@evolith/core-domain 1.0.0 → 1.0.1
- package/dist/domain/services/default-workflow-definition.js +1 -1
- package/dist/domain/services/default-workflow-definition.js.map +1 -1
- package/package.json +2 -1
- package/rulesets/README.es.md +170 -0
- package/rulesets/README.md +170 -0
- package/rulesets/acl/README.es.md +41 -0
- package/rulesets/acl/README.md +41 -0
- package/rulesets/acl/anti-corruption-layer.rules.es.json +99 -0
- package/rulesets/acl/anti-corruption-layer.rules.json +99 -0
- package/rulesets/adr/ADR_COVERAGE.es.md +133 -0
- package/rulesets/adr/ADR_COVERAGE.md +133 -0
- package/rulesets/adr/README.es.md +17 -0
- package/rulesets/adr/README.md +17 -0
- package/rulesets/adr/adr-0002-hexagonal-architecture.rules.json +103 -0
- package/rulesets/adr/adr-0005-cicd-quality-gates.rules.json +102 -0
- package/rulesets/adr/adr-0010-multi-tenancy.rules.json +129 -0
- package/rulesets/adr/adr-0018-testing-pyramid.rules.json +115 -0
- package/rulesets/adr/adr-0032-protocol-selection.rules.json +134 -0
- package/rulesets/adr/adr-0040-multi-runtime.rules.json +131 -0
- package/rulesets/adr/adr-0050-gitflow-branching.rules.json +176 -0
- package/rulesets/adr/generated/adr-0001-monorepo-orchestration-principle.rules.json +29 -0
- package/rulesets/adr/generated/adr-0006-microservices-transition-via-sidecar-pattern.rules.json +29 -0
- package/rulesets/adr/generated/adr-0009-strict-dependency-pinning-and-automated-vulnerability-manage.rules.json +29 -0
- package/rulesets/adr/generated/adr-0011-fault-tolerance-and-resiliency-patterns.rules.json +29 -0
- package/rulesets/adr/generated/adr-0013-cloud-infrastructure-topology-and-disaster-recovery-dr.rules.json +28 -0
- package/rulesets/adr/generated/adr-0014-multi-layer-distributed-caching-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0015-event-driven-architecture-eda-for-intra-domain-communication.rules.json +29 -0
- package/rulesets/adr/generated/adr-0016-immutable-business-audit-trail-and-change-tracking.rules.json +29 -0
- package/rulesets/adr/generated/adr-0017-feature-flagging-strategy-for-progressive-delivery.rules.json +28 -0
- package/rulesets/adr/generated/adr-0019-tactical-design-patterns-for-future-proofing.rules.json +29 -0
- package/rulesets/adr/generated/adr-0020-identity-provider-abstraction-strategy.rules.json +28 -0
- package/rulesets/adr/generated/adr-0024-centralized-configuration-feature-platform.rules.json +28 -0
- package/rulesets/adr/generated/adr-0025-feature-flag-provider-abstraction-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0028-self-hosted-open-source-hybrid-infrastructure.rules.json +29 -0
- package/rulesets/adr/generated/adr-0030-two-tier-distributed-gateway-model.rules.json +28 -0
- package/rulesets/adr/generated/adr-0031-schema-per-bounded-context-and-domain-event-catalog.rules.json +29 -0
- package/rulesets/adr/generated/adr-0033-transactional-outbox-pattern-for-async-messaging.rules.json +28 -0
- package/rulesets/adr/generated/adr-0034-cqrs-pattern-application-matrix.rules.json +29 -0
- package/rulesets/adr/generated/adr-0035-distributed-saga-pattern-implementation-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0036-message-bus-delivery-flow-control-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0037-enterprise-performance-concurrency-chaos-verification-strate.rules.json +28 -0
- package/rulesets/adr/generated/adr-0039-deployment-topology-abstraction-environment-switcher.rules.json +29 -0
- package/rulesets/adr/generated/adr-0041-dual-engine-policy-evaluation-native-opa.rules.json +28 -0
- package/rulesets/adr/generated/adr-0044-configurable-security-persistence-strategy-agnosticism-vs-na.rules.json +29 -0
- package/rulesets/adr/generated/adr-0045-microservice-extraction-readiness-criteria.rules.json +29 -0
- package/rulesets/adr/generated/adr-0046-unified-traceability-via-w3c-tracecontext.rules.json +29 -0
- package/rulesets/adr/generated/adr-0047-progressive-architecture-evolution-framework-modular-monolit.rules.json +29 -0
- package/rulesets/adr/generated/adr-0048-enterprise-taxonomy-standardization-and-reference-layout.rules.json +28 -0
- package/rulesets/adr/generated/adr-0049-naming-semantics-clean-code-policy-e2e-and-global.rules.json +29 -0
- package/rulesets/adr/generated/adr-0051-enterprise-database-engine-selection-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0052-unit-testing-isolation-strategy-mocks-vs-stubs.rules.json +29 -0
- package/rulesets/adr/generated/adr-0053-integration-and-e2e-testing-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0054-database-design-and-normalization-standards.rules.json +29 -0
- package/rulesets/adr/generated/adr-0055-microfrontends-architecture-strategy.rules.json +28 -0
- package/rulesets/adr/generated/adr-0056-enterprise-naming-design-conventions-multi-language-multi-pl.rules.json +29 -0
- package/rulesets/adr/generated/adr-0057-architecture-intelligence-catalog.rules.json +27 -0
- package/rulesets/adr/generated/adr-0058-ai-consumable-architecture-knowledge.rules.json +27 -0
- package/rulesets/adr/generated/adr-0067-modular-monolith-persistence-boundaries.rules.json +28 -0
- package/rulesets/adr/generated/adr-0068-documentation-release-gitflow.rules.json +29 -0
- package/rulesets/adr/generated/adr-0069-ai-agent-context-protocol-integration.rules.json +28 -0
- package/rulesets/adr/generated/adr-0070-lean-root-repository-taxonomy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0071-domain-layer-base-class-and-inheritance-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0072-utc-date-storage-browser-timezone-detection-and-language-res.rules.json +29 -0
- package/rulesets/adr/generated/adr-0073-unified-cli-mcp-output-contract-and-gate-evidence-schema.rules.json +29 -0
- package/rulesets/adr/generated/adr-0074-evolith-core-api-native-exposure-layer.rules.json +29 -0
- package/rulesets/adr/generated/adr-0075-core-api-authentication-strategy.rules.json +28 -0
- package/rulesets/adr/generated/adr-0076-domain-oriented-microservice-architecture-doma.rules.json +28 -0
- package/rulesets/adr/generated/adr-0077-masstransit-v9-commercial-pivot-stay-on-v8-monitor-opentrans.rules.json +28 -0
- package/rulesets/adr/generated/adr-0078-domain-financial-separation-governance.rules.json +29 -0
- package/rulesets/adr/generated/adr-0079-multi-topology-reference-corpus-and-topology-manifest-contra.rules.json +29 -0
- package/rulesets/adr/generated/adr-0080-remote-repository-reference-contract.rules.json +29 -0
- package/rulesets/adr/generated/adr-0081-agentic-ai-sandbox-isolation-boundary.rules.json +29 -0
- package/rulesets/adr/generated/adr-0082-agentic-ai-prompt-context-and-tool-trust-boundary.rules.json +28 -0
- package/rulesets/adr/generated/adr-0083-agentic-ai-action-authorization-and-audit.rules.json +29 -0
- package/rulesets/adr/generated/adr-0084-data-mesh-and-data-as-a-product.rules.json +29 -0
- package/rulesets/adr/generated/adr-0085-agnostic-opa-wasm-distribution-architecture.rules.json +28 -0
- package/rulesets/adr/generated/adr-0086-agentic-ai-telemetry-cost-control-standard.rules.json +27 -0
- package/rulesets/adr/generated/adr-0087-attribute-based-access-control-abac-for-agentic-tool-executi.rules.json +29 -0
- package/rulesets/adr/generated/adr-0088-sovereign-identity-for-agentic-ai.rules.json +29 -0
- package/rulesets/adr/generated/adr-0089-event-driven-agentic-workflow-pattern.rules.json +28 -0
- package/rulesets/adr/generated/adr-0090-rag-knowledge-governance-standard.rules.json +29 -0
- package/rulesets/adr/generated/adr-0091-workload-identity-token-rotation-standard.rules.json +29 -0
- package/rulesets/adr/generated/adr-0092-agent-infinite-loop-prevention-and-circuit-breaker-rules.rules.json +29 -0
- package/rulesets/adr/generated/adr-0093-concurrency-control-and-resource-locking-standard-for-mcp-to.rules.json +29 -0
- package/rulesets/adr/generated/adr-0094-multi-agent-handoff-and-task-delegation-standards.rules.json +29 -0
- package/rulesets/adr/generated/adr-0095-serverless-architecture-governance.rules.json +29 -0
- package/rulesets/adr/generated/adr-0096-edge-computing-architecture-governance.rules.json +29 -0
- package/rulesets/adr/generated/adr-0097-knowledge-lifecycle-governance-standard.rules.json +29 -0
- package/rulesets/adr/generated/adr-0098-rest-uri-versioning-and-deprecation-policy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0099-opa-bundle-distribution-via-s3-minio.rules.json +27 -0
- package/rulesets/adr/generated/adr-ai-augmented-0001-harness-engineering-for-ai-augmented-development.rules.json +29 -0
- package/rulesets/adr/generated/adr-ai-augmented-0002-mcp-integration-protocol-for-agent-tool-invocation.rules.json +29 -0
- package/rulesets/adr/generated/adr-ai-augmented-0003-model-selection-governance-for-ai-augmented-workflows.rules.json +29 -0
- package/rulesets/adr/generated/adr-ai-augmented-0004-agents-md-as-mandatory-repository-artifact.rules.json +29 -0
- package/rulesets/adr/generated/adr-ai-augmented-0005-human-in-the-loop-policy-for-autonomous-agent-operations.rules.json +29 -0
- package/rulesets/adr/generated/adr-android-0042-canonical-android-native-mobile-architecture.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0041-canonical-net-c-backend-architecture.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0060-net-multi-tenancy-dual-layer-strategy-ef-core-sql-server.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0061-transactional-event-lifecycle-in-ef-core.rules.json +28 -0
- package/rulesets/adr/generated/adr-dotnet-0062-net-immutable-audit-trail-via-ddl-triggers-delta-capture.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0063-b2b-request-idempotency-middleware-in-asp-net-core.rules.json +28 -0
- package/rulesets/adr/generated/adr-dotnet-0064-net-request-scope-observability-context-propagation.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0065-net-pii-safe-structured-logging-pipeline-serilog.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0066-net-lightweight-http-idempotency-via-imemorycache-idistribut.rules.json +28 -0
- package/rulesets/adr/generated/adr-dotnet-0069-net-grpc-service-setup-protobuf-contracts.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0070-net-api-endpoint-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0071-net-data-access-strategy-ef-core-as-default-orm-dapper-for-o.rules.json +27 -0
- package/rulesets/adr/generated/adr-dotnet-0072-net-aop-cross-cutting-concern-strategy-dispatchproxy-over-pi.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0003-strict-typescript-standards.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0004-frontend-offline-resilience.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0007-observability-with-opentelemetry-loki-and-jaeger.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0008-progressive-multi-module-evolution-with-api-gateway-and-bff-.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0012-advanced-authorization-rbac-abac-strategy.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0021-high-performance-authentication-graph-compilation.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0022-contextual-authentication-and-pluggable-output-projections.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0023-centralized-authorization-core-strategy.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0026-adaptive-mfa-and-passwordless-platform.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0027-dual-protocol-api-strategy-rest-grpc.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0029-adoption-of-tactical-ddd-primitives-library.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0038-enterprise-error-handling-result-pattern-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0043-data-access-and-orm-strategy-for-node-js.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0044-frontend-clean-architecture-layer-boundaries-react.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0045-frontend-state-management-zustand-tanstack-query-dual-strate.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0046-prohibition-of-raw-technical-identifiers-in-user-interfaces.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0047-actionable-user-error-contract-and-correlated-diagnostics.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0048-feature-flag-system-scope-and-structured-criteria-model.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0074-monorepo-orchestration-with-nx.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0075-application-gateway-bff-with-nestjs.rules.json +29 -0
- package/rulesets/architecture/README.es.md +21 -0
- package/rulesets/architecture/README.md +21 -0
- package/rulesets/architecture/opa/progressive-axis.rego +50 -0
- package/rulesets/cli/README.es.md +17 -0
- package/rulesets/cli/README.md +17 -0
- package/rulesets/cli/core-parity.rules.json +61 -0
- package/rulesets/cli/release-readiness.rules.json +77 -0
- package/rulesets/compliance-baseline/README.es.md +26 -0
- package/rulesets/compliance-baseline/README.md +26 -0
- package/rulesets/compliance-baseline/compliance-baseline.rules.json +81 -0
- package/rulesets/contracts/README.es.md +19 -0
- package/rulesets/contracts/README.md +19 -0
- package/rulesets/contracts/evolith-machine-contracts.json +29 -0
- package/rulesets/contracts/fixtures/gate-evidence.success.json +10 -0
- package/rulesets/contracts/fixtures/output-envelope.success.json +23 -0
- package/rulesets/cross-cutting/README.es.md +14 -0
- package/rulesets/cross-cutting/README.md +14 -0
- package/rulesets/cross-cutting/compliance-baseline.rules.json +81 -0
- package/rulesets/cross-cutting/definition-of-done.rules.json +135 -0
- package/rulesets/cross-cutting/engineering-manifesto.rules.json +145 -0
- package/rulesets/cross-cutting/repository-taxonomy.rules.json +172 -0
- package/rulesets/definition-of-done/README.es.md +26 -0
- package/rulesets/definition-of-done/README.md +26 -0
- package/rulesets/definition-of-done/definition-of-done.rules.json +135 -0
- package/rulesets/engineering-manifesto/README.es.md +26 -0
- package/rulesets/engineering-manifesto/README.md +26 -0
- package/rulesets/engineering-manifesto/engineering-manifesto.rules.json +145 -0
- package/rulesets/evidence/README.es.md +12 -0
- package/rulesets/evidence/README.md +12 -0
- package/rulesets/evidence/evidence-manifest.rules.json +48 -0
- package/rulesets/executive-scorecards/executive-scorecards.rules.es.json +213 -0
- package/rulesets/executive-scorecards/executive-scorecards.rules.json +213 -0
- package/rulesets/governance/README.es.md +13 -0
- package/rulesets/governance/README.md +13 -0
- package/rulesets/governance/abac-mcp-access.rules.es.json +41 -0
- package/rulesets/governance/abac-mcp-access.rules.json +41 -0
- package/rulesets/governance/executive-scorecards.rules.es.json +213 -0
- package/rulesets/governance/executive-scorecards.rules.json +213 -0
- package/rulesets/governance/inheritance.rules.json +115 -0
- package/rulesets/governance/knowledge-intake.rules.json +18 -0
- package/rulesets/governance/open-core-boundary.rules.es.json +148 -0
- package/rulesets/governance/open-core-boundary.rules.json +148 -0
- package/rulesets/governance/satellite-contracts.rules.json +183 -0
- package/rulesets/infrastructure/helm-enforcement.rules.json +21 -0
- package/rulesets/infrastructure/opa/helm-enforcement.rego +25 -0
- package/rulesets/infrastructure/opa/helm-enforcement.test.rego +31 -0
- package/rulesets/infrastructure/opa/opa-sidecar-bundle.rego +115 -0
- package/rulesets/infrastructure/opa/opa-sidecar-bundle.test.rego +66 -0
- package/rulesets/infrastructure/opa-sidecar-bundle.rules.json +18 -0
- package/rulesets/mcp/README.es.md +12 -0
- package/rulesets/mcp/README.md +12 -0
- package/rulesets/mcp/protocol-compliance.rules.json +57 -0
- package/rulesets/observability/README.es.md +12 -0
- package/rulesets/observability/README.md +12 -0
- package/rulesets/observability/telemetry-evidence.rules.json +48 -0
- package/rulesets/opa/README.es.md +22 -0
- package/rulesets/opa/README.md +22 -0
- package/rulesets/opa/abac-mcp-tool-access.rego +122 -0
- package/rulesets/opa/abac-mcp-tool-access.test.rego +33 -0
- package/rulesets/opa/anti-corruption-layer.rego +39 -0
- package/rulesets/opa/anti-corruption-layer.test.rego +118 -0
- package/rulesets/opa/ci-cd.rego +41 -0
- package/rulesets/opa/ci-cd.test.rego +23 -0
- package/rulesets/opa/cicd-quality-gates.rego +29 -0
- package/rulesets/opa/cicd-quality-gates.test.rego +54 -0
- package/rulesets/opa/cli-core-parity.rego +17 -0
- package/rulesets/opa/cli-core-parity.test.rego +39 -0
- package/rulesets/opa/cli-readiness.rego +32 -0
- package/rulesets/opa/cli-readiness.test.rego +23 -0
- package/rulesets/opa/cli-release-readiness.rego +21 -0
- package/rulesets/opa/cli-release-readiness.test.rego +46 -0
- package/rulesets/opa/compliance-baseline.rego +95 -0
- package/rulesets/opa/compliance-baseline.test.rego +89 -0
- package/rulesets/opa/dod.rego +42 -0
- package/rulesets/opa/dod.test.rego +250 -0
- package/rulesets/opa/engineering-manifesto.rego +78 -0
- package/rulesets/opa/engineering-manifesto.test.rego +133 -0
- package/rulesets/opa/evidence.rego +64 -0
- package/rulesets/opa/evidence.test.rego +23 -0
- package/rulesets/opa/executive-scorecards.rego +41 -0
- package/rulesets/opa/executive-scorecards.test.rego +60 -0
- package/rulesets/opa/gitflow-branching.rego +41 -0
- package/rulesets/opa/gitflow-branching.test.rego +60 -0
- package/rulesets/opa/governance.rego +39 -0
- package/rulesets/opa/governance.test.rego +23 -0
- package/rulesets/opa/hexagonal-architecture.rego +33 -0
- package/rulesets/opa/hexagonal-architecture.test.rego +57 -0
- package/rulesets/opa/infrastructure/helm-enforcement.rego +33 -0
- package/rulesets/opa/infrastructure/opa-sidecar-bundle.rego +42 -0
- package/rulesets/opa/knowledge-intake.rego +98 -0
- package/rulesets/opa/knowledge-intake.test.rego +50 -0
- package/rulesets/opa/main.rego +147 -0
- package/rulesets/opa/main_test.rego +149 -0
- package/rulesets/opa/mcp.rego +61 -0
- package/rulesets/opa/mcp.test.rego +27 -0
- package/rulesets/opa/multi-runtime.rego +33 -0
- package/rulesets/opa/multi-runtime.test.rego +53 -0
- package/rulesets/opa/multi-tenancy.rego +33 -0
- package/rulesets/opa/multi-tenancy.test.rego +53 -0
- package/rulesets/opa/open-core-boundary.rego +33 -0
- package/rulesets/opa/open-core-boundary.test.rego +60 -0
- package/rulesets/opa/protocol-selection.rego +29 -0
- package/rulesets/opa/protocol-selection.test.rego +46 -0
- package/rulesets/opa/rbac/gate-role-enforcement.rego +112 -0
- package/rulesets/opa/repository-taxonomy.rego +98 -0
- package/rulesets/opa/repository-taxonomy.test.rego +91 -0
- package/rulesets/opa/satellite-contracts.rego +42 -0
- package/rulesets/opa/satellite-contracts.test.rego +70 -0
- package/rulesets/opa/schemas/abac-mcp-tool-access.input.schema.json +21 -0
- package/rulesets/opa/schemas/anti-corruption-layer.input.schema.json +25 -0
- package/rulesets/opa/schemas/ci-cd.input.schema.json +27 -0
- package/rulesets/opa/schemas/cicd-quality-gates.input.schema.json +33 -0
- package/rulesets/opa/schemas/cli-core-parity.input.schema.json +30 -0
- package/rulesets/opa/schemas/cli-readiness.input.schema.json +28 -0
- package/rulesets/opa/schemas/cli-release-readiness.input.schema.json +26 -0
- package/rulesets/opa/schemas/compliance-baseline.input.schema.json +25 -0
- package/rulesets/opa/schemas/dod.input.schema.json +38 -0
- package/rulesets/opa/schemas/engineering-manifesto.input.schema.json +24 -0
- package/rulesets/opa/schemas/evidence.input.schema.json +35 -0
- package/rulesets/opa/schemas/executive-scorecards.input.schema.json +36 -0
- package/rulesets/opa/schemas/gitflow-branching.input.schema.json +36 -0
- package/rulesets/opa/schemas/governance.input.schema.json +19 -0
- package/rulesets/opa/schemas/hexagonal-architecture.input.schema.json +46 -0
- package/rulesets/opa/schemas/knowledge-intake.input.schema.json +57 -0
- package/rulesets/opa/schemas/mcp.input.schema.json +38 -0
- package/rulesets/opa/schemas/multi-runtime.input.schema.json +27 -0
- package/rulesets/opa/schemas/multi-tenancy.input.schema.json +27 -0
- package/rulesets/opa/schemas/open-core-boundary.input.schema.json +36 -0
- package/rulesets/opa/schemas/protocol-selection.input.schema.json +26 -0
- package/rulesets/opa/schemas/repository-taxonomy.input.schema.json +18 -0
- package/rulesets/opa/schemas/satellite-contracts.input.schema.json +38 -0
- package/rulesets/opa/schemas/taxonomy.input.schema.json +27 -0
- package/rulesets/opa/schemas/testing-pyramid.input.schema.json +42 -0
- package/rulesets/opa/schemas/version-pinning.input.schema.json +39 -0
- package/rulesets/opa/sdlc/coverage.rego +49 -0
- package/rulesets/opa/sdlc/coverage.test.rego +29 -0
- package/rulesets/opa/sdlc/pyramid-distribution.rego +31 -0
- package/rulesets/opa/sdlc/pyramid-distribution.test.rego +33 -0
- package/rulesets/opa/taxonomy.rego +51 -0
- package/rulesets/opa/taxonomy.test.rego +28 -0
- package/rulesets/opa/telemetry-evidence.rego +102 -0
- package/rulesets/opa/testing-pyramid.rego +49 -0
- package/rulesets/opa/testing-pyramid.test.rego +81 -0
- package/rulesets/opa/version-pinning.rego +99 -0
- package/rulesets/opa/version-pinning.test.rego +28 -0
- package/rulesets/phase-gates/README.es.md +28 -0
- package/rulesets/phase-gates/README.md +28 -0
- package/rulesets/phase-gates/phase-gates.rules.json +297 -0
- package/rulesets/quality-thresholds/README.es.md +28 -0
- package/rulesets/quality-thresholds/README.md +28 -0
- package/rulesets/quality-thresholds/quality-thresholds.rules.json +96 -0
- package/rulesets/repository-taxonomy/README.es.md +26 -0
- package/rulesets/repository-taxonomy/README.md +26 -0
- package/rulesets/repository-taxonomy/repository-taxonomy.rules.json +172 -0
- package/rulesets/satellite-contracts/README.es.md +27 -0
- package/rulesets/satellite-contracts/README.md +27 -0
- package/rulesets/satellite-contracts/satellite-contracts.rules.json +183 -0
- package/rulesets/schema/README.es.md +39 -0
- package/rulesets/schema/README.md +39 -0
- package/rulesets/schema/adr.schema.json +138 -0
- package/rulesets/schema/agile-backlog.schema.json +91 -0
- package/rulesets/schema/ballpark-estimation.schema.json +109 -0
- package/rulesets/schema/build-vs-compose.schema.json +98 -0
- package/rulesets/schema/cli-impact-analysis.schema.json +114 -0
- package/rulesets/schema/discovery-canvas.schema.json +92 -0
- package/rulesets/schema/evolith-user-story.schema.json +105 -0
- package/rulesets/schema/evolith-yaml.schema.json +191 -0
- package/rulesets/schema/functional-story.schema.json +111 -0
- package/rulesets/schema/gate-evidence.schema.json +85 -0
- package/rulesets/schema/integration-evidence.schema.json +47 -0
- package/rulesets/schema/knowledge-intake.schema.json +67 -0
- package/rulesets/schema/knowledge-projection.schema.json +24 -0
- package/rulesets/schema/maturity-evidence.schema.json +59 -0
- package/rulesets/schema/observability-validation.schema.json +85 -0
- package/rulesets/schema/on-call-handoff.schema.json +91 -0
- package/rulesets/schema/output-envelope.schema.json +102 -0
- package/rulesets/schema/prd.schema.json +117 -0
- package/rulesets/schema/release-notes.schema.json +138 -0
- package/rulesets/schema/rollback-rehearsal.schema.json +73 -0
- package/rulesets/schema/ruleset-sdlc.schema.json +59 -0
- package/rulesets/schema/ruleset-standard.schema.json +73 -0
- package/rulesets/schema/security-scan-report.schema.json +79 -0
- package/rulesets/schema/source-registry.schema.json +51 -0
- package/rulesets/schema/technical-feasibility.schema.json +66 -0
- package/rulesets/schema/technical-story.schema.json +112 -0
- package/rulesets/schema/test-summary-report.schema.json +158 -0
- package/rulesets/schema/topology-composition.schema.json +43 -0
- package/rulesets/schema/topology-manifest.schema.json +421 -0
- package/rulesets/sdlc/README.es.md +12 -0
- package/rulesets/sdlc/README.md +12 -0
- package/rulesets/sdlc/default-workflow.yaml +73 -0
- package/rulesets/sdlc/dependency-pinning.rules.json +183 -0
- package/rulesets/sdlc/phase-gates.rules.json +297 -0
- package/rulesets/sdlc/quality-thresholds.rules.json +96 -0
- package/rulesets/topologies/README.es.md +42 -0
- package/rulesets/topologies/README.md +42 -0
- package/rulesets/topologies/agentic-ai/README.es.md +142 -0
- package/rulesets/topologies/agentic-ai/README.md +142 -0
- package/rulesets/topologies/agentic-ai/adoption.es.md +37 -0
- package/rulesets/topologies/agentic-ai/adoption.md +37 -0
- package/rulesets/topologies/agentic-ai/agent.config.schema.json +100 -0
- package/rulesets/topologies/agentic-ai/agentic-ai.rego +46 -0
- package/rulesets/topologies/agentic-ai/agentic-ai.rules.json +109 -0
- package/rulesets/topologies/agentic-ai/agentic-ai.test.rego +68 -0
- package/rulesets/topologies/agentic-ai/agentic-ai.wasm +0 -0
- package/rulesets/topologies/agentic-ai/cli/cli-flows.es.md +35 -0
- package/rulesets/topologies/agentic-ai/cli/cli-flows.md +45 -0
- package/rulesets/topologies/agentic-ai/evidence.es.md +25 -0
- package/rulesets/topologies/agentic-ai/evidence.md +25 -0
- package/rulesets/topologies/agentic-ai/evolution.es.md +26 -0
- package/rulesets/topologies/agentic-ai/evolution.md +26 -0
- package/rulesets/topologies/agentic-ai/fixtures/invalid-agent.config.json +48 -0
- package/rulesets/topologies/agentic-ai/fixtures/valid-agent.config.json +48 -0
- package/rulesets/topologies/agentic-ai/maturity.es.md +33 -0
- package/rulesets/topologies/agentic-ai/maturity.md +33 -0
- package/rulesets/topologies/agentic-ai/mcp/mcp-manifest.json +100 -0
- package/rulesets/topologies/agentic-ai/openapi/openapi.yaml +187 -0
- package/rulesets/topologies/agentic-ai/operations.es.md +32 -0
- package/rulesets/topologies/agentic-ai/operations.md +32 -0
- package/rulesets/topologies/agentic-ai/parity-fixtures/compliant.json +18 -0
- package/rulesets/topologies/agentic-ai/parity-fixtures/violation.json +22 -0
- package/rulesets/topologies/agentic-ai/patterns.es.md +32 -0
- package/rulesets/topologies/agentic-ai/patterns.md +32 -0
- package/rulesets/topologies/agentic-ai/resilience.es.md +26 -0
- package/rulesets/topologies/agentic-ai/resilience.md +26 -0
- package/rulesets/topologies/agentic-ai/runbooks.es.md +48 -0
- package/rulesets/topologies/agentic-ai/runbooks.md +48 -0
- package/rulesets/topologies/agentic-ai/security.es.md +26 -0
- package/rulesets/topologies/agentic-ai/security.md +26 -0
- package/rulesets/topologies/agentic-ai/topology.manifest.json +127 -0
- package/rulesets/topologies/data-mesh/README.es.md +69 -0
- package/rulesets/topologies/data-mesh/README.md +69 -0
- package/rulesets/topologies/data-mesh/adoption.es.md +95 -0
- package/rulesets/topologies/data-mesh/adoption.md +95 -0
- package/rulesets/topologies/data-mesh/cli/cli-flows.es.md +41 -0
- package/rulesets/topologies/data-mesh/cli/cli-flows.md +53 -0
- package/rulesets/topologies/data-mesh/data-mesh.rego +11 -0
- package/rulesets/topologies/data-mesh/data-mesh.rules.json +100 -0
- package/rulesets/topologies/data-mesh/data-mesh.test.rego +107 -0
- package/rulesets/topologies/data-mesh/data-mesh.wasm +0 -0
- package/rulesets/topologies/data-mesh/evidence.es.md +111 -0
- package/rulesets/topologies/data-mesh/evidence.md +111 -0
- package/rulesets/topologies/data-mesh/evolution.es.md +67 -0
- package/rulesets/topologies/data-mesh/evolution.md +67 -0
- package/rulesets/topologies/data-mesh/fixtures/invalid.topology.config.json +12 -0
- package/rulesets/topologies/data-mesh/fixtures/valid.topology.config.json +12 -0
- package/rulesets/topologies/data-mesh/maturity.es.md +36 -0
- package/rulesets/topologies/data-mesh/maturity.md +36 -0
- package/rulesets/topologies/data-mesh/mcp/mcp-manifest.json +68 -0
- package/rulesets/topologies/data-mesh/openapi/openapi.yaml +186 -0
- package/rulesets/topologies/data-mesh/operations.es.md +63 -0
- package/rulesets/topologies/data-mesh/operations.md +63 -0
- package/rulesets/topologies/data-mesh/parity-fixtures/compliant.json +18 -0
- package/rulesets/topologies/data-mesh/parity-fixtures/violation.json +21 -0
- package/rulesets/topologies/data-mesh/patterns.es.md +67 -0
- package/rulesets/topologies/data-mesh/patterns.md +67 -0
- package/rulesets/topologies/data-mesh/resilience.es.md +64 -0
- package/rulesets/topologies/data-mesh/resilience.md +64 -0
- package/rulesets/topologies/data-mesh/runbooks.es.md +147 -0
- package/rulesets/topologies/data-mesh/runbooks.md +147 -0
- package/rulesets/topologies/data-mesh/security.es.md +66 -0
- package/rulesets/topologies/data-mesh/security.md +66 -0
- package/rulesets/topologies/data-mesh/topology.config.schema.json +30 -0
- package/rulesets/topologies/data-mesh/topology.manifest.json +107 -0
- package/rulesets/topologies/edge-computing/README.es.md +81 -0
- package/rulesets/topologies/edge-computing/README.md +81 -0
- package/rulesets/topologies/edge-computing/adoption.es.md +268 -0
- package/rulesets/topologies/edge-computing/adoption.md +268 -0
- package/rulesets/topologies/edge-computing/cli/cli-flows.es.md +41 -0
- package/rulesets/topologies/edge-computing/cli/cli-flows.md +53 -0
- package/rulesets/topologies/edge-computing/edge-computing.rego +41 -0
- package/rulesets/topologies/edge-computing/edge-computing.rules.json +50 -0
- package/rulesets/topologies/edge-computing/edge-computing.test.rego +33 -0
- package/rulesets/topologies/edge-computing/edge-computing.wasm +0 -0
- package/rulesets/topologies/edge-computing/evidence.es.md +263 -0
- package/rulesets/topologies/edge-computing/evidence.md +263 -0
- package/rulesets/topologies/edge-computing/evolution.es.md +257 -0
- package/rulesets/topologies/edge-computing/evolution.md +257 -0
- package/rulesets/topologies/edge-computing/fixtures/invalid.topology.config.json +6 -0
- package/rulesets/topologies/edge-computing/fixtures/valid.topology.config.json +6 -0
- package/rulesets/topologies/edge-computing/maturity.es.md +36 -0
- package/rulesets/topologies/edge-computing/maturity.md +36 -0
- package/rulesets/topologies/edge-computing/mcp/mcp-manifest.json +72 -0
- package/rulesets/topologies/edge-computing/openapi/openapi.yaml +187 -0
- package/rulesets/topologies/edge-computing/operations.es.md +148 -0
- package/rulesets/topologies/edge-computing/operations.md +148 -0
- package/rulesets/topologies/edge-computing/parity-fixtures/compliant.json +12 -0
- package/rulesets/topologies/edge-computing/parity-fixtures/violation.json +13 -0
- package/rulesets/topologies/edge-computing/patterns.es.md +291 -0
- package/rulesets/topologies/edge-computing/patterns.md +290 -0
- package/rulesets/topologies/edge-computing/resilience.es.md +232 -0
- package/rulesets/topologies/edge-computing/resilience.md +229 -0
- package/rulesets/topologies/edge-computing/runbooks.es.md +405 -0
- package/rulesets/topologies/edge-computing/runbooks.md +405 -0
- package/rulesets/topologies/edge-computing/security.es.md +218 -0
- package/rulesets/topologies/edge-computing/security.md +218 -0
- package/rulesets/topologies/edge-computing/topology.config.schema.json +13 -0
- package/rulesets/topologies/edge-computing/topology.manifest.json +113 -0
- package/rulesets/topologies/event-driven/README.es.md +71 -0
- package/rulesets/topologies/event-driven/README.md +71 -0
- package/rulesets/topologies/event-driven/adoption.es.md +67 -0
- package/rulesets/topologies/event-driven/adoption.md +67 -0
- package/rulesets/topologies/event-driven/cli/cli-flows.es.md +41 -0
- package/rulesets/topologies/event-driven/cli/cli-flows.md +53 -0
- package/rulesets/topologies/event-driven/event-driven.rego +11 -0
- package/rulesets/topologies/event-driven/event-driven.rules.json +100 -0
- package/rulesets/topologies/event-driven/event-driven.test.rego +107 -0
- package/rulesets/topologies/event-driven/event-driven.wasm +0 -0
- package/rulesets/topologies/event-driven/evidence.es.md +69 -0
- package/rulesets/topologies/event-driven/evidence.md +69 -0
- package/rulesets/topologies/event-driven/evolution.es.md +59 -0
- package/rulesets/topologies/event-driven/evolution.md +59 -0
- package/rulesets/topologies/event-driven/fixtures/invalid.topology.config.json +12 -0
- package/rulesets/topologies/event-driven/fixtures/valid.topology.config.json +12 -0
- package/rulesets/topologies/event-driven/maturity.es.md +36 -0
- package/rulesets/topologies/event-driven/maturity.md +36 -0
- package/rulesets/topologies/event-driven/mcp/mcp-manifest.json +68 -0
- package/rulesets/topologies/event-driven/openapi/openapi.yaml +186 -0
- package/rulesets/topologies/event-driven/operations.es.md +67 -0
- package/rulesets/topologies/event-driven/operations.md +67 -0
- package/rulesets/topologies/event-driven/parity-fixtures/compliant.json +18 -0
- package/rulesets/topologies/event-driven/parity-fixtures/violation.json +21 -0
- package/rulesets/topologies/event-driven/patterns.es.md +68 -0
- package/rulesets/topologies/event-driven/patterns.md +68 -0
- package/rulesets/topologies/event-driven/resilience.es.md +65 -0
- package/rulesets/topologies/event-driven/resilience.md +65 -0
- package/rulesets/topologies/event-driven/runbooks.es.md +79 -0
- package/rulesets/topologies/event-driven/runbooks.md +79 -0
- package/rulesets/topologies/event-driven/security.es.md +59 -0
- package/rulesets/topologies/event-driven/security.md +59 -0
- package/rulesets/topologies/event-driven/topology.config.schema.json +30 -0
- package/rulesets/topologies/event-driven/topology.manifest.json +109 -0
- package/rulesets/topologies/progressive-axis/distributed-modules/distributed-modules.rules.es.json +111 -0
- package/rulesets/topologies/progressive-axis/distributed-modules/distributed-modules.rules.json +111 -0
- package/rulesets/topologies/progressive-axis/microservices/microservices.rules.es.json +106 -0
- package/rulesets/topologies/progressive-axis/microservices/microservices.rules.json +106 -0
- package/rulesets/topologies/progressive-axis/modular-monolith/modular-monolith.rules.es.json +148 -0
- package/rulesets/topologies/progressive-axis/modular-monolith/modular-monolith.rules.json +148 -0
- package/rulesets/topologies/serverless/README.es.md +74 -0
- package/rulesets/topologies/serverless/README.md +74 -0
- package/rulesets/topologies/serverless/adoption.es.md +50 -0
- package/rulesets/topologies/serverless/adoption.md +50 -0
- package/rulesets/topologies/serverless/cli/cli-flows.es.md +41 -0
- package/rulesets/topologies/serverless/cli/cli-flows.md +53 -0
- package/rulesets/topologies/serverless/evidence.es.md +66 -0
- package/rulesets/topologies/serverless/evidence.md +66 -0
- package/rulesets/topologies/serverless/evolution.es.md +36 -0
- package/rulesets/topologies/serverless/evolution.md +36 -0
- package/rulesets/topologies/serverless/fixtures/invalid.topology.config.json +6 -0
- package/rulesets/topologies/serverless/fixtures/valid.topology.config.json +6 -0
- package/rulesets/topologies/serverless/maturity.es.md +36 -0
- package/rulesets/topologies/serverless/maturity.md +36 -0
- package/rulesets/topologies/serverless/mcp/mcp-manifest.json +72 -0
- package/rulesets/topologies/serverless/openapi/openapi.yaml +186 -0
- package/rulesets/topologies/serverless/operations.es.md +36 -0
- package/rulesets/topologies/serverless/operations.md +36 -0
- package/rulesets/topologies/serverless/parity-fixtures/compliant.json +13 -0
- package/rulesets/topologies/serverless/parity-fixtures/violation.json +15 -0
- package/rulesets/topologies/serverless/patterns.es.md +36 -0
- package/rulesets/topologies/serverless/patterns.md +36 -0
- package/rulesets/topologies/serverless/resilience.es.md +36 -0
- package/rulesets/topologies/serverless/resilience.md +36 -0
- package/rulesets/topologies/serverless/runbooks.es.md +68 -0
- package/rulesets/topologies/serverless/runbooks.md +68 -0
- package/rulesets/topologies/serverless/security.es.md +36 -0
- package/rulesets/topologies/serverless/security.md +36 -0
- package/rulesets/topologies/serverless/serverless.rego +32 -0
- package/rulesets/topologies/serverless/serverless.rules.json +33 -0
- package/rulesets/topologies/serverless/serverless.test.rego +28 -0
- package/rulesets/topologies/serverless/serverless.wasm +0 -0
- package/rulesets/topologies/serverless/topology.config.schema.json +28 -0
- package/rulesets/topologies/serverless/topology.manifest.json +114 -0
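--- a/package/rulesets/topologies/edge-computing/runbooks.md
+++ b/package/rulesets/topologies/edge-computing/runbooks.md
@@ -0,0 +1,405 @@
+# Edge Computing — Runbooks Guide
+
+> **Bilingual Navigation:** [English](./runbooks.md) | [Español](./runbooks.es.md)
+
+**Owner:** Platform Engineering
+**Topology:** Edge Computing
+
+## Runbook 1: Node Failure
+
+Handle edge node failures gracefully to maintain service availability.
+
+### Detection
+
+```bash
+# Detect node failure
+edge-cli node status --node edge-node-01
+
+# Alert triggers:
+# - Node unreachable for > 30s
+# - Health check failure > 3 consecutive
+# - Resource exhaustion (CPU > 95%, Memory > 95%)
+```
+
+### Triage
+
+1. **Check node status**: Is the node completely down or partially degraded?
+2. **Check network connectivity**: Can we reach the node from the control plane?
+3. **Check node logs**: What errors are being reported?
+4. **Check origin status**: Is the origin healthy?
+
+### Remediation
+
+```bash
+# Step 1: Check node health
+edge-cli health check --node edge-node-01 --verbose
+
+# Step 2: If node is unreachable, attempt restart
+edge-cli node restart --node edge-node-01 --force
+
+# Step 3: If restart fails, drain traffic
+edge-cli traffic drain --node edge-node-01 --duration 30s
+
+# Step 4: If node is unrecoverable, replace
+edge-cli node replace \
+--old-node edge-node-01 \
+--new-node edge-node-01-new \
+--migrate-state
+```
+
+### Verification
+
+```bash
+# Verify node recovery
+edge-cli health check --node edge-node-01-new --wait 60s
+
+# Check traffic distribution
+edge-cli traffic status --fleet-wide
+
+# Verify sync status
+edge-cli sync status --node edge-node-01-new
+```
+
+---
+
+## Runbook 2: Content Invalidation
+
+Invalidate stale or incorrect content across the edge fleet.
+
+### When to Use
+
+- Content update deployed but not reflected
+- Security vulnerability in cached content
+- Data corruption detected
+- Compliance requirement to remove content
+
+### Invalidation Process
+
+```bash
+# Step 1: Identify affected content
+edge-cli cache search --pattern "/api/v1/products/*" --output affected.json
+
+# Step 2: Preview invalidation
+edge-cli cache invalidate --file affected.json --dry-run
+
+# Step 3: Execute invalidation
+edge-cli cache invalidate --file affected.json --confirm
+
+# Step 4: Monitor invalidation progress
+edge-cli cache invalidation status --watch
+```
+
+### Partial Invalidation
+
+```bash
+# Invalidate specific content types
+edge-cli cache invalidate \
+--pattern "/static/js/*" \
+--reason "security-patch"
+
+# Invalidate by tag
+edge-cli cache invalidate \
+--tag "product-images" \
+--reason "content-update"
+```
+
+### Verification
+
+```bash
+# Verify invalidation completed
+edge-cli cache stats --fleet-wide --content-type "js"
+
+# Check for stale content
+edge-cli cache audit --max-age 0 --pattern "/api/v1/products/*"
+```
+
+---
+
+## Runbook 3: Sync Conflict Resolution
+
+Handle synchronization conflicts between edge nodes and origin.
+
+### Detection
+
+```bash
+# Monitor sync conflicts
+edge-cli sync conflicts monitor --alert-threshold 10
+
+# Check conflict details
+edge-cli sync conflicts list --node edge-node-01 --output conflicts.json
+```
+
+### Analysis
+
+```bash
+# Analyze conflict patterns
+edge-cli sync conflicts analyze --period 1h
+
+# Output:
+# TOTAL_CONFLICTS: 23
+# BY_TYPE:
+# - write-write: 15
+# - delete-update: 5
+# - concurrent-create: 3
+# BY_RESOURCE:
+# - user/preferences: 12
+# - cart/items: 8
+# - session/data: 3
+```
+
+### Resolution
+
+```bash
+# Auto-resolve simple conflicts
+edge-cli sync conflicts resolve \
+--strategy last-write-wins \
+--filter "type:write-write"
+
+# Manual resolution for complex conflicts
+edge-cli sync conflicts resolve \
+--conflict-id conflict-123 \
+--resolution manual \
+--keep "origin" \
+--merge-strategy "deep-merge"
+
+# Force resolution with audit trail
+edge-cli sync conflicts force-resolve \
+--conflict-id conflict-123 \
+--resolution "user:admin@example.com" \
+--reason "manual-override" \
+--audit
+```
+
+### Prevention
+
+```bash
+# Enable optimistic locking
+edge-cli sync config set --optimistic-locking true
+
+# Configure conflict-free CRDTs for critical data
+edge-cli sync config set \
+--resource "user/preferences" \
+--strategy crdt \
+--type lww-register
+```
+
+---
+
+## Runbook 4: Node Recovery
+
+Recover a failed or degraded edge node to full operation.
+
+### Assessment
+
+```bash
+# Assess node state
+edge-cli node assess --node edge-node-01
+
+# Output:
+# NODE: edge-node-01
+# STATE: degraded
+# ISSUES:
+# - disk_usage: 92% (critical)
+# - sync_lag: 45s (warning)
+# - cert_expiry: 2026-07-15 (ok)
+# RECOMMENDATION: cleanup disk, force sync
+```
+
+### Recovery Steps
+
+```bash
+# Step 1: Clean up disk space
+edge-cli node cleanup \
+--node edge-node-01 \
+--purge-stale-cache \
+--remove-old-logs \
+--compact-database
+
+# Step 2: Force sync with origin
+edge-cli sync force \
+--node edge-node-01 \
+--full \
+--timeout 300s
+
+# Step 3: Restart node services
+edge-cli node restart \
+--node edge-node-01 \
+--services all \
+--grace-period 30s
+
+# Step 4: Verify recovery
+edge-cli health check --node edge-node-01 --wait 120s
+```
+
+### Post-Recovery Validation
+
+```bash
+# Run full validation suite
+edge-cli validate node --node edge-node-01 --comprehensive
+
+# Check traffic routing
+edge-cli traffic status --node edge-node-01
+
+# Monitor for 15 minutes
+edge-cli monitor --node edge-node-01 --duration 900s --alert-on-anomaly
+```
+
+---
+
+## Runbook 5: Offline Mode Operations
+
+Handle extended offline periods when edge nodes cannot reach origin.
+
+### Detection
+
+```bash
+# Monitor origin connectivity
+edge-cli connectivity status --node edge-node-01
+
+# Output:
+# NODE: edge-node-01
+# ORIGIN_STATUS: unreachable
+# LAST_CONTACT: 2026-06-23T10:15:00Z
+# DURATION: 45 minutes
+# MODE: offline
+# CACHED_CONTENT: 98.5% available
+```
+
+### Offline Mode Activation
+
+```bash
+# Verify offline mode is active
+edge-cli offline status --node edge-node-01
+
+# Check cached content availability
+edge-cli cache availability --node edge-node-01
+
+# Output:
+# TOTAL_CONTENT: 1,245 items
+# CACHED: 1,226 items (98.5%)
+# MISSING: 19 items (1.5%)
+# STALE: 234 items (18.8%)
+```
+
+### Operations During Offline
+
+```bash
+# Serve cached content
+edge-cli offline serve --node edge-node-01 --mode degraded
+
+# Queue writes for later sync
+edge-cli offline queue-status --node edge-node-01
+
+# Output:
+# QUEUED_WRITES: 45
+# QUEUED_SIZE: 128KB
+# ESTIMATED_SYNC_TIME: 30s (when online)
+```
+
+### Recovery from Offline
+
+```bash
+# Detect origin recovery
+edge-cli connectivity monitor --watch
+
+# Sync queued writes
+edge-cli sync process-queue --node edge-node-01
+
+# Verify all writes synced
+edge-cli sync queue-status --node edge-node-01
+```
+
+---
+
+## Runbook 6: Origin Failover
+
+Handle origin server failures by routing traffic to fallback origins.
+
+### Detection
+
+```bash
+# Monitor origin health
+edge-cli origin health --watch
+
+# Alert triggers:
+# - Origin response time > 500ms
+# - Origin error rate > 5%
+# - Origin connection failures > 3
+```
+
+### Failover Process
+
+```bash
+# Step 1: Verify origin failure
+edge-cli origin test --target primary --timeout 10s
+
+# Step 2: Activate failover
+edge-cli origin failover activate --reason "primary-origin-down"
+
+# Step 3: Verify failover routing
+edge-cli origin status --fleet-wide
+
+# Output:
+# PRIMARY: primary-origin.example.com (DOWN)
+# FAILOVER: failover-origin.example.com (ACTIVE)
+# TRAFFIC: 100% to failover
+# STATUS: degraded (reduced capacity)
+```
+
+### Monitoring During Failover
+
+```bash
+# Monitor failover performance
+edge-cli origin monitor --interval 30s
+
+# Check cache hit rates during failover
+edge-cli cache stats --fleet-wide --period 5m
+
+# Verify no data loss
+edge-cli sync verify --period 5m
+```
+
+### Recovery
+
+```bash
+# Verify primary origin recovery
+edge-cli origin test --target primary --continuous --duration 300s
+
+# Switch back to primary
+edge-cli origin failover deactivate --confirm
+
+# Verify normal routing
+edge-cli origin status --fleet-wide
+```
+
+---
+
+## Emergency Contacts
+
+| Role | Contact | Availability |
+|------|---------|--------------|
+| Edge Platform Lead | platform-lead@example.com | 24/7 |
+| On-Call Engineer | oncall-edge@example.com | 24/7 |
+| Security Team | security@example.com | Business hours |
+| Network Operations | netops@example.com | 24/7 |
+
+## Escalation Path
+
+```
+P1 (Service Down):
+→ On-Call Engineer (5 min)
+→ Platform Lead (15 min)
+→ VP Engineering (30 min)
+
+P2 (Degraded Performance):
+→ On-Call Engineer (15 min)
+→ Platform Lead (1 hour)
+→ VP Engineering (4 hours)
+
+P3 (Minor Issue):
+→ On-Call Engineer (1 hour)
+→ Platform Lead (next business day)
+```
+
+---
+[Back to Edge Computing Profile](./README.md)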
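--- a/package/rulesets/topologies/edge-computing/security.es.md
+++ b/package/rulesets/topologies/edge-computing/security.es.md
@@ -0,0 +1,218 @@
+# Guía de Seguridad de Computación en el Borde
+
+> **Navegación Bilingüe:** [English](./security.md) | [Español](./security.es.md)
+
+**Propietario:** Ingeniería de Plataforma
+**Topología:** Computación en el Borde
+
+## Autenticación en el Borde
+
+Los nodos del borde utilizan un enfoque de autenticación por capas: identidad del nodo, identidad del workload y tokens del cliente.
+
+### Identidad del Nodo
+
+Cada nodo del borde posee un certificado de identidad respaldado por hardware emitido durante el aprovisionamiento.
+
+```bash
+# Verificar identidad del nodo
+edge-cli auth node-identity verify \
+--node-id edge-node-01 \
+--check-cert-expiry
+
+# Salida:
+# NODE: edge-node-01
+# CERT_EXPIRY: 2027-06-23
+# TRUST_CHAIN: root-ca → intermediate-ca → node-cert
+# STATUS: valid
+```
+
+### Identidad del Workload
+
+Los workloads que se ejecutan en nodos del borde utilizan identidades basadas en SPIFFE para la autenticación entre servicios.
+
+```yaml
+spiffe:
+trust_domain: "edge.example.com"
+workload:
+path: "/compute/worker"
+selector:
+- "k8s:ns=edge-workloads"
+- "k8s:sa=edge-worker"
+```
+
+## Residencia de Datos
+
+Los despliegues del borde deben respetar los requisitos de residencia de datos según la ubicación geográfica de los nodos.
+
+### Motor de Políticas de Residencia
+
+```yaml
+residency:
+rules:
+- region: "eu-west-*"
+restrictions:
+- data_type: "pii"
+allowed_destinations: ["eu-west-1", "eu-central-1"]
+- data_type: "telemetry"
+allowed_destinations: ["eu-west-*"]
+- region: "us-*"
+restrictions:
+- data_type: "pii"
+allowed_destinations: ["us-*"]
+- region: "ap-*"
+restrictions:
+- data_type: "pii"
+allowed_destinations: ["ap-*"]
+```
+
+### Cumplimiento
+
+```bash
+# Auditar cumplimiento de residencia de datos
+edge-cli residency audit --fleet-wide --output report.json
+
+# Las violaciones activan remediación automática:
+# - PII transfronterizo: bloquear y alertar
+# - Fuga de telemetría: redirigir a región permitida
+```
+
+## Cifrado en Reposo
+
+Todos los datos persistentes en nodos del borde están cifrados usando AES-256-GCM.
+
+### Arquitectura de Cifrado
+
+| Categoría de Datos | Fuente de Clave | Rotación | Ámbito |
+|--------------------|-----------------|----------|--------|
+| Contenido en caché | KMS local del nodo | 24 horas | Por nodo |
+| Configuración | KMS central | 7 días | Toda la flota |
+| Registros | KMS local del nodo | 24 horas | Por nodo |
+| Secretos | Vault externo | Bajo demanda | Por workload |
+
+### Gestión de Claves
+
+```bash
+# Rotar claves de cifrado del borde
+edge-cli crypto rotate \
+--scope node-local \
+--algorithm aes-256-gcm \
+--grace-period 1h
+```
+
+## Seguridad de Red (EC-SEC-01)
+
+Los nodos del borde aplican políticas de seguridad de red a nivel de nodo.
+
+### Segmentación de Red
+
+```
+┌─────────────────────────────────────────────┐
+│ Red del Nodo del Borde │
+│ ┌───────────┐ ┌───────────┐ ┌─────────┐ │
+│ │ Segmento │ │ Segmento │ │Segmento │ │
+│ │ Cómputo │ │Almacenam. │ │Control │ │
+│ │ (VLAN 10) │ │ (VLAN 20) │ │(VLAN 30)│ │
+│ └───────────┘ └───────────┘ └─────────┘ │
+│ │ │ │ │
+│ └──────────────┼─────────────┘ │
+│ │ │
+│ ┌────┴────┐ │
+│ │Firewall │ │
+│ └────┬────┘ │
+│ │ │
+└────────────────────────┼─────────────────────┘
+│
+┌────┴────┐
+│ Origen │
+└─────────┘
+```
+
+### Reglas de Firewall
+
+```yaml
+firewall:
+ingress:
+- port: 443
+source: "client-cidrs"
+action: allow
+- port: 8443
+source: "peer-nodes"
+action: allow
+- port: 9090
+source: "monitoring-subnet"
+action: allow
+egress:
+- port: 443
+destination: "origin-servers"
+action: allow
+- port: 443
+destination: "kms-endpoints"
+action: allow
+- all: deny
+```
+
+## TLS Mutuo (EC-SEC-02)
+
+Toda la comunicación entre nodos del borde y entre el borde y el origen utiliza mTLS.
+
+### Configuración de Certificados
+
+```yaml
+mtls:
+enabled: true
+min_version: "1.3"
+cipher_suites:
+- "TLS_AES_256_GCM_SHA384"
+- "TLS_CHACHA20_POLY1305_SHA256"
+client_auth:
+required: true
+ca_bundle: "/etc/edge/ca-bundle.pem"
+cert_rotation:
+interval: 24h
+overlap: 1h
+```
+
+### Verificación de mTLS
+
+```bash
+# Probar conectividad mTLS entre nodos
+edge-cli mtls test \
+--source edge-node-01 \
+--target edge-node-02 \
+--verify-peer-cert
+
+# Salida:
+# SOURCE: edge-node-01
+# TARGET: edge-node-02
+# TLS_VERSION: 1.3
+# CIPHER: TLS_AES_256_GCM_SHA384
+# PEER_CERT_VALID: true
+# STATUS: passed
+```
+
+## Rotación de Secretos
+
+Los secretos en nodos del borde se rotan automáticamente para limitar la ventana de exposición.
+
+### Programación de Rotación
+
+| Tipo de Secreto | Intervalo de Rotación | Período de Gracia | Acción en Fallo |
+|-----------------|----------------------|-------------------|-----------------|
+| Certificado de identidad del nodo | 90 días | 24 horas | Alertar + degradar |
+| Tokens de API | 1 hora | 5 minutos | Actualizar en segundo plano |
+| Claves de cifrado | 24 horas | 1 hora | Encolar nueva clave |
+| Credenciales de base de datos | 7 días | 2 horas | Mantener conexión |
+
+### Orquestación de Rotación
+
+```bash
+# Activar rotación de secretos en toda la flota
+edge-cli secrets rotate \
+--scope fleet \
+--type all \
+--strategy rolling \
+--batch 10%
+```
+
+---
+[Volver al Perfil de Computación en el Borde](./README.es.md)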