git.stella-ops.org/src/Graph/StellaOps.Graph.Indexer/AGENTS.md
master b1e78fe412
feat: Implement vulnerability token signing and verification utilities
- Added VulnTokenSigner for signing JWT tokens with specified algorithms and keys.
- Introduced VulnTokenUtilities for resolving tenant and subject claims, and sanitizing context dictionaries.
- Created VulnTokenVerificationUtilities for parsing tokens, verifying signatures, and deserializing payloads.
- Developed VulnWorkflowAntiForgeryTokenIssuer for issuing anti-forgery tokens with configurable options.
- Implemented VulnWorkflowAntiForgeryTokenVerifier for verifying anti-forgery tokens and validating payloads.
- Added AuthorityVulnerabilityExplorerOptions to manage configuration for vulnerability explorer features.
- Included tests for FilesystemPackRunDispatcher to ensure proper job handling under egress policy restrictions.
2025-11-03 10:04:10 +02:00


Graph Indexer Guild Charter (Epic 5)

Mission

Project SBOM, advisory, VEX, and policy overlay data into a tenant-scoped property graph powering the SBOM Graph Explorer. Own ingestion pipelines, node/edge storage, aggregates, clustering, and snapshot lineage.

Scope

  • Service source under src/Graph/StellaOps.Graph.Indexer (workers, ingestion pipelines, schema builders).
  • Mongo collections/object storage for graph_nodes, graph_edges, graph_snapshots, clustering metadata.
  • Event consumers: SBOM ingest, Conseiller advisories, Excitor VEX, Policy overlay materials.
  • Incremental rebuild, diff, and cache warmers for graph overlays.

Principles

  1. Immutability: Graph mirrors SBOM snapshots; new data creates new snapshots rather than mutating historical records.
  2. Determinism: Given identical inputs, node/edge ids, hashes, and aggregates remain stable across runs.
  3. Tenant isolation: Enforce isolation at ingestion, storage, and job levels; no cross-tenant leakage.
  4. AOC alignment: Indexer links facts; it never mutates advisories/VEX/policy outcomes. Conseiller/Excitor/Policy Engine remain authoritative.
  5. Performance & telemetry: Every job emits metrics (latency, node/edge counts, queue lag) and structured logs.
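The first three principles (immutable snapshots, deterministic ids, tenant isolation) are easiest to get wrong at the point where node and edge identifiers are minted. The following is an added illustration written for this charter, not code from the StellaOps.Graph.Indexer service: it derives ids by hashing a canonical, tenant-prefixed string (so attribute insertion order cannot change the id and two tenants never share one), and models a snapshot as an immutable record whose successor carries a parent pointer instead of mutating the original. The id format, the `GraphIds`/`GraphSnapshot` names and the attribute keys are assumptions; the APIs used (`SHA256.HashData`, `Convert.ToHexString`, `ImmutableSortedSet`) exist in .NET 6 and later.

```csharp
// Added example for the Graph Indexer charter; not project code.
// Assumes .NET 6+ (SHA256.HashData, Convert.ToHexString) and System.Collections.Immutable.
using System;
using System.Collections.Generic;
using System.Collections.Immutable;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class GraphIds
{
    // Canonical form: tenant|kind|k1=v1|k2=v2 with keys sorted ordinally and
    // the separator characters escaped, so the same facts always hash the same way.
    public static string Canonical(string tenant, string kind, IReadOnlyDictionary<string, string> attrs)
    {
        var sb = new StringBuilder();
        sb.Append(Escape(tenant)).Append('|').Append(Escape(kind));
        foreach (var kv in attrs.OrderBy(p => p.Key, StringComparer.Ordinal))
            sb.Append('|').Append(Escape(kv.Key)).Append('=').Append(Escape(kv.Value));
        return sb.ToString();
    }

    private static string Escape(string s) =>
        s.Replace("\\", "\\\\").Replace("|", "\\|").Replace("=", "\\=");

    // Node id = kind + SHA-256 of the canonical string. The tenant is part of the
    // hashed input, so identical components in two tenants get different ids.
    public static string NodeId(string tenant, string kind, IReadOnlyDictionary<string, string> attrs)
    {
        byte[] hash = SHA256.HashData(Encoding.UTF8.GetBytes(Canonical(tenant, kind, attrs)));
        return $"{kind}:{Convert.ToHexString(hash).ToLowerInvariant()}";
    }

    // Edge ids are derived the same way from (relation, from, to), so re-ingesting
    // the same SBOM yields the same edge ids and no duplicate edges.
    public static string EdgeId(string tenant, string relation, string fromId, string toId) =>
        NodeId(tenant, "edge", new Dictionary<string, string>
        {
            ["rel"] = relation, ["from"] = fromId, ["to"] = toId
        });
}

// Immutable snapshot: a new ingestion produces a child snapshot that points at its
// parent; the parent record is never modified, preserving lineage.
public sealed record GraphSnapshot(
    string Tenant,
    string? ParentId,
    ImmutableSortedSet<string> NodeIds,
    ImmutableSortedSet<string> EdgeIds)
{
    public string Id { get; } = ComputeId(Tenant, ParentId, NodeIds, EdgeIds);

    private static string ComputeId(string tenant, string? parent,
        IEnumerable<string> nodes, IEnumerable<string> edges)
    {
        // Sorted sets give a stable order, so the snapshot hash is deterministic.
        string body = $"{tenant}|{parent ?? "-"}|{string.Join(",", nodes)}|{string.Join(",", edges)}";
        return "snap:" + Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(body))).ToLowerInvariant();
    }

    public GraphSnapshot WithAdded(IEnumerable<string> nodeIds, IEnumerable<string> edgeIds) =>
        new(Tenant, Id, NodeIds.Union(nodeIds), EdgeIds.Union(edgeIds));
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample facts: the same package seen with attributes in two orders.
        var a = new Dictionary<string, string> { ["purl"] = "pkg:npm/lodash@4.17.21", ["name"] = "lodash" };
        var b = new Dictionary<string, string> { ["name"] = "lodash", ["purl"] = "pkg:npm/lodash@4.17.21" };

        string idT1 = GraphIds.NodeId("tenant-a", "component", a);
        Console.WriteLine(idT1 == GraphIds.NodeId("tenant-a", "component", b)); // True: order-independent
        Console.WriteLine(idT1 == GraphIds.NodeId("tenant-b", "component", a)); // False: tenant-scoped

        var sbomId = GraphIds.NodeId("tenant-a", "sbom", new Dictionary<string, string> { ["digest"] = "sha256:deadbeef" });
        var edge = GraphIds.EdgeId("tenant-a", "contains", sbomId, idT1);

        var root = new GraphSnapshot("tenant-a", null,
            ImmutableSortedSet.Create(sbomId), ImmutableSortedSet<string>.Empty);
        var next = root.WithAdded(new[] { idT1 }, new[] { edge });

        Console.WriteLine(next.ParentId == root.Id);   // True: lineage preserved
        Console.WriteLine(root.NodeIds.Count);         // 1: the parent was not mutated
        Console.WriteLine(next.NodeIds.Count);         // 2
    }
}
```

Two design choices matter for the charter's goals. Hashing a canonical string rather than a serializer's default output keeps ids stable across library upgrades and field-order changes, which is what "stable across runs" requires in practice. Putting the tenant inside the hashed input (not just in a storage prefix) means an id can never be reused across tenants even if a query forgets a tenant filter, which is a cheap second line of defence for the isolation principle.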

Collaboration

  • Keep src/Graph/StellaOps.Graph.Indexer/TASKS.md and ../../docs/implplan/SPRINTS.md synchronized.
  • Coordinate with SBOM Service, Policy Engine, Conseiller, Excitor, Scheduler, Web Gateway, and Console teams.
  • Publish schema docs and fixtures for clients; share cost/identity conventions across services.

Tooling

  • .NET 10 preview workers (HostedService + channel pipelines).
  • MongoDB for node/edge storage; S3-compatible buckets for layout tiles/snapshots if needed.
  • Scheduler integration (jobs, change streams) to handle incremental updates.

Definition of Done

  • Pipelines deterministic and tested; fixtures validated.
  • Metrics/logs/traces wired with tenant context.
  • Schema docs + OpenAPI (where applicable) updated; compliance checklist appended.
  • Offline kit includes seed data for air-gapped installs.

Required Reading

  • docs/modules/graph/architecture.md
  • docs/modules/platform/architecture-overview.md

Working Agreement

    1. Update task status to DOING/DONE in both docs/implplan/SPRINTS.md and the local TASKS.md when you start or finish work.
    2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
    3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
    4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
    5. Revert to TODO if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.