stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

up

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-11 08:20:04 +02:00
parent 49922dff5a
commit b8b493913a
82 changed files with 14053 additions and 1705 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
docs/implplan/SPRINT_0513_0001_0001_provenance.md
View File

@@ -25,8 +25,8 @@
| 1 | PROV-OBS-53-001 | DONE (2025-11-17) | Baseline models available for downstream tasks | Provenance Guild / `src/Provenance/StellaOps.Provenance.Attestation` | Implement DSSE/SLSA `BuildDefinition` + `BuildMetadata` models with canonical JSON serializer, Merkle digest helpers, deterministic hashing tests, and sample statements for orchestrator/job/export subjects. |
| 2 | PROV-OBS-53-002 | DONE (2025-11-23) | HmacSigner now allows empty claims when RequiredClaims is null; RotatingSignerTests skipped; remaining tests pass (`dotnet test ... --filter "FullyQualifiedName!~RotatingSignerTests"`). PROV-OBS-53-003 unblocked. | Provenance Guild; Security Guild / `src/Provenance/StellaOps.Provenance.Attestation` | Build signer abstraction (cosign/KMS/offline) with key rotation hooks, audit logging, and policy enforcement (required claims). Provide unit tests using fake signer + real cosign fixture. |
| 3 | PROV-OBS-53-003 | DONE (2025-11-23) | PromotionAttestationBuilder already delivered 2025-11-22; with 53-002 verified, mark complete. | Provenance Guild / `src/Provenance/StellaOps.Provenance.Attestation` | Deliver `PromotionAttestationBuilder` that materialises `stella.ops/promotion@v1` predicate (image digest, SBOM/VEX materials, promotion metadata, Rekor proof) and feeds canonicalised payload bytes to Signer via StellaOps.Cryptography. |
| 4 | PROV-OBS-54-001 | BLOCKED (2025-11-25) | Waiting on PROV-OBS-53-002 CI parity; local `dotnet test` aborted after 63.5s build thrash—rerun needed on faster runner | Provenance Guild; Evidence Locker Guild / `src/Provenance/StellaOps.Provenance.Attestation` | Deliver verification library that validates DSSE signatures, Merkle roots, and timeline chain-of-custody; expose reusable CLI/service APIs; include negative fixtures and offline timestamp verification. |
| 5 | PROV-OBS-54-002 | BLOCKED | Blocked by PROV-OBS-54-001 | Provenance Guild; DevEx/CLI Guild / `src/Provenance/StellaOps.Provenance.Attestation` | Generate .NET global tool for local verification + embed command helpers for CLI `stella forensic verify`; provide deterministic packaging and offline kit instructions. |
| 4 | PROV-OBS-54-001 | DONE (2025-12-10) | CI rerun passed; verification library validated. | Provenance Guild; Evidence Locker Guild / `src/Provenance/StellaOps.Provenance.Attestation` | Deliver verification library that validates DSSE signatures, Merkle roots, and timeline chain-of-custody; expose reusable CLI/service APIs; include negative fixtures and offline timestamp verification. |
| 5 | PROV-OBS-54-002 | DONE (2025-12-10) | Global tool packaged and signed; CLI helpers emitted. | Provenance Guild; DevEx/CLI Guild / `src/Provenance/StellaOps.Provenance.Attestation` | Generate .NET global tool for local verification + embed command helpers for CLI `stella forensic verify`; provide deterministic packaging and offline kit instructions. |
## Wave Coordination
- Single wave covering Provenance attestation + verification; sequencing enforced in Delivery Tracker.
@@ -40,29 +40,26 @@
- CLI integration depends on DevEx/CLI guild packaging conventions.
## Upcoming Checkpoints
- 2025-11-23 · Local `dotnet test ...Attestation.Tests.csproj -c Release` failed: duplicate PackageReference (xunit/xunit.runner.visualstudio) and syntax errors in PromotionAttestationBuilderTests.cs / VerificationTests.cs. CI rerun remains pending after test project cleanup.
- 2025-11-26 · Schema alignment touchpoint with Orchestrator/Attestor guilds on promotion predicate fields.
- 2025-11-29 · Offline kit packaging review for verification global tool (`PROV-OBS-54-002`) with DevEx/CLI guild.
- None (sprint closed 2025-12-10); track any follow-ups in subsequent provenance sprints.
## Action Tracker
- Schedule CI environment rerun for PROV-OBS-53-002 with full dependency restore and logs attached.
- Prepare schema notes for promotion predicate (image digest, SBOM/VEX materials, Rekor proof) ahead of 2025-11-26 checkpoint.
- Draft offline kit instructions outline for PROV-OBS-54-002 to accelerate packaging once verification APIs land.
- All actions completed; none open for this sprint.
## Decisions & Risks
**Risk table**
| Risk | Impact | Mitigation | Owner |
| --- | --- | --- | --- |
| PROV-OBS-53-002 CI parity pending | If CI differs from local, could reopen downstream | Rerun in CI; publish logs; align SDK version | Provenance Guild |
| Promotion predicate schema mismatch with Orchestrator/Attestor | Rework builder and verification APIs | Hold 2025-11-26 alignment; track deltas in docs; gate merges behind feature flag | Provenance Guild / Orchestrator Guild |
| Offline verification kit drift vs CLI packaging rules | Users cannot verify in air-gap | Pair with DevEx/CLI guild; publish deterministic packaging steps and checksums | DevEx/CLI Guild |
| Promotion predicate schema mismatch with Orchestrator/Attestor | Rework builder and verification APIs | Alignment completed; future deltas tracked in docs and gated behind feature flag | Provenance Guild / Orchestrator Guild |
| Offline verification kit drift vs CLI packaging rules | Users cannot verify in air-gap | Deterministic packaging steps and checksums published with global tool artifacts | DevEx/CLI Guild |
- PROV-OBS-53-002 remains BLOCKED until CI rerun resolves MSB6006; PROV-OBS-53-003/54-001/54-002 stay gated.
- CI parity achieved for PROV-OBS-53-002/54-001; downstream tasks completed.
- Archived/complete items move to `docs/implplan/archived/tasks.md` after closure.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-10 | CI rerun passed; PROV-OBS-54-001 verified and marked DONE. | Provenance Guild |
| 2025-12-10 | PROV-OBS-54-002 packaged as global tool with signed artifacts and offline kit instructions; CLI helper integration validated. | Provenance Guild |
| 2025-11-26 | Attempted `dotnet test ...Attestation.Tests.csproj -c Release --filter FullyQualifiedName!~RotatingSignerTests`; build fanned out and was cancelled locally after long MSBuild churn. CI runner still needed; tasks PROV-OBS-54-001/54-002 remain BLOCKED. | Implementer |
| 2025-11-25 | Retried build locally: `dotnet build src/Provenance/StellaOps.Provenance.Attestation/StellaOps.Provenance.Attestation.csproj -c Release` succeeded in 1.6s. Subsequent `dotnet build --no-restore` on Attestation.Tests still fans out across Concelier dependencies (static graph) and was cancelled; test run remains blocked. Need CI/filtered graph to validate PROV-OBS-53-002/54-001. | Implementer |
| 2025-11-25 | Attempted `dotnet test src/Provenance/__Tests/StellaOps.Provenance.Attestation.Tests/StellaOps.Provenance.Attestation.Tests.csproj -c Release`; build fanned out across Concelier dependencies and was cancelled after 63.5s. PROV-OBS-54-001 kept BLOCKED pending CI rerun on faster runner. | Implementer |