compose and authority fixes. finish sprints.

This commit is contained in:
master
2026-02-17 21:59:47 +02:00
parent fb46a927ad
commit 49cdebe2f1
187 changed files with 23189 additions and 1439 deletions


@@ -317,6 +317,69 @@ Example:
---
## Runtime Symbolization Tuple
Runtime witnesses (those with `observation_type` = `runtime|confirmed` or non-empty `observations`) must include a deterministic symbolization tuple:
```json
{
"symbolization": {
"build_id": "gnu-build-id:...",
"debug_artifact_uri": "cas://symbols/by-build-id/.../artifact.debug",
"symbol_table_uri": "cas://symbols/by-build-id/.../symtab.json",
"symbolizer": {
"name": "llvm-symbolizer",
"version": "18.1.7",
"digest": "sha256:..."
},
"libc_variant": "glibc",
"sysroot_digest": "sha256:..."
}
}
```
Validation rules:
1. `build_id`, `symbolizer.name`, `symbolizer.version`, `symbolizer.digest`, `libc_variant`, and `sysroot_digest` are required.
2. At least one of `debug_artifact_uri` or `symbol_table_uri` must be present.
3. Missing runtime symbolization inputs must fail witness signing/verification validation.
4. Runtime observation arrays must be canonicalized before witness hashing/signing (stable sort by timestamp and deterministic tiebreakers) so equivalent inputs produce byte-identical DSSE payloads.
## Runtime Witness Artifact Triplet (MWD-004)
Runtime witnesses exported through Evidence Locker use a deterministic three-file profile:
1. `trace.json` - canonical witness payload
2. `trace.dsse.json` - DSSE envelope over `trace.json`
3. `trace.sigstore.json` - Sigstore bundle containing verification material for offline replay
Manifest/index records must link each artifact to:
- `witness_id`
- `witness_role` (`trace`, `dsse`, `sigstore_bundle`)
- deterministic replay lookup keys:
- `build_id`
- `kernel_release`
- `probe_id`
- `policy_run_id`
Offline verification must use only bundle-contained artifacts; no network lookups are required for triplet integrity checks.
## Cross-Distro Replay Matrix Verification (MWD-005)
Deterministic replay verification must include a minimum matrix of:
1. Three kernel releases.
2. Both `glibc` and `musl` libc variants.
3. Fixed witness artifacts replayed across matrix rows with byte-identical replay-frame output.
QA evidence for `MWD-005` is captured at:
- `docs/qa/feature-checks/runs/signals/ebpf-micro-witness-determinism/run-001/tier2-replay-matrix-tests.log`
- `docs/qa/feature-checks/runs/signals/ebpf-micro-witness-determinism/run-001/tier2-replay-matrix-summary.json`
---
## DSSE Signing
Witnesses are signed using [DSSE (Dead Simple Signing Envelope)](https://github.com/secure-systems-lab/dsse):
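Review bot: Validation rule 4 in the Runtime Symbolization Tuple section ("stable sort by timestamp and deterministic tiebreakers") leaves the tiebreakers unspecified, so two conforming implementations can canonicalize the same observation array differently and produce non-identical DSSE payloads, which defeats the byte-identical goal the rule states. Name the ordered key list explicitly, for example "sort by timestamp, then `probe_id`, then the canonical hash of the observation record", and state the timestamp precision and encoding that the sort compares. In the same section, `symbolizer.digest` and `sysroot_digest` should say what each digest is taken over (the symbolizer binary and the sysroot tree, respectively, if that is the intent), since the offline replay in MWD-004 can only pin these inputs if the digest subject is defined; and rule 2 should state which URI schemes are acceptable for `debug_artifact_uri` and `symbol_table_uri`, given that MWD-004 later requires verification without network lookups.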