stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

feat(zastava): add evidence locker plan and schema examples

Browse Source 
- Introduced README.md for Zastava Evidence Locker Plan detailing artifacts to sign and post-signing steps.
- Added example JSON schemas for observer events and webhook admissions.
- Updated implementor guidelines with checklist for CI linting, determinism, secrets management, and schema control.
- Created alert rules for Vuln Explorer to monitor API latency and projection errors.
- Developed analytics ingestion plan for Vuln Explorer, focusing on telemetry and PII guardrails.
- Implemented Grafana dashboard configuration for Vuln Explorer metrics visualization.
- Added expected projection SHA256 for vulnerability events.
- Created k6 load testing script for Vuln Explorer API.
- Added sample projection and replay event data for testing.
- Implemented ReplayInputsLock for deterministic replay inputs management.
- Developed tests for ReplayInputsLock to ensure stable hash computation.
- Created SurfaceManifestDeterminismVerifier to validate manifest determinism and integrity.
- Added unit tests for SurfaceManifestDeterminismVerifier to ensure correct functionality.
- Implemented Angular tests for VulnerabilityHttpClient and VulnerabilityDetailComponent to verify API interactions and UI rendering.
This commit is contained in:
StellaOps Bot
2025-12-02 09:27:31 +02:00
parent 885ce86af4
commit 2d08f52715
74 changed files with 1690 additions and 131 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
docs/airgap/runbooks/import-verify.md Normal file
View File

@@ -0,0 +1,30 @@
# AirGap Import & Verify (runbook outline)
Related advisory: `docs/product-advisories/25-Nov-2025 - Airgap deployment playbook for StellaOps.md` (AG1AG12). Implements AIRGAP-VERIFY-510-014.
## Prerequisites
- `offline-kit/manifest.json` + `manifest.dsse` and `mirror.manifest` present.
- Trust roots: Rekor/TUF roots, Authority signing roots, AV/YARA public keys.
- Tools: `cosign` (or Stella verifier), `sha256sum`, `yara`, `python3`.
## Steps
1) Verify manifest signature
- `cosign verify-blob --key trust-roots/manifest.pub --signature manifest.dsse manifest.json`
- Sample helper: `scripts/airgap/verify-offline-kit.sh <kit-root>`
2) Check staleness and policy/graph hashes
- Compare `feeds[*].snapshot` dates to allowed window; ensure `policyHash`/`graphHash` match target site config; fail closed on mismatch unless override signed.
3) Verify chunks and Merkle root
- For each chunk listed in manifest, `sha256sum -c`; recompute Merkle root per manifest recipe; compare to `rootHash` field.
4) AV/YARA validation
- Run `yara -r rules/offline-kit.yar kit/`; confirm `avReport.sha256` matches signed report in manifest; block on any detection.
5) Replay depth selection
- Modes: `hash-only` (default), `full-recompute`, `policy-freeze`. Select via `--replay-mode`; enforce exit codes 0=pass, 3=stale, 4=hash-drift, 5=av-fail.
6) Ingress/egress receipts
- Generate DSSE receipt `{hash, operator, time, decision}`; store in Proof Graph; verify incoming receipts before import.
## Outputs
- Exit code per replay mode outcome.
- Receipt DSSE stored at `receipts/{tenant}/{timestamp}.dsse`.
- Optional report `verify-report.json` summarizing checks.
> Expand with concrete scripts once tasks 510-010..014 land.