compose and authority fixes. finish sprints.
This commit is contained in:
master
@@ -2,8 +2,8 @@
|
||||
|
||||
## Status
|
||||
- Advisory translated: 2026-02-16 (UTC)
|
||||
- Current implementation status: gaps confirmed
|
||||
- Implementation sprint: `docs/implplan/SPRINT_20260216_001_Signals_ebpf_micro_witness_determinism_profile.md`
|
||||
- Current implementation status: implementation complete (`MWD-001` through `MWD-005` complete)
|
||||
- Implementation sprint: `docs-archived/implplan/SPRINT_20260216_001_Signals_ebpf_micro_witness_determinism_profile.md`
|
||||
|
||||
## Purpose
|
||||
- Define what "replayable and deterministic micro-witnesses" means for Stella Ops runtime evidence.
|
||||
@@ -17,19 +17,26 @@
|
||||
4. Witness evidence must be portable as DSSE plus a Sigstore bundle that can be verified offline.
|
||||
|
||||
## Verified current state (2026-02-16)
|
||||
- eBPF support check currently hard-requires `/sys/kernel/btf/vmlinux` with no split-BTF fallback path selection metadata in collector output.
|
||||
- eBPF runtime collector now uses deterministic BTF selection order (`/sys/kernel/btf/vmlinux` -> configured external vmlinux -> split-BTF) and emits source metadata (`source_kind`, `source_path`, `source_digest`, `selection_reason`) into runtime summaries/results.
|
||||
- `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Services/RuntimeSignalCollector.cs`
|
||||
- `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Services/RuntimeBtfSourceSelector.cs`
|
||||
- Probe loader path is simulated for runtime attachment lifecycle and does not implement deterministic BTF source recording.
|
||||
- `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Probes/CoreProbeLoader.cs`
|
||||
- Runtime witness model includes `build_id` but does not include symbol bundle pointers or symbolizer/libc/sysroot tuple required for cross-distro deterministic symbolization.
|
||||
- Runtime witness model now includes deterministic symbolization tuple (`build_id`, debug/symbol pointers, symbolizer identity, libc variant, sysroot digest) and runtime witness signing/verification validation enforces required symbolization inputs.
|
||||
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitness.cs`
|
||||
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/RuntimeObservation.cs`
|
||||
- Runtime witness generator is interface-defined but has no production implementation in Scanner.
|
||||
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/IRuntimeWitnessGenerator.cs`
|
||||
- DSSE envelope support exists; end-to-end per-witness Sigstore bundle contract (`trace.sigstore.json`) is not standardized in witness storage/indexing.
|
||||
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/RuntimeWitnessRequest.cs`
|
||||
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/WitnessDsseSigner.cs`
|
||||
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/Migrations/013_witness_storage.sql`
|
||||
- Runtime witness generation pipeline is implemented with deterministic observation canonicalization, DSSE signing, and storage integration hook, and is wired into runtime collector flow through optional witness emission settings.
|
||||
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/RuntimeWitnessGenerator.cs`
|
||||
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Runtime/EbpfRuntimeReachabilityCollector.cs`
|
||||
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Runtime/IRuntimeReachabilityCollector.cs`
|
||||
- Evidence Locker export manifest/index now supports runtime witness triplets (`trace.json`, `trace.dsse.json`, `trace.sigstore.json`) with witness identity linkage and deterministic lookup keys (`build_id`, `kernel_release`, `probe_id`, `policy_run_id`), and offline verifier checks can run using bundle-contained artifacts only.
|
||||
- `src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/Models/BundleManifest.cs`
|
||||
- `src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/TarGzBundleExporter.cs`
|
||||
- `src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/RuntimeWitnessOfflineVerifier.cs`
|
||||
- Cross-distro deterministic replay matrix is validated in targeted tests (3 kernels: `5.15`, `6.1`, `6.6`; libc variants: `glibc`, `musl`) with byte-identical replay-frame projection from fixed witness artifacts, and QA evidence includes artifact hashes and replay logs.
|
||||
- `src/EvidenceLocker/__Tests/StellaOps.EvidenceLocker.Export.Tests/RuntimeWitnessOfflineVerifierTests.cs`
|
||||
- `docs/qa/feature-checks/runs/signals/ebpf-micro-witness-determinism/run-001/tier2-replay-matrix-summary.json`
|
||||
|
||||
## Decision
|
||||
- Advisory is accepted as implementation-required.
|
||||
|
||||
Reference in New Issue
Block a user