new advisories work and features gaps work

2026-01-14 18:39:19 +02:00
parent 95d5898650
commit 15aeac8e8b
148 changed files with 16731 additions and 554 deletions
--- a/docs-archived/implplan/SPRINT_20260112_001_DOCS_audit_evidence_pack_gaps.md
+++ b/docs-archived/implplan/SPRINT_20260112_001_DOCS_audit_evidence_pack_gaps.md
@@ -0,0 +1,44 @@
+# Sprint 20260112-001-DOCS - Audit Evidence Pack Gap Closure
+
+## Topic & Scope
+- Publish missing evidence pack and audit bundle schemas to close broken references and unblock implementation work.
+- Align evidence-pack documentation, export-center docs, and high-level positioning with the audit-ready evidence pack advisory.
+- Evidence to produce: new schema JSON files and updated docs under `docs/modules/evidence-locker/`, `docs/modules/export-center/`, `docs/key-features.md`, and `docs/07_HIGH_LEVEL_ARCHITECTURE.md`.
+- **Working directory:** `docs/`.
+
+## Dependencies & Concurrency
+- No upstream sprints required; this sprint defines schemas used by SPRINT_20260112_002_EVIDENCE and SPRINT_20260112_003_EXPORT.
+- Concurrency: safe to run in parallel with code sprints, but schema changes should land first.
+
+## Documentation Prerequisites
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- `docs/modules/evidence-locker/architecture.md`
+- `docs/modules/evidence-locker/evidence-bundle-v1.md`
+- `docs/modules/evidence-locker/export-format.md`
+- `docs/modules/export-center/architecture.md`
+- `docs/product/advisories/`
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | DOCS-CEPACK-001 | DONE | Schema requirements review with EvidenceLocker + Export Center | Docs Guild / EvidenceLocker Guild | Create `docs/modules/evidence-locker/schemas/stellaops-evidence-pack.v1.schema.json` and `docs/modules/evidence-locker/schemas/audit-bundle-index.schema.json` with deterministic fields for manifest inventory, transparency references, and timestamp metadata. |
+| 2 | DOCS-CEPACK-002 | DONE | After DOCS-CEPACK-001 | Docs Guild | Update `docs/modules/evidence-locker/guides/evidence-pack-schema.md` to reference the new schemas, add ASCII-only examples, and record ordering rules. |
+| 3 | DOCS-CEPACK-003 | DONE | After DOCS-CEPACK-001 | Docs Guild / Export Center Guild | Update `docs/modules/export-center/architecture.md` and `docs/modules/export-center/overview.md` to reference the audit bundle index schema and evidence pack outputs. |
+| 4 | DOCS-CEPACK-004 | DONE | After DOCS-CEPACK-002 | Docs Guild | Update `docs/key-features.md` and `docs/07_HIGH_LEVEL_ARCHITECTURE.md` with audit-ready evidence pack positioning and links to EvidenceLocker docs. |
+| 5 | DOCS-CEPACK-005 | DONE | After DOCS-CEPACK-004 | Docs Guild | Archive the 14-Jan-2026 advisory by moving it from `docs/product/advisories/` to `docs-archived/product/advisories/` and add a short archive note in the destination. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2026-01-14 | Sprint created; scope covers evidence pack schema and documentation alignment. | Planning |
+| 2026-01-14 | Published evidence pack schemas, updated docs, and archived the advisory. | Docs Guild |
+
+## Decisions & Risks
+- Schema field naming for transparency and timestamp metadata must align with EvidenceLocker and Export Center implementations to avoid contract drift.
+- High-level positioning updates must stay consistent with existing audit and offline evidence messaging.
+- Updated schema references: `docs/modules/evidence-locker/schemas/stellaops-evidence-pack.v1.schema.json` and `docs/modules/evidence-locker/schemas/audit-bundle-index.schema.json`.
+
+## Next Checkpoints
+- 2026-01-18: Schema review with EvidenceLocker and Export Center guilds.
--- a/docs-archived/implplan/SPRINT_20260112_002_EVIDENCE_evidence_locker_audit_pack_hardening.md
+++ b/docs-archived/implplan/SPRINT_20260112_002_EVIDENCE_evidence_locker_audit_pack_hardening.md
@@ -0,0 +1,49 @@
+# Sprint 20260112-002-EVIDENCE - EvidenceLocker Audit Pack Hardening
+
+## Topic & Scope
+- Extend EvidenceLocker bundle metadata and manifests with transparency and RFC3161 timestamp references aligned to the new evidence pack schemas.
+- Add explicit object-lock configuration and enforcement in S3 storage to support WORM retention and legal hold behavior.
+- Evidence to produce: code and tests under `src/EvidenceLocker/StellaOps.EvidenceLocker` plus updated EvidenceLocker AGENTS entries.
+- **Working directory:** `src/EvidenceLocker/StellaOps.EvidenceLocker`.
+
+## Dependencies & Concurrency
+- Depends on SPRINT_20260112_001_DOCS for schema definitions and documentation alignment.
+- Concurrency: implementation can proceed in parallel after schema field names are finalized.
+
+## Documentation Prerequisites
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- `docs/modules/evidence-locker/architecture.md`
+- `docs/modules/evidence-locker/export-format.md`
+- `docs/modules/evidence-locker/bundle-packaging.md`
+- `docs/modules/evidence-locker/attestation-contract.md`
+- `docs/modules/attestor/transparency.md`
+- `src/EvidenceLocker/AGENTS.md`
+- `src/EvidenceLocker/StellaOps.EvidenceLocker/AGENTS.md`
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | EVID-CEPACK-001 | DONE | After DOCS-CEPACK-001 schema fields are final | EvidenceLocker Guild | Update EvidenceLocker manifest models and builders to record transparency and timestamp references in bundle metadata (align with `docs/modules/evidence-locker/schemas/bundle.manifest.schema.json` and the new evidence pack schema). Touch: `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Builders/EvidenceBundleBuilder.cs` and related domain models. |
+| 2 | EVID-CEPACK-002 | DONE | After EVID-CEPACK-001 | EvidenceLocker Guild | Propagate RFC3161 timestamp metadata from signing to bundle packaging and verification flows; add unit tests under `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests`. |
+| 3 | EVID-CEPACK-003 | DONE | After DOCS-CEPACK-001 schema fields are final | EvidenceLocker Guild | Add Object Lock configuration to `EvidenceLockerOptions` and enforce retention/legal hold headers in `S3EvidenceObjectStore`; validate config at startup and add tests. |
+| 4 | EVID-CEPACK-004 | DONE | After EVID-CEPACK-001 | EvidenceLocker Guild / QA | Add determinism and schema evolution tests covering new manifest fields and checksum ordering (use existing EvidenceLocker test suites). |
+| 5 | EVID-CEPACK-005 | DONE | After EVID-CEPACK-003 | EvidenceLocker Guild | Update `src/EvidenceLocker/AGENTS.md` and `src/EvidenceLocker/StellaOps.EvidenceLocker/AGENTS.md` to include object-lock and transparency/timestamp requirements. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2026-01-14 | Sprint created; focuses on EvidenceLocker metadata, object-lock enforcement, and tests. | Planning |
+| 2026-01-14 | EVID-CEPACK-001: Added TransparencyReference and TimestampReference records to EvidenceBundleBuildModels.cs; Updated EvidenceSignatureService to serialize new fields in manifest payload. | Agent |
+| 2026-01-14 | EVID-CEPACK-002: Existing RFC3161 client already propagates timestamps; added 3 new unit tests for transparency/timestamp reference serialization. | Agent |
+| 2026-01-14 | EVID-CEPACK-003: Added ObjectLockOptions to AmazonS3StoreOptions with Mode, DefaultRetentionDays, DefaultLegalHold; Updated S3EvidenceObjectStore with ApplyObjectLockSettings and ApplyLegalHoldAsync methods; Added startup validation. | Agent |
+| 2026-01-14 | EVID-CEPACK-004: Added tests for transparency serialization, timestamp serialization, and empty array omission in EvidenceSignatureServiceTests. | Agent |
+| 2026-01-14 | EVID-CEPACK-005: Updated src/EvidenceLocker/AGENTS.md with object-lock and transparency/timestamp requirements. | Agent |
+
+## Decisions & Risks
+- Object Lock semantics (governance vs compliance) require a single default and may need explicit approval from platform governance.
+- Doc updates to EvidenceLocker packaging and verification guides must be coordinated with the docs sprint to avoid cross-module drift.
+
+## Next Checkpoints
+- 2026-01-20: EvidenceLocker schema and Object Lock design review.
--- a/docs-archived/implplan/SPRINT_20260112_004_ATTESTOR_vex_override_predicate.md
+++ b/docs-archived/implplan/SPRINT_20260112_004_ATTESTOR_vex_override_predicate.md
@@ -0,0 +1,44 @@
+# Sprint 20260112.004.ATTESTOR · VEX Override Attestation Predicate
+
+## Topic & Scope
+- Define and implement a DSSE/in-toto predicate for VEX override attestations (operator decisions such as not_affected or compensating controls).
+- Support optional Rekor anchoring and offline verification paths without changing existing attestation workflows.
+- Working directory: `src/Attestor`. Evidence: predicate schema, builder, verification tests, and sample payloads.
+
+## Dependencies & Concurrency
+- Downstream: `SPRINT_20260112_004_VULN_vex_override_workflow.md` consumes the predicate to mint attestations.
+- Parallel-safe with Scanner and Findings sprints.
+
+## Documentation Prerequisites
+- `docs/README.md`
+- `docs/ARCHITECTURE_OVERVIEW.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/attestor/rekor-verification-design.md`
+- `docs/VEX_CONSENSUS_GUIDE.md`
+- `docs/architecture/EVIDENCE_PIPELINE_ARCHITECTURE.md`
+- `src/__Libraries/StellaOps.Canonical.Json/README.md`
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | ATT-VEX-001 | DONE | Predicate spec | Attestor Guild | Add VEX override predicate schema and typed model (decision, evidence refs, tool versions, rule digests, artifact digest, trace hash). |
+| 2 | ATT-VEX-002 | DONE | Builder + verify | Attestor Guild | Implement predicate builder and DSSE envelope creation/verification; canonicalize predicate payloads with `StellaOps.Canonical.Json` before hashing; add unit and integration tests. |
+| 3 | ATT-VEX-003 | DONE | Cross-module docs | Attestor Guild | Document predicate and include a sample payload in `docs/modules/attestor/` and referenced schemas. |
+| 4 | ATT-VEX-004 | DONE | Canonicalization contract | Attestor Guild | Document canonicalization rules and required serializer options (no CamelCase, default encoder) for the VEX override predicate. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
+| 2026-01-14 | ATT-VEX-001: Created VexOverridePredicate.cs with VexOverrideDecision enum, EvidenceReference, ToolInfo records in src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/. | Agent |
+| 2026-01-14 | ATT-VEX-002: Created VexOverridePredicateParser.cs (IPredicateParser impl), VexOverridePredicateBuilder.cs with RFC 8785 canonicalization. Added 23 unit tests in VexOverride directory. | Agent |
+| 2026-01-14 | Fixed pre-existing bug in BinaryDiffTestData.cs (renamed FixedTimeProvider field to TestTimeProvider to avoid name shadowing with nested class). | Agent |
+| 2026-01-14 | ATT-VEX-003/004: Created docs/modules/attestor/vex-override-predicate.md with schema spec, sample payload, and RFC 8785 canonicalization rules. | Agent |
+
+## Decisions & Risks
+- Predicate must use RFC 8785 canonicalization via `StellaOps.Canonical.Json` with explicit serializer options (no CamelCase, default encoder) and DSSE PAE helper; no custom encoding.
+- Rekor anchoring is optional; offline verification must still succeed with embedded proofs.
+
+## Next Checkpoints
+- TBD: confirm predicate field set with Policy and VEX Lens consumers.
--- a/docs-archived/implplan/SPRINT_20260112_004_DOC_cicd_gate_verification.md
+++ b/docs-archived/implplan/SPRINT_20260112_004_DOC_cicd_gate_verification.md
@@ -0,0 +1,37 @@
+# Sprint 20260112.004.DOC · CI/CD Gate Verification Step
+
+## Topic & Scope
+- Document a required verification step in CI/CD gates that checks DSSE witness signatures and Rekor inclusion (or offline ledger).
+- Provide example commands for online and offline flows using `stella proof verify` and cosign equivalents.
+- Working directory: `docs`. Evidence: updated CI/CD flow and proof verification runbooks.
+
+## Dependencies & Concurrency
+- Parallel-safe with code sprints; no upstream dependencies required.
+
+## Documentation Prerequisites
+- `docs/README.md`
+- `docs/ARCHITECTURE_OVERVIEW.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/flows/10-cicd-gate-flow.md`
+- `docs/operations/score-proofs-runbook.md`
+- `docs/operations/proof-verification-runbook.md`
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | DOC-CICD-001 | DONE | Flow edits | Docs Guild | Update `docs/flows/10-cicd-gate-flow.md` to include DSSE witness verification and Rekor inclusion checks with offline fallback. |
+| 2 | DOC-CICD-002 | DONE | Runbook links | Docs Guild | Add concise command snippets to `docs/operations/score-proofs-runbook.md` and link to `docs/operations/proof-verification-runbook.md`. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
+| 2026-01-14 | DOC-CICD-001: Added section 5a "DSSE Witness Verification (Required)" to cicd-gate-flow.md with online/offline commands, cosign equivalents, and GitHub/GitLab integration examples. | Agent |
+| 2026-01-14 | DOC-CICD-002: Added section 3.2a "CI/CD Gate Verification Quick Reference" to score-proofs-runbook.md with concise commands and cross-links. | Agent |
+
+## Decisions & Risks
+- Verification examples must be offline-friendly and avoid external URLs not already present.
+- CI gate examples must remain deterministic and avoid non-ASCII characters in commands.
+
+## Next Checkpoints
+- TBD: confirm with Release Engineering that flow matches current CLI behavior.
--- a/docs-archived/implplan/SPRINT_20260112_004_LB_doctor_evidence_integrity_checks.md
+++ b/docs-archived/implplan/SPRINT_20260112_004_LB_doctor_evidence_integrity_checks.md
@@ -0,0 +1,40 @@
+# Sprint 20260112.004.LB · Doctor Evidence Integrity Checks
+
+## Topic & Scope
+- Add Doctor checks that validate DSSE signatures, Rekor inclusion (or offline ledger), and evidence hash consistency.
+- Surface results in Doctor UI exports and keep outputs deterministic and offline-friendly.
+- Working directory: `src/__Libraries`. Evidence: new doctor checks, tests, and doc updates.
+
+## Dependencies & Concurrency
+- Parallel-safe with other sprints; can proceed independently once proof verification utilities are available.
+
+## Documentation Prerequisites
+- `docs/README.md`
+- `docs/ARCHITECTURE_OVERVIEW.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/doctor/doctor-capabilities.md`
+- `docs/operations/score-proofs-runbook.md`
+- `src/__Libraries/StellaOps.Canonical.Json/README.md`
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | DOCHECK-001 | DONE | Check spec | Doctor Guild | Implement a security Doctor check that verifies DSSE signature validity and Rekor inclusion (or offline ledger) for a provided proof bundle or attestation; recompute hashes using `StellaOps.Canonical.Json`. |
+| 2 | DOCHECK-002 | DONE | Tests | Doctor Guild | Add unit/integration tests for deterministic check output, including offline mode. |
+| 3 | DOCHECK-003 | DONE | Cross-module docs | Doctor Guild | Update `docs/doctor/doctor-capabilities.md` to describe the new evidence integrity check. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
+| 2026-01-14 | DOCHECK-001: Created EvidenceIntegrityCheck.cs in Security plugin with DSSE/Rekor/hash verification. | Agent |
+| 2026-01-14 | DOCHECK-001: Registered check in SecurityPlugin.cs GetChecks() method. | Agent |
+| 2026-01-14 | DOCHECK-002: Created EvidenceIntegrityCheckTests.cs with 15 tests covering all verification paths. All tests pass. | Agent |
+| 2026-01-14 | DOCHECK-003: Added check.security.evidence.integrity documentation to doctor-capabilities.md section 9.4. | Agent |
+
+## Decisions & Risks
+- Doctor checks must not call external networks; use local proof bundles or offline ledgers.
+- Ensure any evidence hash validation uses `StellaOps.Canonical.Json` with explicit serializer options and stable ordering.
+
+## Next Checkpoints
+- TBD: confirm proof bundle inputs and UX in Doctor dashboard.
--- a/docs-archived/implplan/SPRINT_20260112_004_LB_evidence_card_core.md
+++ b/docs-archived/implplan/SPRINT_20260112_004_LB_evidence_card_core.md
@@ -0,0 +1,45 @@
+# Sprint 20260112-004-LB-evidence-card-core - Evidence Card Core
+
+## Topic & Scope
+- Build a single-file evidence card export that packages SBOM excerpt, DSSE envelope, and Rekor receipt for a finding evidence pack; output is deterministic and offline-friendly.
+- Current state evidence: Evidence packs only export json/signedjson/markdown/html/pdf and do not carry Rekor receipts (`src/__Libraries/StellaOps.Evidence.Pack/Models/SignedEvidencePack.cs`, `src/__Libraries/StellaOps.Evidence.Pack/EvidencePackService.cs`).
+- Evidence to produce: EvidenceCard model, evidence-card export format, receipt wiring in signed packs, and determinism tests.
+- **Working directory:** `src/__Libraries/StellaOps.Evidence.Pack`.
+
+## Dependencies & Concurrency
+- Depends on Attestor receipt types already present in `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Rekor/RekorReceipt.cs`.
+- Parallel safe with remediation PR and UI sprints; no shared DB migrations or schema changes.
+
+## Documentation Prerequisites
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/product/VISION.md`
+- `docs/modules/cli/guides/commands/evidence-bundle-format.md`
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | EVPCARD-LB-001 | DONE | None | Evidence Guild | Add EvidenceCard model and receipt metadata for single-file export. |
+| 2 | EVPCARD-LB-002 | DONE | EVPCARD-LB-001 | Evidence Guild | Implement evidence-card export format in EvidencePackService (SBOM excerpt + DSSE + receipt). |
+| 3 | EVPCARD-LB-003 | DONE | EVPCARD-LB-001 | Evidence Guild | Wire Rekor receipt capture into signed evidence packs using Attestor receipt types. |
+| 4 | EVPCARD-LB-004 | DONE | EVPCARD-LB-002 | Evidence Guild | Add determinism and export tests for evidence-card output. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
+| 2026-01-14 | EVPCARD-LB-001: Created EvidenceCard.cs with models for EvidenceCard, SbomExcerpt, RekorReceiptMetadata, CheckpointSignature. | Agent |
+| 2026-01-14 | EVPCARD-LB-002: Created EvidenceCardService.cs with CreateCardAsync, ExportCardAsync (Json/CompactJson/CanonicalJson), VerifyCardAsync. | Agent |
+| 2026-01-14 | EVPCARD-LB-003: Created IEvidenceCardService.cs with RekorReceiptMetadata integration for offline verification. | Agent |
+| 2026-01-14 | EVPCARD-LB-004: Created EvidenceCardServiceTests.cs with 11 determinism and export tests. All 42 evidence pack tests pass. | Agent |
+| 2026-01-14 | Added StellaOps.Determinism.Abstractions project reference for IGuidProvider. | Agent |
+
+## Decisions & Risks
+- Decide evidence-card schema fields and SBOM excerpt selection rules (size limits, deterministic ordering).
+- Rekor receipt availability in air-gap must be optional; define fallback behavior when receipts are missing.
+- Cross-module docs and API wiring occur in dependent sprints; note in commits when touching `docs/**`.
+
+## Next Checkpoints
+- TBD (set once staffed).