stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint. addition features and their state. check some ofthem

Browse Source
This commit is contained in:
master
2026-02-10 07:54:44 +02:00
parent 4bdc298ec1
commit 5593212b41
211 changed files with 10248 additions and 1208 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
docs/modules/attestor/README.md
View File

@@ -2,7 +2,8 @@
Attestor converts signed DSSE evidence from the Signer into transparency-log proofs and verifiable reports for every downstream surface (Policy Engine, Export Center, CLI, Console, Scheduler). It is the trust backbone that proves SBOM, scan, VEX, and policy artefacts were signed, witnessed, and preserved without tampering.
## Latest updates (2025-11-30)
## Latest updates (2026-02-09)
- Repro Bundle profile contract added: `docs/modules/attestor/repro-bundle-profile.md` (SLSA v1 + in-toto + DSSE + optional Rekor, with offline parity and fail-closed policy gates).
- Sprint tracker `docs/implplan/SPRINT_0313_0001_0001_docs_modules_attestor.md` and module `TASKS.md` added to mirror status.
- Observability runbook stub + dashboard placeholder added under `operations/` (offline import) pending next demo outputs.
- Platform Events samples (2025-10-18/19) remain the current canonical `attestor.logged@1`; keep verification workflows aligned.

69
docs/modules/attestor/repro-bundle-profile.md Normal file
View File

@@ -0,0 +1,69 @@
# Repro Bundle Profile (SLSA v1 + in-toto + DSSE)
## Status
- Planned contract (gap-closure track).
- Implementation sprint: `docs/implplan/SPRINT_20260209_001_DOCS_repro_bundle_gap_closure.md`.
## Purpose
- Define the minimum reproducibility evidence required for release promotion.
- Standardize canonicalization rules so rebuild and verification outcomes are deterministic.
- Preserve online and offline parity for transparency verification workflows.
## Required bundle contents (per artifact)
1. `build_provenance.json` with SLSA v1 predicate fields:
- `builder.id` and `builder.version`
- source binding (`invocation` and commit)
- `materials[]` with pinned digests
- canonicalized build command representation
- pinned toolchain digest (`@sha256:...`)
2. `in_toto.link` mapping materials to products with deterministic digests.
3. DSSE signatures/envelopes for provenance and link payloads.
4. Transparency evidence:
- Online mode: Rekor entry metadata.
- Offline mode: local checkpoint/tile bundle and verification metadata, including Rekor leaf hash (`leafHash`), path hashes, and checkpoint root.
## Canonicalization policy (fail-closed)
- Paths and filenames must be Unicode NFC.
- JSON payloads must be canonicalized with sorted keys and deterministic encoding.
- PURLs/material references must be pinned, digest-backed, and deterministically ordered.
- Archive outputs must use deterministic metadata/order:
- fixed timestamps (policy default: zero epoch)
- stable uid/gid and owner names
- fixed mode policy
- Line endings must be normalized (policy default: LF).
- Build environments must pin deterministic settings:
- `LC_ALL=C`
- `TZ=UTC`
- stable source date epoch
- Toolchains must be digest-pinned; mutable tags are non-compliant in strict mode.
## Verification modes
### Online mode
- Verify DSSE signatures.
- Verify SLSA/in-toto policy compliance.
- Verify Rekor inclusion against trusted log/checkpoint state.
### Offline mode
- Verify DSSE signatures with bundled trust roots/keys.
- Verify bundled inclusion proof data cryptographically (leaf hash + Merkle path + checkpoint root) without network.
- Missing/invalid proof material is fail-closed by default.
- If break-glass verification is allowed, it must be explicitly configured and recorded in evidence with machine-readable marker(s).
## Promotion gate contract
- Promotion must block when any required repro evidence is missing or invalid.
- Promotion must block when canonicalization policy fails.
- Promotion must block when toolchain digest pinning is absent.
- Gate output must include stable rejection codes and references to failed evidence files for replay.
## Component ownership map
- `Attestor`: strict predicate validation, DSSE handling, Rekor verification (online/offline).
- `ReleaseOrchestrator`: fail-closed promotion gate enforcement and policy simulation.
- `EvidenceLocker`: storage/export contracts for repro-bundle artifacts and offline verification packs.
- `Provenance`: provenance model extensions and deterministic serialization support.
- `devops`: deterministic build/container/pipeline defaults and toolchain pinning.
## Test expectations
- Deterministic fixtures for valid and invalid bundles.
- Unit + integration coverage for canonicalization policy and strict validation.
- End-to-end coverage for online and offline promotion checks.
- Negative tests for each fail-closed rule.

3
docs/modules/evidence-locker/architecture.md
View File

@@ -152,7 +152,8 @@ GET /bundles?tenant={id}&from={date}&to={date} → { bundles: BundleSummary[]
POST /export { bundleIds: string[], format: "zip"|"tar" } → { exportId }
GET /export/{id} → binary archive
GET /export/{id}/status → { status, progress }
POST /evidence { producer_bundle, raw_bom_path?, vex_refs[]? } → { evidence_id, evidence_score, stored }
GET /evidence/score?artifact_id={id} → { evidence_score, status }
GET /healthz | /readyz | /metrics
```

49
docs/modules/evidence-locker/attestation-contract.md
View File

@@ -43,4 +43,53 @@ Scope: Evidence Bundle v1 produced by Evidence Locker and consumed by Concelier,
- Primary: Evidence Locker Guild.
- Reviewers: Concelier Core Guild, Excititor Guild, Export Center Guild, Policy Guild.
## Gate Artifact Evidence Score Contract (v1, 2026-02-09)
Evidence Locker accepts a producer bundle and emits a single deterministic gate value (`evidence_score`) used by Release Orchestrator promotion gates.
### Producer submission
`POST /evidence`
Request body:
- `producer_bundle.artifact_id` (required)
- `producer_bundle.canonical_bom_sha256` (required, 64 hex)
- `producer_bundle.dsse_envelope_path` (required)
- `producer_bundle.payload_digest` (required, 64 hex)
- `producer_bundle.rekor.index` (required, integer >= 0)
- `producer_bundle.rekor.tile_id` (required)
- `producer_bundle.rekor.inclusion_proof_path` (required)
- `producer_bundle.attestation_refs[]` (optional list of stable refs)
- `raw_bom_path` (optional)
- `vex_refs[]` (optional list of refs)
Response body:
- `evidence_id`
- `evidence_score`
- `stored`
### Score lookup
`GET /evidence/score?artifact_id=<artifact-id>`
Response body:
- `evidence_score`
- `status` (`ready`)
### Deterministic scoring algorithm
Inputs:
- `canonical_bom_sha256`
- `payload_digest`
- `sorted(attestation_refs)` using ordinal lexical sort
Computation:
- join inputs with ASCII Unit Separator (`0x1F`)
- `evidence_score = SHA256(joined_bytes)` (lowercase hex)
Validation is fail-closed:
- reject non-hex or non-64-byte digests
- reject missing required producer fields
- reject invalid Rekor index values
This contract is authoritative for Sprint 110 and blocks CONCELIER-ATTEST-73-001/002 and EXCITITOR-ATTEST-01-003/73-001/73-002.

15
docs/modules/release-orchestrator/modules/promotion-manager.md
View File

@@ -392,6 +392,7 @@ interface SecurityGateConfig {
scanFreshnessHours: number; // How recent scan must be
allowExceptions: boolean; // Allow VEX exceptions
requireVexJustification: boolean; // Require VEX for exceptions
requireEvidenceScoreMatch: boolean; // Require Evidence Locker score match
}
interface SecurityGateResult {
@@ -423,6 +424,20 @@ interface SecurityGateResult {
}
```
When `requireEvidenceScoreMatch=true`, the security gate enforces fail-closed Evidence Locker checks per component:
1. recompute expected `evidence_score` from reproducibility inputs (`canonical_bom_sha256`, `payload_digest`, sorted `attestation_refs`)
2. query Evidence Locker by `artifact_id`
3. require `status=ready`
4. require exact score equality
Violation codes emitted for this flow:
- `SEC_REPRO_EVIDENCE_ARTIFACT_MISSING`
- `SEC_REPRO_EVIDENCE_SCORE_INPUT_INVALID`
- `SEC_REPRO_EVIDENCE_SCORE_REFS_INVALID`
- `SEC_REPRO_EVIDENCE_SCORE_MISSING`
- `SEC_REPRO_EVIDENCE_SCORE_NOT_READY`
- `SEC_REPRO_EVIDENCE_SCORE_MISMATCH`
---
## References