Add new features and tests for AirGap and Time modules
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Introduced `SbomService` tasks documentation. - Updated `StellaOps.sln` to include new projects: `StellaOps.AirGap.Time` and `StellaOps.AirGap.Importer`. - Added unit tests for `BundleImportPlanner`, `DsseVerifier`, `ImportValidator`, and other components in the `StellaOps.AirGap.Importer.Tests` namespace. - Implemented `InMemoryBundleRepositories` for testing bundle catalog and item repositories. - Created `MerkleRootCalculator`, `RootRotationPolicy`, and `TufMetadataValidator` tests. - Developed `StalenessCalculator` and `TimeAnchorLoader` tests in the `StellaOps.AirGap.Time.Tests` namespace. - Added `fetch-sbomservice-deps.sh` script for offline dependency fetching.
This commit is contained in:
master
42
docs/modules/evidence-locker/replay-payload-contract.md
Normal file
42
docs/modules/evidence-locker/replay-payload-contract.md
Normal file
@@ -0,0 +1,42 @@
|
||||
# Replay Payload Contract (Draft) — PREP-EVID-REPLAY-187-001
|
||||
|
||||
Status: Draft (2025-11-20)
|
||||
Owners: Evidence Locker Guild · Scanner Guild · CLI Guild
|
||||
Scope: Capture expected scanner record payloads needed by Evidence Locker replay APIs.
|
||||
|
||||
## 1) Payload envelope
|
||||
- Content type: `application/vnd.stella.replay.record+json;version=1`.
|
||||
- Fields:
|
||||
- `record_id` (ULID, assigned by Scanner).
|
||||
- `tenant_id` (string).
|
||||
- `source` (enum): `scanner`, `attestor`, `cli`.
|
||||
- `digest` (hex): SHA-256 of canonical payload bytes.
|
||||
- `created_at` (RFC3339 UTC).
|
||||
- `schema_version`: `replay.record.v1`.
|
||||
|
||||
## 2) Scanner record body (expected from Sprint 0186)
|
||||
- `image_digest` (string, required).
|
||||
- `sbom_digest` (string, optional) with SBOM pointer.
|
||||
- `observations` (array) of `{type, component_purl?, location, evidence, confidence}`.
|
||||
- `signals` (array) for runtime/static signals with `{name, value, units?, confidence}`.
|
||||
- `attestations` (array) of DSSE statement references `{type, uri, sha256}`.
|
||||
- `provenance` (object): `{scanner_version, policy_profile, worker_id}`.
|
||||
|
||||
## 3) Evidence Locker ingestion contract
|
||||
- API: `POST /replay/records` (internal) accepting NDJSON stream (`record_envelope + body`).
|
||||
- Validation:
|
||||
- hash must match `digest` supplied; timestamps UTC.
|
||||
- tenant_id must match auth principal or delegated token.
|
||||
- schema_version must equal `replay.record.v1` until upgraded.
|
||||
- Storage layout proposal: bucket prefix `replay/records/{tenant_id}/{record_id}.ndjson`, immutable; metadata indexed in Mongo with `{record_id, image_digest, created_at}`.
|
||||
|
||||
## 4) Open dependencies
|
||||
- Scanner team to freeze exact `observations` and `signals` schema in Sprint 0186.
|
||||
- Need DSSE profile for `attestations` (Authority/Attestor alignment).
|
||||
- CLI replay commands depend on finalized pointer format to retrieve records.
|
||||
|
||||
## 5) Next actions
|
||||
- Once Sprint 0186 publishes sample payloads, update this doc with enumerated observation/signal types and add JSON schema file under `docs/modules/evidence-locker/schemas/replay-record-v1.json`.
|
||||
|
||||
## 6) Handoff
|
||||
Reference this document from sprint trackers for PREP-EVID-REPLAY-187-001 and related CLI/Attestor PREP tasks. Update when upstream payloads are available.
|
||||
Reference in New Issue
Block a user