chore: remove outdated documentation and prep notes

- Deleted several draft and prep documents related to benchmarks, authority DPoP & mTLS implementation, Java analyzer observation, link-not-merge determinism tests, replay operations, and crypto provider registry.
- Updated the merge semver playbook to reflect current database schema usage.
- Cleaned up the technical development README to remove references to obsolete documents and streamline guidance for contributors.
StellaOps Bot
2025-12-24 12:47:50 +02:00
parent 02772c7a27
commit 40362de568
20 changed files with 6 additions and 758 deletions

@@ -1,21 +0,0 @@
# Attestor Replay Prep — PREP-ATTEST-REPLAY-187-003 (Draft)
Status: Draft (2025-11-20)
Owners: Attestor Guild
Scope: Capture prerequisites for wiring Attestor/Rekor anchoring to replay manifests once scanner record payloads are available.
## Expected inputs
- Replay record schema v1 (from `docs/modules/evidence-locker/replay-payload-contract.md`).
- Evidence Locker bundle location/pointer for replay artefacts.
## Attestation plan
- DSSE envelope type: `stella.replay.manifest` (draft).
- Payload fields: `{record_id, bundle_sha256, policy_run_id?, timestamp}`; signer: Attestor service key; optional Rekor entry when online.
- Verification endpoint proposal: `POST /attestations/replay/verify` accepting bundle pointer + DSSE; returns chain-of-custody summary.
## Open dependencies
- Final replay record schema and bundle pointer format.
- Authority policy on signer identity and Rekor usage in air-gap.
## Handoff
Use this note to unblock PREP-ATTEST-REPLAY-187-003; update when scanner payloads and Authority decisions land.
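Review bot: Both items under "Open dependencies" (the final replay record schema, and the Authority policy on signer identity and Rekor usage in air-gap) are still listed as open in the text being deleted, and the "Handoff" line asks for this note to be updated once they land. Before removing it, state in the commit message whether the draft envelope type `stella.replay.manifest` and the proposed `POST /attestations/replay/verify` endpoint were carried into the Attestor module docs or dropped, so the signer-identity question is not lost along with the file.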

@@ -1,30 +0,0 @@
# CLI Replay Prep — PREP-CLI-REPLAY-187-002 (Draft)
Status: Draft (2025-11-20)
Owners: DevEx/CLI Guild
Scope: Define inputs/outputs and offline behaviour needed for CLI replay commands (`scan --record`, `verify`, `replay`, `diff`).
## Command surface (proposed)
- `stella scan --record <image>` → emits replay record NDJSON to stdout or `--out bundle.ndjson`.
- `stella replay --bundle <bundle.ndjson>` → re-run verification offline; accepts `--policy-bundle` to pin policy version.
- `stella diff --bundle <a> --bundle <b>` → compare findings/signals with deterministic ordering; output NDJSON.
- `stella verify --bundle <bundle.ndjson>` → signature/hash verification of replay bundle.
## Inputs
- Replay record schema v1 from Evidence Locker (see `docs/modules/evidence-locker/replay-payload-contract.md`).
- Policy export bundle contract (see `docs/modules/policy/design/export-console-bundle-contract.md`) for policy pinning.
## Outputs
- Deterministic NDJSON; file names content-addressed (`sha256` of payload).
- Exit codes: 0 success, 2 validation error, 3 signature mismatch.
## Offline/air-gap considerations
- No network fetch; all references resolve to local bundle paths.
- Trust roots loaded from CLI config or `--trust-root` file; DSSE verification optional flag `--no-verify` default false.
## Open decisions
- Exact flag names for trust root and policy bundle; align with CLI UX guidelines.
- Where to persist cache/metadata (if any) in offline mode.
## Handoff
Treat this as the prep artefact for PREP-CLI-REPLAY-187-002. Update once replay record schema is finalized.
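Review bot: The "Outputs" and "Offline/air-gap considerations" sections describe behaviour that calling scripts would rely on: exit codes "0 success, 2 validation error, 3 signature mismatch" and `--no-verify` defaulting to false. If the replay commands shipped with this behaviour, link the CLI reference that now states it; if the flag names under "Open decisions" changed, say so, because a reader of the history cannot tell from this deletion whether signature verification is still on by default.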

@@ -1,16 +0,0 @@
# Evidence Locker Crypto Registry Prep — PREP-EVID-CRYPTO-90-001
Status: **Ready for implementation** (2025-11-20)
Owners: Evidence Locker Guild · Security Guild
Scope: Document ICryptoProviderRegistry expectations for Evidence Locker hashing/signing (manifest digests, DSSE, bundle encryption) including sovereign profiles.
## Requirements
- Registry entries must expose: `ProviderId`, `Algorithms` (signing/hash), `KeyUri`, `IsFips`, `IsPQReady`, `SupportsTimestamping`.
- Evidence Locker must select provider via config `EvidenceLocker:Crypto:ProviderId` with default `stella-default`.
- DSSE signing for bundles uses providers signing key; hashing uses provider hash list in order (sha256 first, optional gost for RU profile).
- JWKS/keys: provider responsible for exporting JWKS; Evidence Locker caches JWKS via configured `KeyUri`; cache TTL configurable.
## Acceptance criteria
- Prep doc published here; sprint task marked DONE.
- Provider selection/config rules recorded; hashing/signing responsibilities clarified.
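Review bot: The status line of this file reads "Ready for implementation", not Draft, which does not match the commit message describing the removed documents as outdated drafts and prep notes. The "Requirements" list is normative (registry entries "must expose" six fields, provider selected via `EvidenceLocker:Crypto:ProviderId` with default `stella-default`, sha256 first in the hash order), so please point to the document that now holds these rules, or keep the file until one exists.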

@@ -1,24 +0,0 @@
# Validate Bundle Prep — PREP-VALIDATE-BUNDLE-187-005 (Draft)
Status: Draft (2025-11-20)
Owners: QA Guild · CLI Guild · Docs Guild
Scope: Define validation steps for replay bundles once schemas freeze.
## Validation checklist (proposed)
- Verify archive hash vs manifest `bundle.manifest.json` (`sha256`).
- Verify DSSE signature (if present) against trusted keys.
- Recompute Merkle root of bundle file tree; compare to manifest.
- Schema validation: replay records conform to `replay.record.v1`; policy export bundle conforms to `policy.export.console.v1` when included.
- Determinism: run `stella replay` twice on same bundle and assert identical outputs (hash comparison).
## Fixtures/tests
- Golden bundles live under `tests/EvidenceLocker/Bundles/Golden/` (sealed, portable, replay) with `expected.json` and DSSE envelopes.
- `StellaOps.EvidenceLocker.Tests` includes fixture tests that validate Merkle subject, redaction, and replay digest; keep them green when regenerating bundles.
- CLI validation test: `stella verify --bundle <fixture>` returns exit code 0 and prints `verified: true`.
## Open dependencies
- Final schemas from Evidence Locker and Policy export contracts.
- Trust root list for DSSE verification (Authority decision).
## Handoff
Use this prep doc for PREP-VALIDATE-BUNDLE-187-005; expand with concrete fixtures once schemas are frozen.
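Review bot: The "Fixtures/tests" section is maintenance guidance for tests that exist, not draft planning: it tells maintainers to keep the `StellaOps.EvidenceLocker.Tests` fixture tests green when regenerating the golden bundles under `tests/EvidenceLocker/Bundles/Golden/`. Consider moving that paragraph and the validation checklist (archive hash, DSSE signature, Merkle root, schema, determinism) into a README beside the fixtures rather than deleting them with the rest of the note.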

@@ -1,22 +0,0 @@
# Mirror Thin Bundle Prep — PREP-MIRROR-CRT-56-001 (Draft)
Status: Draft (2025-11-20)
Owners: Mirror Guild (Assembler)
Scope: Capture requirements to start thin bundle v1 when upstream Sprint 110.D artefacts land.
## Dependencies
- Sprint 110.D assembler foundation (missing in repo).
- Trust root list and TUF metadata locations from release pipeline.
## Proposed thin bundle v1 shape
- Container: tar.gz deterministic; root manifest `mirror.thin.manifest.json`.
- Fields: `bundle_id`, `schema_version`=`mirror.thin.v1`, `created_at`, `source_registry`, `artifacts[] {digest, media_type, size}`, `trust_roots[]`, optional `attestations[]`.
- Merkle root over files for audit.
## Open decisions
- Exact artifact set included in “thin” scope (SBOM only vs SBOM+metadata).
- Required signatures (DSSE/Sigstore) and signer identities.
- Retention/GC policy for thin bundles.
## Handoff
Use this as the PREP artefact for PREP-MIRROR-CRT-56-001; update when assembler foundation drops so schema can be finalized and aligned with `docs/modules/mirror/thin-bundle-assembler.md`.
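Review bot: "Required signatures (DSSE/Sigstore) and signer identities" is still under "Open decisions" in the removed text, and the "Handoff" line says the schema is to be aligned with `docs/modules/mirror/thin-bundle-assembler.md`. Please check that the assembler document records the outcome of that decision and the `mirror.thin.v1` manifest fields (`trust_roots[]`, optional `attestations[]`) before this goes, since this diff does not show it being updated.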

@@ -1,118 +0,0 @@
# Scanner Analyzer Prep · Sprint 0132
This note captures the unblockers promised in PREP tasks for Sprint 0132. Each subsection gives the artifact location, assumption set, and the handoff needed by downstream implementation tasks.
## SCANNER-ANALYZERS-LANG-11-003 (runtime fusion)
- **Objective:** Define the runtime evidence ingest contract to merge AssemblyLoad/Resolving/PInvoke signals with static edges from 11-002.
- **Inputs required:**
- Static edge export format from 11-002 (AssemblyRef/ModuleRef/PInvoke with reason codes).
- Event listener tap points: `AssemblyLoadContext.Resolving`, `AssemblyLoad`, `NativeLibrary.SetDllImportResolver`, `DynamicDependency` attributes, and optional ETW provider `Microsoft-Windows-DotNETRuntime` (keyword 0x8, task AssemblyLoad).
- **Runtime evidence envelope (AOC-aligned):**
```json
{
"runtime_observation_id": "uuid",
"assembly_name": "System.Text.Json",
"kind": "assembly-load|p-invoke|dynamic-dependency",
"source": "Resolving|AssemblyLoad|NativeLibrary|ETW",
"details": {
"requested_name": "System.Text.Json",
"resolved_path": "<normalized absolute path>",
"assembly_version": "8.0.0.0",
"culture": "neutral",
"package_purl": "pkg:nuget/system.text.json@8.0.0",
"confidence": 0.72,
"reason_code": "runtime-resolve"
},
"timestamp_utc": "2025-11-20T00:00:00Z"
}
```
- **Merge rules for downstream 11-003 implementation:**
- De-dup edges by (assembly_name, resolved_path, kind).
- Prefer static edge confidence when present; runtime adds `confidence_bonus = +0.1` but never exceeds 1.0.
- Keep provenance: `edge.provenance = { "static": bool, "runtime": bool }`.
- **Publication:** This doc section is the frozen location for the runtime ingest contract; downstream tasks should reference this path.
## SCANNER-ANALYZERS-LANG-11-004 (observation export → writer/SBOM)
- **Objective:** Define the observation payload emitted to Scanner writer and SBOM entrypoint tagging.
- **Export envelope (AOC-compliant):**
```json
{
"entrypoints": [
{
"label": "app",
"rids": ["win-x64","linux-x64"],
"tfms": ["net8.0","net8.0-windows"],
"command": "dotnet ./bin/app.dll",
"sources": ["src/App/Program.cs"],
"rank": 1
}
],
"dependency_edges": [
{
"from": "app",
"to": "pkg:nuget/system.text.json@8.0.0",
"reason_code": "assembly-ref",
"confidence": 0.86,
"provenance": {"static": true, "runtime": false}
}
],
"environment_profiles": {
"tfm": "net8.0",
"rid": "linux-x64",
"host_policy": "portable",
"features": ["singlefile:false","trimmed:false","nativeaot:false"]
}
}
```
- **Writer handoff:**
- Serialize as deterministic JSON (sorted keys) to the Scanner writer contract `writer/observations/lang/dotnet`.
- Attach `sbom_entrypoint_tags` derived from entrypoint labels to feed SBOM Service tagging.
- **Publication:** Payload shape and field meanings fixed here for Sprint 0132 downstream work.
## SCANNER-ANALYZERS-LANG-11-005 (fixtures & benchmarks)
- **Objective:** Provide fixture plan so QA can start without waiting on further design.
- **Fixture matrix:**
- Framework-dependent: `net8.0`, `net9.0-preview` sample apps (console + web minimal API).
- Self-contained: `linux-x64` trimmed vs non-trimmed.
- Single-file: `win-x64` single-file publish, include native hosting bundle.
- NativeAOT: `linux-x64` HelloWorld + P/Invoke stub.
- Multi-RID: RID graph `linux-x64`, `linux-arm64`, `win-x64` with RID fallback expectations.
- **Locations:** place fixtures under `src/Scanner/__Tests/Fixtures/DotNet/11-005/*`; store expected observation JSON in `__Tests/Fixtures/DotNet/11-005/expected/*.json` with sorted keys.
- **Bench envelopes:**
- Target <150 ms p95 per project scan on dev laptop, <25 MB heap delta; capture via BenchmarkDotNet and report to `__Benchmarks/11-005.md`.
- **Determinism:** lock timestamps to `1970-01-01T00:00:00Z` in serialized outputs; stable ordering by (entrypoint label, dependency to PURL, reason_code).
## SCANNER-ANALYZERS-NATIVE-20-002 (ELF declared-dependency writer contract)
- **Objective:** Unblock writer schema so native analyzer can emit DT_NEEDED/DT_RPATH/DT_RUNPATH data.
- **Edge record (per ELF binary):**
```json
{
"image": "libssl.so.3",
"build_id": "cafef00d",
"rpath": ["$ORIGIN/lib","/usr/lib"],
"runpath": ["$ORIGIN","/opt/openssl"],
"needed": [
{"name": "libcrypto.so.3", "slot": 0, "version": "OPENSSL_3.0", "reason_code": "elf-dtneeded"},
{"name": "libpthread.so.0", "slot": 1, "version": null, "reason_code": "elf-dtneeded"}
],
"interpreter": "/lib64/ld-linux-x86-64.so.2",
"origin": "virtual-fs",
"confidence": 0.82
}
```
- **Writer path:** `writer/observations/native/elf-declared-deps` (append-only NDJSON; sorted by image name then slot).
- **Redaction:** no host absolute paths; resolve `$ORIGIN` using virtual image root only.
- **Publication:** schema above is the agreed baseline for downstream tasks; time-boxed to Sprint 0132.
## SCANNER-ANALYZERS-NODE-22-001 (isolated runner / scoped build graph)
- **Objective:** Provide a deterministic way to run Node analyzer tests without fanning out the whole solution.
- **Approach:**
- Add target solution filter: `src/Scanner/StellaOps.Scanner.Analyzers.Lang.Node.slnf` including only Node projects + shared test utilities.
- Introduce `Directory.Build.props` override for `Lang.Node` tests to disable cross-solution restore (`DisableTransitiveProjectReferences=true`).
- Test command for CI + local: `dotnet test src/Scanner/StellaOps.Scanner.Analyzers.Lang.Node.Tests/StellaOps.Scanner.Analyzers.Lang.Node.Tests.csproj /p:DisableTransitiveProjectReferences=true --no-restore --logger:"console;verbosity=minimal"`.
- Cache seeds: copy pnpm/Yarn fixtures into `obj/fixtures-cache` during test init; deterministic zip timestamps set to `1980-01-01`.
- **Publication:** This runbook unblocks execution while broader solution build contention is resolved; downstream tasks should adopt this invocation until Sprint 131 completes.
---
**Owners:** Scanner EPDR Guild (DotNet), SBOM Service Guild, Native Analyzer Guild, Node Analyzer Guild.
**Status:** All PREP artifacts published 2025-11-20.
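Review bot: Three "Publication" bullets declare this file the authoritative home of a contract: 11-003 says "This doc section is the frozen location for the runtime ingest contract; downstream tasks should reference this path", 11-004 says the payload shape is "fixed here", and NATIVE-20-002 calls the ELF schema "the agreed baseline". Deleting the file leaves any such references dangling. Search the repository for links to it and relocate the JSON envelopes, the merge rules, and the ELF "Redaction" rule (no host absolute paths, `$ORIGIN` resolved against the virtual image root only) into the Scanner module docs in the same commit.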