stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

feat(zastava): add evidence locker plan and schema examples

Browse Source 
- Introduced README.md for Zastava Evidence Locker Plan detailing artifacts to sign and post-signing steps.
- Added example JSON schemas for observer events and webhook admissions.
- Updated implementor guidelines with checklist for CI linting, determinism, secrets management, and schema control.
- Created alert rules for Vuln Explorer to monitor API latency and projection errors.
- Developed analytics ingestion plan for Vuln Explorer, focusing on telemetry and PII guardrails.
- Implemented Grafana dashboard configuration for Vuln Explorer metrics visualization.
- Added expected projection SHA256 for vulnerability events.
- Created k6 load testing script for Vuln Explorer API.
- Added sample projection and replay event data for testing.
- Implemented ReplayInputsLock for deterministic replay inputs management.
- Developed tests for ReplayInputsLock to ensure stable hash computation.
- Created SurfaceManifestDeterminismVerifier to validate manifest determinism and integrity.
- Added unit tests for SurfaceManifestDeterminismVerifier to ensure correct functionality.
- Implemented Angular tests for VulnerabilityHttpClient and VulnerabilityDetailComponent to verify API interactions and UI rendering.
This commit is contained in:
StellaOps Bot
2025-12-02 09:27:31 +02:00
parent 885ce86af4
commit 2d08f52715
74 changed files with 1690 additions and 131 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
docs/modules/scanner/design/surface-fs.md
View File

@@ -45,6 +45,14 @@ Manifests describe the artefact metadata and storage pointers. They are stored i
"format": "json",
"sizeBytes": 524288,
"view": "runtime",
"attestations": [
{
"kind": "dsse",
"mediaType": "application/vnd.dsse+json",
"digest": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"uri": "cas://surface-cache/attestations/entrytrace.graph.dsse/e3b0c442....json"
}
],
"storage": {
"bucket": "surface-cache",
"objectKey": "payloads/acme/entrytrace/sha256/ab/cd/abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789.ndjson.zst",
@@ -64,10 +72,16 @@ Manifest URIs follow the deterministic pattern:
```
cas://{bucket}/{prefix}/{tenant}/{digest[0..1]}/{digest[2..3]}/{digest}.json
```
```
The hex portion of the manifest digest is split into two directory levels to avoid hot directories. The same layout is mirrored on disk by the default `FileSurfaceManifestStore`, which keeps offline bundle sync trivial (copy the `manifests/` tree verbatim).
Deterministic composition adds:
- Artifact kind `composition.recipe` (media type `application/vnd.stellaops.composition.recipe+json`) describing the merge recipe and Merkle root.
- `attestations[]` per artefact (currently DSSE envelopes) so offline kits can verify payloads without re-signing.
- `determinismRoot` and `determinism` metadata on the manifest that capture the Merkle root plus the composition recipe digest/URI.
### 2.3 Payload Storage
Large payloads (SBOM fragments, entry traces, runtime events) live in the same object store as manifests (RustFS/S3). Manifests record relative paths so offline bundles can copy both manifest and payload without modification.
@@ -151,6 +165,7 @@ Scanner.Worker serialises EntryTrace graphs into Surface.FS using `SurfaceCacheK
## 9. Testing Strategy
- Unit tests for path builder, manifest serializer, and local cache eviction.
- Determinism verifier tests assert that `composition.recipe` + DSSE payloads match the Merkle root and surface artefact digests.
- Integration tests using embedded RustFS or MinIO container to validate API interactions.
- Offline kit tests verifying export/import cycle round-trips manifests and payloads.