up the blocking tasks
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Risk Bundle CI / risk-bundle-build (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Risk Bundle CI / risk-bundle-offline-kit (push) Has been cancelled
Risk Bundle CI / publish-checksums (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
devportal-offline / build-offline (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
This commit is contained in:
30
docs/modules/scanner/design/entropy-transport.md
Normal file
@@ -0,0 +1,30 @@
# Entropy Evidence Transport Contract
Purpose: unblock SCAN-ENTROPY-186-012 by defining worker → webservice transport for entropy reports.
## Endpoint
- `POST /api/v1/scans/{scanId}/entropy`
- Headers: `X-Tenant-Id`, `Content-Type: application/json`
- Body: `EntropyReportRequest`
## EntropyReportRequest (JSON)
- `subject_digest` (string, required) — image digest.
- `report_path` (string, required) — relative path inside replay bundle (e.g., `artifacts/entropy.report.json`).
- `hash` (string, required) — SHA256 hex of the report file.
- `penalties` (object) — `{ overall: number, layers: [{ digest, score, high_entropy_regions: [ { offset, length, reason } ] }] }`.
- `created_at` (string, ISO-8601 UTC).
- `tool`: `{ id, version, rng_seed, max_parallel }`.
## WebService behavior
- Validate tenant, scanId, subject_digest matches scan record.
- Validate SHA256 by re-reading report from bundle if available; else accept hash and queue verification job.
- Persist entropy metadata with scan record and attach to replay manifest.
- Respond `202 Accepted` with `{ status_url }`; return `409` if entropy already recorded for scanId+subject_digest.
## Error handling
- `400` malformed request; `401/403` auth; `404` scan not found; `422` hash mismatch; `500` transient CAS/read errors.
## Determinism
- No clocks added server-side; use provided `created_at`.
- No recalculation of entropy; only verification.
- Log deterministic reasons for rejection to aid reproducible replay.
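Review bot: `report_path` is specified only as "relative path inside replay bundle", yet the WebService section re-reads the report from the bundle at that caller-supplied path; the contract should require the path to be normalized and rejected with `400` when it is absolute, contains `..` segments, or resolves outside the bundle root, so the service never opens a client-chosen path elsewhere on disk. The deferred path also needs spelling out: when the bundle is unavailable the service "accepts hash and queues verification job" but still persists the metadata and attaches it to the replay manifest, while the error list only covers the synchronous `422` hash mismatch. State what the queued job does on mismatch (result exposed via `status_url`, metadata detached from the manifest, and whether the `409` duplicate guard then permits a corrected resubmission); otherwise a bad hash is sealed into the manifest with no documented way back. Minor: pin the exact format of `hash` and `subject_digest` (lowercase hex, length, `sha256:` prefix or not) so the mismatch check and the scanId+subject_digest duplicate key compare bytewise rather than after ad-hoc normalization.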