stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

audit notes work completed, test fixes work (95% done), new sprints, new data sources setup and configuration

Browse Source
This commit is contained in:
master
2026-01-14 10:48:00 +02:00
parent d7be6ba34b
commit 95d5898650
379 changed files with 40695 additions and 19041 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/modules/evidence-locker/architecture.md
View File

@@ -274,5 +274,7 @@ Bundle N-1 Bundle N Bundle N+1
* Bundle packaging: `./bundle-packaging.md`
* Attestation contract: `./attestation-contract.md`
* Evidence bundle spec: `./evidence-bundle-v1.md`
* Evidence pack schema: `./guides/evidence-pack-schema.md`
* Audit bundle index schema: `./schemas/audit-bundle-index.schema.json`
* ExportCenter: `../export-center/architecture.md`
* Attestor: `../attestor/architecture.md`

5
docs/modules/evidence-locker/guides/evidence-pack-schema.md
View File

@@ -15,6 +15,11 @@
- **Offline Transfer:** Move evidence between air-gapped environments
- **Forensics:** Query pack contents without external dependencies
### Transparency and timestamp references
- `transparency.rekorEntries` lists Rekor UUIDs and optional inclusion proof paths.
- `timestamps` lists RFC3161 timestamp tokens and related metadata.
- When offline, leave these arrays empty and record skip reasons in the attestation predicates.
---
## Pack Structure

111
docs/modules/evidence-locker/schemas/audit-bundle-index.schema.json Normal file
View File

@@ -0,0 +1,111 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stellaops.dev/schemas/evidence/audit-bundle-index.schema.json",
"title": "StellaOps Audit Bundle Index",
"description": "Index/manifest for audit bundles with integrity hashes and referenced artifacts.",
"type": "object",
"additionalProperties": false,
"required": [
"manifestVersion",
"bundleId",
"createdAt",
"subject",
"artifacts",
"verification"
],
"properties": {
"manifestVersion": { "type": "string", "minLength": 1 },
"bundleId": { "type": "string", "minLength": 1 },
"createdAt": { "type": "string", "format": "date-time" },
"subject": { "$ref": "#/$defs/subject" },
"artifacts": {
"type": "array",
"minItems": 1,
"items": { "$ref": "#/$defs/artifact" }
},
"verification": { "$ref": "#/$defs/verification" },
"transparency": { "$ref": "#/$defs/transparency" },
"timestamps": {
"type": "array",
"items": { "$ref": "#/$defs/timestampEntry" }
}
},
"$defs": {
"subject": {
"type": "object",
"additionalProperties": false,
"required": ["type", "digest"],
"properties": {
"type": { "type": "string", "minLength": 1 },
"digest": { "type": "string", "pattern": "^sha256:[0-9a-f]{64}$" },
"name": { "type": "string" }
}
},
"artifact": {
"type": "object",
"additionalProperties": false,
"required": ["path", "type", "digest", "size"],
"properties": {
"path": { "type": "string", "minLength": 1 },
"type": { "type": "string", "minLength": 1 },
"format": { "type": "string" },
"digest": { "type": "string", "pattern": "^sha256:[0-9a-f]{64}$" },
"size": { "type": "integer", "minimum": 0 },
"mediaType": { "type": "string" },
"predicateType": { "type": "string" },
"signedBy": {
"type": "array",
"items": { "type": "string" }
},
"attributes": {
"type": "object",
"additionalProperties": { "type": "string" }
}
}
},
"verification": {
"type": "object",
"additionalProperties": false,
"required": ["merkleRoot", "algorithm", "checksumFile"],
"properties": {
"merkleRoot": { "type": "string", "pattern": "^sha256:[0-9a-f]{64}$" },
"algorithm": { "type": "string", "minLength": 1 },
"checksumFile": { "type": "string", "minLength": 1 }
}
},
"transparency": {
"type": "object",
"additionalProperties": false,
"properties": {
"rekorEntries": {
"type": "array",
"items": { "$ref": "#/$defs/rekorEntry" }
}
}
},
"rekorEntry": {
"type": "object",
"additionalProperties": false,
"required": ["uuid", "logIndex"],
"properties": {
"uuid": { "type": "string", "minLength": 1 },
"logIndex": { "type": "integer", "minimum": 0 },
"rootHash": { "type": "string" },
"inclusionProofPath": { "type": "string" },
"logUrl": { "type": "string" }
}
},
"timestampEntry": {
"type": "object",
"additionalProperties": false,
"required": ["tokenPath", "hashAlgorithm"],
"properties": {
"tokenPath": { "type": "string", "minLength": 1 },
"hashAlgorithm": { "type": "string", "minLength": 1 },
"signedAt": { "type": "string", "format": "date-time" },
"tsaName": { "type": "string" },
"tsaUrl": { "type": "string" }
}
}
}
}

169
docs/modules/evidence-locker/schemas/stellaops-evidence-pack.v1.schema.json Normal file
View File

@@ -0,0 +1,169 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stellaops.dev/schemas/evidence/stellaops-evidence-pack.v1.schema.json",
"title": "StellaOps Evidence Pack (v1)",
"description": "Deterministic evidence pack manifest for audit and replay workflows.",
"type": "object",
"additionalProperties": false,
"required": [
"_type",
"packId",
"generatedAt",
"tenantId",
"manifestVersion",
"contents"
],
"properties": {
"_type": {
"type": "string",
"const": "https://stellaops.dev/evidence-pack@v1"
},
"packId": {
"type": "string",
"minLength": 1
},
"generatedAt": {
"type": "string",
"format": "date-time",
"description": "UTC timestamp when the pack was assembled."
},
"tenantId": {
"type": "string",
"minLength": 1
},
"policyRunId": {
"type": "string"
},
"policyId": {
"type": "string"
},
"policyVersion": {
"type": "integer",
"minimum": 0
},
"manifestVersion": {
"type": "string",
"minLength": 1
},
"contents": {
"type": "object",
"additionalProperties": false,
"properties": {
"policy": { "$ref": "#/$defs/contentArray" },
"sbom": { "$ref": "#/$defs/contentArray" },
"advisories": { "$ref": "#/$defs/contentArray" },
"vex": { "$ref": "#/$defs/contentArray" },
"verdicts": { "$ref": "#/$defs/contentArray" },
"reachability": { "$ref": "#/$defs/contentArray" },
"attestations": { "$ref": "#/$defs/contentArray" }
}
},
"statistics": {
"type": "object",
"additionalProperties": false,
"properties": {
"totalFiles": { "type": "integer", "minimum": 0 },
"totalSize": { "type": "integer", "minimum": 0 },
"componentCount": { "type": "integer", "minimum": 0 },
"findingCount": { "type": "integer", "minimum": 0 },
"verdictCount": { "type": "integer", "minimum": 0 },
"advisoryCount": { "type": "integer", "minimum": 0 },
"vexStatementCount": { "type": "integer", "minimum": 0 }
}
},
"determinismHash": {
"type": "string",
"pattern": "^sha256:[0-9a-f]{64}$"
},
"signatures": {
"type": "array",
"items": { "$ref": "#/$defs/signature" }
},
"transparency": {
"type": "object",
"additionalProperties": false,
"properties": {
"rekorEntries": {
"type": "array",
"items": { "$ref": "#/$defs/rekorEntry" }
}
}
},
"timestamps": {
"type": "array",
"items": { "$ref": "#/$defs/timestampEntry" }
}
},
"$defs": {
"contentArray": {
"type": "array",
"items": { "$ref": "#/$defs/contentEntry" }
},
"contentEntry": {
"type": "object",
"additionalProperties": false,
"required": ["path", "digest", "size", "mediaType"],
"properties": {
"path": {
"type": "string",
"minLength": 1
},
"digest": {
"type": "string",
"pattern": "^(sha256|sha384|sha512):[0-9a-f]{64,128}$"
},
"size": {
"type": "integer",
"minimum": 0
},
"mediaType": {
"type": "string",
"minLength": 1
},
"capturedAt": {
"type": "string",
"format": "date-time"
},
"attributes": {
"type": "object",
"additionalProperties": { "type": "string" }
}
}
},
"signature": {
"type": "object",
"additionalProperties": false,
"required": ["keyId", "algorithm", "signature", "signedAt"],
"properties": {
"keyId": { "type": "string", "minLength": 1 },
"algorithm": { "type": "string", "minLength": 1 },
"signature": { "type": "string", "minLength": 1 },
"signedAt": { "type": "string", "format": "date-time" }
}
},
"rekorEntry": {
"type": "object",
"additionalProperties": false,
"required": ["uuid", "logIndex"],
"properties": {
"uuid": { "type": "string", "minLength": 1 },
"logIndex": { "type": "integer", "minimum": 0 },
"rootHash": { "type": "string" },
"inclusionProofPath": { "type": "string" },
"logUrl": { "type": "string" }
}
},
"timestampEntry": {
"type": "object",
"additionalProperties": false,
"required": ["tokenPath", "hashAlgorithm"],
"properties": {
"tokenPath": { "type": "string", "minLength": 1 },
"hashAlgorithm": { "type": "string", "minLength": 1 },
"signedAt": { "type": "string", "format": "date-time" },
"tsaName": { "type": "string" },
"tsaUrl": { "type": "string" }
}
}
}
}