38 lines
1.2 KiB
Markdown
38 lines
1.2 KiB
Markdown
# AOC (Append-Only Contracts)
|
|
|
|
**Status:** Implemented
|
|
**Source:** `src/Aoc/`
|
|
**Owner:** Platform Team
|
|
|
|
## Purpose
|
|
|
|
AOC provides compile-time enforcement of append-only contract rules during data ingestion. Uses Roslyn analyzers to prevent connectors from writing to fields that should only be computed by downstream merge/decisioning pipelines.
|
|
|
|
## Components
|
|
|
|
**Analyzers:**
|
|
- `StellaOps.Aoc.Analyzers` - Roslyn DiagnosticAnalyzers (AOC0001, AOC0002, AOC0003)
|
|
|
|
**Libraries:**
|
|
- `StellaOps.Aoc` - Core abstractions (IAocGuard)
|
|
- `StellaOps.Aoc.AspNetCore` - ASP.NET Core integration
|
|
|
|
**CLI:**
|
|
- `StellaOps.Aoc.Cli` - Manual validation tool
|
|
|
|
## Key Concepts
|
|
|
|
**Forbidden Fields** (ingestion-time writes forbidden):
|
|
- `severity`, `cvss`, `cvss_vector` - Computed from CVSS + context
|
|
- `effective_status`, `effective_range` - VEX consensus outcomes
|
|
- `risk_score`, `reachability`, `asset_criticality` - Runtime analysis
|
|
|
|
**Derived Fields:**
|
|
- Any field prefixed with `effective_*` is treated as derived and forbidden
|
|
|
|
## Related Documentation
|
|
|
|
- Architecture: `./architecture.md`
|
|
- Concelier: `../concelier/` (uses AOC for connectors)
|
|
- Excititor: `../excititor/` (uses AOC for VEX ingestion)
|