docs: Archive Sprint 3500 (PoE), Sprint 7100 (Proof Moats), and additional sprints
Archive completed sprint documentation and deliverables:

## SPRINT_3500 - Proof of Exposure (PoE) Implementation (COMPLETE ✅)
- Windows filesystem hash sanitization (colon → underscore)
- Namespace conflict resolution (Subgraph → PoESubgraph)
- Mock test improvements with It.IsAny<>()
- Direct orchestrator unit tests
- 8/8 PoE tests passing (100% success)
- Archived to: docs/implplan/archived/2025-12-23-sprint-3500-poe/

## SPRINT_7100.0001 - Proof-Driven Moats Core (COMPLETE ✅)
- Four-tier backport detection system
- 9 production modules (4,044 LOC)
- Binary fingerprinting (TLSH + instruction hashing)
- VEX integration with proof-carrying verdicts
- 42+ unit tests passing (100% success)
- Archived to: docs/implplan/archived/2025-12-23-sprint-7100-proof-moats/

## SPRINT_7100.0002 - Proof Moats Storage Layer (COMPLETE ✅)
- PostgreSQL repository implementations
- Database migrations (4 evidence tables + audit)
- Test data seed scripts (12 evidence records, 3 CVEs)
- Integration tests with Testcontainers
- <100ms proof generation performance
- Archived to: docs/implplan/archived/2025-12-23-sprint-7100-proof-moats/

## SPRINT_3000_0200 - Authority Admin & Branding (COMPLETE ✅)
- Console admin RBAC UI components
- Branding editor with tenant isolation
- Authority backend endpoints
- Archived to: docs/implplan/archived/

## Additional Documentation
- CLI command reference and compliance guides
- Module architecture docs (26 modules documented)
- Data schemas and contracts
- Operations runbooks
- Security risk models
- Product roadmap

All archived sprints achieved 100% completion of planned deliverables.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
46
docs2/operations/replay-and-determinism.md
Normal file
@@ -0,0 +1,46 @@
# Replay and determinism
Deterministic replay lets any scan be reproduced byte for byte. The replay
system captures every input, environment detail, and output hash.
Core artifacts
- Replay manifest (canonical JSON)
- Input bundle (feeds, policies, tools)
- Output bundle (SBOM, findings, VEX, logs)
- DSSE envelopes for each artifact
- Merkle summaries for layers and feed chunks
Replay manifest sections
- scan: id, time, versions, crypto profile
- subject: image digest and layer merkle roots
- inputs: feeds, rules, tool hashes, env normalization
- policy: lattice and mute hashes
- outputs: hashes for SBOM, findings, VEX, logs
- reachability: graph and runtime trace references
- provenance: signer and optional ledger anchors
Deterministic execution rules
- Freeze time to scan.time unless explicitly overridden.
- Use stable ordering for traversal and output serialization.
- Derive RNG seeds from scan id and layer merkle roots.
- Canonicalize JSON before hashing or signing.
Verification and CLI
- stella scan --record produces manifest and bundles.
- stella verify checks hashes and DSSE signatures.
- stella replay re-runs with strict or what-if modes.
- stella diff compares manifests and highlights drift.
Storage
- replay_runs, bundles, subjects tables in PostgreSQL.
- CAS locations use content addressed naming.
Offline posture
- All inputs must be included in the replay bundle.
- Trust anchors are supplied via RootPack snapshots.
Related references
- docs/replay/DETERMINISTIC_REPLAY.md
- docs/replay/DEVS_GUIDE_REPLAY.md
- docs/replay/TEST_STRATEGY.md
- docs/runbooks/replay_ops.md
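Review bot: "Canonicalize JSON before hashing or signing" under Deterministic execution rules, and "Replay manifest (canonical JSON)" under Core artifacts, do not name the canonicalization scheme or the hash algorithm, so two implementations can follow this page and still produce different bytes and digests. Name both here, or say that the "crypto profile" field of the scan section fixes them and point at the part of docs/replay/DETERMINISTIC_REPLAY.md that defines it. "Freeze time to scan.time unless explicitly overridden" should also say where an override is recorded, and the strict and what-if modes of stella replay need a one-line definition each, since a what-if run that is not marked as such in the manifest cannot be told apart from a strict one at verification time.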
29
docs2/operations/runbooks.md
Normal file
@@ -0,0 +1,29 @@
# Operations runbooks
Runbooks capture operational procedures for incidents, replay verification,
policy emergencies, and airgap workflows. They are designed to be offline
and deterministic.
Runbook set (current)
- docs/runbooks/assistant-ops.md
- docs/runbooks/incidents.md
- docs/runbooks/policy-incident.md
- docs/runbooks/reachability-runtime.md
- docs/runbooks/replay_ops.md
- docs/runbooks/vex-ops.md
- docs/runbooks/vuln-ops.md
Common expectations
- Hash and store any inbound artifacts with SHA256SUMS.
- Record UTC timestamps and stable ordering in logs.
- Avoid external network calls unless explicitly permitted.
- Keep links to the relevant specs and schemas for verification.
Operational evidence
- Replay verification logs
- Policy decision evidence bundles
- Incident timelines and postmortems
Related references
- docs/operations/*
- docs/airgap/*
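Review bot: The Related references at the end of this file are the globs docs/operations/* and docs/airgap/*, which cannot be followed or checked, and they point under docs/ while this file is added under docs2/operations/; that sits badly with the Common expectations item "Keep links to the relevant specs and schemas for verification". List the specific files instead. Separately, "Hash and store any inbound artifacts with SHA256SUMS" does not say how the SHA256SUMS file itself is authenticated: a checksum list stored beside the artifacts detects corruption but not substitution, so state whether it is signed or covered by a DSSE envelope, and where it is stored relative to the artifacts it lists.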