product advisories, stella router improval, tests streghthening

2025-12-24 14:20:26 +02:00
parent 5540ce9430
commit 2c2bbf1005
171 changed files with 58943 additions and 135 deletions
--- a/docs/implplan/SPRINT_8200_REPRODUCIBILITY_EPIC_SUMMARY.md
+++ b/docs/implplan/SPRINT_8200_REPRODUCIBILITY_EPIC_SUMMARY.md
@@ -0,0 +1,222 @@
+# Epic 8200 · SBOM/VEX Pipeline Reproducibility
+
+## Overview
+
+This epic implements the reproducibility, verifiability, and audit-readiness requirements identified in the product advisory analysis of December 2024.
+
+**Goal:** Ensure StellaOps produces byte-for-byte identical outputs given identical inputs, with full attestation and offline verification capabilities.
+
+## Epic Timeline
+
+| Phase | Sprints | Duration | Focus |
+|-------|---------|----------|-------|
+| **Phase 1: Foundation** | 8200.0001.0001 | Week 1 | VerdictId content-addressing (critical fix) |
+| **Phase 2: Validation** | 8200.0001.0002, 8200.0001.0003 | Week 1-2 | DSSE round-trips, schema validation |
+| **Phase 3: E2E** | 8200.0001.0004 | Week 2-3 | Full pipeline reproducibility test |
+| **Phase 4: Packaging** | 8200.0001.0005, 8200.0001.0006 | Week 3 | Sigstore bundles, budget attestation |
+
+## Sprint Summary
+
+### P0: SPRINT_8200_0001_0001 — Verdict ID Content-Addressing
+**Status:** TODO | **Effort:** 2 days | **Blocks:** All other sprints
+
+**Problem:** `DeltaVerdict.VerdictId` uses random GUID instead of content hash.
+**Solution:** Implement `VerdictIdGenerator` using SHA-256 of canonical JSON.
+
+| Task Count | Files Modified | Tests Added |
+|------------|----------------|-------------|
+| 12 tasks | 5 files | 4 tests |
+
+**Key Deliverables:**
+- [ ] `VerdictIdGenerator` helper class
+- [ ] Content-addressed VerdictId in all verdict creation sites
+- [ ] Regression tests for determinism
+
+---
+
+### P1: SPRINT_8200_0001_0002 — DSSE Round-Trip Testing
+**Status:** TODO | **Effort:** 3 days | **Depends on:** P0
+
+**Problem:** No tests validate sign → verify → re-bundle → re-verify cycle.
+**Solution:** Comprehensive round-trip test suite with cosign compatibility.
+
+| Task Count | Files Created | Tests Added |
+|------------|---------------|-------------|
+| 20 tasks | 4 files | 15 tests |
+
+**Key Deliverables:**
+- [ ] `DsseRoundtripTestFixture` with key management
+- [ ] Round-trip serialization tests
+- [ ] Cosign compatibility verification
+- [ ] Multi-signature envelope handling
+
+---
+
+### P2: SPRINT_8200_0001_0003 — SBOM Schema Validation CI
+**Status:** TODO | **Effort:** 1 day | **Depends on:** None
+
+**Problem:** No external validator confirms schema compliance.
+**Solution:** Integrate sbom-utility for CycloneDX 1.6 and SPDX 3.0.1 validation.
+
+| Task Count | Files Created | CI Jobs Added |
+|------------|---------------|---------------|
+| 17 tasks | 7 files | 4 jobs |
+
+**Key Deliverables:**
+- [ ] Schema files committed to repo
+- [ ] `schema-validation.yml` workflow
+- [ ] Validation scripts for all SBOM formats
+- [ ] Required PR check
+
+---
+
+### P3: SPRINT_8200_0001_0004 — Full E2E Reproducibility Test
+**Status:** TODO | **Effort:** 5 days | **Depends on:** P0, P1
+
+**Problem:** No test covers full pipeline: ingest → normalize → diff → decide → attest → bundle.
+**Solution:** Create `StellaOps.Integration.E2E` project with cross-platform verification.
+
+| Task Count | Files Created | CI Jobs Added |
+|------------|---------------|---------------|
+| 26 tasks | 8 files | 4 jobs |
+
+**Key Deliverables:**
+- [ ] Full pipeline test fixture
+- [ ] Cross-platform hash comparison (Linux, Windows, macOS)
+- [ ] Golden baseline fixtures
+- [ ] Nightly reproducibility gate
+
+---
+
+### P4: SPRINT_8200_0001_0005 — Sigstore Bundle Implementation
+**Status:** TODO | **Effort:** 3 days | **Depends on:** P1
+
+**Problem:** Sigstore bundle type defined but not implemented.
+**Solution:** Implement v0.3 bundle marshalling/unmarshalling with offline verification.
+
+| Task Count | Files Created | Tests Added |
+|------------|---------------|-------------|
+| 24 tasks | 9 files | 4 tests |
+
+**Key Deliverables:**
+- [ ] `StellaOps.Attestor.Bundle` library
+- [ ] `SigstoreBundleBuilder` and `SigstoreBundleVerifier`
+- [ ] cosign bundle compatibility
+- [ ] CLI command `stella attest bundle`
+
+---
+
+### P6: SPRINT_8200_0001_0006 — Budget Threshold Attestation
+**Status:** TODO | **Effort:** 2 days | **Depends on:** P0
+
+**Problem:** Unknown budget thresholds not attested in DSSE bundles.
+**Solution:** Create `BudgetCheckPredicate` and include in verdict attestations.
+
+| Task Count | Files Created/Modified | Tests Added |
+|------------|------------------------|-------------|
+| 18 tasks | 7 files | 4 tests |
+
+**Key Deliverables:**
+- [ ] `BudgetCheckPredicate` model
+- [ ] Budget config hash for determinism
+- [ ] Integration with `VerdictPredicateBuilder`
+- [ ] Verification rule for config drift
+
+---
+
+## Dependency Graph
+
+```
+                    ┌─────────────────┐
+                    │   P0: Verdict   │
+                    │  Content-Hash   │
+                    └────────┬────────┘
+                             │
+              ┌──────────────┼──────────────┐
+              │              │              │
+              ▼              ▼              ▼
+    ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
+    │  P1: DSSE       │ │  P2: Schema     │ │  P6: Budget     │
+    │  Round-Trip     │ │  Validation     │ │  Attestation    │
+    └────────┬────────┘ └─────────────────┘ └─────────────────┘
+             │
+    ┌────────┴────────┐
+    │                 │
+    ▼                 ▼
+┌─────────────────┐ ┌─────────────────┐
+│  P3: E2E Test   │ │  P4: Sigstore   │
+│                 │ │  Bundle         │
+└─────────────────┘ └─────────────────┘
+```
+
+## Total Effort Summary
+
+| Sprint | Priority | Effort | Tasks | Status |
+|--------|----------|--------|-------|--------|
+| 8200.0001.0001 | P0 | 2 days | 12 | TODO |
+| 8200.0001.0002 | P1 | 3 days | 20 | TODO |
+| 8200.0001.0003 | P2 | 1 day | 17 | TODO |
+| 8200.0001.0004 | P3 | 5 days | 26 | TODO |
+| 8200.0001.0005 | P4 | 3 days | 24 | TODO |
+| 8200.0001.0006 | P6 | 2 days | 18 | TODO |
+| **Total** | — | **16 days** | **117 tasks** | — |
+
+## Success Criteria
+
+### Must Have (Phase 1-2)
+- [ ] VerdictId is content-addressed (SHA-256)
+- [ ] DSSE round-trip tests pass
+- [ ] Schema validation in CI
+- [ ] All existing tests pass (no regressions)
+
+### Should Have (Phase 3)
+- [ ] Full E2E pipeline test
+- [ ] Cross-platform reproducibility verified
+- [ ] Golden baseline established
+
+### Nice to Have (Phase 4)
+- [ ] Sigstore bundle support
+- [ ] Budget attestation in verdicts
+- [ ] cosign interoperability
+
+## Documentation Deliverables
+
+| Document | Sprint | Status |
+|----------|--------|--------|
+| `docs/reproducibility.md` | Pre-req | DONE |
+| `docs/testing/schema-validation.md` | P2 | TODO |
+| `docs/testing/e2e-reproducibility.md` | P3 | TODO |
+| `docs/modules/attestor/bundle-format.md` | P4 | TODO |
+| `docs/modules/policy/budget-attestation.md` | P6 | TODO |
+
+## Risk Register
+
+| Risk | Impact | Probability | Mitigation | Owner |
+|------|--------|-------------|------------|-------|
+| Breaking change for stored verdicts | High | Medium | Migration logic for old GUID format | Policy Guild |
+| Cross-platform determinism failures | High | Medium | Canonical serialization; path normalization | Platform Guild |
+| Sigstore spec changes | Medium | Low | Pin to v0.3; monitor upstream | Attestor Guild |
+| CI performance impact | Medium | Medium | Parallelize validation jobs | Platform Guild |
+
+## Execution Checkpoints
+
+| Checkpoint | Date | Criteria |
+|------------|------|----------|
+| Phase 1 Complete | Week 1 end | VerdictId fix merged; tests green |
+| Phase 2 Complete | Week 2 end | DSSE round-trips pass; schema validation active |
+| Phase 3 Complete | Week 3 end | E2E test running nightly; baselines established |
+| Phase 4 Complete | Week 3 end | Sigstore bundles working; budget attestation active |
+| Epic Complete | Week 3 end | All success criteria met; docs complete |
+
+## Related Documents
+
+- [Product Advisory Analysis](../product-advisories/) — Original gap analysis
+- [Reproducibility Specification](../reproducibility.md) — Verdict ID formula and replay procedure
+- [Determinism Verification](../testing/determinism-verification.md) — Existing determinism infrastructure
+- [Attestor Module](../modules/attestor/README.md) — DSSE and attestation architecture
+
+## Changelog
+
+| Date | Version | Changes |
+|------|---------|---------|
+| 2025-12-24 | 1.0 | Initial epic creation based on product advisory gap analysis |