save checkpoint

This commit is contained in:
master
2026-02-11 01:32:14 +02:00
parent 5593212b41
commit cf5b72974f
2316 changed files with 68799 additions and 3808 deletions

View File

@@ -0,0 +1,27 @@
# 10-Feb-2026 - Evidence-based release gates (CUE-Rego-DSSE-Rekor)
## Advisory source
- Source: user-provided product advisory text (2026-02-10 UTC).
- Scope: evidence-based promotion decisions using data-driven gate policy (CUE/JSON), OPA/Rego evaluation, Rekor inclusion freshness, in-toto build digest binding, and k-of-n DSSE signatures.
## Outcome
- Result: partially implemented; additional contract and implementation gaps confirmed.
- Decision: translated to updated docs and sprint delivery tasks.
## Confirmed gap themes
- No active CUE-style gate policy contract wired to release promotion with full threshold semantics.
- Promotion gate path does not yet enforce all advisory checks together (score threshold, build product digest equality, k-of-n signer threshold).
- Decision workflow does not yet expose explicit `hold_async` and `escalate` outcomes with signed human-decision linkage.
- Existing policy attestation gate primitives are present but currently excluded from active build/evaluation paths.
## Translation artifacts
- Active sprint update: `docs/implplan/SPRINT_20260209_001_DOCS_repro_bundle_gap_closure.md` (`RB-009` through `RB-013`)
- High-level docs update: `docs/key-features.md`
- Detailed contract: `docs/modules/release-orchestrator/workflow/evidence-based-release-gates.md`
## De-dup / lineage
- Extends: `docs-archived/product/advisories/09-Feb-2026 - Repro Bundle SLSA v1 in-toto DSSE offline mode.md`
- Supersedes: none
## Notes
- External web fetches: none.
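Review bot: the "Confirmed gap themes" list does not cover Rekor inclusion freshness, even though the Scope line names it as one of the advisory's checks and the second gap item enumerates only "score threshold, build product digest equality, k-of-n signer threshold" as the checks the promotion gate must enforce together. Either add a gap item stating that no freshness window (maximum age of the inclusion proof) is enforced on the promotion path, or state explicitly that freshness is already enforced and out of scope for `RB-009` through `RB-013`, so the sprint tasks and the contract doc under `docs/modules/release-orchestrator/workflow/` do not silently drop one of the five checks.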

View File

@@ -0,0 +1,27 @@
# 10-Feb-2026 - Portable software supply chain audit pack
## Advisory source
- Source: user-provided product advisory text (planning session, 2026-02-10 UTC).
- Scope: portable software-supply-chain audit pack with canonical BOM, DSSE attestations, Rekor inclusion/tile material, signed manifest, and offline verification.
## Outcome
- Result: partially aligned implementation with confirmed contract and determinism gaps.
- Decision: translated into active docs + sprint tasks for contract unification and rollout.
## Confirmed gap themes
- Portable pack manifest fields are fragmented across multiple bundle models.
- Deterministic generation behavior is inconsistent across pack writers/serializers.
- Rekor tile material packaging/export contract is not uniformly defined at pack level.
- CLI generation/verification behavior is not yet fully aligned with a single portable pack profile.
- Optional Parquet analytics profile is not yet defined in portable pack contract.
## Translation artifacts
- Translation sprint (completed): `docs-archived/implplan/2026-02-10-completed-sprints/SPRINT_20260210_003_DOCS_portable_audit_pack_translation.md`
- Active implementation sprint: `docs/implplan/SPRINT_20260210_005_EvidenceLocker_portable_audit_pack_implementation.md`
- Product plan: `docs/product/portable-audit-pack-plan.md`
- Module contract: `docs/modules/evidence-locker/portable-audit-pack-contract.md`
## Notes
- Supersedes/extends: extends reproducibility and offline evidence work already tracked in `docs/implplan/SPRINT_20260209_001_DOCS_repro_bundle_gap_closure.md`.
- External web fetches: none.
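Review bot: this note folds lineage into "## Notes" as "Supersedes/extends: extends ..." while the sibling advisory in the same commit uses a dedicated "## De-dup / lineage" section with separate "Extends:" and "Supersedes:" lines; keep one layout across the archived advisories so the lineage field can be located and parsed the same way in every file. Suggested shape: "## De-dup / lineage" followed by "- Extends: `docs/implplan/SPRINT_20260209_001_DOCS_repro_bundle_gap_closure.md`" and "- Supersedes: none". The "Rekor tile material packaging/export contract" gap item would also benefit from naming which of the two bundle models it currently lives in, since the first gap item already says the manifest fields are fragmented across several.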

View File

@@ -0,0 +1,24 @@
# 10-Feb-2026 - SBOM attestation Postgres hot lookup profile
## Advisory source
- Source: user-provided product advisory text (analysis session, 2026-02-10 UTC).
- Scope: PostgreSQL storage/query shape for SBOM and attestation hot lookups (digest, component, VEX triage), partitioning, and retention.
## Outcome
- Result: partial gaps confirmed.
- Decision: advisory translated into docs + sprint tasks and archived.
## Confirmed gap themes
- Scanner lacks an explicit contract for a partitioned Postgres hot-lookup projection that supports direct SQL lookup by digest/PURL/pending-triage state.
- Existing CAS-first architecture and BOM-index sidecar strategy remain valid, but the Postgres projection boundary and operational lifecycle needed formalization.
- Analytics separation is already present, but scanner OLTP vs analytics responsibility needed clearer contract language.
## Translation artifacts
- Active sprint: `docs/implplan/SPRINT_20260210_001_DOCS_sbom_attestation_hot_lookup_contract.md`
- High-level docs update: `docs/key-features.md`
- Module contract: `docs/modules/scanner/sbom-attestation-hot-lookup-profile.md`
## Notes
- Supersedes/extends:
- `docs-archived/product/advisories/14-Dec-2025/01-Dec-2025 - PostgreSQL Patterns for Each StellaOps Module.md`
- External web fetches: none.
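Review bot: the path under "Supersedes/extends:" is written as a top-level list item at the same indentation as its parent, so in rendered Markdown it becomes a sibling bullet rather than the value of that field; indent it by two spaces (or put it inline on the same line) so the lineage reference stays attached to the label. Separately, the Scope line lists "retention" as part of the advisory, but none of the three gap themes states whether a retention policy for the partitioned hot-lookup projection exists; "operational lifecycle needed formalization" is too vague to drive a sprint task, so either add an explicit retention gap or record that retention is covered by the existing CAS-first design.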