stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports

Browse Source 
- Introduced a new VEX compact fixture for testing purposes.
- Implemented `verify_export.py` script to validate Findings Ledger exports, ensuring deterministic ordering and applying redaction manifests.
- Added a lightweight stub `HarnessRunner` for unit tests to validate ledger hashing expectations.
- Documented tasks related to the Mirror Creator.
- Created models for entropy signals and implemented the `EntropyPenaltyCalculator` to compute penalties based on scanner outputs.
- Developed unit tests for `EntropyPenaltyCalculator` to ensure correct penalty calculations and handling of edge cases.
- Added tests for symbol ID normalization in the reachability scanner.
- Enhanced console status service with comprehensive unit tests for connection handling and error recovery.
- Included Cosign tool version 2.6.0 with checksums for various platforms.
This commit is contained in:
StellaOps Bot
2025-12-02 21:08:01 +02:00
parent 6d049905c7
commit 47168fec38
146 changed files with 4329 additions and 549 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
docs/modules/zastava/schemas/README.md Normal file
View File

@@ -0,0 +1,19 @@
# Zastava schemas (runtime & admission)
## Canonicalisation & hashing
- JSON is stored with sorted keys and two-space indentation; hashes use **JCS-style** encoding: `json.dumps(payload, separators=(',', ':'), sort_keys=True)`.
- `payload_hash` fields in examples and exports are computed from the canonical payload bytes and formatted as `sha256:<hex>`.
- Schema negotiation stays on the `zastava.*@v1.x` line; breaking changes bump the major version.
## DSSE signing
- Payload types:
- `application/vnd.stellaops.zastava.schema+json;name=observer_event;version=1`
- `application/vnd.stellaops.zastava.schema+json;name=webhook_admission;version=1`
- Ed25519 public key (base64url, no padding): `mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc`.
- Signatures are emitted as `<file>.dsse` with DSSEv1 pre-auth encoding over the raw file bytes.
- Regenerate signatures with `docs/modules/zastava/kit/verify.sh` prerequisites (Python + cryptography) and the private key held offline.
## Test vectors
- Example payloads: `schemas/examples/*.json`.
- Signed exports: `exports/observer_events.ndjson(.dsse)` and `exports/webhook_admissions.ndjson(.dsse)`.
- Kit verification aggregates all signatures via `kit/verify.sh`.