Add determinism tests for verdict artifact generation and update SHA256 sums script
- Implemented comprehensive tests for verdict artifact generation to ensure deterministic outputs across various scenarios, including identical inputs, parallel execution, and change ordering. - Created helper methods for generating sample verdict inputs and computing canonical hashes. - Added tests to validate the stability of canonical hashes, proof spine ordering, and summary statistics. - Introduced a new PowerShell script to update SHA256 sums for files, ensuring accurate hash generation and file integrity checks.
This commit is contained in:
StellaOps Bot
@@ -1,21 +1,35 @@
|
||||
# Tenancy Overview — Draft Skeleton (2025-12-05 UTC)
|
||||
# Tenancy Overview
|
||||
|
||||
Status: draft placeholder. Inputs pending: DVDO0110 tenancy ADR.
|
||||
StellaOps is designed for strict multi-tenancy. Tenancy is an explicit input to requests, storage, and exported evidence so decisions remain auditable and replayable (including in air-gapped deployments).
|
||||
|
||||
## Goals
|
||||
- Clarify tenant model, isolation guarantees, and scope grammar.
|
||||
## Tenant Identity
|
||||
|
||||
## Tenant Model
|
||||
- Concepts: tenant, org, workspace, project (to confirm with ADR).
|
||||
- Identity anchors and trust roots.
|
||||
- A **tenant** is the primary isolation boundary for data, policies, issuers/trust settings, and workflow objects (exceptions, approvals, exports).
|
||||
- Requests are tenant-scoped via `X-StellaOps-Tenant: <tenantId>` and/or tenant claims in tokens (depending on deployment).
|
||||
|
||||
Optional sub-scoping (environment/project/workspace) is supported via ABAC claims and module-specific selectors, but does not replace the tenant boundary.
|
||||
|
||||
## Isolation Guarantees
|
||||
- Data, control plane, audit/log boundaries.
|
||||
- Reachability to shared services (DB, cache) with RLS.
|
||||
|
||||
StellaOps aims for defense-in-depth isolation:
|
||||
|
||||
- **Database isolation:** each service owns its schema; tenant scoping is enforced on every query, typically via `tenant_id` columns and Row-Level Security where appropriate.
|
||||
- **Cache isolation:** cache keys and stream partitions are tenant-aware (and may use per-tenant databases in Redis/Valkey-compatible stores when configured).
|
||||
- **Object storage isolation:** stored artifacts and evidence bundles are content-addressed and namespaced so tenant boundaries are preserved even when sharing infrastructure.
|
||||
- **Audit boundaries:** audit trails are tenant-scoped and exported with tenant identifiers so offline reviewers can verify context.
|
||||
|
||||
## Enforcement Stack
|
||||
- Authority, CLI, API, Console touchpoints.
|
||||
|
||||
## Open TODOs
|
||||
- Insert canonical definitions and diagrams from DVDO0110.
|
||||
- Add references to scopes-and-roles once finalized.
|
||||
- **Authority** issues tokens containing scopes and optional ABAC claims.
|
||||
- **Gateway** (when deployed) routes and enforces tenant + scope checks consistently across modules.
|
||||
- **Services** validate tenant context and enforce tenant constraints at the storage layer.
|
||||
|
||||
## Offline / Air-Gap Considerations
|
||||
|
||||
- Offline Kit snapshots and exported evidence bundles include tenant identifiers and deterministic manifests so verification does not rely on online services.
|
||||
- Cross-tenant exports are not supported by default; when an operator needs cross-tenant reporting, it should be implemented as an explicit, audited workflow.
|
||||
|
||||
## References
|
||||
|
||||
- Scope taxonomy: `docs/security/scopes-and-roles.md`
|
||||
- Gateway tenant auth contract: `docs/api/gateway/tenant-auth.md`
|
||||
|
||||
Reference in New Issue
Block a user