feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports

- Introduced a new VEX compact fixture for testing purposes. - Implemented `verify_export.py` script to validate Findings Ledger exports, ensuring deterministic ordering and applying redaction manifests. - Added a lightweight stub `HarnessRunner` for unit tests to validate ledger hashing expectations. - Documented tasks related to the Mirror Creator. - Created models for entropy signals and implemented the `EntropyPenaltyCalculator` to compute penalties based on scanner outputs. - Developed unit tests for `EntropyPenaltyCalculator` to ensure correct penalty calculations and handling of edge cases. - Added tests for symbol ID normalization in the reachability scanner. - Enhanced console status service with comprehensive unit tests for connection handling and error recovery. - Included Cosign tool version 2.6.0 with checksums for various platforms.
2025-12-02 21:08:01 +02:00
parent 6d049905c7
commit 47168fec38
146 changed files with 4329 additions and 549 deletions
--- a/docs/modules/zastava/schemas/examples/observer_event.example.json
+++ b/docs/modules/zastava/schemas/examples/observer_event.example.json
@@ -1,19 +1,19 @@
 {
-  "tenant_id": "tenant-a",
-  "project_id": "proj-123",
-  "sensor_id": "observer-01",
+  "event_type": "runtime_fact",
  "firmware_version": "1.2.3",
-  "policy_hash": "sha256:deadbeef",
  "graph_revision_id": "graph-r1",
  "ledger_id": "ledger-789",
-  "replay_manifest": "manifest-r1",
-  "event_type": "runtime_fact",
-  "observed_at": "2025-12-02T00:00:00Z",
  "monotonic_nanos": 123456789,
+  "observed_at": "2025-12-02T00:00:00Z",
  "payload": {
-    "process": "nginx",
-    "pid": 4242
+    "pid": 4242,
+    "process": "nginx"
  },
-  "payload_hash": "sha256:payloadhash",
-  "signature": "dsse://observer-event"
+  "payload_hash": "sha256:7476a5068a3f0780c552f81c90d061d9e39c37f425a243ecff961b08676546fd",
+  "policy_hash": "sha256:deadbeef",
+  "project_id": "proj-123",
+  "replay_manifest": "manifest-r1",
+  "sensor_id": "observer-01",
+  "signature": "dsse://observer-events/2025-12-02/observer_events.ndjson.dsse#line1",
+  "tenant_id": "tenant-a"
 }
--- a/docs/modules/zastava/schemas/examples/webhook_admission.example.json
+++ b/docs/modules/zastava/schemas/examples/webhook_admission.example.json
@@ -1,21 +1,34 @@
 {
-  "tenant_id": "tenant-a",
-  "project_id": "proj-123",
-  "request_uid": "abcd-1234",
-  "resource_kind": "Deployment",
-  "namespace": "prod",
-  "workload_name": "api",
-  "policy_hash": "sha256:deadbeef",
+  "bypass_waiver_id": null,
+  "decision": "allow",
+  "decision_at": "2025-12-02T00:00:00Z",
+  "decision_reason": "surface cache fresh",
  "graph_revision_id": "graph-r1",
  "ledger_id": "ledger-789",
-  "replay_manifest": "manifest-r1",
  "manifest_pointer": "surfacefs://cache/sha256:abc",
-  "decision": "allow",
-  "decision_reason": "surface cache fresh",
-  "decision_at": "2025-12-02T00:00:00Z",
  "monotonic_nanos": 2233445566,
+  "namespace": "prod",
+  "payload": {
+    "images": [
+      {
+        "digest": "sha256:abcd",
+        "name": "ghcr.io/acme/api:1.2.3",
+        "sbom_referrer": true,
+        "signed": true
+      }
+    ],
+    "manifest_pointer": "surfacefs://cache/sha256:abc",
+    "policy_hash": "sha256:deadbeef",
+    "verdict": "allow"
+  },
+  "payload_hash": "sha256:36bfb2bc81b7050bbb508e12cafe7ad5a51336aad397ef3a23b0e258aed73dc6",
+  "policy_hash": "sha256:deadbeef",
+  "project_id": "proj-123",
+  "replay_manifest": "manifest-r1",
+  "request_uid": "abcd-1234",
+  "resource_kind": "Deployment",
  "side_effect": "none",
-  "bypass_waiver_id": null,
-  "payload_hash": "sha256:payloadhash",
-  "signature": "dsse://webhook-admission"
+  "signature": "dsse://webhook-admissions/2025-12-02/webhook_admissions.ndjson.dsse#line1",
+  "tenant_id": "tenant-a",
+  "workload_name": "api"
 }