Add tests for SBOM generation determinism across multiple formats

- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism. - Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions. - Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests. - Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
2025-12-23 18:56:12 +02:00
parent 7ac70ece71
commit bc4318ef97
88 changed files with 6974 additions and 1230 deletions
--- a/docs2/operations/score-proofs.md
+++ b/docs2/operations/score-proofs.md
@@ -0,0 +1,46 @@
+# Score proofs and replay
+
+Purpose
+- Provide deterministic score proofs with replayable inputs and attestations.
+
+When to replay
+- Determinism audits and compliance checks.
+- Dispute resolution or vendor verification.
+- Regression investigation after feed or policy changes.
+
+Replay operations
+- Trigger replay via CLI or API with scan or job id.
+- Support batch replay with concurrency limits.
+- Nightly replay jobs validate determinism at scale.
+
+Verification
+- Online verification uses DSSE and Rekor proofs.
+- Offline verification uses embedded proofs and local trust bundles.
+- Verification checks include bundle hash, signature, and input digests.
+
+Bundle contents
+- Manifest with inputs and hashes.
+- SBOM, advisories, VEX snapshots.
+- Deterministic scoring outputs and explain traces.
+- DSSE bundle and transparency proof.
+
+Retention and export
+- Retain bundles per policy; export for audit with manifests.
+- Store in Evidence Locker and Offline Kits.
+
+Monitoring metrics
+- score_replay_duration_seconds
+- proof_verification_success_rate
+- proof_bundle_size_bytes
+- replay_queue_depth
+- proof_generation_failures
+
+Alerting cues
+- Replay latency p95 > 30s.
+- Verification failures or queue backlog spikes.
+
+Related references
+- operations/proof-verification.md
+- operations/replay-and-determinism.md
+- docs/operations/score-proofs-runbook.md
+- docs/operations/score-replay-runbook.md