feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports

- Introduced a new VEX compact fixture for testing purposes. - Implemented `verify_export.py` script to validate Findings Ledger exports, ensuring deterministic ordering and applying redaction manifests. - Added a lightweight stub `HarnessRunner` for unit tests to validate ledger hashing expectations. - Documented tasks related to the Mirror Creator. - Created models for entropy signals and implemented the `EntropyPenaltyCalculator` to compute penalties based on scanner outputs. - Developed unit tests for `EntropyPenaltyCalculator` to ensure correct penalty calculations and handling of edge cases. - Added tests for symbol ID normalization in the reachability scanner. - Enhanced console status service with comprehensive unit tests for connection handling and error recovery. - Included Cosign tool version 2.6.0 with checksums for various platforms.
2025-12-02 21:08:01 +02:00
parent 6d049905c7
commit 47168fec38
146 changed files with 4329 additions and 549 deletions
--- a/docs/modules/zastava/kit/README.md
+++ b/docs/modules/zastava/kit/README.md
@@ -1,17 +1,83 @@
-# Zastava Kit (offline bundle) – Draft
+# Zastava Kit (offline bundle)

-Contents to include when built:
- Observations and admissions exports (NDJSON) signed via DSSE.
- Schemas: `schemas/observer_event.schema.json`, `schemas/webhook_admission.schema.json`.
- Thresholds: `thresholds.yaml` (DSSE-signed).
- Hash manifest: `SHA256SUMS` (covering all kit files).
- Verify script: `verify.sh` (hash + DSSE verification; fail closed on mismatch).
+## Contents
+- Schemas + DSSE: `schemas/observer_event.schema.json(.dsse)`, `schemas/webhook_admission.schema.json(.dsse)`.
+- Examples: `schemas/examples/*.json` (canonicalised, hashed).
+- Thresholds + DSSE: `thresholds.yaml(.dsse)`.
+- Exports + DSSE: `exports/observer_events.ndjson(.dsse)`, `exports/webhook_admissions.ndjson(.dsse)`.
+- Verification assets: `SHA256SUMS`, `kit/verify.sh`, `kit/ed25519.pub`, `schemas/README.md`, `evidence/README.md`.

-Deterministic packaging: `tar --mtime @0 --owner 0 --group 0 --numeric-owner -cf - kit | zstd -19 --long=27 --no-progress > zastava-kit.tzst`.
+## Build (deterministic)
+From `docs/modules/zastava`:

-Pending: fill with signed artefacts and Evidence Locker URIs after DSSE signing.
-Planned Evidence Locker paths (post-signing):
- `evidence-locker/zastava/2025-12-06/observer_event.schema.dsse`
- `evidence-locker/zastava/2025-12-06/webhook_admission.schema.dsse`
- `evidence-locker/zastava/2025-12-06/thresholds.dsse`
- `evidence-locker/zastava/2025-12-06/zastava-kit.tzst` + `SHA256SUMS`
+```bash
+tar --mtime @0 --owner 0 --group 0 --numeric-owner --sort=name \
+  -cf - \
+  SHA256SUMS schemas exports thresholds.yaml thresholds.yaml.dsse \
+  schemas/examples schemas/README.md \
+  schemas/observer_event.schema.json schemas/observer_event.schema.json.dsse \
+  schemas/webhook_admission.schema.json schemas/webhook_admission.schema.json.dsse \
+  exports/observer_events.ndjson exports/observer_events.ndjson.dsse \
+  exports/webhook_admissions.ndjson exports/webhook_admissions.ndjson.dsse \
+  evidence/README.md kit/README.md kit/verify.sh kit/ed25519.pub \
+| zstd -19 --long=27 --no-progress > kit/zastava-kit.tzst
+```
+
+Sign the kit itself with the same Ed25519 key (base64url pub: `mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc`):
+
+```bash
+python - <<'PY'
+from pathlib import Path
+from base64 import urlsafe_b64encode
+import json
+from cryptography.hazmat.primitives.asymmetric import ed25519
+from cryptography.hazmat.primitives import serialization
+
+priv = serialization.load_pem_private_key(Path('/tmp/zastava-ed25519.key').read_bytes(), password=None)
+pub = priv.public_key().public_bytes(encoding=serialization.Encoding.Raw, format=serialization.PublicFormat.Raw)
+keyid = urlsafe_b64encode(pub).decode().rstrip('=')
+pt = 'application/vnd.stellaops.zastava.kit+tzst;version=1'
+payload = Path('kit/zastava-kit.tzst').read_bytes()
+pae = b' '.join([b'DSSEv1', str(len(pt)).encode(), pt.encode(), str(len(payload)).encode(), payload])
+sig = priv.sign(pae)
+env = {
+    'payloadType': pt,
+    'payload': urlsafe_b64encode(payload).decode().rstrip('='),
+    'signatures': [{'keyid': keyid, 'sig': urlsafe_b64encode(sig).decode().rstrip('=')}],
+}
+Path('kit/zastava-kit.tzst.dsse').write_text(json.dumps(env, indent=2, sort_keys=True) + '\n')
+print('wrote kit/zastava-kit.tzst.dsse with keyid', keyid)
+PY
+```
+
+## Verify
+1) Verify the kit DSSE before unpacking (optional but recommended) using the public key shipped alongside the kit (run from `docs/modules/zastava`):
+```bash
+cd docs/modules/zastava
+python - <<'PY'
+import base64, json, sys
+from pathlib import Path
+from cryptography.hazmat.primitives.asymmetric import ed25519
+
+root = Path('.')
+pub = base64.urlsafe_b64decode((root / 'kit' / 'ed25519.pub').read_text().strip() + '==')
+env = json.loads((root / 'kit' / 'zastava-kit.tzst.dsse').read_text())
+payload = (root / 'kit' / 'zastava-kit.tzst').read_bytes()
+pt = env['payloadType'].encode()
+pae = b' '.join([b'DSSEv1', str(len(pt)).encode(), pt, str(len(payload)).encode(), payload])
+sig = base64.urlsafe_b64decode(env['signatures'][0]['sig'] + '==')
+ed25519.Ed25519PublicKey.from_public_bytes(pub).verify(sig, pae)
+decoded_payload = base64.urlsafe_b64decode(env['payload'] + '==')
+assert decoded_payload == payload
+print('OK: kit DSSE verified')
+PY
+```
+2) Extract and run offline validation of the inner artefacts:
+```bash
+zstd -d kit/zastava-kit.tzst -c | tar -xf -
+./kit/verify.sh
+```
+
+## Notes
+- Private signing key is held offline; only the public key is shipped.
+- All files are deterministic (mtime=0, numeric owners) to keep hashes stable for Evidence Locker ingestion.