work work hard work
@@ -24,6 +24,20 @@
|
||||
- `docs/modules/export-center/operations/kms-envelope-pattern.md` (for 37-002 encryption/KMS)
|
||||
- `docs/modules/export-center/operations/risk-bundle-provider-matrix.md` (for 69/70 risk bundle chain)
|
||||
- Sprint file `docs/implplan/SPRINT_0164_0001_0001_exportcenter_iii.md`
|
||||
- Offline triage bundle format: `docs/airgap/offline-bundle-format.md` (SPRINT_3603/3605)
|
||||
|
||||
## Offline Evidence Bundles & Cache (SPRINT_3603 / SPRINT_3605)
|
||||
- Bundle format: `.stella.bundle.tgz` with DSSE-signed manifest and deterministic entry hashing (no external fetches required to verify).
|
||||
- Core implementation (source of truth):
|
||||
- `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/OfflineBundle/BundleManifest.cs`
|
||||
- `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/OfflineBundle/BundlePredicate.cs`
|
||||
- `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/OfflineBundle/OfflineBundlePackager.cs`
|
||||
- Determinism requirements:
|
||||
- All manifest entries and tarball paths must be sorted deterministically (ordinal string compare).
|
||||
- Hash inputs must be canonical and stable; retrying packaging MUST yield identical bundle bytes when inputs are unchanged.
|
||||
- Local evidence cache (offline-first, side-by-side with scan artefacts):
|
||||
- `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/EvidenceCache/LocalEvidenceCacheService.cs`
|
||||
- Cache manifests and enrichment queue must be deterministic and replay-safe.
|
||||
|
||||
## Working Agreements
|
||||
- Enforce tenant scoping and RBAC on every API, worker fetch, and distribution path; no cross-tenant exports unless explicitly whitelisted and logged.
|
||||
|
||||
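Review bot: The "Determinism requirements" bullets cover entry ordering and canonical hash inputs but not archive metadata, so the "retrying packaging MUST yield identical bundle bytes" guarantee is underspecified for a `.stella.bundle.tgz`. Tar entry headers (mtime, uid/gid, owner names, mode) and the gzip header timestamp all end up in the output bytes. Suggest adding a bullet that pins these to fixed values and names the compression settings. Separately, the "Bundle format" bullet says no external fetches are required to verify the DSSE-signed manifest, but it does not say where the verifier gets the public key or trust root in an air-gapped environment; a pointer to the relevant section of `docs/airgap/offline-bundle-format.md` would close that gap.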