Add determinism tests for verdict artifact generation and update SHA256 sums script
- Implemented comprehensive tests for verdict artifact generation to ensure deterministic outputs across various scenarios, including identical inputs, parallel execution, and change ordering.
- Created helper methods for generating sample verdict inputs and computing canonical hashes.
- Added tests to validate the stability of canonical hashes, proof spine ordering, and summary statistics.
- Introduced a new PowerShell script to update SHA256 sums for files, ensuring accurate hash generation and file integrity checks.
@@ -1,3 +0,0 @@
# Hash index for CLI guides
# <sha256> <relative-path>
9967d66765f90a31e16d354e43dd6952566d3a359e3250f4f5f9d4b206ba1686 docs/modules/cli/guides/exceptions.md
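Review bot: this hunk deletes the whole hash index (the two header comments and the single entry for `docs/modules/cli/guides/exceptions.md`) instead of updating it, yet the rewritten exceptions guide in this same commit still tells readers to look for example hashes in `docs/modules/cli/guides/SHA256SUMS`, and the commit message describes a new PowerShell script whose purpose is to regenerate these sums. Since the `exceptions.md` entry is stale after the rewrite anyway, either regenerate the index with that script and commit the result here, or drop the `SHA256SUMS` reference from the guide so the docs do not point at a file that no longer exists. Also worth noting for the record: the determinism tests and the SHA256 script named in the commit message do not appear in the visible diff, so reviewers cannot check them from this page.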
@@ -418,7 +418,7 @@ Additional notes:

- [Aggregation-Only Contract reference](../../../ingestion/aggregation-only-contract.md)
- [Architecture overview](../../platform/architecture-overview.md)
- [Console AOC dashboard](../../../ui/console.md)
- [Console operator guide](../../../15_UI_GUIDE.md)
- [Authority scopes](../../authority/architecture.md)
- [Task Pack CLI profiles](./packs-profiles.md)


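Review bot: the relative links in this list climb a different number of directories (`../../platform/…` and `../../authority/…` versus `../../../ingestion/…`, `../../../ui/…` and `../../../15_UI_GUIDE.md`), which is plausible if those targets live at different depths but is exactly the pattern that breaks silently when a guide is moved; please run the docs link checker on this file before merging, and if one of these was the line changed in this hunk, say which in the commit message.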
@@ -1,11 +1,93 @@
# CLI Exceptions Guide (stub)
# CLI Exceptions Guide

> Status: BLOCKED — depends on exception API contract and CLI command shapes (DOCS-EXC-25-006). Outline fixed to reduce future churn.
The `stella exceptions` command group manages exception governance objects (list/show/create/promote/revoke/import/export). Exceptions are tenant-scoped and intended to be time-bound and auditable.

## Outline
- Imposed rule banner
- Commands: list, get, create, approve, reject (actual names TBD)
- Flags/exit codes (to be filled when CLI contract arrives)
- Examples with deterministic outputs (hash in `docs/modules/cli/guides/SHA256SUMS` when available)
- Offline/air-gap usage notes
- Troubleshooting and known errors
## Common Options

- `--tenant`, `-t` — tenant scope for the operation
- `--json` — output structured JSON (where supported)
- `--verbose` — print additional diagnostic context

## Commands

### List

`stella exceptions list`

Filters:

- `--vuln <id>` — CVE or alias
- `--scope-type <purl|image|component|tenant>`
- `--scope-value <value>` — purl string, image ref, component key, etc.
- `--status`, `-s <draft|staged|active|expired|revoked>` (repeatable)
- `--owner <string>`
- `--effect <suppress|defer|downgrade|requireControl>`
- `--expiring-within-days <n>`
- `--include-expired`
- `--page-size <n>` (default: 50)
- `--page-token <token>`
- `--csv` — output CSV (implies structured output)

### Show

`stella exceptions show <exception-id>`

### Create

`stella exceptions create --vuln <id> --scope-type <type> --scope-value <value> --effect <effect> --justification <text> --owner <owner>`

Options:

- `--expiration <iso8601|+30d|+90d>` — expiration date/time or relative duration
- `--evidence <type:uri>` (repeatable) — evidence references
- `--policy <policy-id-or-version>` — bind exception to a policy profile/version
- `--stage` — create directly as staged (skip draft)

### Promote

`stella exceptions promote <exception-id>`

Options:

- `--target <staged|active>` — target status (default: next stage)
- `--comment <text>` — audit log comment

### Revoke

`stella exceptions revoke <exception-id>`

Options:

- `--reason <text>` — audit log reason

### Import

`stella exceptions import <file>`

Imports exceptions from an NDJSON file.

Options:

- `--stage` (default: `true`) — import as staged
- `--source <label>` — source label stored with imported records

### Export

`stella exceptions export --output <path>`

Options:

- `--status`, `-s <...>` (repeatable) — filter by status
- `--format <ndjson|json>` (default: `ndjson`)
- `--signed` — request a signed export (DSSE) when Attestor is enabled

## Offline / Air-Gap Usage

- `import` and `export` are the primary offline workflows for moving exception sets between environments.
- Prefer NDJSON for deterministic diffs and review workflows.
- Keep exception data tenant-scoped; cross-tenant bundles should be treated as an explicit, audited workflow.

## Related Docs

- Exceptions API entry point: `docs/api/exceptions.md`
- Exception governance migration guide: `docs/migration/exception-governance.md`

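Review bot: the Outline section contradicts the body of the same file: it lists the commands as `list, get, create, approve, reject (actual names TBD)` and promises an "Imposed rule banner", while the Commands section below documents `show`, `promote` and `revoke` (matching the intro's `list/show/create/promote/revoke/import/export`) and no banner section exists; either update the outline to the names actually documented or, if the names really are still TBD, keep the status banner's BLOCKED wording and mark the flag lists below as provisional rather than presenting both as fact. Two smaller points on the flags: `--stage (default: \`true\`)` under Import is a boolean switch that defaults on with no documented way to turn it off, so document the negated form (`--no-stage` or `--stage=false`, whichever the CLI parser supports); and since the guide stresses that exceptions are auditable and `create` requires `--justification`, consider making `revoke --reason` required too, or state explicitly that the audit log records actor and timestamp even when no reason is given.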