feat(zastava): add evidence locker plan and schema examples

- Introduced README.md for Zastava Evidence Locker Plan detailing artifacts to sign and post-signing steps. - Added example JSON schemas for observer events and webhook admissions. - Updated implementor guidelines with checklist for CI linting, determinism, secrets management, and schema control. - Created alert rules for Vuln Explorer to monitor API latency and projection errors. - Developed analytics ingestion plan for Vuln Explorer, focusing on telemetry and PII guardrails. - Implemented Grafana dashboard configuration for Vuln Explorer metrics visualization. - Added expected projection SHA256 for vulnerability events. - Created k6 load testing script for Vuln Explorer API. - Added sample projection and replay event data for testing. - Implemented ReplayInputsLock for deterministic replay inputs management. - Developed tests for ReplayInputsLock to ensure stable hash computation. - Created SurfaceManifestDeterminismVerifier to validate manifest determinism and integrity. - Added unit tests for SurfaceManifestDeterminismVerifier to ensure correct functionality. - Implemented Angular tests for VulnerabilityHttpClient and VulnerabilityDetailComponent to verify API interactions and UI rendering.
2025-12-02 09:27:31 +02:00
parent 885ce86af4
commit 2d08f52715
74 changed files with 1690 additions and 131 deletions
--- a/src/Scanner/StellaOps.Scanner.Worker/Processing/Surface/SurfaceManifestPublisher.cs
+++ b/src/Scanner/StellaOps.Scanner.Worker/Processing/Surface/SurfaceManifestPublisher.cs
@@ -104,6 +104,16 @@ internal sealed class SurfaceManifestPublisher : ISurfaceManifestPublisher
            artifacts.Add(artifact);
        }

+        var compositionRecipe = artifacts.FirstOrDefault(a => string.Equals(a.Kind, "composition.recipe", StringComparison.Ordinal));
+        var determinismMetadata = string.IsNullOrWhiteSpace(request.DeterminismMerkleRoot) && compositionRecipe is null
+            ? null
+            : new SurfaceDeterminismMetadata
+            {
+                MerkleRoot = request.DeterminismMerkleRoot ?? string.Empty,
+                RecipeDigest = compositionRecipe?.Digest,
+                CompositionRecipeUri = compositionRecipe?.Uri
+            };
+
        var manifestDocument = new SurfaceManifestDocument
        {
            Tenant = tenant,
@@ -119,6 +129,7 @@ internal sealed class SurfaceManifestPublisher : ISurfaceManifestPublisher
            },
            Artifacts = AttachAttestations(artifacts).ToImmutableArray(),
            DeterminismMerkleRoot = request.DeterminismMerkleRoot,
+            Determinism = determinismMetadata,
            ReplayBundle = string.IsNullOrWhiteSpace(request.ReplayBundleUri)
                ? null
                : new ReplayBundleReference