git.stella-ops.org/docs/modules/sbomservice/runbooks/airgap-parity-review.md
StellaOps Bot 48702191be
feat(graph-api): Add schema review notes for upcoming Graph API changes
feat(sbomservice): Add placeholder for SHA256SUMS in LNM v1 fixtures

docs(devportal): Create README for SDK archives in public directory

build(devportal): Implement offline bundle build script

test(devportal): Add link checker script for validating links in documentation

test(devportal): Create performance check script for dist folder size

test(devportal): Implement accessibility check script using Playwright and Axe

docs(devportal): Add SDK quickstart guide with examples for Node.js, Python, and cURL

feat(excititor): Implement MongoDB storage for airgap import records

test(findings): Add unit tests for export filters hash determinism

feat(findings): Define attestation contracts for ledger web service

feat(graph): Add MongoDB options and service collection extensions for graph indexing

test(graph): Implement integration tests for MongoDB provider and service collection extensions

feat(zastava): Define configuration options for Zastava surface secrets

build(tests): Create script to run Concelier linkset tests with TRX output
2025-11-22 19:22:30 +02:00

2.4 KiB

AirGap Parity Review — SBOM Service runtime/signals (Sprint 0140/0142)

Status: Template published (2025-11-22)

Owners: Observability Guild · SBOM Service Guild · Cartographer Guild · Runtime & Signals coordination (0140) · Concelier Core (schema fidelity)

Purpose

Document a repeatable AirGap parity review for /sbom/paths, /sbom/versions, and SBOM event streams so SBOM-SERVICE-21-001..004 can move from BLOCKED to DOING once fixtures land.

Prerequisites

  • Link-Not-Merge v1 fixtures available under docs/modules/sbomservice/fixtures/lnm-v1/ with SHA256SUMS.
  • Projection schema frozen (record SHA/commit).
  • Mock surface bundle hash and real scanner cache ETA published in sprint 0140 tracker.
  • CAS/provenance appendices (signals) frozen: docs/signals/cas-promotion-24-002.md, docs/signals/provenance-24-003.md.
  • Test environment with offline toggle enabled; mirrored packages only.

Checklist

  • Verify fixture integrity: run sha256sum -c SHA256SUMS in fixtures/lnm-v1.
  • Replay fixtures in offline mode; capture latency/p95/p99 for /sbom/paths and /sbom/versions with deterministic seeds.
  • Confirm tenant scoping and add-only evolution (no in-place updates) using two-tenant replay script.
  • Validate event envelopes (sbom.version.created) against CAS/provenance requirements; ensure DSSE fields present or skip_reason: offline.
  • Check orchestrator backpressure behavior with AirGap throttling; record SLO thresholds.
  • Capture logs/traces snapshots (if enabled) and redact secrets before attaching.

Outputs

  • Minutes + decisions appended to this file (Execution Notes section) with timestamps and owners.
  • Metrics table with p50/p95/p99 latency, error rate, and cache hit ratio.
  • Actions list with owners and due dates; blockers mirrored to sprint 0140/0142 Decisions & Risks.
  • Fixture hash list appended (from SHA256SUMS) with date and signer.
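
For the first Checklist item and the fixture hash list under Outputs, the following is an added example, not code from the StellaOps repository. Plain sha256sum -c checks only the files named in SHA256SUMS and only warns about malformed lines, so this wrapper also fails when a fixture on disk is not covered by the manifest. The function names, exit codes and output layout are assumptions.

```shell
#!/bin/sh
# Added example (not project code): fixture gate for the AirGap parity review.
# Assumes SHA256SUMS uses the coreutils line format "<64 hex>  <relative path>".
# Usage: verify_fixtures docs/modules/sbomservice/fixtures/lnm-v1

# verify_fixtures DIR
#   0 = every listed file matches and nothing on disk is unlisted
#   1 = malformed manifest line, hash mismatch, or missing file
#   2 = files present that SHA256SUMS does not cover
#   3 = SHA256SUMS absent
verify_fixtures() {
  vf_dir=$1
  [ -f "$vf_dir/SHA256SUMS" ] || { echo "missing $vf_dir/SHA256SUMS" >&2; return 3; }

  # Plain `sha256sum -c` only warns about malformed lines, so reject them first.
  if grep -Evq '^[0-9a-f]{64} [ *].+$' "$vf_dir/SHA256SUMS"; then
    echo "malformed line in SHA256SUMS" >&2
    return 1
  fi
  # Per-file results go to stderr so stdout stays clean for callers.
  ( cd "$vf_dir" && sha256sum -c SHA256SUMS >&2 ) || return 1

  # `sha256sum -c` checks listed files only; compare with what is on disk.
  vf_listed=$(sed -e 's/^[0-9a-f]* [ *]//' -e 's|^\./||' "$vf_dir/SHA256SUMS")
  vf_unlisted=$(cd "$vf_dir" && find . -type f ! -name SHA256SUMS |
    sed 's|^\./||' | LC_ALL=C sort | while IFS= read -r vf_f; do
      printf '%s\n' "$vf_listed" | grep -Fxq -- "$vf_f" || printf '%s\n' "$vf_f"
    done)
  if [ -n "$vf_unlisted" ]; then
    printf '%s\n' "$vf_unlisted" | sed 's/^/unlisted fixture: /' >&2
    return 2
  fi
  return 0
}

# hash_list_entry DIR SIGNER [DATE]
# Prints the text to append under Outputs: date, signer, digest of the
# manifest itself, then the manifest lines. Refuses to print for a fixture
# set that fails verify_fixtures. SIGNER is supplied by the reviewer.
hash_list_entry() {
  verify_fixtures "$1" || return
  hl_date=${3:-$(date -u +%Y-%m-%d)}
  hl_digest=$(sha256sum "$1/SHA256SUMS" | cut -d' ' -f1)
  printf 'Fixture hashes %s, signer: %s, SHA256SUMS sha256: %s\n' \
    "$hl_date" "$2" "$hl_digest"
  sed 's/^/  /' "$1/SHA256SUMS"
}
```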

Data capture templates

Metrics

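| Metric | p50 | p95 | p99 | Error rate | Notes |
| --- | --- | --- | --- | --- | --- |
| /sbom/paths latency (ms) | | | | | |
| /sbom/versions latency (ms) | | | | | |
| Event ingest → emit (ms) | | | | | |
| Cache hit ratio | | | | | |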

Decisions & follow-ups

| Decision / Action | Owner | Due | Status | Notes |
| --- | --- | --- | --- | --- |

Execution Notes

  • 2025-11-22: Template published; awaiting fixtures and review scheduling.