save checkpoint

docs/modules/evidence-locker/portable-audit-pack-determinism.md

@@ -0,0 +1,46 @@
+# Portable Audit Pack Determinism Profile
+
+Status: Draft frozen for implementation handoff (2026-02-10).
+
+## Scope
+Deterministic requirements for portable pack generation (`manifest.json`, BOM, DSSE envelope, Rekor material, optional VEX/Parquet artifacts).
+
+## Normative rules
+1. Canonical JSON MUST use RFC 8785/JCS-compatible serialization.
+2. File inventory in `manifest.files` MUST be lexicographically sorted by canonical path.
+3. Archive entries MUST have fixed metadata:
+   - `mtime`: `2026-01-01T00:00:00Z`
+   - `uid/gid`: `0/0`
+   - file mode `0644`, directory mode `0755`
+4. Digests MUST be lowercase SHA-256 hex.
+5. Optional artifacts (`merged_vex.json`, `components.parquet`) MUST not change ordering of required files.
+6. Compression toolchain versions MUST be pinned in release manifests.
+
+## Canonicalization conformance tests (required)
+- Nested object key ordering stability.
+- Unicode normalization and escaping stability.
+- Non-finite number rejection (`NaN`, `Infinity`).
+- DSSE payload preimage digest stability across repeated runs.
+
+## Byte stability gate
+- CI must generate the same pack twice from identical frozen input fixtures.
+- Outputs must be byte-identical (`sha256sum pack1 == pack2`).
+- On mismatch, pipeline fails with `ERR_PACK_NON_DETERMINISTIC`.
+
+## Deterministic fixture layout
+- `testvectors/portable-audit-pack/minimal/`
+- `testvectors/portable-audit-pack/with-vex/`
+- `testvectors/portable-audit-pack/with-parquet/`
+
+Each fixture set should include:
+- inputs (`sbom.json`, optional `vex.json`)
+- expected canonical files
+- expected per-file SHA-256 digests
+- expected package archive digest
+
+## Toolchain pin set (to be implemented)
+- JCS canonicalizer version
+- DSSE signer library version
+- tar implementation/version
+- compression implementation/version
+- Parquet writer version (if profile enabled)