save checkpoint. addition features and their state. check some ofthem
This commit is contained in:
master
@@ -0,0 +1,162 @@
|
||||
# Sprint 20260209_001 - Repro Bundle Gap Closure
|
||||
|
||||
## Topic & Scope
|
||||
- Close the implementation gaps for verifiable, reproducible build evidence bundles using SLSA v1, in-toto, DSSE, and optional Rekor anchoring.
|
||||
- Add fail-closed promotion gates so releases block when reproducibility evidence is missing or non-canonical.
|
||||
- Preserve Stella Ops offline posture by supporting full verification in air-gapped promotions.
|
||||
- Working directory: `docs/implplan`.
|
||||
- Expected evidence: unit/integration/e2e tests, deterministic fixtures, updated module docs, operator runbooks.
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream contracts: `docs/modules/attestor/architecture.md`, `docs/modules/evidence-locker/architecture.md`, `docs/modules/release-orchestrator/architecture.md`, `docs/OFFLINE_KIT.md`.
|
||||
- Safe parallelism:
|
||||
- `RB-002` (SLSA strict profile) and `RB-003` (canonicalization pipeline) can run in parallel after `RB-001`.
|
||||
- `RB-004` (offline Rekor hardening) can run in parallel with `RB-003`.
|
||||
- `RB-005` (promotion gate) depends on `RB-002`, `RB-003`, and `RB-004`.
|
||||
- `RB-006` (devops determinism) can run in parallel with `RB-002`/`RB-003`.
|
||||
- `RB-007` (evidence ingestion) depends on `RB-003` and `RB-004`.
|
||||
- `RB-008` (QA matrix) depends on `RB-005`, `RB-006`, and `RB-007`.
|
||||
|
||||
## Documentation Prerequisites
|
||||
- `docs/README.md`
|
||||
- `docs/ARCHITECTURE_OVERVIEW.md`
|
||||
- `docs/modules/platform/architecture-overview.md`
|
||||
- `docs/modules/attestor/repro-bundle-profile.md`
|
||||
- `docs/code-of-conduct/CODE_OF_CONDUCT.md`
|
||||
- `docs/code-of-conduct/TESTING_PRACTICES.md`
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### RB-001 - Advisory translation and baseline docs sync
|
||||
Status: DONE
|
||||
Dependency: none
|
||||
Owners: Project Manager, Documentation author
|
||||
Task description:
|
||||
- Translate the advisory into actionable Stella Ops scope with explicit gaps, owners, and acceptance criteria.
|
||||
- Update one high-level capability page and one module-detailed dossier page so implementation work is anchored in product docs before code starts.
|
||||
|
||||
Completion criteria:
|
||||
- [x] New active sprint created in `docs/implplan/`.
|
||||
- [x] High-level docs updated with Repro Bundle capability and fail-closed expectations.
|
||||
- [x] Module-detailed contract published and linked for implementers.
|
||||
|
||||
### RB-002 - SLSA v1 strict provenance profile and validator hardening
|
||||
Status: DONE
|
||||
Dependency: RB-001
|
||||
Owners: Developer/Implementer, QA/Test Automation
|
||||
Task description:
|
||||
- Extend Attestor provenance validation to enforce required SLSA v1 fields and strict policy checks for builder identity/version, source URI + commit binding, materials digest completeness, build command canonicalization, and toolchain digest pinning.
|
||||
- Ensure validator output is deterministic and policy-driven (reject on violation, no best-effort fallback in release path).
|
||||
|
||||
Completion criteria:
|
||||
- [x] Strict validation mode rejects missing required provenance fields listed in `docs/modules/attestor/repro-bundle-profile.md`.
|
||||
- [x] Toolchain references without `@sha256:` are rejected in strict mode.
|
||||
- [x] Deterministic tests cover pass/fail fixtures and stable error ordering.
|
||||
|
||||
### RB-003 - Canonicalization pipeline for artifact and link metadata
|
||||
Status: TODO
|
||||
Dependency: RB-001
|
||||
Owners: Developer/Implementer, QA/Test Automation
|
||||
Task description:
|
||||
- Implement a canonicalization pipeline that normalizes paths (NFC), line endings, archive metadata/order, JSON key ordering, and deterministic digests for materials and products.
|
||||
- Emit canonical outputs needed for reproducibility evidence: canonical artifact, materials lock, SLSA provenance payload, and in-toto link payload.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Canonicalization rejects non-NFC paths and non-compliant archive metadata unless explicitly policy-allowed.
|
||||
- [ ] PURL/material rules (pinning, sorting, digest presence) are enforced and test-covered.
|
||||
- [ ] Canonical outputs are byte-stable across repeated runs in CI.
|
||||
|
||||
### RB-004 - Offline Rekor verification hardening
|
||||
Status: DONE
|
||||
Dependency: RB-001
|
||||
Owners: Developer/Implementer, QA/Test Automation
|
||||
Task description:
|
||||
- Replace trust-based offline shortcuts with full inclusion proof verification against bundled checkpoint and tile data where available.
|
||||
- Keep an explicit break-glass policy for disconnected environments, but separate it from default promotion gates and surface it in evidence.
|
||||
|
||||
Completion criteria:
|
||||
- [x] Offline verification path performs cryptographic proof verification by default.
|
||||
- [x] Break-glass mode is explicitly configured, auditable, and marked in verification output.
|
||||
- [x] Integration tests cover valid and tampered proof bundles.
|
||||
|
||||
### RB-005 - Release gate enforcement for reproducibility evidence
|
||||
Status: DONE
|
||||
Dependency: RB-002
|
||||
Owners: Developer/Implementer, Product Manager, QA/Test Automation
|
||||
Task description:
|
||||
- Add promotion gate checks requiring DSSE-signed provenance, DSSE-signed in-toto link evidence, canonicalization pass, and pinned toolchain digests before environment promotion.
|
||||
- Ensure gate outputs include deterministic rejection reasons and artifact references for replay and audit.
|
||||
|
||||
Completion criteria:
|
||||
- [x] Promotion blocks when required repro evidence is absent, invalid, or non-canonical.
|
||||
- [x] Gate result payload contains stable policy violation codes and evidence pointers.
|
||||
- [x] Replay path reproduces the same gate verdict from frozen evidence.
|
||||
|
||||
### RB-006 - DevOps determinism and toolchain pinning baseline
|
||||
Status: DONE
|
||||
Dependency: RB-001
|
||||
Owners: Developer/Implementer, QA/Test Automation
|
||||
Task description:
|
||||
- Update release build and packaging scripts to require pinned builder/runtime image digests and deterministic archive settings.
|
||||
- Enforce deterministic environment defaults (`LC_ALL=C`, `TZ=UTC`, fixed source date epoch) in repro bundle paths.
|
||||
|
||||
Completion criteria:
|
||||
- [x] Build/container definitions used for repro bundle flow require digest-pinned images.
|
||||
- [x] Packaging scripts produce deterministic archives and stable checksums.
|
||||
- [x] CI checks fail when toolchain pins or deterministic settings are missing.
|
||||
|
||||
### RB-007 - EvidenceLocker and export contract for repro bundle assets
|
||||
Status: TODO
|
||||
Dependency: RB-003
|
||||
Owners: Developer/Implementer, Documentation author
|
||||
Task description:
|
||||
- Extend evidence contracts to ingest and retain repro bundle components (provenance payloads/signatures, in-toto link payloads/signatures, materials lock, optional Rekor offline bundle/tiles).
|
||||
- Keep export and offline kit formats deterministic and verifiable.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Evidence schemas and export manifests include repro bundle artifacts with digests.
|
||||
- [ ] Offline export includes verification metadata required by air-gapped promotion checks.
|
||||
- [ ] Docs updated with new fields and verification flow.
|
||||
|
||||
### RB-008 - End-to-end deterministic verification matrix
|
||||
Status: TODO
|
||||
Dependency: RB-005
|
||||
Owners: QA/Test Automation
|
||||
Task description:
|
||||
- Deliver a deterministic test matrix for online and offline verification, including positive cases and fail-closed negatives for canonicalization, signatures, and proofs.
|
||||
- Record outcomes and flakiness findings in sprint execution logs.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Unit/integration/e2e coverage validates online and offline repro bundle verification.
|
||||
- [ ] Negative tests assert fail-closed behavior for each acceptance rule in the profile.
|
||||
- [ ] Execution log includes test scope, run date, and summary of results.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-09 | Sprint created from repro-bundle advisory gap assessment; baseline docs and archived advisory record added. | Project Manager |
|
||||
| 2026-02-09 | Started implementation of strict SLSA validation, reproducibility gate checks, and deterministic devops bundle/pinning controls. | Developer/Implementer |
|
||||
| 2026-02-09 | Completed RB-002 strict validation hardening; progressed RB-005 and RB-006 with tests and deterministic build/script enforcement. | Developer/Implementer |
|
||||
| 2026-02-09 | Completed RB-004 (cryptographic offline proof verification + break-glass markers), RB-005 replay determinism assertion, and RB-006 CI policy enforcement wiring. | Developer/Implementer |
|
||||
| 2026-02-09 | Validation run: Attestor Core tests and ReleaseOrchestrator Promotion tests passed; Attestor Offline tests remain blocked by pre-existing `SnapshotExportImportTests` compile errors (`CS9051`). | QA/Test Automation |
|
||||
|
||||
## Decisions & Risks
|
||||
- This sprint is a coordination sprint owned by `docs/implplan`; implementation work is explicitly allowed to span `src/Attestor/`, `src/ReleaseOrchestrator/`, `src/EvidenceLocker/`, `src/Provenance/`, and `devops/`.
|
||||
- Advisory translation docs:
|
||||
- High-level update: `docs/key-features.md`
|
||||
- Module contract: `docs/modules/attestor/repro-bundle-profile.md`
|
||||
- Archived advisory record: `docs-archived/product/advisories/09-Feb-2026 - Repro Bundle SLSA v1 in-toto DSSE offline mode.md`
|
||||
- Verification hardening details:
|
||||
- Offline verifier now requires cryptographically valid Rekor proof material (`leafHash`, path, checkpoint root) unless explicit break-glass is configured.
|
||||
- Core periodic offline verification now recomputes Merkle inclusion roots and emits break-glass usage markers when bypass is enabled.
|
||||
- CI enforcement wiring:
|
||||
- Added `devops/tools/verify-repro-bundle-policy.sh` and `.gitea/workflows/local-ci-verify.yml` job `repro-bundle-policy` to fail on missing digest pinning/deterministic prerequisites.
|
||||
- Risk: stricter validation may break current pipelines that use non-pinned toolchains or non-canonical archives. Mitigation: stage with policy simulation and explicit migration runbook before hard fail in production.
|
||||
- Risk: offline verification performance/cost may increase with full proof validation. Mitigation: bounded tile caches, deterministic fixtures, and benchmark gates before rollout.
|
||||
- Current blocker for full Attestor matrix execution: unrelated pre-existing compile/test failures in Concelier/ProofChain projects prevent full dependency graph test runs; targeted module tests were executed with project-reference isolation.
|
||||
- Additional blocker for full offline test project execution: pre-existing `CS9051` errors in `src/Attestor/__Tests/StellaOps.Attestor.Offline.Tests/SnapshotExportImportTests.cs` are unrelated to this sprint changes.
|
||||
|
||||
## Next Checkpoints
|
||||
- 2026-02-12: Architecture and contract sign-off for strict SLSA/canonicalization policy (`RB-002`, `RB-003`).
|
||||
- 2026-02-16: Gate and offline verification implementation review (`RB-004`, `RB-005`).
|
||||
- 2026-02-20: QA matrix sign-off and release readiness review (`RB-006`, `RB-007`, `RB-008`).
|
||||
Reference in New Issue
Block a user