git.stella-ops.org/docs/implplan/SPRINT_502_ops_deployment_ii.md
StellaOps Bot e923880694
feat: Add DigestUpsertRequest and LockEntity models
- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil.
- Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt.

feat: Implement ILockRepository interface and LockRepository class

- Defined ILockRepository interface with methods for acquiring and releasing locks.
- Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations.

feat: Add SurfaceManifestPointer record for manifest pointers

- Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest.

feat: Create PolicySimulationInputLock and related validation logic

- Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests.
- Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements.

test: Add unit tests for ReplayVerificationService and ReplayVerifier

- Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios.
- Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic.

test: Implement PolicySimulationInputLockValidatorTests

- Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions.

chore: Add cosign key example and signing scripts

- Included a placeholder cosign key example for development purposes.
- Added a script for signing Signals artifacts using cosign with support for both v2 and v3.

chore: Create script for uploading evidence to the evidence locker

- Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.
2025-12-03 07:51:50 +02:00


Sprint 502 · Ops Deployment II (Ops & Offline)

Topic & Scope

  • Phase II of ops deployment/offline readiness stream (IMPL 190.A follow-on).
  • Produce deployment overlays, Helm scaffolding, and rollout/runbook assets for policy, VEX Lens, Findings Ledger, and downloads pipeline.
  • Working directory: docs/implplan (coordination); delivery artefacts expected in deploy/ and docs/runbooks/ as referenced per task.

Dependencies & Concurrency

  • Upstream: Sprint 190.A Ops Deployment I (prereq for this batch).
  • Tasks with explicit deps noted in Delivery Tracker (e.g., HELM-45-002 depends on HELM-45-001).

Documentation Prerequisites

  • docs/README.md
  • docs/07_HIGH_LEVEL_ARCHITECTURE.md
  • docs/modules/platform/architecture-overview.md
  • Any module-specific runbooks referenced by tasks (policy, VEX Lens, Findings Ledger).

Delivery Tracker

| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|---|---------|--------|----------------------------|--------|-----------------|
| 1 | DEPLOY-POLICY-27-002 | TODO | Depends on DEPLOY-POLICY-27-001 | Deployment Guild, Policy Guild | Document rollout/rollback playbooks for policy publish/promote (canary, emergency freeze, evidence retrieval) under docs/runbooks/policy-incident.md |
| 2 | DEPLOY-VEX-30-001 | TODO | None | Deployment Guild, VEX Lens Guild | Provide Helm/Compose overlays, scaling defaults, offline kit instructions for VEX Lens service |
| 3 | DEPLOY-VEX-30-002 | TODO | Depends on DEPLOY-VEX-30-001 | Deployment Guild, Issuer Directory Guild | Package Issuer Directory deployment manifests, backups, security hardening guidance |
| 4 | DEPLOY-VULN-29-001 | TODO | None | Deployment Guild, Findings Ledger Guild | Helm/Compose overlays for Findings Ledger + projector incl. DB migrations, Merkle anchor jobs, scaling guidance |
| 5 | DEPLOY-VULN-29-002 | TODO | Depends on DEPLOY-VULN-29-001 | Deployment Guild, Vuln Explorer API Guild | Package stella-vuln-explorer-api manifests, health checks, autoscaling policies, offline kit with signed images |
| 6 | DOWNLOADS-CONSOLE-23-001 | TODO | None | Deployment Guild, DevOps Guild | Maintain signed downloads manifest pipeline; publish JSON at deploy/downloads/manifest.json; doc sync cadence for Console/docs |
| 7 | HELM-45-001 | TODO | None | Deployment Guild | Scaffold deploy/helm/stella chart with values, toggles, pinned digests, migration Job templates |
| 8 | HELM-45-002 | TODO | Depends on HELM-45-001 | Deployment Guild, Security Guild | Add TLS/Ingress, NetworkPolicy, PodSecurityContexts, Secrets integration (external secrets), document security posture |
| 9 | HELM-45-003 | TODO | Depends on HELM-45-002 | Deployment Guild, Observability Guild | Implement HPA, PDB, readiness gates, Prometheus scrape annotations, OTel hooks, upgrade hooks |

Execution Log

| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-02 | Normalized sprint file to standard template; no task status changes | StellaOps Agent |

Decisions & Risks

  • Dependencies between the HELM-45 tasks (45-001 → 45-002 → 45-003) force a serial order; reflect this in task sequencing.
  • Risk: offline kit instructions must not depend on external image pulls; every image reference needs a pinned digest, and the air-gap copy steps must be documented.
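A concrete check for the pinned-digest requirement above (and for the "pinned digests" deliverable of HELM-45-001): the script below scans a Helm values file and reports every container image reference that is not pinned to a `sha256` digest. This is an added example, not code from the StellaOps repository; it assumes the chart writes images either as an inline `image:` string or as an `image:` block with `repository`/`tag`/`digest` keys, and the sample values file and digests are constructed placeholders.

```python
"""Report container image references in a Helm values file that are not
pinned to a content digest (``@sha256:<64 hex>``).

Added illustration, not StellaOps project code. The values layout it
understands (inline ``image: <ref>`` strings and ``image:`` blocks with
``repository``/``tag``/``digest`` keys) is an assumption about the chart;
adapt the key names if the real chart differs. No PyYAML dependency:
the scanner is line-oriented on purpose so it runs in a bare CI image.
"""
import re
import sys
from typing import List, Optional, Tuple

# Constructed sample values (placeholder registry and digests, not real images).
SAMPLE_VALUES = """\
policy:
  image: registry.example.internal/stella/policy:1.4.2
vexlens:
  image: registry.example.internal/stella/vex-lens@sha256:2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
ledger:
  image:
    repository: registry.example.internal/stella/findings-ledger
    tag: "2.0.0"
    digest: ""
migrations:
  image:
    repository: registry.example.internal/stella/findings-ledger-migrate
    digest: "sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
"""

DIGEST_RE = re.compile(r"@?sha256:[0-9a-f]{64}$")
INLINE_IMAGE_RE = re.compile(r"^\s*image:\s*['\"]?(\S+?)['\"]?\s*$")
KEY_RE = re.compile(r"^(\s*)(repository|tag|digest):\s*['\"]?([^'\"]*?)['\"]?\s*$")


def is_pinned(ref: str) -> bool:
    """True when a reference (or a bare digest value) ends in a sha256 digest."""
    return bool(DIGEST_RE.search(ref))


def find_unpinned_images(values_text: str) -> List[str]:
    """Return image references (inline refs or repository names) lacking a digest."""
    unpinned: List[str] = []
    # Open structured block: (indent of its keys, repository, digest value so far)
    block: Optional[Tuple[int, str, str]] = None

    def flush() -> None:
        nonlocal block
        if block is not None:
            _, repo, digest = block
            if not (digest and is_pinned(digest)):
                unpinned.append(repo)
            block = None

    for line in values_text.splitlines():
        m = INLINE_IMAGE_RE.match(line)
        if m:
            flush()
            if not is_pinned(m.group(1)):
                unpinned.append(m.group(1))
            continue
        m = KEY_RE.match(line)
        if not m:
            # A dedent below the block's key indent ends the block.
            if block is not None and line.strip():
                if len(line) - len(line.lstrip()) < block[0]:
                    flush()
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        if key == "repository":
            flush()
            block = (indent, value, "")
        elif key == "digest" and block is not None and indent == block[0]:
            block = (block[0], block[1], value)
        # ``tag`` is ignored: a tag never satisfies the pinning requirement.
    flush()
    return unpinned


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VALUES
    bad = find_unpinned_images(text)
    for ref in bad:
        print(f"unpinned image: {ref}")
    sys.exit(1 if bad else 0)
```

Run it against the chart's values file as a CI gate (`python check_pins.py deploy/helm/stella/values.yaml`); a non-zero exit blocks the offline kit build until every image carries a digest. On the constructed sample it flags the `policy` tag-only reference and the `findings-ledger` block whose `digest` is empty.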

Next Checkpoints

  • None scheduled; add dates when guild checkpoints are set.