feat: add PolicyPackSelectorComponent with tests and integration

- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
This commit is contained in:
StellaOps Bot
2025-12-05 21:24:34 +02:00
parent 347c88342c
commit 18d87c64c5
220 changed files with 7700 additions and 518 deletions


@@ -1,6 +1,6 @@
# Signals DSSE Evidence Staging (runtime/signals gaps)
Artifacts prepared 2025-12-01 (UTC) for DSSE signing and Evidence Locker ingest:
Artifacts prepared 2025-12-05 (UTC) for DSSE signing and Evidence Locker ingest:
| Artifact | Path | Predicate |
|----------|------|-----------|
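Review bot: the hunk only bumps the preparation date from 2025-12-01 to 2025-12-05 without saying why the artifacts were re-prepared, so a later reader cannot tell whether the 2025-12-01 evidence set is superseded, re-signed, or still valid alongside this one. Suggest adding a short note after the "Artifacts prepared" line stating what changed between the two sets (for example "re-staged after heuristics_catalog update; 2025-12-01 set is withdrawn"), and confirm that the Path column entries in the table below were moved to the new date as well, since the same date string is hard-coded in the locker paths further down.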
@@ -53,21 +53,49 @@ For production signing without CI:
```bash
# Option 1: Place key file
cp /path/to/production.key tools/cosign/cosign.key
OUT_DIR=evidence-locker/signals/2025-12-01 tools/cosign/sign-signals.sh
OUT_DIR=evidence-locker/signals/2025-12-05 tools/cosign/sign-signals.sh
# Option 2: Use base64 env var
export COSIGN_PRIVATE_KEY_B64=$(cat production.key | base64 -w0)
export COSIGN_PASSWORD=your-password
OUT_DIR=evidence-locker/signals/2025-12-01 tools/cosign/sign-signals.sh
OUT_DIR=evidence-locker/signals/2025-12-05 tools/cosign/sign-signals.sh
```
## Evidence Locker Paths
Post-signing, artifacts go to:
- `evidence-locker/signals/2025-12-01/confidence_decay_config.sigstore.json`
- `evidence-locker/signals/2025-12-01/unknowns_scoring_manifest.sigstore.json`
- `evidence-locker/signals/2025-12-01/heuristics_catalog.sigstore.json`
- `evidence-locker/signals/2025-12-01/SHA256SUMS`
- `evidence-locker/signals/2025-12-05/confidence_decay_config.sigstore.json`
- `evidence-locker/signals/2025-12-05/unknowns_scoring_manifest.sigstore.json`
- `evidence-locker/signals/2025-12-05/heuristics_catalog.sigstore.json`
- `evidence-locker/signals/2025-12-05/SHA256SUMS`
Deterministic tarball (dev-key signing 2025-12-05) for locker push/testing:
```
evidence-locker/signals/2025-12-05/signals-evidence.tar sha256=a17910b8e90aaf44d4546057db22cdc791105dd41feb14f0c9b7c8bac5392e0d
```
Verification helper:
```
./tools/signals-verify-evidence-tar.sh [path/to/signals-evidence.tar]
```
Local locker upload (once creds are available):
```bash
export EVIDENCE_LOCKER_URL="<locker-base-url>"
export CI_EVIDENCE_LOCKER_TOKEN="<token>"
./tools/signals-upload-evidence.sh
# or to push both Signals and Zastava in one go
./tools/upload-all-evidence.sh
```
CI upload path:
- Workflow: `.gitea/workflows/signals-evidence-locker.yml`
- Secrets required: `CI_EVIDENCE_LOCKER_TOKEN`, `EVIDENCE_LOCKER_URL`
- Artifact name: `signals-evidence-2025-12-05`
- Retention input (optional): `retention_target` (default 180 days)
## Post-Signing Checklist
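Review bot: the production-signing output directory (`OUT_DIR=evidence-locker/signals/2025-12-05`) and the dev-key-signed tarball (`evidence-locker/signals/2025-12-05/signals-evidence.tar`) share the same path, and neither `signals-upload-evidence.sh` nor the CI workflow section states which signing mode the upload expects, so a dev-key-signed bundle could be pushed to the locker under the production artifact name `signals-evidence-2025-12-05`. Suggest either staging dev-key output in a separate directory or adding a line in the upload sections saying the upload must only run after the production signing step (and that the verify helper should be run against the production-signed tarball first). Two smaller points in the same hunk: `export COSIGN_PRIVATE_KEY_B64=$(cat production.key | base64 -w0)` relies on GNU `base64 -w0`, which is not available on macOS/BSD (`base64 | tr -d '\n'` is portable), and "Option 1" copies a production key into `tools/cosign/cosign.key` inside the repo tree, so the doc should state that this path is gitignored or point at a location outside the checkout.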