e923880694
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil. - Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt. feat: Implement ILockRepository interface and LockRepository class - Defined ILockRepository interface with methods for acquiring and releasing locks. - Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations. feat: Add SurfaceManifestPointer record for manifest pointers - Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest. feat: Create PolicySimulationInputLock and related validation logic - Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests. - Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements. test: Add unit tests for ReplayVerificationService and ReplayVerifier - Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios. - Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic. test: Implement PolicySimulationInputLockValidatorTests - Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions. chore: Add cosign key example and signing scripts - Included a placeholder cosign key example for development purposes. - Added a script for signing Signals artifacts using cosign with support for both v2 and v3. chore: Create script for uploading evidence to the evidence locker - Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.
6.8 KiB
6.8 KiB
Sprint 505 · Ops & Offline — 190.B) Ops DevOps III
Topic & Scope
- Phase III of Ops & Offline stream (IMPL 190.B), following Ops DevOps II.
- Focus on CI/observability/offline hardening across export, graph, OAS, symbols, SLO tooling, and ledger packs.
- Working directory: docs/implplan (coordination); artefacts live under
.gitea/workflows/,deploy/, and relevant module repos per task ownership.
Dependencies & Concurrency
- Upstream dependency: Sprint 190.B (Ops DevOps II) must be DONE.
- Task-level dependencies captured in the tracker; observe serial order for OAS and HELM-style chains.
Documentation Prerequisites
- docs/README.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- Existing CI/OAS runbooks referenced by tasks.
Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|---|---|---|---|---|---|
| 1 | DEVOPS-EXPORT-36-001 | DONE (2025-11-24) | Depends on DEVOPS-EXPORT-35-001 | DevOps Guild, Exporter Service Guild | Integrate Trivy compat validation, cosign signature checks, trivy module db import smoke tests, OCI distribution verification, throughput/error dashboards |
| 2 | DEVOPS-EXPORT-37-001 | DONE (2025-11-24) | Depends on DEVOPS-EXPORT-36-001 | DevOps Guild, Exporter Service Guild | Finalize exporter monitoring (failure alerts, metrics verification, retention jobs) and chaos/latency tests pre-GA |
| 3 | DEVOPS-GRAPH-24-001 | DONE (2025-11-24) | None | DevOps Guild, SBOM Service Guild | Load test graph index/adjacency APIs with 40k-node assets; capture perf dashboards & alert thresholds |
| 4 | DEVOPS-GRAPH-24-002 | DONE (2025-11-24) | Depends on DEVOPS-GRAPH-24-001 | DevOps Guild, UI Guild | Synthetic UI perf runs (Playwright/WebGL) for Graph/Vuln explorers; fail builds on regression |
| 5 | DEVOPS-GRAPH-24-003 | DONE (2025-11-24) | Depends on DEVOPS-GRAPH-24-002 | DevOps Guild | Smoke job for simulation endpoints enforcing SLA (<3s upgrade) with logged results |
| 6 | DEVOPS-LNM-TOOLING-22-000 | BLOCKED | Await upstream storage backfill tool specs & Excititor migration outputs | DevOps, Concelier, Excititor Guilds | Package/tooling for linkset/advisory migrations |
| 7 | DEVOPS-LNM-22-001 | BLOCKED (2025-10-27) | Blocked on DEVOPS-LNM-TOOLING-22-000 | DevOps Guild, Concelier Guild | Run migration/backfill pipelines for advisory observations/linksets in staging, validate counts/conflicts, automate deployment |
| 8 | DEVOPS-LNM-22-002 | BLOCKED (2025-10-27) | Blocked on DEVOPS-LNM-22-001 and Excititor storage migration | DevOps Guild, Excititor Guild | Execute VEX observation/linkset backfill with monitoring; ensure NATS/Redis events; document ops runbook |
| 9 | DEVOPS-LNM-22-003 | TODO | Depends on DEVOPS-LNM-22-002 | DevOps Guild, Observability Guild | Add CI/monitoring for new metrics (advisory_observations_total, linksets_total, ingest→API SLA alerts) |
| 10 | DEVOPS-OAS-61-001 | DONE (2025-11-24) | None | DevOps Guild, API Contracts Guild | Add CI stages for OpenAPI lint, validation, compat diff; enforce PR gating |
| 11 | DEVOPS-OAS-61-002 | DONE (2025-11-24) | Depends on DEVOPS-OAS-61-001 | DevOps Guild, Contract Testing Guild | Mock server + contract test suite in PR/nightly; publish artifacts |
| 12 | DEVOPS-OPENSSL-11-001 | DONE (2025-11-24) | None | DevOps Guild, Build Infra Guild | Package OpenSSL 1.1 shim into test harness outputs for Mongo2Go suites |
| 13 | DEVOPS-OPENSSL-11-002 | DONE (2025-11-24) | Depends on DEVOPS-OPENSSL-11-001 | DevOps Guild, CI Guild | Ensure CI runners/docker export LD_LIBRARY_PATH (or embed shim) for unattended pipelines |
| 14 | DEVOPS-OBS-51-001 | DONE (2025-11-24) | Depends on DEVOPS-OBS-50-002 | DevOps Guild, Observability Guild | SLO evaluator service, dashboards, alerts, Terraform/Helm automation |
| 15 | DEVOPS-OBS-52-001 | DONE (2025-11-24) | Depends on DEVOPS-OBS-51-001 | DevOps Guild, Timeline Indexer Guild | Streaming pipeline (NATS/Redis/Kafka) with retention/partitioning/backpressure; CI schema + rate-cap validation |
| 16 | DEVOPS-OBS-53-001 | DONE (2025-11-24) | Depends on DEVOPS-OBS-52-001 | DevOps Guild, Evidence Locker Guild | Object storage WORM/immutability, legal hold automation, backup/restore scripts |
| 17 | DEVOPS-OBS-54-001 | DONE (2025-11-24) | Depends on DEVOPS-OBS-53-001 | DevOps Guild, Security Guild | Provenance signing infra (KMS keys, rotation, TSA) + CI verification jobs |
| 18 | DEVOPS-SCAN-90-004 | DONE (2025-11-24) | Depends on SCAN-DETER-186-009/010 | DevOps Guild, Scanner Guild | CI job for scanner determinism harness; uploads determinism.json; gates release |
| 19 | DEVOPS-SYMS-90-005 | DONE (2025-11-24) | Depends on SYMS-SERVER-401-011/013 | DevOps Guild, Symbols Guild | Deploy Symbols.Server; smoke via compose/MinIO/Mongo; alerts; reusable smoke workflow |
| 20 | DEVOPS-LEDGER-OAS-61-001-REL | BLOCKED (2025-11-24) | Waiting on Findings Ledger OpenAPI sources/examples | DevOps Guild, Findings Ledger Guild | Add lint/diff/publish gates once spec exists |
| 21 | DEVOPS-LEDGER-OAS-61-002-REL | BLOCKED (2025-11-24) | .well-known/openapi payload pending |
DevOps Guild, Findings Ledger Guild | Release validation for host metadata |
| 22 | DEVOPS-LEDGER-OAS-62-001-REL | BLOCKED (2025-11-24) | Await finalized Ledger OAS/versioning | DevOps Guild, Findings Ledger Guild | SDK generation/signing for Ledger |
| 23 | DEVOPS-LEDGER-OAS-63-001-REL | BLOCKED (2025-11-24) | Await OAS change log/lifecycle policy | DevOps Guild, Findings Ledger Guild | Deprecation governance artefacts |
| 24 | DEVOPS-LEDGER-PACKS-42-001-REL | BLOCKED (2025-11-24) | Await schema + storage contract | DevOps Guild, Findings Ledger Guild | Snapshot/time-travel export packaging |
| 25 | DEVOPS-LEDGER-PACKS-42-002-REL | TODO | Depends on DEVOPS-LEDGER-PACKS-42-001-REL | DevOps Guild, Findings Ledger Guild | Add pack signing + integrity verification job to release bundles |
Execution Log
| Date (UTC) | Update | Owner |
|---|---|---|
| 2025-11-24 | Completed DEVOPS-OAS-61-001/002: added OAS CI workflow .gitea/workflows/oas-ci.yml (compose, lint, examples, compat diff, contract tests, aggregate spec upload). |
Implementer |
| 2025-11-24 | Completed DEVOPS-OPENSSL-11-001: copied OpenSSL 1.1 shim into all test outputs via shared Directory.Build.props; Authority Mongo2Go tests pass. | Implementer |
| 2025-12-02 | Normalized sprint file to standard template; preserved task statuses and dependencies. | StellaOps Agent |
Decisions & Risks
- Many tasks blocked by upstream artefacts (DEVOPS-LNM-TOOLING, Ledger OAS, storage migrations). Resolution requires upstream teams delivering specs/data.
- Offline posture: ensure all deployment/CI assets use pinned digests and avoid live internet pulls for air-gapped kits.
Next Checkpoints
- None scheduled; add dates when guild checkpoints are set.