git.stella-ops.org/docs/implplan/SPRINT_505_ops_devops_iii.md
master c2c6b58b41 feat: Add Promotion-Time Attestations for Stella Ops
- Introduced a new document for promotion-time attestations, detailing the purpose, predicate schema, producer workflow, verification flow, APIs, and security considerations.
- Implemented the `stella.ops/promotion@v1` predicate schema to capture promotion evidence including image digest, SBOM/VEX artifacts, and Rekor proof.
- Defined producer responsibilities and workflows for CLI orchestration, signer responsibilities, and Export Center integration.
- Added verification steps for auditors to validate promotion attestations offline.

feat: Create Symbol Manifest v1 Specification

- Developed a specification for Symbol Manifest v1 to provide a deterministic format for publishing debug symbols and source maps.
- Defined the manifest structure, including schema, entries, source maps, toolchain, and provenance.
- Outlined upload and verification processes, resolve APIs, runtime proxy, caching, and offline bundle generation.
- Included security considerations and related tasks for implementation.

chore: Add Ruby Analyzer with Git Sources

- Created a Gemfile and Gemfile.lock for Ruby analyzer with dependencies on git-gem, httparty, and path-gem.
- Implemented main application logic to utilize the defined gems and output their versions.
- Added expected JSON output for the Ruby analyzer to validate the integration of the new gems and their functionalities.
- Developed internal observation classes for Ruby packages, runtime edges, and capabilities, including serialization logic for observations.

test: Add tests for Ruby Analyzer

- Created test fixtures for Ruby analyzer, including Gemfile, Gemfile.lock, main application, and expected JSON output.
- Ensured that the tests validate the correct integration and functionality of the Ruby analyzer with the specified gems.
2025-11-11 15:30:22 +02:00


# Sprint 505 - Ops & Offline · 190.B) Ops Devops.III

Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).

## [Ops & Offline] 190.B) Ops Devops.III

- Depends on: Sprint 190.B - Ops Devops.II
- Summary: Ops & Offline focus on Ops Devops (phase III).

| Task ID | State | Task description | Owners (Source) |
| --- | --- | --- | --- |
| DEVOPS-EXPORT-36-001 | TODO | Integrate Trivy compatibility validation, cosign signature checks, trivy module db import smoke tests, OCI distribution verification, and throughput/error dashboards. Dependencies: DEVOPS-EXPORT-35-001. | DevOps Guild, Exporter Service Guild (ops/devops) |
| DEVOPS-EXPORT-37-001 | TODO | Finalize exporter monitoring (failure alerts, verify metrics, retention jobs) and chaos/latency tests ahead of GA. Dependencies: DEVOPS-EXPORT-36-001. | DevOps Guild, Exporter Service Guild (ops/devops) |
| DEVOPS-GRAPH-24-001 | TODO | Load test graph index/adjacency APIs with 40k-node assets; capture perf dashboards and alert thresholds. | DevOps Guild, SBOM Service Guild (ops/devops) |
| DEVOPS-GRAPH-24-002 | TODO | Integrate synthetic UI perf runs (Playwright/WebGL metrics) for Graph/Vuln explorers; fail builds on regression. Dependencies: DEVOPS-GRAPH-24-001. | DevOps Guild, UI Guild (ops/devops) |
| DEVOPS-GRAPH-24-003 | TODO | Implement smoke job for simulation endpoints ensuring we stay within SLA (<3s upgrade) and log results. Dependencies: DEVOPS-GRAPH-24-002. | DevOps Guild (ops/devops) |
| DEVOPS-LNM-22-001 | BLOCKED (2025-10-27) | Run migration/backfill pipelines for advisory observations/linksets in staging, validate counts/conflicts, and automate deployment steps. Awaiting storage backfill tooling. | DevOps Guild, Concelier Guild (ops/devops) |
| DEVOPS-LNM-22-002 | BLOCKED (2025-10-27) | Execute VEX observation/linkset backfill with monitoring; ensure NATS/Redis events integrated; document ops runbook. Blocked until Excititor storage migration lands. Dependencies: DEVOPS-LNM-22-001. | DevOps Guild, Excititor Guild (ops/devops) |
| DEVOPS-LNM-22-003 | TODO | Add CI/monitoring coverage for new metrics (advisory_observations_total, linksets_total, etc.) and alerts on ingest-to-API SLA breaches. Dependencies: DEVOPS-LNM-22-002. | DevOps Guild, Observability Guild (ops/devops) |
| DEVOPS-OAS-61-001 | TODO | Add CI stages for OpenAPI linting, validation, and compatibility diff; enforce gating on PRs. | DevOps Guild, API Contracts Guild (ops/devops) |
| DEVOPS-OAS-61-002 | TODO | Integrate mock server + contract test suite into PR and nightly workflows; publish artifacts. Dependencies: DEVOPS-OAS-61-001. | DevOps Guild, Contract Testing Guild (ops/devops) |
| DEVOPS-OPENSSL-11-001 | TODO (2025-11-06) | Package the OpenSSL 1.1 shim (tests/native/openssl-1.1/linux-x64) into test harness output so Mongo2Go suites discover it automatically. | DevOps Guild, Build Infra Guild (ops/devops) |
| DEVOPS-OPENSSL-11-002 | TODO (2025-11-06) | Ensure CI runners and Docker images that execute Mongo2Go tests export LD_LIBRARY_PATH (or embed the shim) to unblock unattended pipelines. Dependencies: DEVOPS-OPENSSL-11-001. | DevOps Guild, CI Guild (ops/devops) |
| DEVOPS-OBS-51-001 | TODO | Implement SLO evaluator service (burn rate calculators, webhook emitters), Grafana dashboards, and alert routing to Notifier. Provide Terraform/Helm automation. Dependencies: DEVOPS-OBS-50-002. | DevOps Guild, Observability Guild (ops/devops) |
| DEVOPS-OBS-52-001 | TODO | Configure streaming pipeline (NATS/Redis/Kafka) with retention, partitioning, and backpressure tuning for timeline events; add CI validation of schema + rate caps. Dependencies: DEVOPS-OBS-51-001. | DevOps Guild, Timeline Indexer Guild (ops/devops) |
| DEVOPS-OBS-53-001 | TODO | Provision object storage with WORM/retention options (S3 Object Lock / MinIO immutability), legal hold automation, and backup/restore scripts for evidence locker. Dependencies: DEVOPS-OBS-52-001. | DevOps Guild, Evidence Locker Guild (ops/devops) |
| DEVOPS-OBS-54-001 | TODO | Manage provenance signing infrastructure (KMS keys, rotation schedule, timestamp authority integration) and integrate verification jobs into CI. Dependencies: DEVOPS-OBS-53-001. | DevOps Guild, Security Guild (ops/devops) |
| DEVOPS-SCAN-90-004 | TODO | Add a CI job that runs the scanner determinism harness against the release matrix (N runs per image), uploads determinism.json, and fails when score < threshold; publish artifact to release notes. Dependencies: SCAN-DETER-186-009/010. | DevOps Guild, Scanner Guild (ops/devops) |
| DEVOPS-SYMS-90-005 | TODO | Deploy Symbols.Server (Helm/Terraform), manage MinIO/Mongo storage, configure tenant RBAC/quotas, and wire ingestion CLI into release pipelines with monitoring and backups. Dependencies: SYMS-SERVER-401-011/013. | DevOps Guild, Symbols Guild (ops/devops) |