git.stella-ops.org/src/Policy/StellaOps.Policy.Registry/AGENTS.md
2025-10-28 15:10:40 +02:00


Policy Registry Guild Charter

Mission

Stand up and operate the Policy Registry service defined in Epic 4. We own workspace storage, version immutability, simulation orchestration metadata, attestations, and RBAC enforcement for the policy lifecycle.

Scope

  • Service source under src/Policy/StellaOps.Policy.Registry (REST API, workers, storage schemas).
  • Mongo models, migrations, and object storage bindings for policy workspaces, versions, reviews, promotions, simulations.
  • Integration with Policy Engine, Scheduler, Authority, Web Gateway, Telemetry.
  • Attestation signing pipeline, evidence bundle management, and retention policies.

Principles

  1. Immutability first: published versions are append-only; derive new versions rather than mutate.
  2. Determinism: compilation/simulation requests must produce reproducible artifacts and checksums.
  3. Tenant isolation: enforce scoping at every storage layer (Mongo collections, buckets, queues).
  4. AOC alignment: the Registry stores metadata; it never mutates raw SBOM/advisory/VEX facts.
  5. Auditable: every transition emits structured events with actor, scope, digest, and attestation IDs.
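The following C# sketch is an added example, not code from StellaOps.Policy.Registry, showing how the immutability, determinism, tenant isolation and auditability principles fit together in one in-memory model. The type and method names (PolicyRegistry, PolicyVersion, AuditEvent, Publish) are hypothetical and do not correspond to the service's own types; the two policy documents are constructed inputs. The point it makes that the list above does not: a reproducible checksum has to be taken over a canonical form of the policy (sorted keys, no insignificant whitespace), not over whatever bytes the client sent, and the tenant must be part of the storage key itself so a lookup cannot cross tenants by accident.

```csharp
// Added example (not StellaOps code): an in-memory model of the principles above.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Text.Json.Nodes;

// Hypothetical types; the real service's schemas live in Mongo and object storage.
public sealed record PolicyVersion(string Tenant, string Workspace, int Number, string Digest, int? DerivedFrom, string CanonicalBody);
public sealed record AuditEvent(string Type, string Actor, string Tenant, string Workspace, int Version, string Digest, DateTimeOffset At);

public sealed class PolicyRegistry
{
    // Tenant isolation: the tenant is part of the storage key, so no lookup can
    // return another tenant's data even if the workspace name collides.
    private readonly Dictionary<(string Tenant, string Workspace), List<PolicyVersion>> _versions = new();
    private readonly List<AuditEvent> _events = new();
    public IReadOnlyList<AuditEvent> Events => _events;

    // Canonical JSON: object members sorted by ordinal key, no insignificant whitespace.
    public static string Canonicalize(JsonNode? node) => node switch
    {
        JsonObject obj => "{" + string.Join(",", obj
            .OrderBy(kv => kv.Key, StringComparer.Ordinal)
            .Select(kv => JsonSerializer.Serialize(kv.Key) + ":" + Canonicalize(kv.Value))) + "}",
        JsonArray arr => "[" + string.Join(",", arr.Select(Canonicalize)) + "]",
        null => "null",
        _ => node!.ToJsonString(),
    };

    // Determinism: the digest is taken over the canonical form, so two submissions
    // that differ only in key order or whitespace yield the same checksum.
    public static string Hash(string canonicalBody) =>
        "sha256:" + Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(canonicalBody))).ToLowerInvariant();

    public static string Digest(string policyJson) => Hash(Canonicalize(JsonNode.Parse(policyJson)));

    // Immutability: publishing never rewrites an existing version; it appends a new
    // one that records which version it was derived from.
    public PolicyVersion Publish(string actor, string tenant, string workspace, string policyJson, int? derivedFrom = null)
    {
        var key = (tenant, workspace);
        if (!_versions.TryGetValue(key, out var history))
            _versions[key] = history = new List<PolicyVersion>();

        if (derivedFrom is int parent && !history.Any(v => v.Number == parent))
            throw new InvalidOperationException($"version {parent} does not exist in {tenant}/{workspace}");

        var canonical = Canonicalize(JsonNode.Parse(policyJson));
        var version = new PolicyVersion(tenant, workspace, history.Count + 1, Hash(canonical), derivedFrom, canonical);
        history.Add(version);

        // Auditable: every transition emits a structured event with actor, scope and digest.
        _events.Add(new AuditEvent("policy.version.published", actor, tenant, workspace,
            version.Number, version.Digest, DateTimeOffset.UtcNow));
        return version;
    }

    public PolicyVersion? Get(string tenant, string workspace, int number) =>
        _versions.TryGetValue((tenant, workspace), out var history)
            ? history.FirstOrDefault(v => v.Number == number)
            : null;
}

public static class Demo
{
    public static void Main()
    {
        var registry = new PolicyRegistry();

        // Constructed inputs: the same policy with different key order and whitespace.
        const string a = "{\"rules\":[{\"id\":\"r1\",\"severity\":\"high\"}],\"name\":\"baseline\"}";
        const string b = "{ \"name\": \"baseline\", \"rules\": [ { \"severity\": \"high\", \"id\": \"r1\" } ] }";
        Console.WriteLine(PolicyRegistry.Digest(a) == PolicyRegistry.Digest(b)); // True

        var v1 = registry.Publish("alice", "tenant-a", "ws-1", a);
        var v2 = registry.Publish("alice", "tenant-a", "ws-1", b.Replace("high", "critical"), derivedFrom: v1.Number);
        Console.WriteLine($"v{v2.Number} derived from v{v2.DerivedFrom}, digest {v2.Digest}");

        // Tenant isolation: the same workspace name under another tenant holds nothing.
        Console.WriteLine(registry.Get("tenant-b", "ws-1", 1) is null); // True

        foreach (var e in registry.Events)
            Console.WriteLine($"{e.Type} actor={e.Actor} scope={e.Tenant}/{e.Workspace} v{e.Version} {e.Digest}");
    }
}
```

Two design choices worth noting: the canonicalizer escapes keys with System.Text.Json's default encoder, which is fine as long as every producer in the system uses the same canonical form, since the digest is only reproducible across components that agree on it; and derivedFrom is validated against the same tenant-scoped history, so a version cannot claim lineage from another tenant's version.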

Collaboration

  • Keep src/Policy/StellaOps.Policy.Registry/TASKS.md and ../../docs/implplan/SPRINTS.md synchronized.
  • Coordinate API contracts with Policy Engine (src/Policy/StellaOps.Policy.Engine), Web Gateway (src/Web/StellaOps.Web), Console (/console), CLI (src/Cli/StellaOps.Cli), and Docs.
  • Publish or update OpenAPI specs under src/Policy/StellaOps.Policy.Registry/openapi/ and hand them to client teams.

Tooling

  • .NET 10 preview (minimal API + background workers).
  • MongoDB with per-tenant collections, S3-compatible object storage for bundles.
  • Background queue (Scheduler job queue or NATS) for batch simulations.
  • Signing via Authority-issued OIDC tokens + cosign integration.

Definition of Done

  • Code merged with unit/integration tests, linting, deterministic checks.
  • Telemetry (metrics/logs/traces) wired with tenant context.
  • Docs/reference updated; OpenAPI regenerated.
  • Feature flags + configuration defaults documented.