chore(sprints): archive 20260226 advisories and expand deterministic tests

2026-03-04 03:09:23 +02:00
parent 4fe8eb56ae
commit aaad8104cb
35 changed files with 4686 additions and 1 deletions
--- a/docs/modules/tools/supply-chain-hardening-suite.md
+++ b/docs/modules/tools/supply-chain-hardening-suite.md
@@ -0,0 +1,81 @@
+# Supply-Chain Hardening Suite
+
+## Purpose
+
+The supply-chain hardening suite provides deterministic negative-path and mutation testing for scanner/attestor/symbols evidence workflows without requiring external network calls.
+
+Working location:
+- `tests/supply-chain/`
+
+## Lanes
+
+1. `01-jcs-property`
+- Verifies canonicalization idempotence.
+- Verifies key-order permutation invariance.
+- Verifies duplicate-key rejection.
+
+2. `02-schema-fuzz`
+- Runs deterministic schema-aware mutation lane.
+- Emits crash diagnostics and replay seed on unexpected exceptions.
+- Enforces zero-crash gate in CI.
+
+3. `03-rekor-neg`
+- Simulates Rekor negative paths (413/424/504/unsupported/202).
+- Verifies deterministic error classification.
+- Emits per-case `diagnostic_blob.json` and bundle archive.
+
+4. `04-big-dsse-referrers`
+- Validates oversized DSSE and malformed referrer rejection behavior.
+- Requires deterministic `unknown_state` and `reprocessToken` outputs.
+
+5. `05-corpus`
+- Stores deterministic fixture corpus.
+- Provides deterministic archive manifest builder for corpus updates.
+
+## Execution Profiles
+
+1. PR / push gate profile (`smoke`)
+- Seed: `20260226`
+- Fuzz lane bounds: `limit=1000`, `time=60s`
+- Artifact retention: 14 days
+
+2. Nightly profile (`nightly`)
+- Seed: `20260226`
+- Fuzz lane bounds: `limit=5000`, `time=300s`
+- Artifact retention: 30 days
+
+## Commands
+
+1. Run smoke profile:
+- `python tests/supply-chain/run_suite.py --profile smoke --seed 20260226`
+
+2. Run nightly profile:
+- `python tests/supply-chain/run_suite.py --profile nightly --seed 20260226`
+
+3. Rebuild corpus archive metadata:
+- `python tests/supply-chain/05-corpus/build_corpus_archive.py --output out/supply-chain/05-corpus`
+
+## CI Integration
+
+Workflow:
+- `.gitea/workflows/supply-chain-hardening.yml`
+
+Outputs:
+- `out/supply-chain/summary.json`
+- lane-level `junit.xml` files
+- lane-level `report.json` files
+- `03-rekor-neg/rekor_negative_cases.tar.gz`
+- `04-big-dsse-referrers/big_dsse_payloads.tar.gz`
+
+## Failure Replay
+
+1. Download CI artifact `supply-chain-hardening-<run-id>`.
+2. Read failing lane diagnostics under `failures/<case-id>/`.
+3. Re-run locally with the same seed:
+- `python tests/supply-chain/run_suite.py --profile smoke --seed 20260226 --output out/supply-chain-replay`
+
+## Advisory Traceability
+
+| Advisory | Sprint | Coverage |
+| --- | --- | --- |
+| `docs-archived/product/advisories/20260222 - Fuzz & mutation hardening suite.md` | `docs-archived/implplan/2026-03-03-completed-sprints/SPRINT_20260226_228_Tools_supply_chain_fuzz_mutation_hardening_suite.md` | Lanes `01` through `05` + CI gate |
--- a/docs/product/advisories/README.md
+++ b/docs/product/advisories/README.md
@@ -0,0 +1,10 @@
+# Open Product Advisories
+
+This directory contains only advisories that are not yet translated into sprint execution.
+
+Current status:
+- No open advisories in the 2026-02-20 through 2026-02-26 batch.
+
+Related records:
+- Translation register: `docs/product/advisory-translation-20260226.md`
+- Archive log: `docs-archived/product/advisories/ARCHIVE_LOG_20260303.md`
--- a/docs/product/advisory-translation-20260226.md
+++ b/docs/product/advisory-translation-20260226.md
@@ -0,0 +1,34 @@
+# Advisory Translation Register (2026-02-26 Batch)
+
+This register maps each advisory from the 2026-02-20 through 2026-02-26 batch to implementation sprints and module documentation commitments.
+
+Archival status (2026-03-03):
+- Advisory source files are archived under `docs-archived/product/advisories/`.
+- Completed sprint artifacts are archived under `docs-archived/implplan/2026-03-03-completed-sprints/`.
+
+## Advisory to Sprint Mapping
+
+| Advisory | Primary Sprint(s) | Module Doc Commitments |
+| --- | --- | --- |
+| `20260220 - OCI 1.1 referrers compatibility across major registries` | `SPRINT_20260226_224_Scanner_oci_referrers_runtime_stack_and_replay_data` | `docs/modules/scanner/architecture.md` |
+| `20260221 - Building a verifiable SBOM and attestation spine` | `SPRINT_20260226_222_Cli_proof_chain_verification_and_replay_parity`, `SPRINT_20260226_225_Attestor_signature_trust_and_verdict_api_hardening`, `SPRINT_20260226_226_Symbols_dsse_rekor_merkle_and_hash_integrity` | `docs/modules/cli/architecture.md`, `docs/modules/attestor/architecture.md`, `docs/modules/binary-index/architecture.md` |
+| `20260221 - Four novel, testable moat hypotheses` | `SPRINT_20260226_227_FE_triage_risk_score_widget_wiring_and_parity`, `SPRINT_20260226_229_DOCS_advisory_hygiene_dedup_and_archival_translation` | `docs/modules/ui/architecture.md`, `docs/modules/platform/architecture.md` |
+| `20260222 - Fuzz & mutation hardening suite` | `SPRINT_20260226_228_Tools_supply_chain_fuzz_mutation_hardening_suite` | `docs/modules/tools/supply-chain-hardening-suite.md` |
+| `20260223 - Auditor UX experiments: measurement plan` | `SPRINT_20260226_227_FE_triage_risk_score_widget_wiring_and_parity`, `SPRINT_20260226_229_DOCS_advisory_hygiene_dedup_and_archival_translation` | `docs/modules/ui/architecture.md` |
+| `20260223 - Unified symbolization across platforms and vendors` | `SPRINT_20260226_226_Symbols_dsse_rekor_merkle_and_hash_integrity` | `docs/modules/binary-index/architecture.md` |
+| `20260224 - Deterministic tile verification with Rekor v2` | `SPRINT_20260226_226_Symbols_dsse_rekor_merkle_and_hash_integrity`, `SPRINT_20260226_225_Attestor_signature_trust_and_verdict_api_hardening` | `docs/modules/binary-index/architecture.md`, `docs/modules/attestor/architecture.md` |
+| `20260224 - Turning defensibility into measurable business moats` | `SPRINT_20260226_223_Platform_score_explain_contract_and_replay_alignment`, `SPRINT_20260226_227_FE_triage_risk_score_widget_wiring_and_parity` | `docs/modules/platform/architecture.md`, `docs/modules/ui/architecture.md` |
+| `20260226 - Deterministic call-stack analysis and resolver strategy` | `SPRINT_20260226_224_Scanner_oci_referrers_runtime_stack_and_replay_data` | `docs/modules/scanner/architecture.md` |
+| `20260226 - Deterministic score service and replay control` | `SPRINT_20260226_223_Platform_score_explain_contract_and_replay_alignment`, `SPRINT_20260226_222_Cli_proof_chain_verification_and_replay_parity`, `SPRINT_20260226_227_FE_triage_risk_score_widget_wiring_and_parity` | `docs/modules/platform/architecture.md`, `docs/modules/cli/architecture.md`, `docs/modules/ui/architecture.md` |
+| `20260226 - Deterministic tile verification with Rekor v2` | Canonicalized duplicate target for `20260224` advisory; implemented via same sprint set | `docs/modules/binary-index/architecture.md`, `docs/modules/attestor/architecture.md` |
+| `20260226 - Triage explainability: four measurable fixes` | `SPRINT_20260226_227_FE_triage_risk_score_widget_wiring_and_parity` | `docs/modules/ui/architecture.md` |
+
+## Deduplication Decisions
+
+1. `20260224 - Deterministic tile verification with Rekor v2` is superseded by `20260226 - Deterministic tile verification with Rekor v2`.
+2. `20260223 - Auditor UX experiments` was malformed and replaced with a repaired measurement-plan advisory before archival.
+
+## Translation Status
+
+- All advisories from the 2026-02-20 through 2026-02-26 batch have mapped sprint execution and are archived.
+- Sprint trackers for this batch are `DONE` and archived.