- Added VulnTokenSigner for signing JWT tokens with specified algorithms and keys.
- Introduced VulnTokenUtilities for resolving tenant and subject claims, and sanitizing context dictionaries.
- Created VulnTokenVerificationUtilities for parsing tokens, verifying signatures, and deserializing payloads.
- Developed VulnWorkflowAntiForgeryTokenIssuer for issuing anti-forgery tokens with configurable options.
- Implemented VulnWorkflowAntiForgeryTokenVerifier for verifying anti-forgery tokens and validating payloads.
- Added AuthorityVulnerabilityExplorerOptions to manage configuration for vulnerability explorer features.
- Included tests for FilesystemPackRunDispatcher to ensure proper job handling under egress policy restrictions.
45 lines
2.8 KiB
Markdown
# Graph Indexer Guild Charter (Epic 5)
## Mission
Project SBOM, advisory, VEX, and policy overlay data into a tenant-scoped property graph powering the SBOM Graph Explorer. Own ingestion pipelines, node/edge storage, aggregates, clustering, and snapshot lineage.
## Scope
- Service source under `src/Graph/StellaOps.Graph.Indexer` (workers, ingestion pipelines, schema builders).
- Mongo collections/object storage for `graph_nodes`, `graph_edges`, `graph_snapshots`, clustering metadata.
- Event consumers: SBOM ingest, Conseiller advisories, Excitor VEX, Policy overlay materials.
- Incremental rebuild, diff, and cache warmers for graph overlays.
## Principles
1. **Immutability** – Graph mirrors SBOM snapshots; new data creates new snapshots rather than mutating historical records.
2. **Determinism** – Given identical inputs, node/edge ids, hashes, and aggregates remain stable across runs.
3. **Tenant isolation** – Enforce isolation at ingestion, storage, and job levels; no cross-tenant leakage.
4. **AOC alignment** – Indexer links facts; it never mutates advisories/VEX/policy outcomes. Conseiller/Excitor/Policy Engine remain authoritative.
5. **Performance & telemetry** – Every job emits metrics (latency, node/edge counts, queue lag) and structured logs.
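To make the Immutability, Determinism and Tenant isolation principles concrete, the following is an added Python sketch (not the Graph Indexer's own code, which is .NET) of tenant-scoped, order-independent node/edge ids and a pure snapshot builder whose digest depends only on its inputs; the component and advisory records are constructed sample data, and the `affected_by` relation and `severity` field are assumptions for illustration.

```python
import hashlib
import json

def canonical_json(obj) -> bytes:
    # Stable serialization: sorted keys at every level, no whitespace.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")

def _digest(*parts: bytes) -> str:
    # Length-prefix each part so "a"+"bc" and "ab"+"c" never hash alike.
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.hexdigest()

def node_id(tenant: str, kind: str, key: dict) -> str:
    # Tenant is part of the hashed identity: the same purl indexed for two
    # tenants yields two distinct node ids, so isolation holds at the id level.
    return f"{kind}:{_digest(b'node', tenant.encode(), kind.encode(), canonical_json(key))[:32]}"

def edge_id(tenant: str, relation: str, src: str, dst: str) -> str:
    return f"{relation}:{_digest(b'edge', tenant.encode(), relation.encode(), src.encode(), dst.encode())[:32]}"

def build_snapshot(tenant: str, components: list, advisories: list) -> dict:
    # Pure function: identical inputs, in any order, give an identical snapshot.
    nodes, edges = {}, {}
    for comp in components:
        cid = node_id(tenant, "component", {"purl": comp["purl"]})
        nodes[cid] = {"kind": "component", "purl": comp["purl"]}
    for adv in advisories:
        aid = node_id(tenant, "advisory", {"id": adv["id"]})
        # The advisory is linked as a fact; its fields are copied, never rewritten.
        nodes[aid] = {"kind": "advisory", "id": adv["id"], "severity": adv["severity"]}
        for purl in adv["affects"]:
            cid = node_id(tenant, "component", {"purl": purl})
            if cid not in nodes:
                continue  # advisory names a component absent from this SBOM
            eid = edge_id(tenant, "affected_by", cid, aid)
            edges[eid] = {"relation": "affected_by", "src": cid, "dst": aid}
    body = {"tenant": tenant, "nodes": nodes, "edges": edges}
    # canonical_json sorts every level, so insertion order cannot leak into the digest.
    snapshot_hash = _digest(canonical_json(body))
    return {"snapshot_id": f"snap:{snapshot_hash[:32]}",
            "node_count": len(nodes), "edge_count": len(edges), **body}

# Constructed sample input (not real data): two components, one advisory.
COMPONENTS = [{"purl": "pkg:npm/lodash@4.17.20"}, {"purl": "pkg:npm/express@4.18.2"}]
ADVISORIES = [{"id": "ADV-EXAMPLE-0001", "severity": "high",
               "affects": ["pkg:npm/lodash@4.17.20", "pkg:npm/unlisted@1.0.0"]}]
```

Because `build_snapshot` never mutates an earlier result, adding an advisory produces a new snapshot id while the previous snapshot can be recomputed byte-for-byte, which is what a snapshot lineage test should assert.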
## Collaboration
- Keep `src/Graph/StellaOps.Graph.Indexer/TASKS.md`, `../../docs/implplan/SPRINTS.md` synchronized.
- Coordinate with SBOM Service, Policy Engine, Conseiller, Excitor, Scheduler, Web Gateway, and Console teams.
- Publish schema docs and fixtures for clients; share cost/identity conventions across services.
## Tooling
- .NET 10 preview workers (HostedService + channel pipelines).
- MongoDB for node/edge storage; S3-compatible buckets for layout tiles/snapshots if needed.
- Scheduler integration (jobs, change streams) to handle incremental updates.
## Definition of Done
- Pipelines deterministic and tested; fixtures validated.
- Metrics/logs/traces wired with tenant context.
- Schema docs + OpenAPI (where applicable) updated; compliance checklist appended.
- Offline kit includes seed data for air-gapped installs.
## Required Reading
- `docs/modules/graph/architecture.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.