stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports

Browse Source 
- Introduced a new VEX compact fixture for testing purposes.
- Implemented `verify_export.py` script to validate Findings Ledger exports, ensuring deterministic ordering and applying redaction manifests.
- Added a lightweight stub `HarnessRunner` for unit tests to validate ledger hashing expectations.
- Documented tasks related to the Mirror Creator.
- Created models for entropy signals and implemented the `EntropyPenaltyCalculator` to compute penalties based on scanner outputs.
- Developed unit tests for `EntropyPenaltyCalculator` to ensure correct penalty calculations and handling of edge cases.
- Added tests for symbol ID normalization in the reachability scanner.
- Enhanced console status service with comprehensive unit tests for connection handling and error recovery.
- Included Cosign tool version 2.6.0 with checksums for various platforms.
This commit is contained in:
StellaOps Bot
2025-12-02 21:08:01 +02:00
parent 6d049905c7
commit 47168fec38
146 changed files with 4329 additions and 549 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
docs/modules/zastava/evidence/README.md
View File

@@ -1,29 +1,53 @@
# Zastava Evidence Locker Plan (schemas/kit)
# Zastava Evidence Locker (schemas/kit)
Artifacts to sign (target 2025-12-06):
- `schemas/observer_event.schema.json` — predicate `stella.ops/zastavaSchema@v1`
- `schemas/webhook_admission.schema.json` — predicate `stella.ops/zastavaSchema@v1`
- `thresholds.yaml` — predicate `stella.ops/zastavaThresholds@v1`
- `zastava-kit.tzst` + `SHA256SUMS` — predicate `stella.ops/zastavaKit@v1`
Signed 2025-12-02 with Ed25519 key (pub base64url: `mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc`). Private key stored offline; all signatures use DSSEv1 pre-auth encoding.
Public key copy: `docs/modules/zastava/kit/ed25519.pub`.
Planned Evidence Locker paths (fill after signing):
- `evidence-locker/zastava/2025-12-06/observer_event.schema.dsse`
- `evidence-locker/zastava/2025-12-06/webhook_admission.schema.dsse`
- `evidence-locker/zastava/2025-12-06/thresholds.dsse`
- `evidence-locker/zastava/2025-12-06/zastava-kit.tzst`
- `evidence-locker/zastava/2025-12-06/SHA256SUMS`
## Artefacts
- `schemas/observer_event.schema.json.dsse` (payloadType `application/vnd.stellaops.zastava.schema+json;name=observer_event;version=1`)
- `schemas/webhook_admission.schema.json.dsse` (payloadType `application/vnd.stellaops.zastava.schema+json;name=webhook_admission;version=1`)
- `thresholds.yaml.dsse` (payloadType `application/vnd.stellaops.zastava.thresholds+yaml;version=1`)
- `exports/observer_events.ndjson.dsse` (payloadType `application/vnd.stellaops.zastava.observer-events+ndjson;version=1`)
- `exports/webhook_admissions.ndjson.dsse` (payloadType `application/vnd.stellaops.zastava.webhook-admissions+ndjson;version=1`)
- `kit/zastava-kit.tzst.dsse` (payloadType `application/vnd.stellaops.zastava.kit+tzst;version=1`)
Signing template (replace KEY and file):
## Evidence Locker targets
- `evidence-locker/zastava/2025-12-02/observer_event.schema.json.dsse`
- `evidence-locker/zastava/2025-12-02/webhook_admission.schema.json.dsse`
- `evidence-locker/zastava/2025-12-02/thresholds.yaml.dsse`
- `evidence-locker/zastava/2025-12-02/observer_events.ndjson.dsse`
- `evidence-locker/zastava/2025-12-02/webhook_admissions.ndjson.dsse`
- `evidence-locker/zastava/2025-12-02/zastava-kit.tzst`
- `evidence-locker/zastava/2025-12-02/zastava-kit.tzst.dsse`
- `evidence-locker/zastava/2025-12-02/SHA256SUMS`
## Signing template (Python, ed25519)
```bash
cosign sign-blob \
--key cosign.key \
--predicate-type stella.ops/zastavaSchema@v1 \
--output-signature schemas/observer_event.schema.dsse \
schemas/observer_event.schema.json
python - <<'PY'
from pathlib import Path
from base64 import urlsafe_b64encode
import json
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.hazmat.primitives import serialization
priv = serialization.load_pem_private_key(Path('/tmp/zastava-ed25519.key').read_bytes(), password=None)
pub = priv.public_key().public_bytes(encoding=serialization.Encoding.Raw, format=serialization.PublicFormat.Raw)
keyid = urlsafe_b64encode(pub).decode().rstrip('=')
pt = '<payload-type>'
payload = Path('<file-to-sign>').read_bytes()
pae = b' '.join([b'DSSEv1', str(len(pt)).encode(), pt.encode(), str(len(payload)).encode(), payload])
sig = priv.sign(pae)
env = {
'payloadType': pt,
'payload': urlsafe_b64encode(payload).decode().rstrip('='),
'signatures': [{'keyid': keyid, 'sig': urlsafe_b64encode(sig).decode().rstrip('=')}],
}
Path('<file-to-sign>.dsse').write_text(json.dumps(env, indent=2, sort_keys=True) + '\n')
print('signed', '<file-to-sign>', 'with keyid', keyid)
PY
```
Post-sign steps:
1) Verify DSSEs with `cosign verify-blob` using `cosign.pub`.
2) Upload DSSEs + SHA256SUMS to Evidence Locker paths above.
3) Update `docs/implplan/SPRINT_0144_0001_0001_zastava_runtime_signals.md` Decisions & Risks and Next Checkpoints with final URIs.
4) Mark tasks ZASTAVA-SCHEMAS-0001 / ZASTAVA-THRESHOLDS-0001 / ZASTAVA-KIT-0001 to DONE in both sprint and TASKS tables.
## Post-sign checklist
1) Run `kit/verify.sh` to validate hashes + DSSE.
2) Upload artefacts + DSSEs + SHA256SUMS to the Evidence Locker paths above.
3) Record URIs in sprint 0144 Decisions & Risks and mark ZASTAVA-SCHEMAS-0001 / ZASTAVA-THRESHOLDS-0001 / ZASTAVA-KIT-0001 as DONE.