stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
c2c6b58b416bc36020cc9d593f44c75e7401fbb7
git.stella-ops.org/docs/modules/policy/README.md
master c2c6b58b41 feat: Add Promotion-Time Attestations for Stella Ops 
- Introduced a new document for promotion-time attestations, detailing the purpose, predicate schema, producer workflow, verification flow, APIs, and security considerations.
- Implemented the `stella.ops/promotion@v1` predicate schema to capture promotion evidence including image digest, SBOM/VEX artifacts, and Rekor proof.
- Defined producer responsibilities and workflows for CLI orchestration, signer responsibilities, and Export Center integration.
- Added verification steps for auditors to validate promotion attestations offline.

feat: Create Symbol Manifest v1 Specification

- Developed a specification for Symbol Manifest v1 to provide a deterministic format for publishing debug symbols and source maps.
- Defined the manifest structure, including schema, entries, source maps, toolchain, and provenance.
- Outlined upload and verification processes, resolve APIs, runtime proxy, caching, and offline bundle generation.
- Included security considerations and related tasks for implementation.

chore: Add Ruby Analyzer with Git Sources

- Created a Gemfile and Gemfile.lock for Ruby analyzer with dependencies on git-gem, httparty, and path-gem.
- Implemented main application logic to utilize the defined gems and output their versions.
- Added expected JSON output for the Ruby analyzer to validate the integration of the new gems and their functionalities.
- Developed internal observation classes for Ruby packages, runtime edges, and capabilities, including serialization logic for observations.

test: Add tests for Ruby Analyzer

- Created test fixtures for Ruby analyzer, including Gemfile, Gemfile.lock, main application, and expected JSON output.
- Ensured that the tests validate the correct integration and functionality of the Ruby analyzer with the specified gems.
2025-11-11 15:30:22 +02:00

1.7 KiB
Raw Blame History

StellaOps Policy Engine

Policy Engine compiles and evaluates Stella DSL policies deterministically, producing explainable findings with full provenance.

Responsibilities

  • Compile stella-dsl@1 packs into executable graphs.
  • Join advisories, VEX evidence, and SBOM inventories to derive effective findings.
  • Expose simulation and diff APIs for UI/CLI workflows.
  • Emit change-stream driven events for Notify/Scheduler integrations.

Key components

  • StellaOps.Policy.Engine service host.
  • Shared libraries under StellaOps.Policy.* for evaluation, storage, DSL tooling.

Integrations & dependencies

  • MongoDB findings collections, RustFS explain bundles.
  • Scheduler for incremental re-evaluation triggers.
  • CLI/UI for policy authoring and runs.

Operational notes

  • DSL grammar and lifecycle docs in ../../policy/.
  • Observability guidance in ../../observability/policy.md.
  • Governance and scope mapping in ../../security/policy-governance.md.
  • Readiness briefs: ../policy/secret-leak-detection-readiness.md, ../policy/windows-package-readiness.md.
  • Readiness briefs: ../scanner/design/macos-analyzer.md, ../scanner/design/windows-analyzer.md, ../policy/secret-leak-detection-readiness.md, ../policy/windows-package-readiness.md.
  • Ruby capability predicates design: ./design/ruby-capability-predicates.md.

Backlog references

  • DOCS-POLICY-20-001 … DOCS-POLICY-20-012 (completed baseline).
  • DOCS-POLICY-23-007 (upcoming command updates).

Epic alignment

  • Epic 2 Policy Engine & Editor: deliver deterministic evaluation, DSL infrastructure, explain traces, and incremental runs.
  • Epic 4 Policy Studio: integrate registry workflows, simulation at scale, approvals, and promotion semantics.