feat: add PolicyPackSelectorComponent with tests and integration
- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
41
docs/ops/evidence-locker-handoff.md
Normal file
@@ -0,0 +1,41 @@
# Evidence Locker Handoff (Signals & Zastava)

## Inputs required (from Ops)
- `EVIDENCE_LOCKER_URL` (base URL, no trailing slash)
- `CI_EVIDENCE_LOCKER_TOKEN` (Bearer token with write to `zastava/*` and `signals/*`)
- **Signals production signing key** for final re-sign (one of):
- `COSIGN_PRIVATE_KEY_B64` (base64 of private key) + optional `COSIGN_PASSWORD`, or
- key file at `tools/cosign/cosign.key` + password.

## What’s ready (deterministic artefacts)
- Zastava tar: `evidence-locker/zastava/2025-12-02/zastava-evidence.tar`
- sha256: `e1d67424273828c48e9bf5b495a96c2ebcaf1ef2c308f60d8b9ac019cf0f1c9`
- Signals tar (dev key): `evidence-locker/signals/2025-12-05/signals-evidence.tar`
- sha256: `a17910b8e90aaf44d4546057db22cdc791105dd41feb14f0c9b7c8bac5392e0d`

## Publish both bundles (once URL/token are available)
```bash
export EVIDENCE_LOCKER_URL="<locker-base-url>"
export CI_EVIDENCE_LOCKER_TOKEN="<token>"
./tools/upload-all-evidence.sh
```

## Verify locally (hash + inner SHA lists)
- Zastava: `./tools/zastava-verify-evidence-tar.sh [path/to/zastava-evidence.tar]`
- Signals: `./tools/signals-verify-evidence-tar.sh [path/to/signals-evidence.tar]`

## Re-sign Signals for production trust (optional but recommended)
```bash
export COSIGN_PRIVATE_KEY_B64="<prod-key-b64>"
export COSIGN_PASSWORD="<pwd-if-any>"
OUT_DIR=evidence-locker/signals/2025-12-05 \
tools/cosign/sign-signals.sh

# Rebuild + upload tar
./tools/signals-upload-evidence.sh
```

## Notes
- All packaging is deterministic (`tar --sort=name --mtime='UTC 1970-01-01' --owner=0 --group=0 --numeric-owner`).
- Tlog upload is disabled for offline parity; Evidence Locker trust comes from the provided keys.
- Upload scripts exit non-zero on hash mismatch to prevent pushing corrupted artefacts.
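Review bot: the Zastava digest under "What’s ready" (`sha256: e1d67424273828c48e9bf5b495a96c2ebcaf1ef2c308f60d8b9ac019cf0f1c9`) is 63 hex characters, one short of a SHA-256, so nothing `./tools/zastava-verify-evidence-tar.sh` computes can ever equal it and the "exit non-zero on hash mismatch" behaviour described in the Notes would block the Zastava publish; please re-copy the full 64-character value from `sha256sum evidence-locker/zastava/2025-12-02/zastava-evidence.tar` before this doc ships (the Signals digest is the correct length). A smaller point on the two `bash` snippets: `export CI_EVIDENCE_LOCKER_TOKEN="<token>"` and `export COSIGN_PRIVATE_KEY_B64="<prod-key-b64>"` invite the operator to paste the locker token and the production signing key on the command line, where they land in shell history; a sentence telling Ops to inject them from the CI secret store or read them with `read -rs` would keep the prod key out of `~/.bash_history`.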