save checkpoint. addition features and their state. check some of them

This commit is contained in:
master
2026-02-10 07:54:44 +02:00
parent 4bdc298ec1
commit 5593212b41
211 changed files with 10248 additions and 1208 deletions


@@ -0,0 +1,96 @@
# Sprint 20260209_002 - Gate Artifact Evidence Score
## Topic & Scope
- Implement the producer-to-EvidenceLocker gate artifact flow for canonical SBOM + DSSE + Rekor evidence submission.
- Compute and persist deterministic `evidence_score` as the authoritative promotion-gate value.
- Wire Release Orchestrator to consume and enforce score-based gate checks in fail-closed mode.
- Working directory: `src/EvidenceLocker/`.
- Expected evidence: unit/integration tests, API contracts, migration, and docs updates.
- Cross-module edits explicitly allowed for this sprint: `src/ReleaseOrchestrator/**`, `docs/modules/evidence-locker/**`, `docs/modules/release-orchestrator/**`.
## Dependencies & Concurrency
- Depends on existing reproducibility controls in `src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Promotion/Gate/Security/`.
- Depends on existing DSSE/Rekor ingestion surfaces in `src/Attestor/` (read-only dependency).
- Safe parallelism: EvidenceLocker API/storage and Release Orchestrator gate integration can be implemented in parallel after contract freeze.
## Documentation Prerequisites
- `docs/modules/evidence-locker/architecture.md`
- `docs/modules/release-orchestrator/architecture.md`
- `docs/modules/attestor/repro-bundle-profile.md`
## Delivery Tracker
### EL-GATE-001 - Add producer bundle ingestion contract and evidence score API
Status: DONE
Dependency: none
Owners: Developer / Implementer
Task description:
- Add EvidenceLocker HTTP contract for producer bundle submission containing canonical SBOM digest, DSSE envelope reference, Rekor references, and attestation refs.
- Add retrieval endpoint for score lookup by `artifact_id`.
- Enforce deterministic computation using canonical concatenation and sorted `attestation_refs`.
Completion criteria:
- [x] `POST` ingestion endpoint accepts producer bundle contract and returns `evidence_id`, `evidence_score`, `stored`.
- [x] `GET` score endpoint returns deterministic score/status by `artifact_id`.
- [x] Invalid/incomplete inputs fail closed with explicit validation errors.
### EL-GATE-002 - Persist gate artifact record with deterministic schema
Status: DONE
Dependency: EL-GATE-001
Owners: Developer / Implementer
Task description:
- Introduce storage model and migration for gate artifact records.
- Persist `canonical_bom_sha256`, `payload_digest`, sorted `attestation_refs`, Rekor fields, and computed `evidence_score`.
Completion criteria:
- [x] Migration added and applied via EvidenceLocker migration runner.
- [x] Repository coverage verifies deterministic score persistence and retrieval.
### EL-GATE-003 - Integrate Release Orchestrator with evidence score gate check
Status: DONE
Dependency: EL-GATE-001
Owners: Developer / Implementer
Task description:
- Add gate integration path that can query EvidenceLocker score and fail closed on mismatch/unavailable status when enabled.
- Preserve existing reproducibility controls while introducing score assertion support.
Completion criteria:
- [x] Security gate config supports score enforcement mode.
- [x] Tests validate pass/fail behavior for match, mismatch, and missing score scenarios.
### EL-GATE-004 - Documentation and sprint traceability sync
Status: DONE
Dependency: EL-GATE-001
Owners: Documentation author / Project Manager
Task description:
- Update module docs for producer contract, score algorithm, and promotion gate behavior.
- Record implementation decisions and risks for auditability.
Completion criteria:
- [x] Docs updated with final API and algorithm details.
- [x] Sprint `Execution Log` and `Decisions & Risks` reference updated docs.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-09 | Sprint created; EL-GATE-001 moved to DOING for implementation kickoff. | Planning |
| 2026-02-09 | Context compacted into implementation checkpoint and scope confirmed (EvidenceLocker owner, cross-module allowed). | Planning |
| 2026-02-09 | Implemented EvidenceLocker gate artifact ingestion, deterministic score persistence, and score lookup endpoint with fail-closed validation. | Developer |
| 2026-02-09 | Added SecurityGate `requireEvidenceScoreMatch` fail-closed integration and score mismatch/missing coverage. | Developer |
| 2026-02-09 | Updated module docs for gate artifact contract and promotion enforcement behavior; validation via EvidenceLocker tests and Promotion security tests. | Developer |
| 2026-02-09 | Final pass: added additional fail-closed edge-case coverage (status not ready, invalid refs, legacy constructor compatibility, API not-found/validation), re-ran test suites, and marked sprint ready for archive. | Developer |
## Decisions & Risks
- Decision: EvidenceLocker is system-of-record for gate artifact `evidence_score`; Release Orchestrator consumes score instead of recomputing ad hoc from disparate stores.
- Decision: Deterministic concatenation format uses stable hex digests and lexicographically sorted refs with an explicit separator to prevent ambiguity.
- Decision: `evidence_score` concatenation uses ASCII Unit Separator (`0x1F`) between inputs (`canonical_bom_sha256`, `payload_digest`, sorted refs) to remove delimiter ambiguity while preserving deterministic replay.
- Risk: Existing verdict-attestation storage model (`verdict_score`) may be confused with new `evidence_score`; mitigation is separate schema/API contract.
- Risk: Release Orchestrator currently relies on scan-derived reproducibility booleans; score integration must remain backward compatible.
- Documentation links:
- `docs/modules/evidence-locker/attestation-contract.md` (Gate Artifact Evidence Score Contract)
- `docs/modules/release-orchestrator/modules/promotion-manager.md` (Security gate evidence score enforcement)
## Next Checkpoints
- Contract + migration draft complete: 2026-02-09
- Release Orchestrator gate integration tests green: 2026-02-09
- Docs + sprint closure review: 2026-02-09
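Review bot: In Decisions & Risks, the two concatenation decisions overlap and still leave the `evidence_score` derivation underspecified. They fix the input order (`canonical_bom_sha256`, `payload_digest`, sorted refs) and the `0x1F` separator, but do not say what function turns the concatenated bytes into the score, which hex case counts as "stable", or which byte encoding and collation are used when sorting `attestation_refs`. Because EL-GATE-003 fails closed on mismatch, anyone replaying the score needs those details pinned in this file, or an explicit pointer to the section of `docs/modules/evidence-locker/attestation-contract.md` that defines them. It would also help to state whether a ref containing `0x1F` is rejected at ingestion, since the execution log mentions "invalid refs" coverage without defining it, and to merge the two bullets into one. The task description for EL-GATE-003 says enforcement applies "when enabled" but the sprint never records the default of `requireEvidenceScoreMatch`; note it next to the backward-compatibility risk. Separately, Next Checkpoints lists three dates that are all 2026-02-09 while every task is already DONE; mark them completed or drop the section.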