themesd advisories enhanced
This commit is contained in:
StellaOps Bot
@@ -634,6 +634,28 @@ proof_coverage_reachable = reachable_findings_with_proofs / total_reachable_find
|
||||
- BF < 0.90 overall → page/block release
|
||||
- Regulated BF < 0.95 → page/block release
|
||||
|
||||
## 15. DETERMINISTIC PACKAGING (BUNDLES)
|
||||
|
||||
Determinism applies to *packaging*, not only algorithms.
|
||||
|
||||
Rules for proof bundles and offline kits:
|
||||
- Prefer `tar` with deterministic ordering; avoid formats that inject timestamps by default.
|
||||
- Canonical file order: lexicographic path sort; include an `index.json` listing files and their digests in the same order.
|
||||
- Normalize file metadata: fixed uid/gid, fixed mtime, stable permissions; record the chosen policy in the manifest.
|
||||
- Compression must be reproducible (fixed level/settings; no embedded timestamps).
|
||||
- Bundle hash is computed over the canonical archive bytes and must be DSSE-signed.
|
||||
|
||||
## 16. BENCHMARK HARNESS (MOAT METRICS)
|
||||
|
||||
Use the repo benchmark harness as the single place where moat metrics are measured and enforced:
|
||||
- Harness root: `bench/README.md` (layout, verifiers, comparison tools).
|
||||
- Evidence contracts: `docs/benchmarks/vex-evidence-playbook.md` and `docs/replay/DETERMINISTIC_REPLAY.md`.
|
||||
|
||||
Developer rules:
|
||||
- No feature touching scans/policy/proofs ships without at least one benchmark scenario or an extension of an existing one.
|
||||
- If golden outputs change intentionally, record a short “why” note (which metric improved, which contract changed) and keep artifacts deterministic.
|
||||
- Bench runs must record and validate `graphRevisionId` and per-verdict receipts (see `docs/product-advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md`).
|
||||
|
||||
---
|
||||
|
||||
**Document Version**: 1.0
|
||||
|
||||
Reference in New Issue
Block a user