hpydev/strata

Strata

AMI pipeline orchestration — build, scan, gate, and deploy Amazon Machine Images with full compliance traceability.

Strata uses Temporal durable workflows to run a five-stage pipeline that produces auditable evidence at every step. Gate failures pause the workflow for human review rather than failing outright, and all metadata is dual-written to PostgreSQL (operational queries) and S3 Parquet (compliance queries via Trino).

Architecture

flowchart LR
    A[Packer Build] --> B[Syft SBOM]
    B --> C[Grype Scan]
    C --> D{Quality Gate}
    D -- pass --> E[Metadata Write]
    D -- fail --> F[Human Review]
    F -- approve --> E
    F -- reject --> G[Tag & Retain AMI]
    E --> H[Karpenter Deploy]

    style D fill:#f9a825
    style F fill:#ef6c00,color:#fff

Pipeline activities:

  1. build_ami — Packer build with Ansible hardening, Syft SBOM generation
  2. scan_sbom — Grype CVE scan against the consolidated SBOM
  3. evaluate_gate — Quality gate blocking unfixed HIGH/CRITICAL CVEs (with package-level exceptions)
  4. write_metadata — Dual-write to PostgreSQL + S3 Parquet (queryable via Trino)
  5. update_karpenter_nodeclass — Patches EKS EC2NodeClass with the approved AMI
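The last activity, update_karpenter_nodeclass, is where the gate's verdict becomes enforceable: the node class has to end up selecting exactly the approved AMI and nothing else. The following is an added example written for this page, not code from the Strata worker. It builds the JSON merge patch body for that update, validates the AMI ID first, and applies the patch locally with RFC 7386 semantics to show why a merge patch is the right tool: it replaces spec.amiSelectorTerms wholesale, so a leftover name or alias term that could resolve to an un-gated image cannot survive next to the approved id. The field path spec.amiSelectorTerms[].id is Karpenter's EC2NodeClass schema as the author of this example understands it; the node class document, the AMI IDs and the cluster tag are constructed sample data, and sending the patch to the API server (a Kubernetes client, or kubectl patch --type merge) is out of scope.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// amiID matches the two AMI ID lengths EC2 issues: "ami-" plus 8 or 17 hex digits.
var amiID = regexp.MustCompile(`^ami-(?:[0-9a-f]{8}|[0-9a-f]{17})$`)

// NodeClassPatch builds the JSON merge patch (RFC 7386) that pins an EC2NodeClass
// to exactly one gated AMI. The path spec.amiSelectorTerms[].id is Karpenter's
// EC2NodeClass schema as the author of this example understands it.
func NodeClassPatch(approvedAMI string) ([]byte, error) {
	if !amiID.MatchString(approvedAMI) {
		return nil, fmt.Errorf("refusing to patch node class: %q is not an AMI ID", approvedAMI)
	}
	// A merge patch replaces arrays wholesale: every existing selector term,
	// including name or alias terms that could resolve to an un-gated image,
	// is dropped and only the approved id remains.
	return json.Marshal(map[string]any{
		"spec": map[string]any{
			"amiSelectorTerms": []map[string]string{{"id": approvedAMI}},
		},
	})
}

// mergePatch applies an RFC 7386 merge patch to a decoded JSON value, the same
// semantics the Kubernetes API server uses for application/merge-patch+json.
func mergePatch(target, patch any) any {
	p, ok := patch.(map[string]any)
	if !ok {
		return patch // scalars and arrays replace the target outright
	}
	t, ok := target.(map[string]any)
	if !ok {
		t = map[string]any{}
	}
	for k, v := range p {
		if v == nil {
			delete(t, k) // null in a merge patch deletes the key
			continue
		}
		t[k] = mergePatch(t[k], v)
	}
	return t
}

// ApplyPatch decodes a node class document and a merge patch and returns the
// merged object, so the effect can be checked before anything reaches the cluster.
func ApplyPatch(nodeClass, patch []byte) (map[string]any, error) {
	var doc, p any
	if err := json.Unmarshal(nodeClass, &doc); err != nil {
		return nil, fmt.Errorf("node class: %w", err)
	}
	if err := json.Unmarshal(patch, &p); err != nil {
		return nil, fmt.Errorf("patch: %w", err)
	}
	merged, ok := mergePatch(doc, p).(map[string]any)
	if !ok {
		return nil, fmt.Errorf("node class is not a JSON object")
	}
	return merged, nil
}

// SelectedAMIs lists the id of each amiSelectorTerms entry; a term that selects
// by something other than id (name, alias, tags) yields "".
func SelectedAMIs(nodeClass map[string]any) []string {
	spec, _ := nodeClass["spec"].(map[string]any)
	terms, _ := spec["amiSelectorTerms"].([]any)
	ids := make([]string, 0, len(terms))
	for _, term := range terms {
		m, _ := term.(map[string]any)
		id, _ := m["id"].(string)
		ids = append(ids, id)
	}
	return ids
}

// SampleNodeClass is a constructed EC2NodeClass with a wildcard name term and a
// stale pinned id; the subnet selector shows that sibling fields survive the merge.
const SampleNodeClass = `{"apiVersion":"karpenter.k8s.aws/v1","kind":"EC2NodeClass",
"metadata":{"name":"default"},
"spec":{"amiSelectorTerms":[{"name":"al2023-ami-*"},{"id":"ami-0123456789abcdef0"}],
"subnetSelectorTerms":[{"tags":{"karpenter.sh/discovery":"example-cluster"}}]}}`

func main() {
	patch, err := NodeClassPatch("ami-0abc1234def567890") // constructed id
	if err != nil {
		panic(err)
	}
	merged, err := ApplyPatch([]byte(SampleNodeClass), patch)
	if err != nil {
		panic(err)
	}
	fmt.Printf("patch: %s\nselected AMIs after patch: %q\n", patch, SelectedAMIs(merged))
}
```

The ID check matters because the value reaching this activity comes out of the pipeline's metadata, not from a human: a name pattern or an empty string slipping through would silently widen the selector back to whatever Karpenter resolves at node launch. Pinning by id also means new images only reach nodes by going through the gate again.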

Gate failures enter a review loop: the workflow saves a gate report to S3, pauses for a human signal, persists any new exceptions, and re-evaluates.
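The gate rule from activity 3 and the exception handling of the review loop, as an added example written for this page rather than code from the Strata repository. It reads the Grype JSON field names the author of this example knows (matches[].vulnerability.id, severity and fix.state; matches[].artifact.name and version), takes the stricter reading of "unfixed" (every HIGH or CRITICAL match blocks regardless of fix state, and the fix state is carried into the report so the reviewer sees it), and requires every exception to carry an expiry, which the page does not state. The Grype document, the CVE ids and the exception list are constructed sample input.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// grypeReport is the subset of Grype's JSON output the gate reads (field names
// follow Grype's schema as the author of this example understands it).
type grypeReport struct {
	Matches []struct {
		Vulnerability struct {
			ID       string `json:"id"`
			Severity string `json:"severity"`
			Fix      struct{ State string `json:"state"` } `json:"fix"`
		} `json:"vulnerability"`
		Artifact struct {
			Name    string `json:"name"`
			Version string `json:"version"`
		} `json:"artifact"`
	} `json:"matches"`
}

type Exception struct { // package-level waiver for one CVE (assumed shape, not Strata's)
	Package, Version, CVE, Reason string    // Version "" waives every version
	Expires                       time.Time // required: waivers must be time-boxed
}

// Finding is one HIGH/CRITICAL match in the gate report; WaivedBy holds the
// exception reason when it was waived.
type Finding struct {
	CVE, Severity, FixState, Package, Version, WaivedBy string
}

type GateReport struct { // what the workflow would save to S3 for the reviewer
	Passed   bool
	Blocking []Finding
	Waived   []Finding
}

// waiver returns the exception covering f, if one exists and is still in force.
func waiver(f Finding, exceptions []Exception, now time.Time) (Exception, bool) {
	for _, e := range exceptions {
		if !strings.EqualFold(e.CVE, f.CVE) || e.Package != f.Package {
			continue
		}
		if e.Version != "" && e.Version != f.Version {
			continue
		}
		if e.Expires.IsZero() || now.After(e.Expires) {
			continue // open-ended or expired waivers do not count
		}
		return e, true
	}
	return Exception{}, false
}

// EvaluateGate parses a Grype JSON report and fails the gate on every HIGH or
// CRITICAL match that no valid package-level exception waives. Fix state is
// reported but does not change the verdict (the strict reading of "unfixed").
func EvaluateGate(grypeJSON []byte, exceptions []Exception, now time.Time) (GateReport, error) {
	var rep grypeReport
	if err := json.Unmarshal(grypeJSON, &rep); err != nil {
		return GateReport{}, fmt.Errorf("parse grype report: %w", err)
	}
	out := GateReport{Passed: true}
	for _, m := range rep.Matches {
		sev := strings.ToUpper(m.Vulnerability.Severity)
		if sev != "HIGH" && sev != "CRITICAL" {
			continue
		}
		f := Finding{CVE: m.Vulnerability.ID, Severity: sev, FixState: m.Vulnerability.Fix.State,
			Package: m.Artifact.Name, Version: m.Artifact.Version}
		if e, ok := waiver(f, exceptions, now); ok {
			f.WaivedBy = e.Reason
			out.Waived = append(out.Waived, f)
			continue
		}
		out.Blocking = append(out.Blocking, f)
		out.Passed = false
	}
	return out, nil
}

// SampleGrype is a constructed report with synthetic CVE ids: a fixable
// CRITICAL, a HIGH with no upstream fix, and a LOW the gate ignores.
const SampleGrype = `{"matches":[
{"vulnerability":{"id":"CVE-2099-0001","severity":"Critical","fix":{"state":"fixed"}},"artifact":{"name":"openssl","version":"3.0.1"}},
{"vulnerability":{"id":"CVE-2099-0002","severity":"High","fix":{"state":"not-fixed"}},"artifact":{"name":"curl","version":"8.1.0"}},
{"vulnerability":{"id":"CVE-2099-0003","severity":"Low","fix":{"state":"fixed"}},"artifact":{"name":"zlib","version":"1.3"}}]}`

func main() {
	now := time.Date(2025, 1, 15, 0, 0, 0, 0, time.UTC)
	exc := []Exception{{Package: "curl", CVE: "CVE-2099-0002", Reason: "code path unreachable", Expires: now.AddDate(0, 1, 0)}}
	rep, err := EvaluateGate([]byte(SampleGrype), exc, now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("blocking: %+v\nwaived: %d, gate passed: %v\n", rep.Blocking, len(rep.Waived), rep.Passed)
}
```

Re-running EvaluateGate with the persisted exception list is the re-evaluate step of the review loop. Open-ended or expired exceptions are ignored rather than honoured, so a waiver recorded during one review cannot silently outlive its justification; when the same CVE resurfaces after the expiry, it lands in front of a reviewer again instead of passing on a stale decision.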

Components

| Component | Location | Description |
|---|---|---|
| strata-worker | worker/ | Temporal worker — runs the 5-activity AMI pipeline workflow |
| strata-review | cmd/strata-review/ | Interactive CLI for human review of gate failures |
| strata-sbom | cmd/strata-sbom/ | EKS AMI SBOM collection pipeline (discover, launch, scan, terminate) |
| gowno | gowno/ | React dashboard for SBOM and gate report visualization |

Prerequisites

Quick Start

# Copy and configure environment variables
cp .env.example .env
# Edit .env with your AWS credentials and S3 bucket name

# Start infrastructure (Temporal + PostgreSQL + Trino)
task infra:up

# Build all components
task build

# Run the worker
task worker:run

# In another terminal — run strata-review for gate approvals
task review:run

Configuration

All components auto-load a .env file from the project root.

| Variable | Description |
|---|---|
| AWS_ACCESS_KEY_ID | AWS access key |
| AWS_SECRET_ACCESS_KEY | AWS secret key |
| AWS_REGION | AWS region (default: us-east-1) |
| SBOM_BUCKET | S3 bucket for SBOMs and gate reports |
| TEMPORAL_ADDRESS | Temporal server address (default: localhost:7233) |
| DATABASE_URL | PostgreSQL connection string (default: postgres://strata:strata@localhost:5432/pipeline) |
| EKS_CLUSTER_NAME | EKS cluster name (for strata-sbom) |

See .env.example for a starter template. AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are long-lived static credentials: keep .env out of version control, and scope that key to the S3 bucket, EC2 and EKS permissions the pipeline actually needs rather than using an administrator key.

Development

task test          # Run all tests
task go:lint       # Lint Go code
task gowno:dev     # Start React dev server
task clean         # Remove build artifacts

Per-component tasks:

| Component | Build | Test | Run |
|---|---|---|---|
| worker | task worker:build | task worker:test | task worker:run |
| strata-review | task review:build | task review:test | task review:run |
| strata-sbom | task sbom:build | task sbom:test | task sbom:run |
| gowno | task gowno:build | task gowno:test | task gowno:dev |

Infrastructure: task infra:up, task infra:down, task infra:logs

Project Structure

strata/
├── worker/                  # Temporal worker (workflow, activities, models)
├── cmd/
│   ├── strata-review/       # Human review CLI
│   └── strata-sbom/         # EKS SBOM pipeline CLI
├── gowno/                   # React + Vite + TypeScript dashboard
├── packer/                  # Packer AMI templates (HCL2)
├── ansible/                 # Ansible hardening playbooks
├── scripts/                 # Utility scripts (SBOM generation, etc.)
├── infra/                   # Trino config, DB schemas, Temporal dynamic config
├── docker-compose.yml       # Infrastructure stack (Temporal + PostgreSQL + Trino)
├── Taskfile.yml             # Build system
└── docs/plans/              # Design and implementation plans

Versioning

Each component is versioned independently using git tags:

task version                    # Show all current versions

task worker:bump:patch          # Tag a patch release for worker
task review:bump:minor          # Tag a minor release for strata-review
task gowno:bump:major           # Tag a major release for gowno
task sbom:bump:patch            # Tag a patch release for strata-sbom

Tag format: {component}/v{major}.{minor}.{patch} (e.g., worker/v1.2.3).

Documentation

About

The AMI Pipeline that drains to a Datalake.
