites use realistic, version-controlled data without manual fixture authoring.

GoldenPairs

Manages SBOM/advisory pairs used for testing. Provides version tracking and diff tools for the test corpus, ensuring changes to upstream advisory formats are detected and accommodated.

PolicyDslValidator

Validates policy DSL files against the current schema. Used in CI gates to catch policy syntax errors before merge.

PolicySchemaExporter

Exports the Policy DSL schema to JSON format for documentation and IDE autocomplete support. Enables policy authors to get inline validation and completion in their editors.

PolicySimulationSmoke

Runs end-to-end policy simulation smoke tests against a configured Policy Engine instance. Validates that policy evaluation produces expected verdicts for a known set of inputs.

LanguageAnalyzerSmoke

Tests the language analyzer's detection accuracy against a curated set of source files. Reports precision and recall metrics for supported languages.

RustFsMigrator

Migrates data stored in RustFS (S3-compatible object storage) between schema versions. Handles object key transformations and metadata updates required during platform upgrades.

WorkflowGenerator

Generates GitHub Actions and .NET test workflow definitions from an F# DSL. Ensures CI workflow files are consistent, auditable, and derived from a single source of truth rather than hand-edited YAML.

StellaOps.Bench (Performance Benchmarks)

Collected from the former src/Bench/ directory. Contains performance benchmarks for multiple subsystems:

  • LinkNotMerge -- Benchmarks for linkset aggregation and link-not-merge scenario execution, with baseline tracking and Prometheus-compatible metrics export.
  • LinkNotMerge.Vex -- VEX-enriched variant of link-not-merge benchmarks.
  • Notify -- Benchmarks for the notification pipeline against StellaOps.Notify.Models.
  • PolicyEngine -- Benchmarks for policy engine evaluation against StellaOps.Policy.
  • Scanner.Analyzers -- Benchmarks for language analyzers (Node, Go, Java, Python, .NET, Bun) against StellaOps.Scanner.Analyzers.Lang.*.
  • Determinism -- Frozen fixture inputs and configurations for deterministic benchmark reproducibility.

Each benchmark subproject can be published as an independent dotnet tool.

StellaOps.Verifier (Standalone Bundle Verifier)

Absorbed from the former src/Verifier/ directory. A standalone CLI tool for offline verification of Stella Ops evidence bundles in air-gapped environments. Publishes as a single-file, self-contained executable (stella-verifier) targeting multiple RIDs: win-x64, linux-x64, linux-musl-x64, osx-x64, osx-arm64. Has no framework dependencies -- designed for minimal footprint in restricted environments.

StellaOps.Sdk.Generator (SDK Code Generation)

Absorbed from the former src/Sdk/StellaOps.Sdk.Generator/ directory. Generates typed SDK clients for Go, Java, Python, and TypeScript from the Stella Ops OpenAPI specification. Includes per-language config.yaml, generation scripts, postprocessing templates, and deterministic toolchain lockfile (toolchain.lock.yaml).

StellaOps.Sdk.Release (SDK Release Automation)

Absorbed from the former src/Sdk/StellaOps.Sdk.Release/ directory. Automates the release pipeline for generated SDK packages.

StellaOps.DevPortal.Site (Developer Portal)

Absorbed from the former src/DevPortal/ directory. An Astro-based static site providing interactive API documentation, SDK quickstarts, code examples, and a "Try It" console backed by RapiDoc. Includes offline build support (build-offline.mjs), link checking, accessibility audits, and performance checks. Not a .NET project -- uses Node.js/npm.

Supply-Chain Hardening Suite

Deterministic multi-lane harness validating canonicalization invariants, mutation-fuzz crash resistance, Rekor negative-path diagnostics, and oversized DSSE/referrer reject behavior.

Data Flow

Tools are consumers and producers of artifacts:

  1. FixtureUpdater and GoldenPairs pull data from live services or local corpora and write deterministic fixture files to the repository.
  2. PolicyDslValidator and PolicySchemaExporter read policy definitions and produce validation results or schema files.
  3. PolicySimulationSmoke and LanguageAnalyzerSmoke execute tests against upstream services/libraries and produce pass/fail reports.
  4. RustFsMigrator reads from and writes to S3-compatible storage.
  5. WorkflowGenerator reads F# DSL definitions and writes CI workflow YAML files.
  6. Supply-chain hardening suite reads frozen corpus fixtures, executes deterministic lanes, and emits replay-ready artifacts for CI and local triage.
  7. StellaOps.Bench reads frozen inputs (SBOMs, VEX, graphs) and produces benchmark reports with latency/throughput metrics.
  8. StellaOps.Verifier reads evidence bundles from disk and produces pass/fail verification results for offline audit.
  9. StellaOps.Sdk.Generator reads the OpenAPI spec and produces typed SDK source code for Go, Java, Python, and TypeScript.
  10. StellaOps.DevPortal.Site reads the OpenAPI spec and SDK documentation, producing a static developer portal site.

Database Schema

Not applicable. Tools are CLI utilities with no persistent database.

Endpoints

Not applicable. Tools are client-side CLI applications with no HTTP endpoints.

Dependencies

Library/Tool Purpose
Policy Engine libs Policy DSL parsing, schema definitions
Scanner libs Language analyzer, SBOM processing
F# compiler WorkflowGenerator DSL compilation
DotNet.Glob File pattern matching in fixture tools
AWS SDK (S3) RustFsMigrator object storage access
StellaOps.Policy Bench.PolicyEngine benchmark target
StellaOps.Scanner.Analyzers.Lang.* Bench.ScannerAnalyzers benchmark targets
StellaOps.Notify.Models Bench.Notify benchmark target
StellaOps.TestKit Shared test infrastructure for benchmark tests
System.CommandLine Verifier CLI argument parsing
Astro + Starlight DevPortal static site generation
openapi-generator-cli Sdk.Generator multi-language code generation

Security Considerations

  • No network listeners: Tools do not expose HTTP endpoints or accept inbound connections.
  • Credential handling: Tools that connect to live services (FixtureUpdater, PolicySimulationSmoke) use the same Authority-issued tokens as other Stella Ops services. Credentials are never embedded in tool binaries or fixture files.
  • Deterministic output: FixtureUpdater and GoldenPairs produce deterministic output to ensure reproducible test runs and prevent fixture drift.
  • CI isolation: Tools run in isolated CI containers with scoped permissions; they do not have access to production secrets.