Add new features and tests for AirGap and Time modules
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Introduced `SbomService` tasks documentation. - Updated `StellaOps.sln` to include new projects: `StellaOps.AirGap.Time` and `StellaOps.AirGap.Importer`. - Added unit tests for `BundleImportPlanner`, `DsseVerifier`, `ImportValidator`, and other components in the `StellaOps.AirGap.Importer.Tests` namespace. - Implemented `InMemoryBundleRepositories` for testing bundle catalog and item repositories. - Created `MerkleRootCalculator`, `RootRotationPolicy`, and `TufMetadataValidator` tests. - Developed `StalenessCalculator` and `TimeAnchorLoader` tests in the `StellaOps.AirGap.Time.Tests` namespace. - Added `fetch-sbomservice-deps.sh` script for offline dependency fetching.
This commit is contained in:
master
43
docs/modules/evidence-locker/attestation-contract.md
Normal file
43
docs/modules/evidence-locker/attestation-contract.md
Normal file
@@ -0,0 +1,43 @@
|
||||
# Evidence Locker Attestation Contract (v1 · frozen 2025-11-20)
|
||||
|
||||
Scope: Evidence Bundle v1 produced by Evidence Locker and consumed by Concelier, Excititor, Export Center, CLI, and Policy Engine.
|
||||
|
||||
## Predicates & subjects
|
||||
- **Subject**: OCI manifest digest (`sha256:<digest>`) of the bundle, plus optional replay pack digest.
|
||||
- **Predicates (DSSE/In-Toto)**
|
||||
- `stellaops.evidence.bundle.v1`: declares bundle layout (manifests, CAS paths, replay log offsets).
|
||||
- `stellaops.evidence.transparency.v1`: optional Rekor log inclusion proof (UUID, log index, root hash at inclusion).
|
||||
- `stellaops.evidence.integrity.v1`: hashes for each payload (SBOMs, VEX, policy packs, telemetry snapshots), keyed by logical path.
|
||||
|
||||
## Required claim set
|
||||
- `bundle_id` (UUID v4)
|
||||
- `produced_at` (UTC ISO-8601)
|
||||
- `producer` (`evidence-locker:<region>`)
|
||||
- `subject_digest` (OCI digest string)
|
||||
- `hashes` (map: logical path → sha256)
|
||||
- `sbom` (array of SPDX/CycloneDX digests and mediaTypes)
|
||||
- `vex` (array of VEX doc digests and schema versions)
|
||||
- `replay_manifest` (optional; digest + sequence number)
|
||||
- `transparency` (optional; Rekor UUID, logIndex, rootHash)
|
||||
- `signing_profile` (`sovereign-default` | `fips` | `gost` | `pq-experimental`)
|
||||
|
||||
## Bundling & signing rules
|
||||
- DSSE envelope using the module’s configured crypto provider; keys must be short-lived (<24h) and recorded in provider registry.
|
||||
- Hash list and subject digest MUST match the on-disk CAS objects; deterministic sort by logical path.
|
||||
- Rekor entry is optional; when absent, set `transparency=null` and add `transparency_reason="offline"` to provenance note.
|
||||
|
||||
## Verification plan
|
||||
- Verify DSSE signature against provider registry (per profile) and check key expiry.
|
||||
- Recompute sha256 for every CAS object; fail if any mismatch.
|
||||
- If `transparency` present, verify inclusion proof against bundled Rekor root; fail closed on mismatch.
|
||||
- Emit verification report JSON and store beside bundle as `verify.json` (deterministic key order).
|
||||
|
||||
## Fixtures
|
||||
- Sample bundle + report: `docs/samples/evidence-locker/bundle-v1-sample.tar.gz` (sha256 TBD at publish time).
|
||||
- Sample attestation envelope: `docs/samples/evidence-locker/attestation-v1-sample.json`.
|
||||
|
||||
## Ownership
|
||||
- Primary: Evidence Locker Guild.
|
||||
- Reviewers: Concelier Core Guild, Excititor Guild, Export Center Guild, Policy Guild.
|
||||
|
||||
This contract is authoritative for Sprint 110 and blocks CONCELIER-ATTEST-73-001/002 and EXCITITOR-ATTEST-01-003/73-001/73-002.
|
||||
Reference in New Issue
Block a user