Add signal contracts for reachability, exploitability, trust, and unknown symbols
- Introduced `ReachabilityState`, `RuntimeHit`, `ExploitabilitySignal`, `ReachabilitySignal`, `SignalEnvelope`, `SignalType`, `TrustSignal`, and `UnknownSymbolSignal` records to define various signal types and their properties. - Implemented JSON serialization attributes for proper data interchange. - Created project files for the new signal contracts library and corresponding test projects. - Added deterministic test fixtures for micro-interaction testing. - Included cryptographic keys for secure operations with cosign.
This commit is contained in:
StellaOps Bot
6
docs/modules/signals/dev-smoke/2025-12-04/SHA256SUMS
Normal file
6
docs/modules/signals/dev-smoke/2025-12-04/SHA256SUMS
Normal file
@@ -0,0 +1,6 @@
|
||||
7d2f7e34acd2ef5b6ec6b1d99177cef03befeef4146c6e3386f35ed5a3bf43ff confidence_decay_config.sigstore.json
|
||||
170892f6a48b0aef6f426ea97a86f6cd4420bc52634f12a92f72e20f0fa12e29 ../../decay/confidence_decay_config.yaml
|
||||
91ced62e93409ab6880465fd50ecf8919275447fcfd9d88fa93f04d1059f57a6 unknowns_scoring_manifest.sigstore.json
|
||||
450675035928e4771cca1b9e5f9e42035dbe10b3de7b66a4077a7b729b2c5b13 ../../unknowns/unknowns_scoring_manifest.json
|
||||
618e43a1517cb7205c4e1876a3c20503a685ca6ad226d335fcfcb833355c4fbb heuristics_catalog.sigstore.json
|
||||
e33fa0963493252a5ac379a12f820f6b356ea94310afd1db9ad7394e8307000e ../../heuristics/heuristics.catalog.json
|
||||
@@ -0,0 +1 @@
|
||||
{"mediaType":"application/vnd.dev.sigstore.bundle.v0.3+json","verificationMaterial":{"publicKey":{"hint":"1/nAsWLsk/yOPl4sjynn6FOCC1ixnrbxSK9UHxjF8MQ="},"tlogEntries":[{"logIndex":"741918992","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"hashedrekord","version":"0.0.1"},"integratedTime":"1764886405","inclusionPromise":{"signedEntryTimestamp":"MEYCIQC+ZHqagsrB9xcLCZoPvkT60dlHFvKAIhRvVpkbPMjxowIhAN9x92EO24+l/F6BPBlHtNRh5/4XEpeoON3EV4ZzQ/Yf"},"inclusionProof":{"logIndex":"620014730","rootHash":"eAQ3rPsqF86CSTtL/YN5hZjexS8HXUkSAUOeJHarr9k=","treeSize":"620014731","hashes":["F/LmDH+ZAjyzUmyuXub9v84E5EnQ1uWz2YJTPVST/wU=","v+L6Vg7QPzlybKDIfLl512gaoHIsGygBHZHURYEqeA0=","yXSFRkGXzx/oyI/73u4Nfp0nA1zOjlU0pxzLgH0siXQ=","ZgNIp7f8+R4ts+jXnyLtYxAjmPR6tLXiGaJA30+TJMk=","PADizUpyshrBmVEwjUe3SP6/WpGdBpEtML2NmyvSnes=","n+0Vf/51myrnoK265V6LwF37riOqw5FOAZHhbitXT7c=","TMHRsLObrpHbd4Kf5cnZismsTDSiYFbQQKDPj6XuGh4=","ADL1dqlw5HTerbkzS06E2GSWcqWOYXsS9QqmrM77njI=","Mo/+V8ftGFQQbS+XsKdaF+l1sDADl3NB/NC1OoAr9WM=","RsQ5xuBa0gKvWk53V8F8JismpQAqEf9N2nqMjFfr/KA=","etMFukD8mHOD37ceTwB1Al2nC3iIzy/CTtNjwflJmDE=","huaH1ZSkRyP4+vpmGtpmkkL845lhcmN9io8MIe6Sob0=","ZmUkYkHBy1B723JrEgiKvepTdHYrP6y2a4oODYvi5VY=","T4DqWD42hAtN+vX8jKCWqoC4meE4JekI9LxYGCcPy1M="],"checkpoint":{"envelope":"rekor.sigstore.dev - 1193050959916656506\n620014731\neAQ3rPsqF86CSTtL/YN5hZjexS8HXUkSAUOeJHarr9k=\n\n— rekor.sigstore.dev wNI9ajBFAiBiHc21523qcx0c09pKKmBo/iIHGNM13UdOklHzel1hQwIhANu9sIf2F5nJw9sNOgRCv4eprjH/aqJlUeMktVhAbIs0\n"}},"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIxNzA4OTJmNmE0OGIwYWVmNmY0MjZlYTk3YTg2ZjZjZDQ0MjBiYzUyNjM0ZjEyYTkyZjcyZTIwZjBmYTEyZTI5In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJQ2hKYkRxZ0UzMDJVemx4dXhYWEp2dFJlaHdFMVUxQ3hLZUl3RlJueXdRZUFpRUE3aTlyQ09xS0pvMzJuSGJpWUVqTURBdTdYejFUeGtvRXRFNDJSZ1dtTkNZPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGWm05Skt6bFNSa05VWTJacVpVMXhjRU5STTBaQmVYWkxkMEpSVlFwWlFVbE5NbU5tUkZJNFZ6azRUM2h1V0ZZcloyWldOVVJvWm05cE9IRnZaa0Z1Unk5MlF6ZEVZa0pzV0RKMEwyZFVOMGRMVlZwQlEyaEJQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0="}],"timestampVerificationData":{"rfc3161Timestamps":[{"signedTimestamp":"MIICyjADAgEAMIICwQYJKoZIhvcNAQcCoIICsjCCAq4CAQMxDTALBglghkgBZQMEAgEwgbgGCyqGSIb3DQEJEAEEoIGoBIGlMIGiAgEBBgkrBgEEAYO/MAIwMTANBglghkgBZQMEAgEFAAQgjct6btyQyDhEQnzkzy1RiweuLtlCSK1DeZ2km93UeVcCFQCQfrhvdNAk2det1sZXE/x5MaGGZBgPMjAyNTEyMDQyMjEzMjVaMAMCAQGgMqQwMC4xFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEVMBMGA1UEAxMMc2lnc3RvcmUtdHNhoAAxggHbMIIB1wIBATBRMDkxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEgMB4GA1UEAxMXc2lnc3RvcmUtdHNhLXNlbGZzaWduZWQCFDoTVC8MkGHuvMFDL8uKjosqI4sMMAsGCWCGSAFlAwQCAaCB/DAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQAQQwHAYJKoZIhvcNAQkFMQ8XDTI1MTIwNDIyMTMyNVowLwYJKoZIhvcNAQkEMSIEIM8UiAqXpUGIYxRLLpKG2JIxZq0G3QC5Ey8WIYz7VQHkMIGOBgsqhkiG9w0BCRACLzF/MH0wezB5BCCF+Se8B6tiysO0Q1bBDvyBssaIP9p6uebYcNnROs0FtzBVMD2kOzA5MRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxIDAeBgNVBAMTF3NpZ3N0b3JlLXRzYS1zZWxmc2lnbmVkAhQ6E1QvDJBh7rzBQy/Lio6LKiOLDDAKBggqhkjOPQQDAgRnMGUCMQCHae2v+FNcSZPzLV2csHqD1LU283CoUAGi0Gr0UQfhozk61jWmtKX3qx/icWiLD9ECMAgpC1DHsRvBXN4qbXbxelmBZsUT8ybRD/HTk01S9E6eo7tNjU340eA0USguyUdaHg=="}]}},"messageSignature":{"messageDigest":{"algorithm":"SHA2_256","digest":"FwiS9qSLCu9vQm6peob2zUQgvFJjTxKpL3LiDw+hLik="},"signature":"MEUCIChJbDqgE302UzlxuxXXJvtRehwE1U1CxKeIwFRnywQeAiEA7i9rCOqKJo32nHbiYEjMDAu7Xz1TxkoEtE42RgWmNCY="}}
|
||||
@@ -0,0 +1 @@
|
||||
{"mediaType":"application/vnd.dev.sigstore.bundle.v0.3+json","verificationMaterial":{"publicKey":{"hint":"1/nAsWLsk/yOPl4sjynn6FOCC1ixnrbxSK9UHxjF8MQ="},"tlogEntries":[{"logIndex":"741919081","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"hashedrekord","version":"0.0.1"},"integratedTime":"1764886409","inclusionPromise":{"signedEntryTimestamp":"MEUCIQDC+clBc3oYzLcCJ38MkbZKEyLlYUpjU4ZE6BPMpRB4DwIgXA0zSYlw9FhpF9LlHJAZzPxeWyddunDdfxsBNE2KTiY="},"inclusionProof":{"logIndex":"620014819","rootHash":"rTqjSnnpGY/hoar8ETHIIGp4pQTV6NSjlKBBoeR9h7c=","treeSize":"620014825","hashes":["aPPYsionEQpETmnqlO33tbRN5Ps44tzijHMFDad1UAE=","U52btC8FRhQ/XucngaCv1dsjGQwMHWOAcSub5g2MxDE=","6bAXHkxe3ld4wPw1C7H8lK6v/TsVGvtWat8YLhjaQpc=","MDrcEuVGp6HkhYnTHm48QxxcI2CO908pLKgv84aDkI4=","pdxvVKDmRgD0zo4tCuk9uEVaxf23KaJzWq2UowxNQwE=","TZvx79RM8pnA6jMfcLY7IPW+4F1q6B7iGQcjThTYsFs=","yXSFRkGXzx/oyI/73u4Nfp0nA1zOjlU0pxzLgH0siXQ=","ZgNIp7f8+R4ts+jXnyLtYxAjmPR6tLXiGaJA30+TJMk=","PADizUpyshrBmVEwjUe3SP6/WpGdBpEtML2NmyvSnes=","n+0Vf/51myrnoK265V6LwF37riOqw5FOAZHhbitXT7c=","TMHRsLObrpHbd4Kf5cnZismsTDSiYFbQQKDPj6XuGh4=","ADL1dqlw5HTerbkzS06E2GSWcqWOYXsS9QqmrM77njI=","Mo/+V8ftGFQQbS+XsKdaF+l1sDADl3NB/NC1OoAr9WM=","RsQ5xuBa0gKvWk53V8F8JismpQAqEf9N2nqMjFfr/KA=","etMFukD8mHOD37ceTwB1Al2nC3iIzy/CTtNjwflJmDE=","huaH1ZSkRyP4+vpmGtpmkkL845lhcmN9io8MIe6Sob0=","ZmUkYkHBy1B723JrEgiKvepTdHYrP6y2a4oODYvi5VY=","T4DqWD42hAtN+vX8jKCWqoC4meE4JekI9LxYGCcPy1M="],"checkpoint":{"envelope":"rekor.sigstore.dev - 1193050959916656506\n620014825\nrTqjSnnpGY/hoar8ETHIIGp4pQTV6NSjlKBBoeR9h7c=\n\n— rekor.sigstore.dev wNI9ajBEAiAm1Mg3b30wKKzTofuRGoDKNDSp4N1KUV54iiOCT/TlsgIgdR56SZ3XY388icr807OdOlkq3vZ5K7W1UDFKWVFM5FQ=\n"}},"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJlMzNmYTA5NjM0OTMyNTJhNWFjMzc5YTEyZjgyMGY2YjM1NmVhOTQzMTBhZmQxZGI5YWQ3Mzk0ZTgzMDcwMDBlIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUUM2K2JVZWxORTZHd3hvZHRMZlBpK3MyQVNZNFBCYTR2Uno4Q3NXMzkxMkh3SWdPY0doVG5iaiswOStjT0ZGTGQveXJ5TWpXQW1rVEc3RXl2SlU5SGI3SnVrPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGWm05Skt6bFNSa05VWTJacVpVMXhjRU5STTBaQmVYWkxkMEpSVlFwWlFVbE5NbU5tUkZJNFZ6azRUM2h1V0ZZcloyWldOVVJvWm05cE9IRnZaa0Z1Unk5MlF6ZEVZa0pzV0RKMEwyZFVOMGRMVlZwQlEyaEJQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0="}],"timestampVerificationData":{"rfc3161Timestamps":[{"signedTimestamp":"MIICyjADAgEAMIICwQYJKoZIhvcNAQcCoIICsjCCAq4CAQMxDTALBglghkgBZQMEAgEwgbgGCyqGSIb3DQEJEAEEoIGoBIGlMIGiAgEBBgkrBgEEAYO/MAIwMTANBglghkgBZQMEAgEFAAQg/0oSYFOhhWtP8A93mi/e6TcpgxvBGN5cH7EYmcVUfxMCFQDkXoyqUhAjBiK5SAphIeSr1b5anBgPMjAyNTEyMDQyMjEzMjlaMAMCAQGgMqQwMC4xFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEVMBMGA1UEAxMMc2lnc3RvcmUtdHNhoAAxggHbMIIB1wIBATBRMDkxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEgMB4GA1UEAxMXc2lnc3RvcmUtdHNhLXNlbGZzaWduZWQCFDoTVC8MkGHuvMFDL8uKjosqI4sMMAsGCWCGSAFlAwQCAaCB/DAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQAQQwHAYJKoZIhvcNAQkFMQ8XDTI1MTIwNDIyMTMyOVowLwYJKoZIhvcNAQkEMSIEIMZhkgdkM2piYdPZrQt77iqtp1tfHWRV20hSYBHxDISFMIGOBgsqhkiG9w0BCRACLzF/MH0wezB5BCCF+Se8B6tiysO0Q1bBDvyBssaIP9p6uebYcNnROs0FtzBVMD2kOzA5MRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxIDAeBgNVBAMTF3NpZ3N0b3JlLXRzYS1zZWxmc2lnbmVkAhQ6E1QvDJBh7rzBQy/Lio6LKiOLDDAKBggqhkjOPQQDAgRnMGUCMQCUDGGLE9CkwWZwiqPRBz/PtyGX6BdzgRbUzlQoU/Z/Y9H3reF4UsHF9MGyZNAQHKACMFlSZoYutcmOl6buXE5/j3dVTeb53AARKQ7TsDXZrXQjqOqad/cwmdfy/kU1ljlxcw=="}]}},"messageSignature":{"messageDigest":{"algorithm":"SHA2_256","digest":"4z+gljSTJSpaw3mhL4IPazVuqUMQr9Hbmtc5ToMHAA4="},"signature":"MEUCIQC6+bUelNE6GwxodtLfPi+s2ASY4PBa4vRz8CsW3912HwIgOcGhTnbj+09+cOFFLd/yryMjWAmkTG7EyvJU9Hb7Juk="}}
|
||||
@@ -0,0 +1 @@
|
||||
{"mediaType":"application/vnd.dev.sigstore.bundle.v0.3+json","verificationMaterial":{"publicKey":{"hint":"1/nAsWLsk/yOPl4sjynn6FOCC1ixnrbxSK9UHxjF8MQ="},"tlogEntries":[{"logIndex":"741919046","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"hashedrekord","version":"0.0.1"},"integratedTime":"1764886407","inclusionPromise":{"signedEntryTimestamp":"MEUCIA3/O19l/Aaj6E+vXhbwGkTsZ+22A89bIEZLlDDbBJnaAiEA6LcphYlxX16FCTUlEA3IfXlV3KKz0FzdxRFJAAYcrzc="},"inclusionProof":{"logIndex":"620014784","rootHash":"SveF4czd7DxKRnpObfYSqYghJbz1fN7IcQk3mHlaQHY=","treeSize":"620014789","hashes":["roFEPPDy4MNeYaRiGImtAYAZaSOfEqB4PMRX0QfEHj4=","NTOqAxRPc7aNHck62yTD9sh4lD9mXbh6vWLDntk1M8M=","fh3HIcufIitN45GRTE2Y2T7be0kSxC6ZDGF42r0EF6g=","TZvx79RM8pnA6jMfcLY7IPW+4F1q6B7iGQcjThTYsFs=","yXSFRkGXzx/oyI/73u4Nfp0nA1zOjlU0pxzLgH0siXQ=","ZgNIp7f8+R4ts+jXnyLtYxAjmPR6tLXiGaJA30+TJMk=","PADizUpyshrBmVEwjUe3SP6/WpGdBpEtML2NmyvSnes=","n+0Vf/51myrnoK265V6LwF37riOqw5FOAZHhbitXT7c=","TMHRsLObrpHbd4Kf5cnZismsTDSiYFbQQKDPj6XuGh4=","ADL1dqlw5HTerbkzS06E2GSWcqWOYXsS9QqmrM77njI=","Mo/+V8ftGFQQbS+XsKdaF+l1sDADl3NB/NC1OoAr9WM=","RsQ5xuBa0gKvWk53V8F8JismpQAqEf9N2nqMjFfr/KA=","etMFukD8mHOD37ceTwB1Al2nC3iIzy/CTtNjwflJmDE=","huaH1ZSkRyP4+vpmGtpmkkL845lhcmN9io8MIe6Sob0=","ZmUkYkHBy1B723JrEgiKvepTdHYrP6y2a4oODYvi5VY=","T4DqWD42hAtN+vX8jKCWqoC4meE4JekI9LxYGCcPy1M="],"checkpoint":{"envelope":"rekor.sigstore.dev - 1193050959916656506\n620014789\nSveF4czd7DxKRnpObfYSqYghJbz1fN7IcQk3mHlaQHY=\n\n— rekor.sigstore.dev wNI9ajBFAiEAk1F29XIl+MJKZjEtl7RC7+KIRu1I3J1hvpE52TchQhwCIAjcmqn55hYy4EJq30RoJcqjaa2YjzU3Fz9ZmLagRUkp\n"}},"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI0NTA2NzUwMzU5MjhlNDc3MWNjYTFiOWU1ZjllNDIwMzVkYmUxMGIzZGU3YjY2YTQwNzdhN2I3MjliMmM1YjEzIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUURnZHIvUUYyU2NRZFRLTEZiZi9NbXBFUy9FeUlQbkZ4VDZzNWdncTVHcE1RSWdZT1o2ditTVmF0NjhhNld2M2FKV2Jyc1grYmRLZXUyYzhwbkoyRkR5WmQ4PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGWm05Skt6bFNSa05VWTJacVpVMXhjRU5STTBaQmVYWkxkMEpSVlFwWlFVbE5NbU5tUkZJNFZ6azRUM2h1V0ZZcloyWldOVVJvWm05cE9IRnZaa0Z1Unk5MlF6ZEVZa0pzV0RKMEwyZFVOMGRMVlZwQlEyaEJQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0="}],"timestampVerificationData":{"rfc3161Timestamps":[{"signedTimestamp":"MIICyjADAgEAMIICwQYJKoZIhvcNAQcCoIICsjCCAq4CAQMxDTALBglghkgBZQMEAgEwgbcGCyqGSIb3DQEJEAEEoIGnBIGkMIGhAgEBBgkrBgEEAYO/MAIwMTANBglghkgBZQMEAgEFAAQgstEHBkhEQn5BWHaDsd12awP2UzNfXZfIEbL3APw8bYkCFGogTw2WF2bCdBT7TFpuO80U9VDMGA8yMDI1MTIwNDIyMTMyN1owAwIBAaAypDAwLjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MRUwEwYDVQQDEwxzaWdzdG9yZS10c2GgADGCAdwwggHYAgEBMFEwOTEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MSAwHgYDVQQDExdzaWdzdG9yZS10c2Etc2VsZnNpZ25lZAIUOhNULwyQYe68wUMvy4qOiyojiwwwCwYJYIZIAWUDBAIBoIH8MBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAcBgkqhkiG9w0BCQUxDxcNMjUxMjA0MjIxMzI3WjAvBgkqhkiG9w0BCQQxIgQgHtv3gRImNDY6l7k03sGgaMhYxnjaskxMDmUgPSa1aTQwgY4GCyqGSIb3DQEJEAIvMX8wfTB7MHkEIIX5J7wHq2LKw7RDVsEO/IGyxog/2nq55thw2dE6zQW3MFUwPaQ7MDkxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEgMB4GA1UEAxMXc2lnc3RvcmUtdHNhLXNlbGZzaWduZWQCFDoTVC8MkGHuvMFDL8uKjosqI4sMMAoGCCqGSM49BAMCBGgwZgIxAOqsNu05oQAdu79Xu/EUIsDG4hw7oHgyYcWWXWcPiezIYWH4xZ5OWwwzcNmK6ggH4QIxAK0Su1pzh7KmU8XV5KAxlTPOuARkaSsQqS+zmWsGO1BI36OamFJIM3+R3fuQ0oQiIA=="}]}},"messageSignature":{"messageDigest":{"algorithm":"SHA2_256","digest":"RQZ1A1ko5HccyhueX55CA12+ELPee2akB3p7cpssWxM="},"signature":"MEUCIQDgdr/QF2ScQdTKLFbf/MmpES/EyIPnFxT6s5ggq5GpMQIgYOZ6v+SVat68a6Wv3aJWbrsX+bdKeu2c8pnJ2FDyZd8="}}
|
||||
@@ -2,46 +2,82 @@
|
||||
|
||||
Artifacts prepared 2025-12-01 (UTC) for DSSE signing and Evidence Locker ingest:
|
||||
|
||||
- Decay config: `docs/modules/signals/decay/confidence_decay_config.yaml`
|
||||
- Unknowns scoring manifest: `docs/modules/signals/unknowns/unknowns_scoring_manifest.json`
|
||||
- Heuristic catalog + schema + fixtures: `docs/modules/signals/heuristics/`
|
||||
- Checksums: `docs/modules/signals/SHA256SUMS`
|
||||
| Artifact | Path | Predicate |
|
||||
|----------|------|-----------|
|
||||
| Decay config | `docs/modules/signals/decay/confidence_decay_config.yaml` | `stella.ops/confidenceDecayConfig@v1` |
|
||||
| Unknowns manifest | `docs/modules/signals/unknowns/unknowns_scoring_manifest.json` | `stella.ops/unknownsScoringManifest@v1` |
|
||||
| Heuristics catalog | `docs/modules/signals/heuristics/heuristics.catalog.json` | `stella.ops/heuristicCatalog@v1` |
|
||||
| Checksums | `docs/modules/signals/SHA256SUMS` | — |
|
||||
|
||||
Planned Evidence Locker paths (to fill post-signing):
|
||||
- `evidence-locker/signals/decay/2025-12-01/confidence_decay_config.dsse`
|
||||
- `evidence-locker/signals/unknowns/2025-12-01/unknowns_scoring_manifest.dsse`
|
||||
- `evidence-locker/signals/heuristics/2025-12-01/heuristics_catalog.dsse`
|
||||
- `evidence-locker/signals/heuristics/2025-12-01/fixtures/` (golden inputs/outputs)
|
||||
## CI Automated Signing
|
||||
|
||||
Pending steps:
|
||||
0) Provide signing key: CI/ops should supply `COSIGN_PRIVATE_KEY_B64` (base64 of private key) and optional `COSIGN_PASSWORD`. Local dev can place a key at `tools/cosign/cosign.key` (see `tools/cosign/cosign.key.example` stub) or decode the env var to `/tmp/cosign.key`. The helper script `tools/cosign/sign-signals.sh` auto-detects the key and cosign version.
|
||||
1) Sign each artifact with its predicate (cosign v3.0.2 in `/usr/local/bin`, use `--bundle`; v2.6.0 fallback in `tools/cosign` also works with `--output-signature`):
|
||||
- `stella.ops/confidenceDecayConfig@v1`
|
||||
- `stella.ops/unknownsScoringManifest@v1`
|
||||
- `stella.ops/heuristicCatalog@v1`
|
||||
Shortcut: `OUT_DIR=evidence-locker/signals/2025-12-01 tools/cosign/sign-signals.sh`
|
||||
Example (v3, replace KEY):
|
||||
```bash
|
||||
cosign sign-blob \
|
||||
--key cosign.key \
|
||||
--predicate-type stella.ops/confidenceDecayConfig@v1 \
|
||||
--bundle confidence_decay_config.sigstore.json \
|
||||
decay/confidence_decay_config.yaml
|
||||
```
|
||||
v2.6.0 fallback (if PATH prefixed with `tools/cosign`):
|
||||
```bash
|
||||
cosign sign-blob \
|
||||
--key cosign.key \
|
||||
--predicate-type stella.ops/confidenceDecayConfig@v1 \
|
||||
--output-signature confidence_decay_config.dsse \
|
||||
decay/confidence_decay_config.yaml
|
||||
```
|
||||
2) Record SHA256 from `SHA256SUMS` in DSSE annotations (or bundle metadata); keep canonical filenames:
|
||||
- v3: `confidence_decay_config.sigstore.json`, `unknowns_scoring_manifest.sigstore.json`, `heuristics_catalog.sigstore.json`
|
||||
- v2 fallback: `.dsse` signatures.
|
||||
3) Place signed envelopes + checksums in the Evidence Locker paths above; update sprint tracker Delivery Tracker rows 5–7 and Decisions & Risks with the final URIs.
|
||||
4) Add signer/approver IDs to the sprint Execution Log once signatures are complete.
|
||||
The `.gitea/workflows/signals-dsse-sign.yml` workflow automates DSSE signing.
|
||||
|
||||
Notes:
|
||||
- Use UTC timestamps in DSSE `issuedAt`.
|
||||
- Ensure offline parity by copying envelopes + SHA256SUMS into the offline kit bundle when ready.
|
||||
### Prerequisites (CI Secrets)
|
||||
| Secret | Description |
|
||||
|--------|-------------|
|
||||
| `COSIGN_PRIVATE_KEY_B64` | Base64-encoded cosign private key (required for production) |
|
||||
| `COSIGN_PASSWORD` | Password for encrypted key (if applicable) |
|
||||
| `CI_EVIDENCE_LOCKER_TOKEN` | Token for Evidence Locker push (optional) |
|
||||
|
||||
### Trigger
|
||||
- **Automatic**: Push to `main` affecting `docs/modules/signals/**` or `tools/cosign/sign-signals.sh`
|
||||
- **Manual**: Workflow dispatch with `allow_dev_key=1` for testing
|
||||
|
||||
### Output
|
||||
Signed artifacts uploaded as workflow artifact `signals-dsse-signed-{run}` and optionally pushed to Evidence Locker.
|
||||
|
||||
## Development Signing (Local Testing)
|
||||
|
||||
A development key pair is available for smoke tests:
|
||||
|
||||
```bash
|
||||
# Sign with dev key
|
||||
COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
|
||||
OUT_DIR=docs/modules/signals/dev-test \
|
||||
tools/cosign/sign-signals.sh
|
||||
|
||||
# Verify signature
|
||||
cosign verify-blob \
|
||||
--key tools/cosign/cosign.dev.pub \
|
||||
--bundle docs/modules/signals/dev-test/confidence_decay_config.sigstore.json \
|
||||
docs/modules/signals/decay/confidence_decay_config.yaml
|
||||
```
|
||||
|
||||
**Note**: Dev key signatures are NOT suitable for Evidence Locker or production use.
|
||||
|
||||
## Production Signing (Manual)
|
||||
|
||||
For production signing without CI:
|
||||
|
||||
```bash
|
||||
# Option 1: Place key file
|
||||
cp /path/to/production.key tools/cosign/cosign.key
|
||||
OUT_DIR=evidence-locker/signals/2025-12-01 tools/cosign/sign-signals.sh
|
||||
|
||||
# Option 2: Use base64 env var
|
||||
export COSIGN_PRIVATE_KEY_B64=$(cat production.key | base64 -w0)
|
||||
export COSIGN_PASSWORD=your-password
|
||||
OUT_DIR=evidence-locker/signals/2025-12-01 tools/cosign/sign-signals.sh
|
||||
```
|
||||
|
||||
## Evidence Locker Paths
|
||||
|
||||
Post-signing, artifacts go to:
|
||||
- `evidence-locker/signals/2025-12-01/confidence_decay_config.sigstore.json`
|
||||
- `evidence-locker/signals/2025-12-01/unknowns_scoring_manifest.sigstore.json`
|
||||
- `evidence-locker/signals/2025-12-01/heuristics_catalog.sigstore.json`
|
||||
- `evidence-locker/signals/2025-12-01/SHA256SUMS`
|
||||
|
||||
## Post-Signing Checklist
|
||||
|
||||
1. Verify signatures against public key
|
||||
2. Update sprint tracker (SPRINT_0140) Delivery Tracker rows 5–7
|
||||
3. Add signer ID to Execution Log
|
||||
4. Copy to offline kit bundle for air-gap parity
|
||||
|
||||
## Notes
|
||||
|
||||
- All timestamps use UTC ISO-8601 format
|
||||
- Signatures disable tlog upload (`--tlog-upload=false`) for offline compatibility
|
||||
- See `tools/cosign/README.md` for detailed key management and CI setup
|
||||
|
||||
Reference in New Issue
Block a user