stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat(zastava): add evidence locker plan and schema examples

Browse Source 
- Introduced README.md for Zastava Evidence Locker Plan detailing artifacts to sign and post-signing steps.
- Added example JSON schemas for observer events and webhook admissions.
- Updated implementor guidelines with checklist for CI linting, determinism, secrets management, and schema control.
- Created alert rules for Vuln Explorer to monitor API latency and projection errors.
- Developed analytics ingestion plan for Vuln Explorer, focusing on telemetry and PII guardrails.
- Implemented Grafana dashboard configuration for Vuln Explorer metrics visualization.
- Added expected projection SHA256 for vulnerability events.
- Created k6 load testing script for Vuln Explorer API.
- Added sample projection and replay event data for testing.
- Implemented ReplayInputsLock for deterministic replay inputs management.
- Developed tests for ReplayInputsLock to ensure stable hash computation.
- Created SurfaceManifestDeterminismVerifier to validate manifest determinism and integrity.
- Added unit tests for SurfaceManifestDeterminismVerifier to ensure correct functionality.
- Implemented Angular tests for VulnerabilityHttpClient and VulnerabilityDetailComponent to verify API interactions and UI rendering.
This commit is contained in:
StellaOps Bot
2025-12-02 09:27:31 +02:00
parent 885ce86af4
commit 2d08f52715
74 changed files with 1690 additions and 131 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
docs/modules/export-center/determinism.md Normal file
View File

@@ -0,0 +1,34 @@
# Export Center Determinism & Rerun Hash Guide
Advisory: `docs/product-advisories/28-Nov-2025 - Export Center and Reporting Strategy.md` (EC1EC10).
## Adapter settings (runnable example)
- JSON adapters: `--compression zstd --compression-level 19 --deterministic-order`
- Mirror adapter: sort descriptors by digest, emit annotations in lexicographic order, disable mtime in tar (`--mtime 0`).
- Delta adapter: include `baseManifestHash` and sorted `added`/`removed` lists; tombstones must be explicit.
## Rerun-hash check
```bash
set -euo pipefail
run_id=$(uuidgen)
stella export run --profile demo --run-id "$run_id" --out /tmp/export1
sha256sum /tmp/export1/manifest.json > /tmp/export1/manifest.sha256
# second run
run_id2=$(uuidgen)
stella export run --profile demo --run-id "$run_id2" --out /tmp/export2
sha256sum /tmp/export2/manifest.json > /tmp/export2/manifest.sha256
diff -u /tmp/export1/manifest.sha256 /tmp/export2/manifest.sha256
```
## Integrity headers (HTTP example)
- `Digest: sha-256=<base64>`
- `X-Stella-Signature: dsse-b64=<payload>`
- `X-Stella-Immutability: true`
## Offline kit packaging
- Tar flags: `tar --sort=name --mtime=@0 --owner=0 --group=0 --numeric-owner`
- Include `export-kit/manifest.json` + `manifest.dsse`; add `verify-export-kit.sh` to check hashes and signatures.
## Where to place fixtures
- `src/ExportCenter/__fixtures/` for deterministic manifests/outputs used by tests.
- Add rerun-hash CI to compare fixture hash against regenerated outputs.