stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports

Browse Source 
- Introduced a new VEX compact fixture for testing purposes.
- Implemented `verify_export.py` script to validate Findings Ledger exports, ensuring deterministic ordering and applying redaction manifests.
- Added a lightweight stub `HarnessRunner` for unit tests to validate ledger hashing expectations.
- Documented tasks related to the Mirror Creator.
- Created models for entropy signals and implemented the `EntropyPenaltyCalculator` to compute penalties based on scanner outputs.
- Developed unit tests for `EntropyPenaltyCalculator` to ensure correct penalty calculations and handling of edge cases.
- Added tests for symbol ID normalization in the reachability scanner.
- Enhanced console status service with comprehensive unit tests for connection handling and error recovery.
- Included Cosign tool version 2.6.0 with checksums for various platforms.
This commit is contained in:
StellaOps Bot
2025-12-02 21:08:01 +02:00
parent 6d049905c7
commit 47168fec38
146 changed files with 4329 additions and 549 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
docs/modules/concelier/schemas/README.md Normal file
View File

@@ -0,0 +1,32 @@
# Concelier schema bundle (CI1CI10 remediation)
This folder publishes the signed JSON Schemas for Link-Not-Merge ingestion artifacts and the offline bundle manifest used by Offline Kit builds.
- `advisory-observation.schema.json` — canonical observation shape (provenance + content hash enforced).
- `advisory-linkset.schema.json` — linkset materialization with conflict reasons and deterministic IDs.
- `offline-advisory-bundle.schema.json` — manifest for air-gapped advisory bundles, including staleness and signature metadata.
- `schema.manifest.json` — digest manifest over all schemas.
- `schema.manifest.sig` — detached ECDSA (P-256) signature over the manifest (public key: `schema-signing-pub.pem`).
- `schema.manifest.sig.b64` — base64 view of the signature for air-gapped copy/paste.
- `samples/` — deterministic sample payloads for CI fixtures (see `tests` notes below).
## Verify locally (deterministic, offline)
```bash
# 1) Validate schemas are unchanged
sha256sum -c schema.manifest.json
# 2) Verify detached signature with the published public key
openssl dgst -sha256 -verify schema-signing-pub.pem \
-signature schema.manifest.sig \
schema.manifest.json
```
## Test coverage
The fixtures in `samples/` are consumed by `StellaOps.Concelier.Core.Tests` to assert:
- deterministic idempotency keys and conflict ordering (`Linksets/AdvisoryLinksetIdempotencyTests`),
- tenant normalization and signature requirements for observations (`Aoc/AdvisoryObservationWriteGuardTests`),
- offline bundle manifest validation (`Schemas/OfflineBundleSchemaTests`).
Keep the manifest and signature updated whenever schema files change. Keys are dev/test-only; production signing happens in the release pipeline.