save checkpoint. addition features and their state. check some ofthem

2026-02-10 07:54:44 +02:00
parent 4bdc298ec1
commit 5593212b41
211 changed files with 10248 additions and 1208 deletions
--- a/docs-archived/implplan/SPRINT_20260209_002_EvidenceLocker_gate_artifact_evidence_score.md
+++ b/docs-archived/implplan/SPRINT_20260209_002_EvidenceLocker_gate_artifact_evidence_score.md
@@ -0,0 +1,96 @@
+# Sprint 20260209_002 - Gate Artifact Evidence Score
+
+## Topic & Scope
+- Implement the producer-to-EvidenceLocker gate artifact flow for canonical SBOM + DSSE + Rekor evidence submission.
+- Compute and persist deterministic `evidence_score` as the authoritative promotion-gate value.
+- Wire Release Orchestrator to consume and enforce score-based gate checks in fail-closed mode.
+- Working directory: `src/EvidenceLocker/`.
+- Expected evidence: unit/integration tests, API contracts, migration, and docs updates.
+- Cross-module edits explicitly allowed for this sprint: `src/ReleaseOrchestrator/**`, `docs/modules/evidence-locker/**`, `docs/modules/release-orchestrator/**`.
+
+## Dependencies & Concurrency
+- Depends on existing reproducibility controls in `src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Promotion/Gate/Security/`.
+- Depends on existing DSSE/Rekor ingestion surfaces in `src/Attestor/` (read-only dependency).
+- Safe parallelism: EvidenceLocker API/storage and Release Orchestrator gate integration can be implemented in parallel after contract freeze.
+
+## Documentation Prerequisites
+- `docs/modules/evidence-locker/architecture.md`
+- `docs/modules/release-orchestrator/architecture.md`
+- `docs/modules/attestor/repro-bundle-profile.md`
+
+## Delivery Tracker
+
+### EL-GATE-001 - Add producer bundle ingestion contract and evidence score API
+Status: DONE
+Dependency: none
+Owners: Developer / Implementer
+Task description:
+- Add EvidenceLocker HTTP contract for producer bundle submission containing canonical SBOM digest, DSSE envelope reference, Rekor references, and attestation refs.
+- Add retrieval endpoint for score lookup by `artifact_id`.
+- Enforce deterministic computation using canonical concatenation and sorted `attestation_refs`.
+
+Completion criteria:
+- [x] `POST` ingestion endpoint accepts producer bundle contract and returns `evidence_id`, `evidence_score`, `stored`.
+- [x] `GET` score endpoint returns deterministic score/status by `artifact_id`.
+- [x] Invalid/incomplete inputs fail closed with explicit validation errors.
+
+### EL-GATE-002 - Persist gate artifact record with deterministic schema
+Status: DONE
+Dependency: EL-GATE-001
+Owners: Developer / Implementer
+Task description:
+- Introduce storage model and migration for gate artifact records.
+- Persist `canonical_bom_sha256`, `payload_digest`, sorted `attestation_refs`, Rekor fields, and computed `evidence_score`.
+
+Completion criteria:
+- [x] Migration added and applied via EvidenceLocker migration runner.
+- [x] Repository coverage verifies deterministic score persistence and retrieval.
+
+### EL-GATE-003 - Integrate Release Orchestrator with evidence score gate check
+Status: DONE
+Dependency: EL-GATE-001
+Owners: Developer / Implementer
+Task description:
+- Add gate integration path that can query EvidenceLocker score and fail closed on mismatch/unavailable status when enabled.
+- Preserve existing reproducibility controls while introducing score assertion support.
+
+Completion criteria:
+- [x] Security gate config supports score enforcement mode.
+- [x] Tests validate pass/fail behavior for match, mismatch, and missing score scenarios.
+
+### EL-GATE-004 - Documentation and sprint traceability sync
+Status: DONE
+Dependency: EL-GATE-001
+Owners: Documentation author / Project Manager
+Task description:
+- Update module docs for producer contract, score algorithm, and promotion gate behavior.
+- Record implementation decisions and risks for auditability.
+
+Completion criteria:
+- [x] Docs updated with final API and algorithm details.
+- [x] Sprint `Execution Log` and `Decisions & Risks` reference updated docs.
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2026-02-09 | Sprint created; EL-GATE-001 moved to DOING for implementation kickoff. | Planning |
+| 2026-02-09 | Context compacted into implementation checkpoint and scope confirmed (EvidenceLocker owner, cross-module allowed). | Planning |
+| 2026-02-09 | Implemented EvidenceLocker gate artifact ingestion, deterministic score persistence, and score lookup endpoint with fail-closed validation. | Developer |
+| 2026-02-09 | Added SecurityGate `requireEvidenceScoreMatch` fail-closed integration and score mismatch/missing coverage. | Developer |
+| 2026-02-09 | Updated module docs for gate artifact contract and promotion enforcement behavior; validation via EvidenceLocker tests and Promotion security tests. | Developer |
+| 2026-02-09 | Final pass: added additional fail-closed edge-case coverage (status not ready, invalid refs, legacy constructor compatibility, API not-found/validation), re-ran test suites, and marked sprint ready for archive. | Developer |
+
+## Decisions & Risks
+- Decision: EvidenceLocker is system-of-record for gate artifact `evidence_score`; Release Orchestrator consumes score instead of recomputing ad hoc from disparate stores.
+- Decision: Deterministic concatenation format uses stable hex digests and lexicographically sorted refs with an explicit separator to prevent ambiguity.
+- Decision: `evidence_score` concatenation uses ASCII Unit Separator (`0x1F`) between inputs (`canonical_bom_sha256`, `payload_digest`, sorted refs) to remove delimiter ambiguity while preserving deterministic replay.
+- Risk: Existing verdict-attestation storage model (`verdict_score`) may be confused with new `evidence_score`; mitigation is separate schema/API contract.
+- Risk: Release Orchestrator currently relies on scan-derived reproducibility booleans; score integration must remain backward compatible.
+- Documentation links:
+  - `docs/modules/evidence-locker/attestation-contract.md` (Gate Artifact Evidence Score Contract)
+  - `docs/modules/release-orchestrator/modules/promotion-manager.md` (Security gate evidence score enforcement)
+
+## Next Checkpoints
+- Contract + migration draft complete: 2026-02-09
+- Release Orchestrator gate integration tests green: 2026-02-09
+- Docs + sprint closure review: 2026-02-09
--- a/docs-archived/product/advisories/09-Feb-2026
+++ b/docs-archived/product/advisories/09-Feb-2026
@@ -0,0 +1,25 @@
+# 09-Feb-2026 - Repro Bundle SLSA v1 in-toto DSSE offline mode
+
+## Advisory source
+- Source: user-provided product advisory text (planning session, 2026-02-09 UTC).
+- Scope: per-artifact reproducible evidence bundle with SLSA v1 provenance, in-toto link, DSSE signatures, optional Rekor anchoring, and full offline verification mode.
+
+## Outcome
+- Result: gaps confirmed in current implementation.
+- Decision: advisory translated into docs + sprint tasks and archived.
+
+## Confirmed gap themes
+- Strict SLSA policy enforcement is incomplete for required fields and fail-closed validation behavior.
+- Canonicalization policy is not yet enforced as one deterministic pipeline.
+- Promotion gates do not yet fail closed on missing/non-compliant reproducibility evidence.
+- Offline Rekor verification has trust-based shortcuts that need hardening.
+- Toolchain digest pinning and deterministic packaging are not fully enforced across release scripts.
+
+## Translation artifacts
+- Active sprint: `docs/implplan/SPRINT_20260209_001_DOCS_repro_bundle_gap_closure.md`
+- High-level product/docs update: `docs/key-features.md`
+- Module contract: `docs/modules/attestor/repro-bundle-profile.md`
+
+## Notes
+- Supersedes/extends: none recorded.
+- External web fetches: none.