c2c6b58b41
- Introduced a new document for promotion-time attestations, detailing the purpose, predicate schema, producer workflow, verification flow, APIs, and security considerations. - Implemented the `stella.ops/promotion@v1` predicate schema to capture promotion evidence including image digest, SBOM/VEX artifacts, and Rekor proof. - Defined producer responsibilities and workflows for CLI orchestration, signer responsibilities, and Export Center integration. - Added verification steps for auditors to validate promotion attestations offline. feat: Create Symbol Manifest v1 Specification - Developed a specification for Symbol Manifest v1 to provide a deterministic format for publishing debug symbols and source maps. - Defined the manifest structure, including schema, entries, source maps, toolchain, and provenance. - Outlined upload and verification processes, resolve APIs, runtime proxy, caching, and offline bundle generation. - Included security considerations and related tasks for implementation. chore: Add Ruby Analyzer with Git Sources - Created a Gemfile and Gemfile.lock for Ruby analyzer with dependencies on git-gem, httparty, and path-gem. - Implemented main application logic to utilize the defined gems and output their versions. - Added expected JSON output for the Ruby analyzer to validate the integration of the new gems and their functionalities. - Developed internal observation classes for Ruby packages, runtime edges, and capabilities, including serialization logic for observations. test: Add tests for Ruby Analyzer - Created test fixtures for Ruby analyzer, including Gemfile, Gemfile.lock, main application, and expected JSON output. - Ensured that the tests validate the correct integration and functionality of the Ruby analyzer with the specified gems.
35 lines
1.7 KiB
Markdown
35 lines
1.7 KiB
Markdown
# StellaOps Policy Engine
|
||
|
||
Policy Engine compiles and evaluates Stella DSL policies deterministically, producing explainable findings with full provenance.
|
||
|
||
## Responsibilities
|
||
- Compile `stella-dsl@1` packs into executable graphs.
|
||
- Join advisories, VEX evidence, and SBOM inventories to derive effective findings.
|
||
- Expose simulation and diff APIs for UI/CLI workflows.
|
||
- Emit change-stream driven events for Notify/Scheduler integrations.
|
||
|
||
## Key components
|
||
- `StellaOps.Policy.Engine` service host.
|
||
- Shared libraries under `StellaOps.Policy.*` for evaluation, storage, DSL tooling.
|
||
|
||
## Integrations & dependencies
|
||
- MongoDB findings collections, RustFS explain bundles.
|
||
- Scheduler for incremental re-evaluation triggers.
|
||
- CLI/UI for policy authoring and runs.
|
||
|
||
## Operational notes
|
||
- DSL grammar and lifecycle docs in ../../policy/.
|
||
- Observability guidance in ../../observability/policy.md.
|
||
- Governance and scope mapping in ../../security/policy-governance.md.
|
||
- Readiness briefs: ../policy/secret-leak-detection-readiness.md, ../policy/windows-package-readiness.md.
|
||
- Readiness briefs: ../scanner/design/macos-analyzer.md, ../scanner/design/windows-analyzer.md, ../policy/secret-leak-detection-readiness.md, ../policy/windows-package-readiness.md.
|
||
- Ruby capability predicates design: ./design/ruby-capability-predicates.md.
|
||
|
||
## Backlog references
|
||
- DOCS-POLICY-20-001 … DOCS-POLICY-20-012 (completed baseline).
|
||
- DOCS-POLICY-23-007 (upcoming command updates).
|
||
|
||
## Epic alignment
|
||
- **Epic 2 – Policy Engine & Editor:** deliver deterministic evaluation, DSL infrastructure, explain traces, and incremental runs.
|
||
- **Epic 4 – Policy Studio:** integrate registry workflows, simulation at scale, approvals, and promotion semantics.
|