stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
dac8e10e361e03690a2e1ffa374f4617ffbd9705
git.stella-ops.org/docs2/architecture/workflows.md
master fcb5ffe25d feat(scanner): Complete PoE implementation with Windows compatibility fix 
- Fix namespace conflicts (Subgraph → PoESubgraph)
- Add hash sanitization for Windows filesystem (colon → underscore)
- Update all test mocks to use It.IsAny<>()
- Add direct orchestrator unit tests
- All 8 PoE tests now passing (100% success rate)
- Complete SPRINT_3500_0001_0001 documentation

Fixes compilation errors and Windows filesystem compatibility issues.
Tests: 8/8 passing
Files: 8 modified, 1 new test, 1 completion report

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 14:52:08 +02:00

1.6 KiB
Raw Blame History

Architecture workflows

Advisory and VEX ingestion (AOC)

  1. Concelier and Excititor fetch upstream documents.
  2. AOC guards validate provenance and append-only rules.
  3. Raw facts are stored in PostgreSQL without derived severity.
  4. Deterministic exports are produced for downstream policy evaluation.

Scan and report

  1. CLI or API submits an image digest or SBOM.
  2. Scanner Worker analyzes layers and produces SBOM fragments.
  3. Scanner Web composes inventory and usage SBOMs and runs diffs.
  4. Policy Engine evaluates findings against advisories and VEX evidence.
  5. Signer produces DSSE bundles; Attestor logs to Rekor when enabled.

Reachability and unknowns

  1. Scanner produces static call graphs.
  2. Zastava produces runtime facts when enabled.
  3. Signals computes reachability scores and unknowns pressure.
  4. Policy Engine incorporates reachability evidence into VEX decisions.

Scheduler re-evaluation

  1. Concelier and Excititor emit delta events.
  2. Scheduler identifies impacted images using BOM index metadata.
  3. Scanner Web runs analysis-only reports against existing SBOMs.
  4. Notify emits delta notifications to operators.

Notifications

  1. Scanner and Scheduler publish events to Valkey streams.
  2. Notify Web applies routing rules and templates.
  3. Notify Worker delivers to Slack, Teams, email, or webhooks.

Export and offline bundles

  1. Export Center creates deterministic export bundles (JSON, Trivy DB, mirror layouts).
  2. Offline kits package feeds, images, analyzers, and manifests for air-gapped sites.
  3. CLI verifies signatures and imports bundles atomically.