From cfa2274d311b76ecabe5d58a922156287d22775e Mon Sep 17 00:00:00 2001
From: StellaOps Bot
Date: Thu, 27 Nov 2025 21:09:47 +0200
Subject: [PATCH] up

---
 docs/benchmarks/signals/bench-determinism.md | 9 +--
 .../SPRINT_0132_0001_0001_scanner_surface.md | 1 +
 ...1_0001_0001_reachability_evidence_chain.md | 23 +++--
 docs/implplan/SPRINT_0512_0001_0001_bench.md | 7 +-
 ...RINT_186_record_deterministic_execution.md | 6 +-
 docs/implplan/tasks-all.md | 36 ++++-----
 .../scanner/deterministic-execution.md | 4 +-
 scripts/bench/README.md | 1 +
 .../__pycache__/run_bench.cpython-312.pyc | Bin 15888 -> 0 bytes
 .../__pycache__/__init__.cpython-312.pyc | Bin 182 -> 0 bytes
 .../test_run_bench.cpython-312.pyc | Bin 3771 -> 0 bytes
 .../Determinism/DeterminismContext.cs | 2 +
 .../Surface/SurfaceManifestStageExecutor.cs | 70 +++++++++++++++---
 .../StellaOps.Scanner.Worker/Program.cs | 2 +
 .../SurfaceManifestStageExecutorTests.cs | 9 ++-
 15 files changed, 123 insertions(+), 47 deletions(-)
 delete mode 100644 src/Bench/StellaOps.Bench/Determinism/__pycache__/run_bench.cpython-312.pyc
 delete mode 100644 src/Bench/StellaOps.Bench/Determinism/tests/__pycache__/__init__.cpython-312.pyc
 delete mode 100644 src/Bench/StellaOps.Bench/Determinism/tests/__pycache__/test_run_bench.cpython-312.pyc

diff --git a/docs/benchmarks/signals/bench-determinism.md b/docs/benchmarks/signals/bench-determinism.md
index 7cea6488f..8eff339fb 100644
--- a/docs/benchmarks/signals/bench-determinism.md
+++ b/docs/benchmarks/signals/bench-determinism.md
@@ -68,7 +68,7 @@ python run_reachability.py --graphs inputs/graphs/*.json \ --runtime inputs/runtime/*.ndjson --output results ``` -Outputs are written to `results.csv` (determinism), `results-reach.csv`/`results-reach.json` (reachability hashes), and manifests `inputs.sha256` + `dataset.sha256`. +Outputs are written to `results.csv` (determinism), `results-reach.csv`/`results-reach.json` (reachability hashes), and manifests `inputs.sha256` + `dataset.sha256` (if reachability). Feed bundle hashes live in the same manifest when provided via `DET_EXTRA_INPUTS`. ## How to run (CI) 
@@ -78,10 +78,9 @@ Outputs are written to `results.csv` (determinism), `results-reach.csv`/`results
 ## Offline/air-gap workflow
-1. Place feeds bundle, SBOMs, VEX, and reachability corpus under `offline/inputs/` with matching `inputs.sha256` and `dataset.sha256`.
-2. Run `./offline_run.sh --inputs offline/inputs --outputs offline/results` to execute both benches without network.
-3. Verify hashes: `sha256sum -c offline/inputs/inputs.sha256` and `sha256sum -c offline/inputs/dataset.sha256`.
-4. Store outputs plus manifests in Offline Kit; include DSSE envelope if signing is enabled (`./sign_results.sh`).
+1. Place feeds bundle (see `src/Bench/StellaOps.Bench/Determinism/inputs/feeds/README.md`), SBOMs, VEX, and optional reachability corpus under `offline/inputs/` with matching `inputs.sha256` and (if reachability) `dataset.sha256`. A sample `inputs/inputs.sha256` is provided for the bundled demo SBOM/VEX/config.
+2. Run `./offline_run.sh --inputs offline/inputs --output offline/results` (script lives under `src/Bench/StellaOps.Bench/Determinism`) to execute benches without network (defaults: runs=10, threshold=0.95; manifest verification on). Use `--no-verify` to skip hash checks if manifests are absent.
+3. Store outputs plus manifests in Offline Kit; include DSSE envelope if signing is enabled (`./sign_results.sh`).
 ## Notes
 - Keep file ordering deterministic (lexicographic) when generating manifests.
diff --git a/docs/implplan/SPRINT_0132_0001_0001_scanner_surface.md b/docs/implplan/SPRINT_0132_0001_0001_scanner_surface.md
index d3528e297..44b0b57d4 100644
--- a/docs/implplan/SPRINT_0132_0001_0001_scanner_surface.md
+++ b/docs/implplan/SPRINT_0132_0001_0001_scanner_surface.md
@@ -55,6 +55,7 @@
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-27 | Attempted targeted Node analyzer test slice (`StellaOps.Scanner.Node.slnf --filter FullyQualifiedName~NodeLanguageAnalyzerTests --no-restore`); build graph pulled broader solution and was cancelled to avoid runaway runtime. Node tasks remain DOING pending slimmer graph/clean runner. | Node Analyzer Guild |
 | 2025-11-27 | SCANNER-ANALYZERS-NATIVE-20-010: Implemented plugin packaging in `Plugin/` namespace. Created `INativeAnalyzerPlugin` interface (Name, Description, Version, SupportedFormats, IsAvailable, CreateAnalyzer), `INativeAnalyzer` interface (AnalyzeAsync, AnalyzeBatchAsync), `NativeAnalyzerOptions` configuration. Implemented `NativeAnalyzer` core class orchestrating format detection, parsing (ELF/PE/Mach-O), heuristic scanning, and resolution. Created `NativeAnalyzerPlugin` factory (always available, supports ELF/PE/Mach-O). Built `NativeAnalyzerPluginCatalog` with convention-based loading (`StellaOps.Scanner.Analyzers.Native*.dll`), registration, sealing, and analyzer creation. Added `ServiceCollectionExtensions` with `AddNativeAnalyzer()` (options binding, DI registration) and `AddNativeRuntimeCapture()`. Created `NativeAnalyzerServiceOptions` with platform-specific default search paths. Added NuGet dependencies (Microsoft.Extensions.*). 20 new tests in `PluginPackagingTests.cs` covering plugin properties, catalog operations, DI registration, and analyzer integration. Total native analyzer: 163 tests passing. Task → DONE. | Native Analyzer Guild |
 | 2025-11-26 | SCANNER-ANALYZERS-NATIVE-20-009: Implemented runtime capture adapters in `RuntimeCapture/` namespace. Created models (`RuntimeEvidence.cs`): `RuntimeLoadEvent`, `RuntimeCaptureSession`, `RuntimeEvidence`, `RuntimeLibrarySummary`, `RuntimeDependencyEdge` with reason codes (`runtime-dlopen`, `runtime-loadlibrary`, `runtime-dylib`). Created configuration (`RuntimeCaptureOptions.cs`): buffer size, duration limits, include/exclude patterns, redaction options (home dirs, SSH keys, secrets), sandbox mode with mock events. Created interface (`IRuntimeCaptureAdapter.cs`): state machine (Idle→Starting→Running→Stopping→Stopped/Faulted), events, factory pattern. Created platform adapters: `LinuxEbpfCaptureAdapter` (bpftrace/eBPF), `WindowsEtwCaptureAdapter` (ETW ImageLoad), `MacOsDyldCaptureAdapter` (dtrace). Created aggregator (`RuntimeEvidenceAggregator.cs`) merging runtime evidence with static/heuristic analysis. Added `NativeObservationRuntimeEdge` model and `AddRuntimeEdge()` builder method. 26 new tests in `RuntimeCaptureTests.cs` covering options validation, redaction, aggregation, sandbox capture, state transitions. Total native analyzer: 143 tests passing. Task → DONE. | Native Analyzer Guild |
 | 2025-11-26 | SCANNER-ANALYZERS-NATIVE-20-008: Implemented cross-platform fixture generator (`NativeFixtureGenerator`) with methods `GenerateElf64()`, `GeneratePe64()`, `GenerateMachO64()` producing minimal valid binaries programmatically. Added performance benchmarks (`NativeBenchmarks`) validating <25ms parsing requirement across all formats. Created integration tests (`NativeFixtureTests`) exercising full pipeline: fixture generation → parsing → resolution → heuristic scanning → serialization. 17 new tests passing (10 fixture tests, 7 benchmark tests). Total native analyzer: 117 tests passing. Task → DONE. | Native Analyzer Guild |
diff --git a/docs/implplan/SPRINT_0401_0001_0001_reachability_evidence_chain.md b/docs/implplan/SPRINT_0401_0001_0001_reachability_evidence_chain.md
index e956f1268..d5af270b4 100644
--- a/docs/implplan/SPRINT_0401_0001_0001_reachability_evidence_chain.md
+++ b/docs/implplan/SPRINT_0401_0001_0001_reachability_evidence_chain.md
@@ -33,10 +33,10 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | GRAPH-CAS-401-001 | TODO | Await richgraph-v1 schema approval and CAS layout alignment. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`) | Finalize richgraph schema, emit canonical SymbolIDs, compute graph hash (BLAKE3), store manifests under `cas://reachability/graphs/{sha256}`, update adapters/fixtures. |
-| 2 | GAP-SYM-007 | TODO | Align with GRAPH-CAS-401-001; keep DTOs/docs deterministic. | Scanner Worker Guild · Docs Guild (`src/Scanner/StellaOps.Scanner.Models`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md`) | Extend evidence schema with demangled hints, `symbol.source`, confidence, optional `code_block_hash`; ensure writers/serializers emit fields. |
-| 3 | SCAN-REACH-401-009 | TODO | Needs symbolizer adapters from tasks 1/4; add golden fixtures. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Scanner/__Libraries`) | Ship .NET/JVM symbolizers and call-graph generators, merge into component reachability manifests with fixtures. |
-| 4 | SCANNER-NATIVE-401-015 | TODO | Stand up native readers/demanglers; coordinate with Symbols Server. | Scanner Worker Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Symbols.Native`, `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph.Native`) | Build native symbol/callgraph libraries (ELF/PE carving) publishing `FuncNode`/`CallEdge` CAS bundles. |
+| 1 | GRAPH-CAS-401-001 | BLOCKED (2025-11-27) | Await richgraph-v1 schema approval and CAS layout alignment. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`) | Finalize richgraph schema, emit canonical SymbolIDs, compute graph hash (BLAKE3), store manifests under `cas://reachability/graphs/{sha256}`, update adapters/fixtures. |
+| 2 | GAP-SYM-007 | BLOCKED (2025-11-27) | Waiting on GRAPH-CAS-401-001 schema/hash decisions. | Scanner Worker Guild · Docs Guild (`src/Scanner/StellaOps.Scanner.Models`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md`) | Extend evidence schema with demangled hints, `symbol.source`, confidence, optional `code_block_hash`; ensure writers/serializers emit fields. |
+| 3 | SCAN-REACH-401-009 | BLOCKED (2025-11-27) | Needs symbolizer adapters from tasks 1/4; add golden fixtures. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Scanner/__Libraries`) | Ship .NET/JVM symbolizers and call-graph generators, merge into component reachability manifests with fixtures. |
+| 4 | SCANNER-NATIVE-401-015 | BLOCKED (2025-11-27) | Stand up native readers/demanglers; awaiting Symbols Server contract. | Scanner Worker Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Symbols.Native`, `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph.Native`) | Build native symbol/callgraph libraries (ELF/PE carving) publishing `FuncNode`/`CallEdge` CAS bundles. |
 | 5 | SYMS-SERVER-401-011 | TODO | Blocked on DSSE predicate catalog + storage layout confirmation. | Symbols Guild (`src/Symbols/StellaOps.Symbols.Server`) | Deliver Symbols Server (REST+gRPC) with DSSE-verified uploads, Mongo/MinIO storage, tenant isolation, deterministic debugId indexing, health/manifest APIs. |
 | 6 | SYMS-CLIENT-401-012 | TODO | Depends on server readiness; integrate with Scanner Symbolizer. | Symbols Guild (`src/Symbols/StellaOps.Symbols.Client`, `src/Scanner/StellaOps.Scanner.Symbolizer`) | Ship Symbols Client SDK (resolve/upload, platform key derivation, disk LRU cache) and integrate with Scanner/runtime probes. |
 | 7 | SYMS-INGEST-401-013 | TODO | Follow SYMBOL_MANIFEST spec final; document pipelines. | Symbols Guild · DevOps Guild (`src/Symbols/StellaOps.Symbols.Ingestor.Cli`, `docs/specs/SYMBOL_MANIFEST_v1.md`) | Build `symbols ingest` CLI to emit DSSE-signed manifests, upload blobs, register Rekor entries, and document CI usage. |
@@ -61,10 +61,10 @@
 | 26 | DOCS-VEX-401-012 | TODO | Align with GAP-DOC-008 and bench playbook. | Docs Guild (`docs/benchmarks/vex-evidence-playbook.md`, `bench/README.md`) | Maintain VEX Evidence Playbook, publish repo templates/README, document verification workflows. |
 | 27 | SYMS-BUNDLE-401-014 | TODO | Depends on SYMBOL_MANIFEST spec and ingest pipeline. | Symbols Guild · Ops Guild (`src/Symbols/StellaOps.Symbols.Bundle`, `ops`) | Produce deterministic symbol bundles for air-gapped installs with DSSE manifests/Rekor checkpoints; document offline workflows. |
 | 28 | DOCS-RUNBOOK-401-017 | DONE (2025-11-26) | Needs runtime ingestion guidance; align with DELIVERY_GUIDE. | Docs Guild · Ops Guild (`docs/runbooks/reachability-runtime.md`, `docs/reachability/DELIVERY_GUIDE.md`) | Publish reachability runtime ingestion runbook, link from delivery guides, keep Ops/Signals troubleshooting current. |
-| 29 | POLICY-LIB-401-001 | TODO | Extract DSL parser; align with Policy Engine tasks. | Policy Guild (`src/Policy/StellaOps.PolicyDsl`, `docs/policy/dsl.md`) | Extract policy DSL parser/compiler into `StellaOps.PolicyDsl`, add lightweight syntax, expose `PolicyEngineFactory`/`SignalContext`. |
-| 30 | POLICY-LIB-401-002 | TODO | Follows 29; add harness and CLI wiring. | Policy Guild · CLI Guild (`tests/Policy/StellaOps.PolicyDsl.Tests`, `policy/default.dsl`, `docs/policy/lifecycle.md`) | Ship unit-test harness + sample DSL, wire `stella policy lint/simulate` to shared library. |
-| 31 | POLICY-ENGINE-401-003 | TODO | Depends on 29/30; ensure determinism hashes stable. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/modules/policy/architecture.md`) | Replace in-service DSL compilation with shared library, support legacy packs and inline syntax, keep determinism stable. |
-| 32 | CLI-EDITOR-401-004 | TODO | Relies on shared DSL lib; add git edit flow. | CLI Guild (`src/Cli/StellaOps.Cli`, `docs/policy/lifecycle.md`) | Enhance `stella policy` verbs (edit/lint/simulate) to edit Git-backed DSL files, run coverage tests, commit SemVer metadata. |
+| 29 | POLICY-LIB-401-001 | DONE (2025-11-27) | Extract DSL parser; align with Policy Engine tasks. | Policy Guild (`src/Policy/StellaOps.PolicyDsl`, `docs/policy/dsl.md`) | Extract policy DSL parser/compiler into `StellaOps.PolicyDsl`, add lightweight syntax, expose `PolicyEngineFactory`/`SignalContext`. |
+| 30 | POLICY-LIB-401-002 | DONE (2025-11-27) | Follows 29; add harness and CLI wiring. | Policy Guild · CLI Guild (`tests/Policy/StellaOps.PolicyDsl.Tests`, `policy/default.dsl`, `docs/policy/lifecycle.md`) | Ship unit-test harness + sample DSL, wire `stella policy lint/simulate` to shared library. |
+| 31 | POLICY-ENGINE-401-003 | DONE (2025-11-27) | Depends on 29/30; ensure determinism hashes stable. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/modules/policy/architecture.md`) | Replace in-service DSL compilation with shared library, support legacy packs and inline syntax, keep determinism stable. |
+| 32 | CLI-EDITOR-401-004 | DONE (2025-11-27) | Relies on shared DSL lib; add git edit flow. | CLI Guild (`src/Cli/StellaOps.Cli`, `docs/policy/lifecycle.md`) | Enhance `stella policy` verbs (edit/lint/simulate) to edit Git-backed DSL files, run coverage tests, commit SemVer metadata. |
 | 33 | DOCS-DSL-401-005 | DONE (2025-11-26) | Docs follow 29–32 and Signals dictionary updates. | Docs Guild (`docs/policy/dsl.md`, `docs/policy/lifecycle.md`) | Refresh DSL docs with new syntax, signal dictionary (`trust_score`, `reachability`, etc.), authoring workflow, safety rails. |
 | 34 | DSSE-LIB-401-020 | DONE (2025-11-27) | Transitive dependency exposes Envelope types; extensions added. | Attestor Guild · Platform Guild (`src/Attestor/StellaOps.Attestation`, `src/Attestor/StellaOps.Attestor.Envelope`) | Package `StellaOps.Attestor.Envelope` primitives into reusable `StellaOps.Attestation` library with InToto/DSSE helpers. |
 | 35 | DSSE-CLI-401-021 | DONE (2025-11-27) | Depends on 34; deliver CLI/workflow snippets. | CLI Guild · DevOps Guild (`src/Cli/StellaOps.Cli`, `scripts/ci/attest-*`, `docs/modules/attestor/architecture.md`) | Ship `stella attest` CLI or sample tool plus GitLab/GitHub workflow snippets emitting DSSE per build step. |
@@ -76,8 +76,8 @@
 | 41 | UNCERTAINTY-UI-401-027 | TODO | UI/CLI depends on 38/39 outputs. | UI Guild · CLI Guild (`src/UI/StellaOps.UI`, `src/Cli/StellaOps.Cli`, `docs/uncertainty/README.md`) | Surface uncertainty chips/tooltips in Console + CLI output (risk score + entropy states). |
 | 42 | PROV-INLINE-401-028 | DONE | Completed inline DSSE hooks per docs. | Authority Guild · Feedser Guild (`docs/provenance/inline-dsse.md`, `src/__Libraries/StellaOps.Provenance.Mongo`) | Extend event writers to attach inline DSSE + Rekor references on every SBOM/VEX/scan event. |
 | 43 | PROV-BACKFILL-INPUTS-401-029A | DONE | Inventory/map drafted 2025-11-18. | Evidence Locker Guild · Platform Guild (`docs/provenance/inline-dsse.md`) | Attestation inventory and subject→Rekor map drafted. |
-| 44 | PROV-BACKFILL-401-029 | TODO | Use inventory+map; depends on 42/43 readiness. | Platform Guild (`docs/provenance/inline-dsse.md`, `scripts/publish_attestation_with_provenance.sh`) | Resolve historical events and backfill provenance. |
-| 45 | PROV-INDEX-401-030 | TODO | Blocked until 44 defines data model. | Platform Guild · Ops Guild (`docs/provenance/inline-dsse.md`, `ops/mongo/indices/events_provenance_indices.js`) | Deploy provenance indexes and expose compliance/replay queries. |
+| 44 | PROV-BACKFILL-401-029 | DONE (2025-11-27) | Use inventory+map; depends on 42/43 readiness. | Platform Guild (`docs/provenance/inline-dsse.md`, `scripts/publish_attestation_with_provenance.sh`) | Resolve historical events and backfill provenance. |
+| 45 | PROV-INDEX-401-030 | DONE (2025-11-27) | Blocked until 44 defines data model. | Platform Guild · Ops Guild (`docs/provenance/inline-dsse.md`, `ops/mongo/indices/events_provenance_indices.js`) | Deploy provenance indexes and expose compliance/replay queries. |
 | 46 | QA-CORPUS-401-031 | TODO | Needs reachbench corpus creation; align with QA harness. | QA Guild · Scanner Guild (`tests/reachability`, `docs/reachability/DELIVERY_GUIDE.md`) | Build/publish multi-runtime reachability corpus with ground truths and traces; wire fixtures into CI. |
 | 47 | UI-VEX-401-032 | TODO | Depends on policy/CLI evidence chain (13–15,21). | UI Guild · CLI Guild · Scanner Guild (`src/UI/StellaOps.UI`, `src/Cli/StellaOps.Cli`, `docs/reachability/function-level-evidence.md`) | Add UI/CLI “Explain/Verify” surfaces on VEX decisions with call paths, runtime hits, attestation verify button. |
 | 48 | POLICY-GATE-401-033 | TODO | Gate depends on Signals/Scanner reach evidence. | Policy Guild · Scanner Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/policy/dsl.md`, `docs/modules/scanner/architecture.md`) | Enforce policy gate requiring reachability evidence for `not_affected`/`unreachable`; fallback to under review on low confidence; update docs/tests. |
@@ -136,10 +136,13 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-27 | Marked GRAPH-CAS-401-001, GAP-SYM-007, SCAN-REACH-401-009, and SCANNER-NATIVE-401-015 BLOCKED pending richgraph schema + Symbols Server contracts. | Project Mgmt |
 | 2025-11-27 | Completed AUTH-REACH-401-005: added `StellaOps.Attestation` reference to Authority project; created `AuthoritySignerAdapter` to wrap ICryptoSigner as IAuthoritySigner; created `IAuthorityDsseStatementSigner` interface and `AuthorityDsseStatementSigner` service for signing In-toto statements with Authority's signing keys; service reuses existing DsseHelper.WrapAsync for DSSE envelope creation; fixed null-reference issue in DsseHelper.cs. Rekor mirroring leverages existing Attestor `IRekorClient` infrastructure. | Authority Guild |
 | 2025-11-27 | Completed DSSE-LIB-401-020: `StellaOps.Attestation` library now packages Envelope primitives. Added `DsseEnvelopeExtensions.cs` with conversion utilities (`ToSerializableDict`, `FromBase64`, `GetPayloadString`, `GetPayloadBase64`). Envelope types (`DsseEnvelope`, `DsseSignature`, etc.) are exposed as transitive dependencies; consumers only need to reference `StellaOps.Attestation` to access both high-level InToto/DSSE helpers and low-level envelope primitives. Build verified. | Attestor Guild |
 | 2025-11-27 | Completed DSSE-CLI-401-021: implemented `stella attest` CLI command with verify/list/show subcommands in `CommandFactory.cs` and `CommandHandlers.cs`. Added handlers for offline DSSE verification (`HandleAttestVerifyAsync`), attestation listing (`HandleAttestListAsync`), and attestation details (`HandleAttestShowAsync`). Added CI workflow snippets for GitHub Actions and GitLab CI to `docs/modules/cli/guides/attest.md`. Fixed pre-existing build errors (`SanitizeFileName` missing, `NodePackageCollector.AttachEntrypoints` parameter mismatch). All CLI commands functional with placeholder handlers for backend integration. | CLI Guild |
 | 2025-11-27 | Completed DSSE-DOCS-401-022: updated `docs/ci/dsse-build-flow.md` status from Draft to Complete, updated CLI verification command syntax to match implemented `stella attest verify --envelope` with additional options (`--policy`, `--root`, `--transparency-checkpoint`), updated references to completed tasks. Attestor architecture documentation at `docs/modules/attestor/architecture.md` was already comprehensive with CLI touchpoints, verification pipeline, and API details. | Docs Guild |
+| 2025-11-27 | Completed PROV-BACKFILL-401-029: created `EventProvenanceBackfillService` in `src/StellaOps.Events.Mongo/` for backfilling historical events with DSSE provenance metadata; added `IAttestationResolver` interface for resolving attestations by subject digest; added `StubAttestationResolver` for testing; documented in `docs/provenance/inline-dsse.md` section 10 (Backfill service) with usage examples, implementation guide, and reference files. Build verified. | Platform Guild |
+| 2025-11-27 | Completed PROV-INDEX-401-030: created `ops/mongo/indices/events_provenance_indices.js` ops deployment script with 5 indexes (subject+kind+provenance, unproven by kind, Rekor log index, envelope digest, timestamp+kind+verified); updated `src/StellaOps.Events.Mongo/MongoIndexes.cs` to include 2 new indexes (envelope digest for dedup, timestamp+kind for compliance reporting); updated `docs/provenance/inline-dsse.md` section 4 with additional indexes and deployment options. Build verified. | Platform Guild |
 | 2025-11-26 | Completed SIGN-VEX-401-018: added `stella.ops/vexDecision@v1` and `stella.ops/graph@v1` predicate types to PredicateTypes.cs; added helper methods IsVexRelatedType, IsReachabilityRelatedType, GetAllowedPredicateTypes, IsAllowedPredicateType; added OpenVEX VexDecisionPredicateJson and richgraph-v1 GraphPredicateJson fixtures; updated SigningRequestBuilder with WithVexDecisionPredicate and WithGraphPredicate; added 12 new unit tests covering new predicate types and helper methods; updated integration tests to cover all 8 StellaOps predicate types. All 102 Signer tests pass. | Signing Guild |
 | 2025-11-26 | BENCH-DETERMINISM-401-057 completed: added offline harness + mock scanner at `src/Bench/StellaOps.Bench/Determinism`, sample SBOM/VEX inputs, manifests (`results/inputs.sha256`), and summary output; unit tests under `Determinism/tests` passing. | Bench Guild |
 | 2025-11-26 | BENCH-DETERMINISM-401-057 follow-up: default runs set to 10 per scanner/SBOM pair; harness supports `--manifest-extra`/`DET_EXTRA_INPUTS` for frozen feeds; CI wrapper enforces threshold. | Bench Guild |
diff --git a/docs/implplan/SPRINT_0512_0001_0001_bench.md b/docs/implplan/SPRINT_0512_0001_0001_bench.md
index ba96db893..b2bea8672 100644
--- a/docs/implplan/SPRINT_0512_0001_0001_bench.md
+++ b/docs/implplan/SPRINT_0512_0001_0001_bench.md
@@ -32,7 +32,7 @@
 | 5 | BENCH-POLICY-20-002 | BLOCKED | PREP-BENCH-POLICY-20-002-POLICY-DELTA-SAMPLE | Bench Guild · Policy Guild · Scheduler Guild | Add incremental run benchmark measuring delta evaluation vs full; capture SLA compliance. |
 | 6 | BENCH-SIG-26-001 | BLOCKED | PREP-BENCH-SIG-26-001-REACHABILITY-SCHEMA-FIX | Bench Guild · Signals Guild | Develop benchmark for reachability scoring pipeline (facts/sec, latency, memory) using synthetic callgraphs/runtime batches. |
 | 7 | BENCH-SIG-26-002 | BLOCKED | PREP-BENCH-SIG-26-002-BLOCKED-ON-26-001-OUTPU | Bench Guild · Policy Guild | Measure policy evaluation overhead with reachability cache hot/cold; ensure ≤8 ms p95 added latency. |
-| 8 | BENCH-DETERMINISM-401-057 | DONE (2025-11-26) | Feed-freeze hash + SBOM/VEX bundle list from Sprint 0401. | Bench Guild · Signals Guild · Policy Guild (`bench/determinism`, `docs/benchmarks/signals/bench-determinism.md`) | Run cross-scanner determinism bench from 23-Nov advisory; publish determinism% and CVSS delta σ; CI workflow `bench-determinism` runs harness and uploads manifests/results. |
+| 8 | BENCH-DETERMINISM-401-057 | DONE (2025-11-27) | Feed-freeze hash + SBOM/VEX bundle list from Sprint 0401. | Bench Guild · Signals Guild · Policy Guild (`bench/determinism`, `docs/benchmarks/signals/bench-determinism.md`) | Run cross-scanner determinism bench from 23-Nov advisory; publish determinism% and CVSS delta σ; CI workflow `bench-determinism` runs harness and uploads manifests/results; offline runner added. |
 ## Wave Coordination
 - Single wave; benches sequenced by dataset availability. No parallel wave gating beyond Delivery Tracker dependencies.
@@ -76,6 +76,11 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-27 | Added offline runner `Determinism/offline_run.sh` with manifest verification toggle; updated bench doc offline workflow. | Bench Guild |
+| 2025-11-27 | Added feeds placement note (`Determinism/inputs/feeds/README.md`) and linked in bench offline workflow. | Bench Guild |
+| 2025-11-27 | Added sample manifest `inputs/inputs.sha256` for bundled demo SBOM/VEX/config; documented in bench README and offline workflow. | Bench Guild |
+| 2025-11-27 | Synced BENCH-DETERMINISM-401-057 status date to 2025-11-27 after offline runner/docs completion. | Bench Guild |
+| 2025-11-27 | Added offline runner `src/Bench/StellaOps.Bench/Determinism/offline_run.sh` (defaults runs=10, threshold=0.95) for air-gapped determinism/reachability runs; mirrored in bench doc offline workflow. | Bench Guild |
 | 2025-11-26 | Added optional reachability hashing path (DET_REACH_GRAPHS/DET_REACH_RUNTIME) to determinism run script; reachability helper `run_reachability.py` with sample graph/runtime fixtures and unit tests added. | Bench Guild |
 | 2025-11-26 | Default runs raised to 10 per scanner/SBOM pair in harness and determinism-run wrapper to match 10x2 matrix requirement. | Bench Guild |
 | 2025-11-26 | Added DET_EXTRA_INPUTS/DET_RUN_EXTRA_ARGS support to determinism run script to include frozen feeds in manifests; documented in scripts/bench/README.md. | Bench Guild |
diff --git a/docs/implplan/SPRINT_186_record_deterministic_execution.md b/docs/implplan/SPRINT_186_record_deterministic_execution.md
index 12a59a991..2549e7913 100644
--- a/docs/implplan/SPRINT_186_record_deterministic_execution.md
+++ b/docs/implplan/SPRINT_186_record_deterministic_execution.md
@@ -7,14 +7,14 @@ Summary: Enable Scanner services to emit replay manifests/bundles, wire determin
 Task ID | State | Task description | Owners (Source)
 --- | --- | --- | ---
 SCAN-REPLAY-186-001 | DONE (2025-11-26) | Implement `record` mode in `StellaOps.Scanner.WebService` (manifest assembly, policy/feed/tool hash capture, CAS uploads) and document the workflow in `docs/modules/scanner/architecture.md` with references to `docs/replay/DETERMINISTIC_REPLAY.md` Section 6. | Scanner Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/architecture.md`)
-SCAN-REPLAY-186-002 | TODO | Update `StellaOps.Scanner.Worker` analyzers to consume sealed input bundles, enforce deterministic ordering, and contribute Merkle metadata; extend `docs/modules/scanner/deterministic-execution.md` (new) summarising invariants drawn from `docs/replay/DETERMINISTIC_REPLAY.md` Section 4. | Scanner Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/deterministic-execution.md`) |
+SCAN-REPLAY-186-002 | DOING (2025-11-27) | Update `StellaOps.Scanner.Worker` analyzers to consume sealed input bundles, enforce deterministic ordering, and contribute Merkle metadata; extend `docs/modules/scanner/deterministic-execution.md` (new) summarising invariants drawn from `docs/replay/DETERMINISTIC_REPLAY.md` Section 4. | Scanner Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/deterministic-execution.md`) |
 SIGN-REPLAY-186-003 | TODO | Extend Signer/Authority DSSE flows to cover replay manifest/bundle payload types with multi-profile support; refresh `docs/modules/signer/architecture.md` and `docs/modules/authority/architecture.md` to capture the new signing/verification path referencing `docs/replay/DETERMINISTIC_REPLAY.md` Section 5. | Signing Guild (`src/Signer/StellaOps.Signer`, `src/Authority/StellaOps.Authority`)
 SIGN-CORE-186-004 | TODO | Replace the HMAC demo implementation in `StellaOps.Signer` with StellaOps.Cryptography providers (keyless + KMS), including provider selection, key material loading, and cosign-compatible DSSE signature output. | Signing Guild (`src/Signer/StellaOps.Signer`, `src/__Libraries/StellaOps.Cryptography`)
 SIGN-CORE-186-005 | TODO | Refactor `SignerStatementBuilder` to support StellaOps predicate types (e.g., `stella.ops/promotion@v1`) and delegate payload canonicalisation to the Provenance library once available. | Signing Guild (`src/Signer/StellaOps.Signer.Core`)
 SIGN-TEST-186-006 | TODO | Upgrade signer integration tests to run against the real crypto abstraction and fixture predicates (promotion, SBOM, replay), replacing stub tokens/digests with deterministic test data. | Signing Guild, QA Guild (`src/Signer/StellaOps.Signer.Tests`)
 AUTH-VERIFY-186-007 | TODO | Expose an Authority-side verification helper/service that validates DSSE signatures and Rekor proofs for promotion attestations using trusted checkpoints, enabling offline audit flows. | Authority Guild, Provenance Guild (`src/Authority/StellaOps.Authority`, `src/Provenance/StellaOps.Provenance.Attestation`)
 SCAN-DETER-186-008 | DONE (2025-11-26) | Add deterministic execution switches to Scanner (fixed clock, RNG seed, concurrency cap, feed/policy snapshot pins, log filtering) available via CLI/env/config so repeated runs stay hermetic. | Scanner Guild (`src/Scanner/StellaOps.Scanner.WebService`, `src/Scanner/StellaOps.Scanner.Worker`)
-SCAN-DETER-186-009 | TODO | Build a determinism harness that replays N scans per image, canonicalises SBOM/VEX/findings/log outputs, and records per-run hash matrices (see `docs/modules/scanner/determinism-score.md`). | Scanner Guild, QA Guild (`src/Scanner/StellaOps.Scanner.Replay`, `src/Scanner/__Tests`)
+SCAN-DETER-186-009 | DONE (2025-11-27) | Build a determinism harness that replays N scans per image, canonicalises SBOM/VEX/findings/log outputs, and records per-run hash matrices (see `docs/modules/scanner/determinism-score.md`). | Scanner Guild, QA Guild (`src/Scanner/StellaOps.Scanner.Replay`, `src/Scanner/__Tests`)
 SCAN-DETER-186-010 | DONE (2025-11-27) | Emit and publish `determinism.json` (scores, artifact hashes, non-identical diffs) alongside each scanner release via CAS/object storage APIs (documented in `docs/modules/scanner/determinism-score.md`). | Scanner Guild, Export Center Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/operations/release.md`)
 SCAN-ENTROPY-186-011 | DONE (2025-11-26) | Implement entropy analysis for ELF/PE/Mach-O executables and large opaque blobs (sliding-window metrics, section heuristics), flagging high-entropy regions and recording offsets/hints (see `docs/modules/scanner/entropy.md`). | Scanner Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Scanner/__Libraries`)
 SCAN-ENTROPY-186-012 | DONE (2025-11-26) | Generate `entropy.report.json` and image-level penalties, attach evidence to scan manifests/attestations, and expose opaque ratios for downstream policy engines (`docs/modules/scanner/entropy.md`). | Scanner Guild, Provenance Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/replay/DETERMINISTIC_REPLAY.md`)
@@ -34,4 +34,6 @@ DOCS-REPLAY-186-004 | DONE (2025-11-26) | Author `docs/replay/TEST_STRATEGY.md`
 | 2025-11-26 | SCAN-ENTROPY-186-011/012 completed: entropy stage emits windowed metrics; WebService surfaces entropy reports/layer summaries via surface manifest, status API; docs already published. | Scanner Guild |
 | 2025-11-27 | Surface manifest now emits `determinism.json` (pins + runtime toggles) to support replay verification; worker determinism context carries concurrency cap. | Scanner Guild |
 | 2025-11-27 | SCAN-DETER-186-010 completed: determinism.json now published with per-payload hashes in surface manifest, satisfying determinism evidence requirements for release bundles. | Scanner Guild |
+| 2025-11-27 | SCAN-REPLAY-186-002 moved to DOING: starting worker sealed-bundle consumption and Merkle metadata wiring. | Scanner Guild |
+| 2025-11-27 | SCAN-DETER-186-009 completed: added determinism harness library/tests to compute per-run hash matrices and scores for release bundles. | Scanner Guild |
 | 2025-11-26 | SCAN-DETER-186-008 implemented: determinism pins for feed/policy metadata, policy pin enforcement, concurrency clamp, validation/tests. | Scanner Guild |
diff --git a/docs/implplan/tasks-all.md b/docs/implplan/tasks-all.md
index 1a0cc5df2..8d4ee0e4d 100644
--- a/docs/implplan/tasks-all.md
+++ b/docs/implplan/tasks-all.md
@@ -51,7 +51,7 @@
 | 31-009 | DONE | 2025-11-12 | SPRINT_110_ingestion_evidence | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | — | — | ADAI0101 |
 | 34-101 | DONE | 2025-11-22 | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | 29-009 | LEDGER-29-009 | PLLG0104 |
 | 401-004 | BLOCKED | 2025-11-25 | SPRINT_0401_0001_0001_reachability_evidence_chain | Replay Core Guild | `src/__Libraries/StellaOps.Replay.Core` | Signals facts stable (SGSI0101) | Blocked: awaiting SGSI0101 runtime facts + CAS policy from GAP-REP-004 | RPRC0101 |
-| BENCH-DETERMINISM-401-057 | DONE (2025-11-26) | 2025-11-26 | SPRINT_0512_0001_0001_bench | Bench Guild · Signals Guild · Policy Guild | src/Bench/StellaOps.Bench/Determinism | Determinism harness + mock scanner; manifests/results generated; CI workflow `bench-determinism` enforces threshold; defaults to 10 runs; supports frozen feed manifests via DET_EXTRA_INPUTS. | Feed-freeze hash + SBOM/VEX bundle list (SPRINT_0401) | |
+| BENCH-DETERMINISM-401-057 | DONE (2025-11-27) | 2025-11-27 | SPRINT_0512_0001_0001_bench | Bench Guild · Signals Guild · Policy Guild | src/Bench/StellaOps.Bench/Determinism | Determinism harness + mock scanner; manifests/results generated; CI workflow `bench-determinism` enforces threshold; defaults to 10 runs; supports frozen feed manifests via DET_EXTRA_INPUTS; offline runner available. | Feed-freeze hash + SBOM/VEX bundle list (SPRINT_0401) | |
 | 41-001 | BLOCKED | 2025-11-25 | SPRINT_157_taskrunner_i | Task Runner Guild | src/TaskRunner/StellaOps.TaskRunner | — | Awaiting TaskRunner architecture/API contract; upstream Sprint 120/130/140 inputs | ORTR0101 |
 | 44-001 | BLOCKED | 2025-11-25 | SPRINT_501_ops_deployment_i | Deployment Guild · DevEx Guild (ops/deployment) | ops/deployment | — | Waiting on consolidated service list/version pins from upstream module releases (mirrors Compose-44-001 block) | DVDO0103 |
 | 44-002 | BLOCKED | 2025-11-25 | SPRINT_501_ops_deployment_i | Deployment Guild (ops/deployment) | ops/deployment | 44-001 | Blocked until 44-001 unblocks | DVDO0103 |
@@ -823,7 +823,7 @@
 | DPOP-11-001 | TODO | 2025-11-08 | SPRINT_100_identity_signing | Docs Guild · Authority Core | src/Authority/StellaOps.Authority | Need DPoP ADR from PGMI0101 | AUTH-AOC-19-002 | DODP0101 |
 | DSL-401-005 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Policy Guild | `docs/policy/dsl.md`, `docs/policy/lifecycle.md` | Depends on PLLG0101 DSL updates | Depends on PLLG0101 DSL updates | DODP0101 |
 | DSSE-CLI-401-021 | DONE | 2025-11-27 | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · CLI Guild | `src/Cli/StellaOps.Cli`, `scripts/ci/attest-*`, `docs/modules/attestor/architecture.md` | Ship a `stella attest` CLI (or sample `StellaOps.Attestor.Tool`) plus GitLab/GitHub workflow snippets that emit DSSE per build step (scan/package/push) using the new library and Authority keys. | Need CLI updates from latest DSSE release | DODS0101 |
-| DSSE-DOCS-401-022 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Attestor Guild | `docs/ci/dsse-build-flow.md`, `docs/modules/attestor/architecture.md` | Document the build-time attestation walkthrough (`docs/ci/dsse-build-flow.md`): models, helper usage, Authority integration, storage conventions, and verification commands, aligning with the advisory. | Depends on #1 | DODS0101 |
+| DSSE-DOCS-401-022 | DONE | 2025-11-27 | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Attestor Guild | `docs/ci/dsse-build-flow.md`, `docs/modules/attestor/architecture.md` | Document the build-time attestation walkthrough (`docs/ci/dsse-build-flow.md`): models, helper usage, Authority integration, storage conventions, and verification commands, aligning with the advisory. | Depends on #1 | DODS0101 |
 | DSSE-LIB-401-020 | DONE (2025-11-27) | 2025-11-27 | SPRINT_0401_0001_0001_reachability_evidence_chain | Attestor Guild · Platform Guild | `src/Attestor/StellaOps.Attestation`, `src/Attestor/StellaOps.Attestor.Envelope` | DsseEnvelopeExtensions added with conversion utilities; Envelope types exposed as transitive dependencies; consumers reference only StellaOps.Attestation. | Need attestor library API freeze | DOAL0101 |
 | DVOFF-64-002 | TODO | | SPRINT_160_export_evidence | DevPortal Offline Guild | docs/modules/export-center/devportal-offline.md | DevPortal Offline + AirGap Controller Guilds | Needs exporter DSSE schema from 002_ATEL0101 | DEVL0102 |
 | EDITOR-401-004 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · CLI Guild | `src/Cli/StellaOps.Cli`, `docs/policy/lifecycle.md` | Gather CLI/editor alignment notes | Gather CLI/editor alignment notes | DOCL0103 |
@@ -1098,7 +1098,7 @@
 | GRAPH-API-28-009 | DONE (2025-11-26) | 2025-11-26 | SPRINT_0207_0001_0001_graph | Graph API + Observability Guilds | src/Graph/StellaOps.Graph.Api | Instrument metrics (`graph_tile_latency_seconds`, `graph_query_budget_denied_total`, `graph_overlay_cache_hit_ratio`), structured logs, and traces per query stage; publish dashboards. Dependencies: GRAPH-API-28-008. | GRAPH-API-28-007 | GRAPI0101 |
 | GRAPH-API-28-010 | DONE (2025-11-26) | 2025-11-26 | SPRINT_0207_0001_0001_graph | Graph API Guild | src/Graph/StellaOps.Graph.Api | Build unit/integration/load tests with synthetic datasets (500k nodes/2M edges), fuzz query validation, verify determinism across runs. Dependencies: GRAPH-API-28-009. | GRAPH-API-28-008 | GRAPI0101 |
 | GRAPH-API-28-011 | DONE (2025-11-26) | 2025-11-26 | SPRINT_0207_0001_0001_graph | Graph API Guild | src/Graph/StellaOps.Graph.Api | Provide deployment manifests, offline kit support, API gateway integration docs, and smoke tests. Dependencies: GRAPH-API-28-010. | GRAPH-API-28-009 | GRAPI0101 |
-| GRAPH-CAS-401-001 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Scanner Worker Guild | `src/Scanner/StellaOps.Scanner.Worker` | Finalize richgraph schema (`richgraph-v1`), emit canonical SymbolIDs, compute graph hash (BLAKE3), and store CAS manifests under `cas://reachability/graphs/{sha256}`. Update Scanner Worker adapters + fixtures. | Depends on #1 | CASC0101 |
+| GRAPH-CAS-401-001 | BLOCKED (2025-11-27) | Await richgraph-v1 schema + CAS layout | SPRINT_0401_0001_0001_reachability_evidence_chain | Scanner Worker Guild | `src/Scanner/StellaOps.Scanner.Worker` | Finalize richgraph schema (`richgraph-v1`), emit canonical SymbolIDs, compute graph hash (BLAKE3), and store CAS manifests under `cas://reachability/graphs/{sha256}`. Update Scanner Worker adapters + fixtures. | Depends on #1 | CASC0101 |
 | GRAPH-DOCS-0001 | DONE (2025-11-05) | 2025-11-05 | SPRINT_321_docs_modules_graph | Docs Guild | docs/modules/graph | Validate that graph module README/diagrams reflect the latest overlay + snapshot updates. | GRAPI0101 evidence | GRDG0101 |
 | GRAPH-DOCS-0002 | DONE (2025-11-26) | 2025-11-26 | SPRINT_321_docs_modules_graph | Docs Guild | docs/modules/graph | Pending DOCS-GRAPH-24-003 to add API/query doc cross-links | GRAPI0101 outputs | GRDG0101 |
 | GRAPH-ENG-0001 | TODO | | SPRINT_321_docs_modules_graph | Module Team | docs/modules/graph | Keep module milestones in sync with `/docs/implplan/SPRINT_141_graph.md` and related files. | GRSC0101 | GRDG0101 |
@@ -1430,8 +1430,8 @@
 | POLICY-ENGINE-80-002 | BLOCKED (2025-11-26) | | SPRINT_0127_0001_0001_policy_reasoning | Policy Guild, Storage Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Create joining layer to read `reachability_facts` efficiently | POLICY-ENGINE-80-001 | Waiting on reachability input contract (80-001). |
 | POLICY-ENGINE-80-003 | BLOCKED (2025-11-26) | | SPRINT_0127_0001_0001_policy_reasoning | Policy Guild, Policy Editor Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Extend SPL predicates/actions to reference reachability state/score/confidence; update compiler validation | POLICY-ENGINE-80-002 | Blocked by reachability inputs/80-002. |
 | POLICY-ENGINE-80-004 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Emit metrics | POLICY-ENGINE-80-003 | |
-| POLICY-LIB-401-001 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild (`src/Policy/StellaOps.PolicyDsl`, `docs/policy/dsl.md`) | `src/Policy/StellaOps.PolicyDsl`, `docs/policy/dsl.md` | Extract the policy DSL parser/compiler into `StellaOps.PolicyDsl`, add the lightweight syntax (default action + inline rules), and expose `PolicyEngineFactory`/`SignalContext` APIs for reuse. | | |
-| POLICY-LIB-401-002 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild, CLI Guild (`tests/Policy/StellaOps.PolicyDsl.Tests`, `policy/default.dsl`, `docs/policy/lifecycle.md`) | `tests/Policy/StellaOps.PolicyDsl.Tests`, `policy/default.dsl`, `docs/policy/lifecycle.md` | Ship unit-test harness + sample `policy/default.dsl` (table-driven cases) and wire `stella policy lint/simulate` to the shared library. | | |
+| POLICY-LIB-401-001 | DONE (2025-11-27) | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild (`src/Policy/StellaOps.PolicyDsl`, `docs/policy/dsl.md`) | `src/Policy/StellaOps.PolicyDsl`, `docs/policy/dsl.md` | Extract the policy DSL parser/compiler into `StellaOps.PolicyDsl`, add the lightweight syntax (default action + inline rules), and expose `PolicyEngineFactory`/`SignalContext` APIs for reuse. | | Created StellaOps.PolicyDsl library with PolicyEngineFactory, SignalContext, tokenizer, parser, compiler, and IR serialization. |
+| POLICY-LIB-401-002 | DONE (2025-11-27) | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild, CLI Guild (`tests/Policy/StellaOps.PolicyDsl.Tests`, `policy/default.dsl`, `docs/policy/lifecycle.md`) | `tests/Policy/StellaOps.PolicyDsl.Tests`, `policy/default.dsl`, `docs/policy/lifecycle.md` | Ship unit-test harness + sample `policy/default.dsl` (table-driven cases) and wire `stella policy lint/simulate` to the shared library. | | Created test harness with 25 unit tests, sample DSL files (minimal.dsl, default.dsl), and wired stella policy lint command to PolicyDsl library. |
 | POLICY-OBS-50-001 | TODO | | SPRINT_127_policy_reasoning | Policy Guild · Observability Guild | src/Policy/StellaOps.Policy.Engine | Integrate telemetry core into policy API + worker hosts, ensuring spans/logs cover compile/evaluate flows with `tenant_id`, `policy_version`, `decision_effect`, and trace IDs | Wait for telemetry schema drop (046_TLTY0101) | PLOB0101 |
 | POLICY-OBS-51-001 | TODO | | SPRINT_127_policy_reasoning | Policy Guild · DevOps Guild | src/Policy/StellaOps.Policy.Engine | Emit golden-signal metrics | POLICY-OBS-50-001 | PLOB0101 |
 | POLICY-OBS-52-001 | TODO | | SPRINT_127_policy_reasoning | Policy Guild | src/Policy/StellaOps.Policy.Engine | Emit timeline events `policy.evaluate.started`, `policy.evaluate.completed`, `policy.decision.recorded` with trace IDs, input digests, and rule summary. Provide contract tests and retry semantics | POLICY-OBS-51-001 | PLOB0101 |
@@ -1464,8 +1464,8 @@
 | PROBE-401-010 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Runtime Signals Guild (`src/Signals/StellaOps.Signals.Runtime`, `ops/probes`) | `src/Signals/StellaOps.Signals.Runtime`, `ops/probes` | | | |
 | PROMO-70-001 | TODO | | SPRINT_202_cli_ii | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
 | PROMO-70-002 | TODO | | SPRINT_203_cli_iii | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
-| PROV-BACKFILL-401-029 | DOING | | SPRINT_0401_0001_0001_reachability_evidence_chain | Platform Guild | `docs/provenance/inline-dsse.md`, `scripts/publish_attestation_with_provenance.sh` | Backfill historical Mongo events with DSSE/Rekor metadata by resolving known attestations per subject digest (wiring ingestion helpers + endpoint tests in progress). | Depends on #1 | RBRE0101 |
-| PROV-INDEX-401-030 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Platform + Ops Guilds | `docs/provenance/inline-dsse.md`, `ops/mongo/indices/events_provenance_indices.js` | Deploy provenance indexes (`events_by_subject_kind_provenance`, etc.) and expose compliance/replay queries. | Depends on #3 | RBRE0101 |
+| PROV-BACKFILL-401-029 | DONE | 2025-11-27 | SPRINT_0401_0001_0001_reachability_evidence_chain | Platform Guild | `docs/provenance/inline-dsse.md`, `scripts/publish_attestation_with_provenance.sh` | Backfill historical Mongo events with DSSE/Rekor metadata by resolving known attestations per subject digest (wiring ingestion helpers + endpoint tests in progress). | Depends on #1 | RBRE0101 |
+| PROV-INDEX-401-030 | DONE | 2025-11-27 | SPRINT_0401_0001_0001_reachability_evidence_chain | Platform + Ops Guilds | `docs/provenance/inline-dsse.md`, `ops/mongo/indices/events_provenance_indices.js` | Deploy provenance indexes (`events_by_subject_kind_provenance`, etc.) and expose compliance/replay queries. | Depends on #3 | RBRE0101 |
 | PROV-INLINE-401-028 | DONE | | SPRINT_0401_0001_0001_reachability_evidence_chain | Authority Guild · Feedser Guild (`docs/provenance/inline-dsse.md`, `src/__Libraries/StellaOps.Provenance.Mongo`) | `docs/provenance/inline-dsse.md`, `src/__Libraries/StellaOps.Provenance.Mongo` | Extend Authority/Feedser event writers to attach inline DSSE + Rekor references on every SBOM/VEX/scan event using `StellaOps.Provenance.Mongo`. | | |
 | PROV-OBS-53-001 | DONE | 2025-11-17 | SPRINT_0513_0001_0001_provenance | Provenance Guild / `src/Provenance/StellaOps.Provenance.Attestation` | src/Provenance/StellaOps.Provenance.Attestation | Implement DSSE/SLSA `BuildDefinition` + `BuildMetadata` models with canonical JSON serializer, Merkle digest helpers, deterministic hashing tests, and sample statements for orchestrator/job/export subjects. | — | PROB0101 |
 | PROV-OBS-53-002 | BLOCKED | | SPRINT_0513_0001_0001_provenance | Provenance Guild · Security Guild | src/Provenance/StellaOps.Provenance.Attestation | Build signer abstraction (cosign/KMS/offline) with key rotation hooks, audit logging, and policy enforcement (required claims). Provide unit tests using fake signer + real cosign fixture. Dependencies: PROV-OBS-53-001. | Await CI rerun to clear MSB6006 and verify signer abstraction | PROB0101 |
@@ -1585,14 +1585,14 @@
 | SCAN-001 | TODO | | SPRINT_400_runtime_facts_static_callgraph_union | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md`) | `src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md` | | | |
 | SCAN-90-004 | TODO | | SPRINT_505_ops_devops_iii | DevOps Guild, Scanner Guild (ops/devops) | ops/devops | | | |
 | SCAN-DETER-186-008 | DONE (2025-11-26) | | SPRINT_186_record_deterministic_execution | Scanner Guild · Provenance Guild | `src/Scanner/StellaOps.Scanner.WebService`, `src/Scanner/StellaOps.Scanner.Worker` | Add deterministic execution switches to Scanner (fixed clock, RNG seed, concurrency cap, feed/policy snapshot pins, log filtering) available via CLI/env/config so repeated runs stay hermetic. | ENTROPY-186-012 & SCANNER-ENV-02 | SCDE0102 |
-| SCAN-DETER-186-009 | TODO | | SPRINT_186_record_deterministic_execution | Scanner Guild, QA Guild (`src/Scanner/StellaOps.Scanner.Replay`, `src/Scanner/__Tests`) | `src/Scanner/StellaOps.Scanner.Replay`, `src/Scanner/__Tests` | Build a determinism harness that replays N scans per image, canonicalises SBOM/VEX/findings/log outputs, and records per-run hash matrices (see `docs/modules/scanner/determinism-score.md`). | | |
+| SCAN-DETER-186-009 | DONE (2025-11-27) | | SPRINT_186_record_deterministic_execution | Scanner Guild, QA Guild (`src/Scanner/StellaOps.Scanner.Replay`, `src/Scanner/__Tests`) | `src/Scanner/StellaOps.Scanner.Replay`, `src/Scanner/__Tests` | Build a determinism harness that replays N scans per image, canonicalises SBOM/VEX/findings/log outputs, and records per-run hash matrices (see `docs/modules/scanner/determinism-score.md`). | | |
 | SCAN-DETER-186-010 | DONE (2025-11-27) | | SPRINT_186_record_deterministic_execution | Scanner Guild, Export Center Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/operations/release.md`) | `src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/operations/release.md` | Emit and publish `determinism.json` (scores, artifact hashes, non-identical diffs) alongside each scanner release via CAS/object storage APIs (documented in `docs/modules/scanner/determinism-score.md`). | | |
 | SCAN-ENTROPY-186-011 | DONE (2025-11-26) | | SPRINT_186_record_deterministic_execution | Scanner Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Scanner/__Libraries`) | `src/Scanner/StellaOps.Scanner.Worker`, `src/Scanner/__Libraries` | Implement entropy analysis for ELF/PE/Mach-O executables and large opaque blobs (sliding-window metrics, section heuristics), flagging high-entropy regions and recording offsets/hints (see `docs/modules/scanner/entropy.md`). | | |
 | SCAN-ENTROPY-186-012 | DONE (2025-11-26) | | SPRINT_186_record_deterministic_execution | Scanner Guild, Provenance Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/replay/DETERMINISTIC_REPLAY.md`) | `src/Scanner/StellaOps.Scanner.WebService`, `docs/replay/DETERMINISTIC_REPLAY.md` | Generate `entropy.report.json` and image-level penalties, attach evidence to scan manifests/attestations, and expose opaque ratios for downstream policy engines (`docs/modules/scanner/entropy.md`). | | |
 | SCAN-REACH-201-002 | DOING | 2025-11-08 | SPRINT_400_runtime_facts_static_callgraph_union | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`) | `src/Scanner/StellaOps.Scanner.Worker` | Ship language-aware static lifters (JVM, .NET/Roslyn+IL, Go SSA, Node/Deno TS AST, Rust MIR, Swift SIL, shell/binary analyzers) in Scanner Worker; emit canonical SymbolIDs, CAS-stored graphs, and attach reachability tags to SBOM components. | | |
 | SCAN-REACH-401-009 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Scanner/__Libraries`) | `src/Scanner/StellaOps.Scanner.Worker`, `src/Scanner/__Libraries` | Ship .NET/JVM symbolizers and call-graph generators (roots, edges, framework adapters), merge results into component-level reachability manifests, and back them with golden fixtures. | | |
 | SCAN-REPLAY-186-001 | DONE (2025-11-26) | | SPRINT_186_record_deterministic_execution | Scanner Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/architecture.md`) | `src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/architecture.md` | Implement `record` mode in `StellaOps.Scanner.WebService` (manifest assembly, policy/feed/tool hash capture, CAS uploads) and document the workflow in `docs/modules/scanner/architecture.md` with references to `docs/replay/DETERMINISTIC_REPLAY.md` Section 6. | | |
-| SCAN-REPLAY-186-002 | TODO | | SPRINT_186_record_deterministic_execution | Scanner Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/deterministic-execution.md`) | `src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/deterministic-execution.md` | Update `StellaOps.Scanner.Worker` analyzers to consume sealed input bundles, enforce deterministic ordering, and contribute Merkle metadata; extend `docs/modules/scanner/deterministic-execution.md` (new) summarising invariants drawn from `docs/replay/DETERMINISTIC_REPLAY.md` Section 4. | | |
+| SCAN-REPLAY-186-002 | DOING (2025-11-27) | | SPRINT_186_record_deterministic_execution | Scanner Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/deterministic-execution.md`) | `src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/deterministic-execution.md` | Update `StellaOps.Scanner.Worker` analyzers to consume sealed input bundles, enforce deterministic ordering, and contribute Merkle metadata; extend `docs/modules/scanner/deterministic-execution.md` (new) summarising invariants drawn from `docs/replay/DETERMINISTIC_REPLAY.md` Section 4. | | |
 | SCANNER-ANALYZERS-DENO-26-001 | DONE | | SPRINT_130_scanner_surface | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno | Build the deterministic input normalizer + VFS merger for `deno.json(c)`, import maps, lockfiles, vendor trees, `$DENO_DIR`, and OCI layers so analyzers have a canonical file view. | | |
 | SCANNER-ANALYZERS-DENO-26-002 | DONE | | SPRINT_130_scanner_surface | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno | Implement the module graph resolver covering static/dynamic imports, npm bridge, cache lookups, built-ins, WASM/JSON assertions, and annotate edges with their resolution provenance. | SCANNER-ANALYZERS-DENO-26-001 | |
 | SCANNER-ANALYZERS-DENO-26-003 | DONE | | SPRINT_130_scanner_surface | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno | Ship the npm/node compatibility adapter that maps `npm:` specifiers, evaluates `exports` conditionals, and logs builtin usage for policy overlays. | SCANNER-ANALYZERS-DENO-26-002 | |
@@ -1786,8 +1786,8 @@
 | SEC-CRYPTO-90-009 | DONE | 2025-11-09 | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro) | src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro | Replace the placeholder CryptoPro plug-in with a true CryptoPro CSP implementation (GostCryptography, certificate-store lookup, DER/raw normalization) so RootPack_RU exposes a qualified-signature path. | | |
 | SEC-CRYPTO-90-010 | DONE | 2025-11-09 | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/StellaOps.Cryptography + .DependencyInjection) | src/__Libraries/StellaOps.Cryptography + .DependencyInjection | Introduce `StellaOpsCryptoOptions` / configuration binding for registry profiles/keys and ship an `AddStellaOpsCryptoRu(IConfiguration, …)` helper so hosts can enable `ru-offline` via YAML without custom code. | | |
 | SEC-CRYPTO-90-011 | DONE | 2025-11-09 | SPRINT_514_sovereign_crypto_enablement | Security & Ops Guilds (src/Tools/StellaOps.CryptoRu.Cli) | src/Tools/StellaOps.CryptoRu.Cli | Build the sovereign crypto CLI (`StellaOps.CryptoRu.Cli`) to list keys, perform test-sign operations, and emit determinism/audit snapshots referenced in the RootPack docs. | | |
-| SEC-CRYPTO-90-012 | TODO | | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/__Tests/StellaOps.Cryptography.Tests) | src/__Libraries/__Tests/StellaOps.Cryptography.Tests | Add CryptoPro + PKCS#11 integration tests (env/pin gated) and wire them into `scripts/crypto/run-rootpack-ru-tests.sh`, covering Streebog vectors and DER/raw signatures. | | |
-| SEC-CRYPTO-90-013 | TODO | | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/StellaOps.Cryptography) | src/__Libraries/StellaOps.Cryptography | Extend the shared crypto stack with sovereign symmetric algorithms (Magma/Kuznyechik) so exports/data-at-rest can request Russian ciphers via the provider registry. | | |
+| SEC-CRYPTO-90-012 | BLOCKED (2025-11-27) | Env-gated; no CryptoPro/PKCS#11 runner available | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/__Tests/StellaOps.Cryptography.Tests) | src/__Libraries/__Tests/StellaOps.Cryptography.Tests | Add CryptoPro + PKCS#11 integration tests (env/pin gated) and wire them into `scripts/crypto/run-rootpack-ru-tests.sh`, covering Streebog vectors and DER/raw signatures. | | |
+| SEC-CRYPTO-90-013 | BLOCKED (2025-11-27) | Depends on SEC-CRYPTO-90-021 registry wiring | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/StellaOps.Cryptography) | src/__Libraries/StellaOps.Cryptography | Extend the shared crypto stack with sovereign symmetric algorithms (Magma/Kuznyechik) so exports/data-at-rest can request Russian ciphers via the provider registry. | SEC-CRYPTO-90-021 | |
 | SEC-CRYPTO-90-014 | TODO | | SPRINT_514_sovereign_crypto_enablement | Security + Service Guilds | | Update runtime hosts (Authority, Scanner WebService/Worker, Concelier, etc.) to register the RU providers, bind `StellaOps:Crypto` profiles, and expose configuration toggles per the new options model. | Wait for AUIN0101 approvals | CRSA0101 |
 | SEC-CRYPTO-90-015 | TODO | | SPRINT_514_sovereign_crypto_enablement | Security + Docs Guild | docs/security/rootpack_ru_*.md | Refresh RootPack/validation documentation once the CLI/config/tests exist (remove TODO callouts, document final workflows). | Depends on #1 | CRSA0101 |
 | SEC-CRYPTO-90-016 | DONE | 2025-11-09 | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/StellaOps.Cryptography.DependencyInjection + .Plugin.CryptoPro) | src/__Libraries/StellaOps.Cryptography.DependencyInjection + .Plugin.CryptoPro | Quarantine CryptoPro dependencies by default until IT.GostCryptography is patched; add MSBuild flag `StellaOpsEnableCryptoPro` and follow-up plan to re-enable the plug-in once a safe package exists. | | |
@@ -1795,7 +1795,7 @@
 | SEC-CRYPTO-90-018 | TODO | | SPRINT_514_sovereign_crypto_enablement | Security + Docs Guild | docs/security/rootpack_ru_*.md, docs/dev/crypto.md | Update developer/RootPack documentation to describe the new fork, sync steps, and licensing so operators know where the CryptoPro sources live and how to refresh them. | Depends on #3 | CRSA0101 |
 | SEC-CRYPTO-90-019 | TODO | | SPRINT_514_sovereign_crypto_enablement | Security Guild | third_party/forks/AlexMAS.GostCryptography | Patch the fork to drop vulnerable `System.Security.Cryptography.{Pkcs,Xml}` 6.0.0 dependencies (target .NET 8+, adopt fixed BCL packages, re-run tests). | Needs fork validation | CRSA0101 |
 | SEC-CRYPTO-90-020 | TODO | | SPRINT_514_sovereign_crypto_enablement | Security Guild | src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro | Re-point `StellaOps.Cryptography.Plugin.CryptoPro` to the forked sources (replace NuGet package references, adjust DI wiring) and prove the plugin works end-to-end. | Depends on #5 | CRSA0101 |
-| SEC-CRYPTO-90-021 | TODO | | SPRINT_514_sovereign_crypto_enablement | Security + QA Guilds | scripts/crypto/**, docs/security/rootpack_ru_validation.md | Validate the forked library + plugin on both Windows (CryptoPro CSP) and Linux (OpenSSL GOST fallback) builds/tests; document any platform-specific prerequisites. | Depends on #6 | CRSA0101 |
+| SEC-CRYPTO-90-021 | BLOCKED (2025-11-27) | Windows CSP runner pending (depends on 90-020) | SPRINT_514_sovereign_crypto_enablement | Security + QA Guilds | scripts/crypto/**, docs/security/rootpack_ru_validation.md | Validate the forked library + plugin on both Windows (CryptoPro CSP) and Linux (OpenSSL GOST fallback) builds/tests; document any platform-specific prerequisites. | Depends on #6 | CRSA0101 |
 | SEC-OBS-50-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild, Security Guild (docs) | | | | |
 | SEC2 | DONE | 2025-11-09 | SPRINT_100_identity_signing | Security Guild, Storage Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) | src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard | | | |
 | SEC3 | DONE | 2025-11-09 | SPRINT_100_identity_signing | Security Guild, BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) | src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard | | | |
@@ -3036,7 +3036,7 @@
 | DPOP-11-001 | TODO | 2025-11-08 | SPRINT_100_identity_signing | Docs Guild · Authority Core | src/Authority/StellaOps.Authority | Need DPoP ADR from PGMI0101 | AUTH-AOC-19-002 | DODP0101 |
 | DSL-401-005 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Policy Guild | `docs/policy/dsl.md`, `docs/policy/lifecycle.md` | Depends on PLLG0101 DSL updates | Depends on PLLG0101 DSL updates | DODP0101 |
 | DSSE-CLI-401-021 | DONE | 2025-11-27 | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · CLI Guild | `src/Cli/StellaOps.Cli`, `scripts/ci/attest-*`, `docs/modules/attestor/architecture.md` | Ship a `stella attest` CLI (or sample `StellaOps.Attestor.Tool`) plus GitLab/GitHub workflow snippets that emit DSSE per build step (scan/package/push) using the new library and Authority keys. | Need CLI updates from latest DSSE release | DODS0101 |
-| DSSE-DOCS-401-022 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Attestor Guild | `docs/ci/dsse-build-flow.md`, `docs/modules/attestor/architecture.md` | Document the build-time attestation walkthrough (`docs/ci/dsse-build-flow.md`): models, helper usage, Authority integration, storage conventions, and verification commands, aligning with the advisory. | Depends on #1 | DODS0101 |
+| DSSE-DOCS-401-022 | DONE | 2025-11-27 | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Attestor Guild | `docs/ci/dsse-build-flow.md`, `docs/modules/attestor/architecture.md` | Document the build-time attestation walkthrough (`docs/ci/dsse-build-flow.md`): models, helper usage, Authority integration, storage conventions, and verification commands, aligning with the advisory. | Depends on #1 | DODS0101 |
 | DSSE-LIB-401-020 | DONE (2025-11-27) | 2025-11-27 | SPRINT_0401_0001_0001_reachability_evidence_chain | Attestor Guild · Platform Guild | `src/Attestor/StellaOps.Attestation`, `src/Attestor/StellaOps.Attestor.Envelope` | DsseEnvelopeExtensions added with conversion utilities; Envelope types exposed as transitive dependencies; consumers reference only StellaOps.Attestation. | Need attestor library API freeze | DOAL0101 |
 | DVOFF-64-002 | TODO | | SPRINT_160_export_evidence | DevPortal Offline Guild | docs/modules/export-center/devportal-offline.md | DevPortal Offline + AirGap Controller Guilds | Needs exporter DSSE schema from 002_ATEL0101 | DEVL0102 |
 | EDITOR-401-004 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · CLI Guild | `src/Cli/StellaOps.Cli`, `docs/policy/lifecycle.md` | Gather CLI/editor alignment notes | Gather CLI/editor alignment notes | DOCL0103 |
@@ -3283,7 +3283,7 @@ | GAP-REP-004 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild | `src/__Libraries/StellaOps.Replay.Core`, `docs/replay/DETERMINISTIC_REPLAY.md` | Enforce BLAKE3 hashing + CAS registration for graphs/traces before manifest writes, upgrade replay manifest v2 with analyzer versions/policy thresholds, and add deterministic tests. | GAP-DOC-008 | GAPG0101 | | GAP-SCAN-001 | TODO | | SPRINT_400_runtime_facts_static_callgraph_union | Scanner Guild · GAP Guild | `src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md` | Implement binary/language symbolizers that emit `richgraph-v1` payloads with canonical `SymbolID = {file:hash, section, addr, name, linkage}` plus `code_id` anchors, persist graphs to CAS via `StellaOps.Scanner.Reachability`, and refresh analyzer docs/fixtures. | GAP-POL-005 | GAPG0101 | | GAP-SIG-003 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Security Guild · GAP Guild | `src/Signals/StellaOps.Signals`, `docs/reachability/function-level-evidence.md` | Finish `/signals/runtime-facts` ingestion, add CAS-backed runtime storage, extend scoring to lattice states (`Unknown/NotPresent/Unreachable/Conditional/Reachable/Observed`), and emit `signals.fact.updated` events. Document retention/RBAC. | GAP-POL-005 | GAPG0101 | -| GAP-SYM-007 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild | `src/Scanner/StellaOps.Scanner.Models`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md` | Extend reachability evidence schema/DTOs with demangled symbol hints, `symbol.source`, confidence, and optional `code_block_hash`; ensure Scanner SBOM/evidence writers and CLI serializers emit the new fields deterministically. 
| GAP-SIG-003 | GAPG0101 | +| GAP-SYM-007 | BLOCKED (2025-11-27) | Waiting on GRAPH-CAS-401-001 schema/hash | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild | `src/Scanner/StellaOps.Scanner.Models`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md` | Extend reachability evidence schema/DTOs with demangled symbol hints, `symbol.source`, confidence, and optional `code_block_hash`; ensure Scanner SBOM/evidence writers and CLI serializers emit the new fields deterministically. | GAP-SIG-003 | GAPG0101 | | GAP-VEX-006 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | VEX Guild | `docs/modules/excititor/architecture.md`, `src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`, `docs/09_API_CLI_REFERENCE.md` | Wire Policy/Excititor/UI/CLI surfaces so VEX emission and explain drawers show call paths, graph hashes, and runtime hits; add CLI `--evidence=graph`/`--threshold` plus Notify template updates. | GAP-POL-005 | GAPG0101 | | GAP-ZAS-002 | TODO | | SPRINT_400_runtime_facts_static_callgraph_union | Zastava Guild | `src/Zastava/StellaOps.Zastava.Observer`, `docs/modules/zastava/architecture.md`, `docs/reachability/function-level-evidence.md` | Stream runtime NDJSON batches carrying `{symbol_id, code_id, hit_count, loader_base}` plus CAS URIs, capture build-ids/entrypoints, and draft the operator runbook (`docs/runbooks/reachability-runtime.md`). Integrate with `/signals/runtime-facts` once Sprint 401 lands ingestion. | GAP-SCAN-001 | GAPG0101 | | GO-32-001 | DONE | | SPRINT_0153_0001_0003_orchestrator_iii | Worker SDK Guild (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go`) | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go | DOOR0102 APIs | DOOR0102 APIs | GOSD0101 | 
@@ -3643,8 +3643,8 @@ | POLICY-ENGINE-80-002 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Storage Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Create joining layer to read `reachability_facts` efficiently | POLICY-ENGINE-80-001 | | | POLICY-ENGINE-80-003 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Policy Editor Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Extend SPL predicates/actions to reference reachability state/score/confidence; update compiler validation | POLICY-ENGINE-80-002 | | | POLICY-ENGINE-80-004 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Emit metrics | POLICY-ENGINE-80-003 | | -| POLICY-LIB-401-001 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild (`src/Policy/StellaOps.PolicyDsl`, `docs/policy/dsl.md`) | `src/Policy/StellaOps.PolicyDsl`, `docs/policy/dsl.md` | Extract the policy DSL parser/compiler into `StellaOps.PolicyDsl`, add the lightweight syntax (default action + inline rules), and expose `PolicyEngineFactory`/`SignalContext` APIs for reuse. | | | -| POLICY-LIB-401-002 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild, CLI Guild (`tests/Policy/StellaOps.PolicyDsl.Tests`, `policy/default.dsl`, `docs/policy/lifecycle.md`) | `tests/Policy/StellaOps.PolicyDsl.Tests`, `policy/default.dsl`, `docs/policy/lifecycle.md` | Ship unit-test harness + sample `policy/default.dsl` (table-driven cases) and wire `stella policy lint/simulate` to the shared library. 
| | | +| POLICY-LIB-401-001 | DONE (2025-11-27) | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild (`src/Policy/StellaOps.PolicyDsl`, `docs/policy/dsl.md`) | `src/Policy/StellaOps.PolicyDsl`, `docs/policy/dsl.md` | Extract the policy DSL parser/compiler into `StellaOps.PolicyDsl`, add the lightweight syntax (default action + inline rules), and expose `PolicyEngineFactory`/`SignalContext` APIs for reuse. | | Created StellaOps.PolicyDsl library with PolicyEngineFactory, SignalContext, tokenizer, parser, compiler, and IR serialization. | +| POLICY-LIB-401-002 | DONE (2025-11-27) | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild, CLI Guild (`tests/Policy/StellaOps.PolicyDsl.Tests`, `policy/default.dsl`, `docs/policy/lifecycle.md`) | `tests/Policy/StellaOps.PolicyDsl.Tests`, `policy/default.dsl`, `docs/policy/lifecycle.md` | Ship unit-test harness + sample `policy/default.dsl` (table-driven cases) and wire `stella policy lint/simulate` to the shared library. | | Created test harness with 25 unit tests, sample DSL files (minimal.dsl, default.dsl), and wired stella policy lint command to PolicyDsl library. | | POLICY-OBS-50-001 | TODO | | SPRINT_127_policy_reasoning | Policy Guild · Observability Guild | src/Policy/StellaOps.Policy.Engine | Integrate telemetry core into policy API + worker hosts, ensuring spans/logs cover compile/evaluate flows with `tenant_id`, `policy_version`, `decision_effect`, and trace IDs | Wait for telemetry schema drop (046_TLTY0101) | PLOB0101 | | POLICY-OBS-51-001 | TODO | | SPRINT_127_policy_reasoning | Policy Guild · DevOps Guild | src/Policy/StellaOps.Policy.Engine | Emit golden-signal metrics | POLICY-OBS-50-001 | PLOB0101 | | POLICY-OBS-52-001 | TODO | | SPRINT_127_policy_reasoning | Policy Guild | src/Policy/StellaOps.Policy.Engine | Emit timeline events `policy.evaluate.started`, `policy.evaluate.completed`, `policy.decision.recorded` with trace IDs, input digests, and rule summary. 
Provide contract tests and retry semantics | POLICY-OBS-51-001 | PLOB0101 | 
@@ -3677,8 +3677,8 @@ | PROBE-401-010 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Runtime Signals Guild (`src/Signals/StellaOps.Signals.Runtime`, `ops/probes`) | `src/Signals/StellaOps.Signals.Runtime`, `ops/probes` | | | | | PROMO-70-001 | TODO | | SPRINT_202_cli_ii | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | | | PROMO-70-002 | TODO | | SPRINT_203_cli_iii | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | | -| PROV-BACKFILL-401-029 | DOING | | SPRINT_0401_0001_0001_reachability_evidence_chain | Platform Guild | `docs/provenance/inline-dsse.md`, `scripts/publish_attestation_with_provenance.sh` | Backfill historical Mongo events with DSSE/Rekor metadata by resolving known attestations per subject digest (wiring ingestion helpers + endpoint tests in progress). | Depends on #1 | RBRE0101 | -| PROV-INDEX-401-030 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Platform + Ops Guilds | `docs/provenance/inline-dsse.md`, `ops/mongo/indices/events_provenance_indices.js` | Deploy provenance indexes (`events_by_subject_kind_provenance`, etc.) and expose compliance/replay queries. | Depends on #3 | RBRE0101 | +| PROV-BACKFILL-401-029 | DONE | 2025-11-27 | SPRINT_0401_0001_0001_reachability_evidence_chain | Platform Guild | `docs/provenance/inline-dsse.md`, `scripts/publish_attestation_with_provenance.sh` | Backfill historical Mongo events with DSSE/Rekor metadata by resolving known attestations per subject digest (wiring ingestion helpers + endpoint tests in progress). | Depends on #1 | RBRE0101 | +| PROV-INDEX-401-030 | DONE | 2025-11-27 | SPRINT_0401_0001_0001_reachability_evidence_chain | Platform + Ops Guilds | `docs/provenance/inline-dsse.md`, `ops/mongo/indices/events_provenance_indices.js` | Deploy provenance indexes (`events_by_subject_kind_provenance`, etc.) and expose compliance/replay queries. 
| Depends on #3 | RBRE0101 | | PROV-INLINE-401-028 | DONE | | SPRINT_0401_0001_0001_reachability_evidence_chain | Authority Guild · Feedser Guild (`docs/provenance/inline-dsse.md`, `src/__Libraries/StellaOps.Provenance.Mongo`) | `docs/provenance/inline-dsse.md`, `src/__Libraries/StellaOps.Provenance.Mongo` | Extend Authority/Feedser event writers to attach inline DSSE + Rekor references on every SBOM/VEX/scan event using `StellaOps.Provenance.Mongo`. | | | | PROV-OBS-53-001 | DONE | 2025-11-17 | SPRINT_0513_0001_0001_provenance | Provenance Guild / `src/Provenance/StellaOps.Provenance.Attestation` | src/Provenance/StellaOps.Provenance.Attestation | Implement DSSE/SLSA `BuildDefinition` + `BuildMetadata` models with canonical JSON serializer, Merkle digest helpers, deterministic hashing tests, and sample statements for orchestrator/job/export subjects. | — | PROB0101 | | PROV-OBS-53-002 | BLOCKED | | SPRINT_0513_0001_0001_provenance | Provenance Guild · Security Guild | src/Provenance/StellaOps.Provenance.Attestation | Build signer abstraction (cosign/KMS/offline) with key rotation hooks, audit logging, and policy enforcement (required claims). Provide unit tests using fake signer + real cosign fixture. Dependencies: PROV-OBS-53-001. | Await CI rerun to clear MSB6006 and verify signer abstraction | PROB0101 | diff --git a/docs/modules/scanner/deterministic-execution.md b/docs/modules/scanner/deterministic-execution.md index 54f7f2d60..97ab23cac 100644 --- a/docs/modules/scanner/deterministic-execution.md +++ b/docs/modules/scanner/deterministic-execution.md 
@@ -10,7 +10,9 @@ This note collects the invariants required for reproducible Scanner runs and rep - Concurrency cap: `scanner:determinism:concurrencyLimit=1` (worker clamps `MaxConcurrentJobs` to this) or `SCANNER__DETERMINISM__CONCURRENCYLIMIT=1`. - Feed/policy pins: `scanner:determinism:feedSnapshotId=` and `scanner:determinism:policySnapshotId=` to stamp submissions and reject mismatched runtime policies. - Log filtering: `scanner:determinism:filterLogs=true` to strip timestamps/PIDs before hashing. -- Evidence: worker emits `determinism.json` into the surface manifest (view `replay`) summarising fixed clock, seed, concurrency cap, feed/policy pins, and per-payload hashes so replay kits can assert settings. +- Evidence: worker emits `determinism.json` into the surface manifest (view `replay`) summarising fixed clock, seed, concurrency cap, feed/policy pins, per-payload hashes, and a Merkle root over payload hashes for quick verification. +- Sealed replay intake: worker reads `replay.bundle.uri` + `replay.bundle.sha256` (and `determinism.feed`/`determinism.policy` pins) from job metadata; stores bundle pins in analysis so downstream stages stay hermetic. Stage: `ingest-replay` runs before image resolution. +- Surface manifest includes `replayBundle` (uri + sha256 + pins) so offline kits can verify sealed inputs without scheduler context. ## Ordering - Sort inputs (images, layers, files, findings) deterministically before processing/serialization. diff --git a/scripts/bench/README.md b/scripts/bench/README.md index d29e33b90..51ce3650d 100644 --- a/scripts/bench/README.md +++ b/scripts/bench/README.md 
@@ -1,6 +1,7 @@ # Bench scripts - `determinism-run.sh`: runs BENCH-DETERMINISM-401-057 harness (`src/Bench/StellaOps.Bench/Determinism`), writes artifacts to `out/bench-determinism`, and enforces threshold via `BENCH_DETERMINISM_THRESHOLD` (default 0.95). Defaults to 10 runs per scanner/SBOM pair. Pass `DET_EXTRA_INPUTS` (space-separated globs) to include frozen feeds in `inputs.sha256`; `DET_RUN_EXTRA_ARGS` to forward extra args to the harness; `DET_REACH_GRAPHS`/`DET_REACH_RUNTIME` to hash reachability datasets and emit `dataset.sha256` + `results-reach.*`. +- `offline_run.sh` (in `Determinism/`): air-gapped runner that reads inputs from `offline/inputs`, writes to `offline/results`, defaults runs=10 threshold=0.95, and calls reachability hashing when graph/runtime inputs exist. Usage: ```sh 
diff --git a/src/Bench/StellaOps.Bench/Determinism/__pycache__/run_bench.cpython-312.pyc b/src/Bench/StellaOps.Bench/Determinism/__pycache__/run_bench.cpython-312.pyc deleted file mode 100644 index f0813ce211dbfa502a75febdb7d02e4c2c6820c1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 15888 zcmbt*X>c3Yoo6@DxG#eDB@sL%5)u#Hx8>-dE=!aw%FdXM4TETq0tEteHzovCN;sYrg)CK#fe-WC-R~p z$`2d*3_PWcQDdKx#X_IJVpE@q#pXUUi!FT?7F+wQh=r(a*xqMnZB0?fu(Qv}(&ngZ z*xl!5X-m{IT+&xE?CtXom-dwom-Uqmm-m(D$E)b8FmPd~XuW59AG4yzz@6ko`}a7} z@xDRLd0&mVzDjYU==`40S0y%xF2vQMPjn-$5gSDh;##puEJ0i+Hj7@w^f3bK}NwqkmiQB`nr{Je&wi!;x4-9`^Nz zW1-8#LFtO`a!`teW!X0nmwZRNdybvzINp7!`{KFNJ*Rumb?n-u^&UNc&KHb{z8Aay#3#l>qr>4?LiUYC5|`tn319dcCL0SzeW749 zDtBV|3sPJh4WTDdUq>Pm!u;jS)IFw;VdJp~8nAxb;vf1_Fvb5E#ZW zMk(zK1YREvM)M_}K%i*<0s*NMlatC3+~rmga*r=`4aX8);Vv@$?dl3EGH+U@P-?(#i;qhcWtk4E|xvkH-l?Q-~<7#R%92?8d9ESZM$Np%Pnr&=q} zKMwGgXi?4h$u#XrZrM?KLKt(4+9uW7BA2pkv=%Tr8Y&oRA4NM~IJvV~Q{&#}P*3LD6qegb~~?g&&Y< z>wWocu~A`w>Pa2QZpBaDggJp7#DQ z^`#LxUsCoX3LeW=G<>^ar}3{%hb&L*8XYIwwF^l6aWKg5Uw+Tl0|rshcC454n|dz! z4UhTu$NT{-(_b4{;<<5P`oK(R_R{>&qT|StrFaS08)UpLn|-D+6~ltoe-Wfu6{TeSHN0KH_Rbp zgjNIW^)1YP!Zcw{nTl3rF0AS;!}W533mGTO6Q*8VuwJy|@tZJ=sVP=6#z`A6Ghk7B zM2^JdL=aQ~piWf6ktb^boT_5UzW^f;MKOW84aUAzqZAud1jbT*UcFdewv~I|Gs-`@JHp?aDGrhN7y7|&uFK0^{r%YPa?nP^DZs)!w&;Gl+ z=C;oTXZW`dreB|J&X#RnDA}C#?9W*D=N#_IGkb1<@z%McYRFYQf8nSSIBUg5DaeYge&C|-Nd{6h2gpl2-1xlprKc`qs)`? 
zth+C6eP2paB{F}#DpitlU*(aif66>dM2~0@4QuAKljgG?@`Oml-ScXrK=3L}nZ>eq z3_5yqjdA|+9>pbxuR=CRj0gH7LHQr^(8DR#kznXb5Zn!@8o22&lM58r)zK(qieP^v ziY8!%P&6tlmeJUiSbQvoR!lrd$Pyu}$e#dQ2h}cHzVTb)TX>jA9UaE`ea9TS5L-wev)Gs9h{UA+=C)euiz&v`HmHE#;f6LjAxggqXy?F=%FBp0Cf_>2}Pij zR1d(CKQx>)9YR13htaWmAhZ(%BjH#;J6gp!a%GV1o9soYO0J4R6)%>o-6$!J%E$1N zd$6;U+^>$Ed%HWm=R3pOv!SEt6*+ZlcVR+DDwrYl8p4R79xTh%wK(`~b-v);}rbFQlH*0r10 zX6IJ?a~b#l3;d3J0zGWYs?`Mf#PviE*jw&t0sGr5X}*_MTh&2t?K<$I^P zbI$S`=cms`{HF?o50wE|eylrjyuzS>ucPZ{o+v>Olh zwF=l7Y+k~n)g2-xV9f(O$^PzH-p}vAge3v&qdr3<3$J-VwJO(S;Z?)EV1#wHM6|BI zZ=hWUt^RlTJOgS1hPL%c0rbVh@T4`bAMhnhe8UkLeCVJruL1BIB*HrqVcSc@x`Zx= zLst}cC^(WB#hq65C5n)MMkiVOLQEbV83D?GDkhI^e57YM;PX2ry438lswjjM0E+!Z z;)J>-DK1I0Wl)C1rQu)#C}XrAhye;A8Qkq?EHCholm~%FPKX%TZ|0VWk% zfuZs#mdQA0%A*7XM=7BgL&KtC&Z~t;deBgeieDUrU-EO8-b8T}KlyJEK$Nt&zn^+D zHFNb-%Z6o7!>o0#b$;*C&hCYs-C56xjP=CBe1-8(ExsIN@n@%>%{ZEtOY76u<}5#R z-gVA?JF~kxv*ARx^kl|)GS_|fzXU!C{L=lx{Yz7c8*fa%F>9N>!hsE$e3ao363+sp!KlRRF4usn%5WxNXH`m8H%YZxeLK0_pq!XS5kA!ebWtGdShaG zB3IrD4CygXp8TDYb5_6Oo*m0pcV!*hGQu{McLui8A16`_2l_M|SX`Q~Ch`Ria{_4+ zalyd_fm@90^Vcckx|$e+sOw>#QbYKoHB6#e!&yZ~wf=Y((W=$ej!?8c!LuW$JhfNKm0m_rqzjS0h4*BW4nKL!^;I@&hT0J_2Aj2g_QiMi&jsf_3!UG{ zG#!~#IVZc&ga)GUaV=6;r*9QaJ1NFBwF4OHJ2+i{{dWHOKr0XdE z9)5X|TqEtt*&SKWW-uqM{>d{rZ_OjlYO<4zUAkngS+LeTtln_PcH1_)d9Ep2-H~hD z{9etwHFMA2KbmcPHdotl$A8;DdulF{t=+f0v3a)pz0>cWo{Qc;mTmb)cH;hD)7hql7v96H9i~K#E zVdlZfi^iYuO#4GOc+De1w=J4MGzkpwKn-b3=wLUb>wnZz3RAdR_jK@u&?&4Z$h@C# z004!a>J2HPre9#U2V}XGDq3RUF|yh~#IO%U!cmdb?NAFT zW_3WtG<*fN45^JO8({-c?4;3W#t}(zjFFM#ayW=_6)Ss@;$sjCEP3*%*j4%-KuhTs z`d|`_VpgjH)Z=4}wlJid2Wl594CH%|eu7qS<0nrd00|Y`OG3qhP_ZP`EeLh9$LGOq z)-4MA6mKs;+g5g?VY(q*Ham9TFx8N?9bDlAQ{(;Dm%*wN8RX}N7QOqyeOuj2*4hPY z?V`0lR|bxqw>3^3%Q;Jlu}&ZR%<22Wh^#LyX#FL1@dX8sWkTBj@d$U6GyWZCI%=~# zp;#iIVgOwZFbAIb{{ZMGRGk2CU_?Q~rvNtWMKKTqqwAa;=8%6h0M#(*gkS?`e;p{V z2fSa;lWJppU9bB1Cg6K;#cQ9G0N$E7<*KzM1!D(ln18G@1-M4v0rlXA2vM(jpo<{$ 
zZ649!vYVlYAj`*^C#CbX&_S?2tqoZgnz;n=m+Wcbq%u+*f881^+yHe~nJpCr{NVDb`08>_EMFEiW&Tgn-M+k9>tRwW{||i^9QNRn27ga!KXP)rIDrizT}rac0xODPh^WAuZmC-;QTDc4fWWrpzk_qir(@ z^QoJux4ykpwSA##`_EfGZ2O??ueU7iIKHsscy`B$Y}LuBQ!8f9=Dy*acBaiU*V58# z+fvicg{Ga^rrnvwJ@fsUiv6Ei53IN_%!-?{S1sA<7HoCtV{@$;TV2++V})!>^TC|e zMt#h@uxPDgh9{Q)PrtKpq~<1B24fsooC}tl|7z z%v`BY;zQK9N3~K2py0Qc%{-U2`zDX&Jl=wys&@8b*4w7@ekC_N)1GB#S+1g%>@Ml6 zv*X!{?S;3i*^16wo-y=itJ`yRzB~JG@1OnF{Elqhp5J|i>vNV*o>#d%ox8$pXz7e7 z+7Ygg-HO0Ux2s&)i-kK1vZ1J#e22s!OOXHqLZBV|ac+huH9WJeSto2oU}e<~5-NIq zektA0XTp&(u+|_c6V8HSq+mN_rD!?f5)COq0zkrSAq=3^D}O+)JLQIw+?;S=z3fTZ z^$|Tqxw>F80mZs#WNN8MLRS)zxd6n_#zGehokIj3YaS?OEJL)nYaWPbxT^GM@r3v5 zl|%`h?54aRgcjJQbi;?nJQGQ86C%Gvn88XnSxWIc5-s+A_phNpv%7DQ90p* z_9}FlIV_C?Bhpwz4*Q@|k`9zEvT38>Kc;aGZjh2viQkU#b|R;TR*jiZK}( zVQvjj%LikFVTo{?sxM*aX%}9h(t^Vdl=S9{ES9>d&H)PEq<|z#M!lIDgs}qt3TWe@ zI+J0L3}1sc31KTmpxH{egwW3AxqnCyibp5s(DX?`St24_(9B4LxugjSUZY@)g1CRUoT?beL+|AvtS;@DGq76SJA;37(8p@!3YII_B*oeS(_* ziJIKR?V03$SISu(Q@g*Le7iSY@mAlbmWE|_b*AQI)_p2tJ@v3<^W@3phNjuwbDOda z+g7;^rpg6t-IQ%+-*Q=f`lW1H>y&l5v@U%rTe@k=^02C5m8-E;LcL#ApT6|g8>?Kk zt8&Je+tBt4%iS#xE@tXaJ>sgol{3eGRo9TK_APJfn7f?aw0EXwxut#Xo7tA#Gv~lz zq?4ak`Ij5E&W+Dqx$nKd@BWqtM;?S8yzoimCnx{=+5dX>lf#+zzNPlyLVGaNAIY{4 zWgD)fh2@PccZP2d-#a!h%=gas&)e?r$hIHOZhSUvT=wspfAv9c)_*$fUT)htf9}D~ zY}?7S>+?p8Iv;sZjUHdVoNbKEoLO$%KEEZ~_{_|iTzTECo|`=nTRY!Ny_?FlbiCK| zZcnax>wC|<`%JE-E!Vtxxn;-v-VYCbaOgqJC#NzmzLsqXE_ZC3uYEu8g~wV``+K9k zqViE4*89kaeRyQV)~wjDg)4`kI9L+O7liWkrMcr7p?p!;4lU?p&sUXay6&JI=XHyV zz_o};;roDz4Y0AR3Lb;1;K93*&=+EX;sF6{2)~}1ELCJ|UXKky4<_oN2oD?(Aeu}F z_?gh>I;@Q*B7si8eTMma6zGqRt&^YtFaYQ!MHEP{qm3$Bh-!e^_)|imMM|&7`Vy}1 zBYY%5Cy_Fdxw)4Ut&Dk5FW3NBgjc|-!@PDP=c#lyN92xgbTkQ7A$c_Qxho&TyK}ny!ck#g0+6i1doX8^30wezL9m*rC-lFe9#oU9ZGM0>&k+& zar(rH1#P~tavPhc_RMroABM-=oKbh1!{qfxhub8B+X9_g&-a9BxloUu322$tgD%lX z`mI5pX}Acj;~|aIx^=CnYeQXo!G!eGx(?APy6(9(t=UuSc@nfH_J}2-_g<++L!a8B zOe_~G?p6NLo~y)avF2YegIW>pA7b5_HGPdj1h=5RC%K`>@AIn;&ycYlVptAI5#}bG 
zv~+Z+q>kT`EK?=aE|$@?rIWk{lT|09@%}d1&nP$ZURG<7%_|m^2H}j5ze&)}g`*=$ zQ%46VS<;*D3~8;a%HpnwJy5G8tsNbzfRL@+qSj@OY`C^{;J5$E@)Q}u53wS_weJKM>b9G=m>0k8(jfCGzd)~&;tYyn0HrLC@jePUDZ>GT&JNH(3Q<%nR=fN?Z7Bu+ zjGs)qM7~uOORkm$S4(F5g+Zf~xnH0OG8#m1Scf5(|j<`o#PN|zk<3y%7%Va6GC?ShxHzsL#A&2(J>*o-$7y5^1hWPG86mCfWD&#VAFVHpRSv?t&UG({ zZeZ6p!$;}@=?pbhnn`*OJ*ny`fgnn;L}b_mqhUtrAdSP*C_!HtfW4(VgbSR{U`nVp z0=YAMZ3HZ8fWfBpkLVg7pK$UwkpShYt_6iDt9yj)ZJx6H%2NsFiska!cXs_~&z*y} z55i7Z*Oe{b2Fhk@o;psBBdO`spMN`7QgO?9)0w{XSxM6uCX}sM&;gx~ck--yD*4@D z5$ypJwf~Cgp9{oA+pCG9vjB<6lZ)amw7oC()J9Dm#TV-8H4TOHMNMm=hL+N68jHkW zZisYCYaYEO9BL(kBS%5|T&w^{c(sO4^hgSpHILS#7L!ND6TRwM;P3DWT{lhs87UK1 zQ@N%)ydszMv}+zPS;qJCPzn|gwp3!dpr$B@!RC}MR)aKR1TrQ6OXokxQ|*-T8ZW~M zc#xT)C#*$cv=w6tG^Qq+^ISp~rVFegJQ=|*u({b&_Myf#%b*$Q0_+fO-`Ynsr)&{k zv=q!^Pl~pQR;`8TNLir1aHedc>qmm<{&A5JY@G9ZdXjs4;_7EUKGCpWAibKop}vAB;cq>-?kg!)=7Z;1mYWDlPc>W)d)n~|3^e^ZJl!oFmguWfCkXOhOwodb_~zrUPO19tnRzeOv? zUn_2no&^{^Q&EmtrGkpRcN`z840m6PB%}|~L@}$hn@Ob7N7M<4(##CTbk~e4R#cUF zfV^gyXN$Cx+L}frau9YX0ue2B3J<9D#}xb>1x%sHICgED$Tn9bovZsr%nxv%`Z*Z9 zDb!tKib>{MT_jGcT)Z$GjKrjW!Vp!2_jVuvF?3Y?@X+M(WoLD|{7&ud+N`q$I(7C| zeY-mAY{FY*)9kLL<~<9|d$N^#C(kc?D`v!7S8iU(dYdNC{0~RTZ4(o{FJ|4n8Efz7 zp89t#&9=O^_1&%64V_s}*W{^RIm%d#eOWj8f`9I=N}JN7vzO`RHBh#>B{@{H%v*Xx< z?HPObXTk}F(&=+3+RQ)z+GDz)iiv%zLq11vnTn|!+a zTys$_DN2$qRn^m(*Yp(Ho23)fo{UV=NeY+}h?P?c4pRe&9=o6Xs!J6k{}kk>-_?FfLElS zJyB2kKX}Ei|A!}XlP=aEkELEwKhP*)*YUAi|6We*?*X-h#HQZNq*pK2TYp3~*f|_T zN)h_w@u+&2*>ve@CoA-3tk?W!c(Mq zKBpp=_TeG>yie`${}!66>-Q^`KmgxpsvqzTj55c*fMi5HX_KdpnRP4pDAE) z){lo4l!+Y?+ zRzFxgEZJ~~_~+yjgs{Bv{1<|S7k*#D@y-9hd4A2=f6cjn%{hL}xqi)gf5X-MhHLx{ zSN-?gp3k^F$o#_085}b$i+t6W27&K@;{xBYYUB*nEA+Zr%Jc23Rs&zZYUlZj{HoQ) zdseFrynof*!tY+a$UFF>{A#_0-@aPz;wx8u7QS({+=2S_PQHAlo$K7O;%Vp0a*mo6 zBjSgMO^9KY^!QdRl(KRT_lk{DcFtY8;-Hk1^H!|5DCOoVx3V5qN;q@vsuy{yukudJ ps>#hatTtJB?`mZ&f0AE0zzNQ&PO4oIE6^53AT97&-6`uVgDQT%cinJ_Cu`U0ykx0dk9K&v0*rsDkj+8cX;Fv+XptvK7EV-m- zmX^elfDO2?0;i1yA1t6fC^rQ%5am?&R5$1$Krh-#D2a^%6v)XpCo*7Ez4Xm4|18OY 
zi;kc-GjHDC?7a8Q@b7MSBZBrIb0j|PLg+g-sWeAtQ~CAzm;SQ2brxCOVW&R-uzh_r)EDbc%wY?;NO8E%I2 zyPmN5sGl>%pGWjb=-aR0R3=R#WF{0RII5?~%oFx4qGd&^D~E_S_QCW4!YItCD9o#p z%HI~lf-2lbVNn%U1<({>YY15h&ZphH2Tc8(y2B3Y?4T{GR09ZPW?<`B{~(jwQzu(XjDWS+3{g-F1hDSrjz=f|{jDf4GogdDMzjJSZBlJQ-vg5ZB^7rsP9w5D%gq8XqLY^Na9d6c)>fD#g_v58=D z2TaRDxz>;;FNDyiQk0LQDE~`9xq_6JREZ%Q^bXcf@Gx?+(S81tb`cdEAcGQZ+kNYv z3NK$pRn=AV1sDu}wfPMAQARG5u^Zm8SZI>)A-sY_eJQL`Y)I?<8JkMbJ|j z(+QEWuuLbxG@FF_7cD~^F&!)*OsNxu_t}m3nBq}ZKMDk&*5c7fQi*6#xb{v}#a2>M z5j{GYJF{~oy{bOjEPV_Fip{-u)xG~IYHsLX7+d#s%^$xXpS`&5+gtSc4WGZ%+VP-q zuCcCj&$&xpU#YXZw5Ru(+qtWG_TsZv)X`J)3>u!n<=Cp{%xtJ6w-)7IL+)L8bJ4RV z_x~$&`Jdi*A6>t9eSY^`e&H7jH$JYHg?uC2^F0;DCVdSyarf-Nxzoa5PkYauaD3I;1LLnwNQ|DA z&Wp|$s+^s-RpqB3AO6QG-=X&HtEeF4g+vttz(cvIe5DRKq_e}e+W(6NP<((<68T31-D9)V+BX9cNFcZZh`MDfb_l>@&lGOL&Bd`XEa zTGT>QT@S0Tqk;qcu$tP^)J8y;@`caAlVL}hrdN>R>SeZL(@POa9?i)U7^^g(M@S%+ zqYPIVgRne!$1jpS&=dB2BRxROmQ+NGPq6aF(>jUJTvHhq0#SM+=eC~+0Xi8uHh3Z@ zW%Y^vlW;-1;08~taVegwW= zqH_q`(*FRdL6)aspdPY1I_Ew2hZdTRj==1NlH695dknc}KDH(weg!z|0XQq|KfK_4 z*5a}-tsS|2MfrdsA6U4!cy+m8^oQ2u3#DDJE$lUR4a{Czm%T;#bwhrAG4#do=fjUW z{?hg5E~D@K>V+h~Iq zrEA;|a*Ncz(c2*n*y2o*c}qp&nxgpIO@Yq9rJRA^6v_Cwb-kJ{9e!C%#FN-cSJRc% z*wItSFhyZ(h>YEg>EsQ}Gzr#pO4w7y6qz0NYGxNMnAVAv+NSFYsGnyqT`SU4mMjZ_ zybZ(JMmAkPwKso;T!sbqkfT#To(deteS;dmMV;TGBj2Ew?;WVcbMNF`t=N3fXg;{w ze7M*gFq#94*Nx^kZZ?&WaL0Aab*JT4%RO%H_`Tn(dJe3igWsXnXO2E@VE$6EyWi;U le}-W4^j91b<=Nangxw{v?dGLBBezC=``%LliCtD;{{;-yR`~z` diff --git a/src/Scanner/StellaOps.Scanner.Worker/Determinism/DeterminismContext.cs b/src/Scanner/StellaOps.Scanner.Worker/Determinism/DeterminismContext.cs index b3a72e358..12998df20 100644 --- a/src/Scanner/StellaOps.Scanner.Worker/Determinism/DeterminismContext.cs +++ b/src/Scanner/StellaOps.Scanner.Worker/Determinism/DeterminismContext.cs 
@@ -16,6 +16,8 @@ public sealed class DeterminismContext ConcurrencyLimit = concurrencyLimit; } + public bool IsDeterminismEnabled => FixedClock || RngSeed.HasValue || ConcurrencyLimit.HasValue || FilterLogs; + public bool FixedClock { get; } public DateTimeOffset FixedInstantUtc { get; } diff --git a/src/Scanner/StellaOps.Scanner.Worker/Processing/Surface/SurfaceManifestStageExecutor.cs b/src/Scanner/StellaOps.Scanner.Worker/Processing/Surface/SurfaceManifestStageExecutor.cs index 2d87a9c80..ae4dec361 100644 --- a/src/Scanner/StellaOps.Scanner.Worker/Processing/Surface/SurfaceManifestStageExecutor.cs +++ b/src/Scanner/StellaOps.Scanner.Worker/Processing/Surface/SurfaceManifestStageExecutor.cs @@ -74,6 +74,12 @@ internal sealed class SurfaceManifestStageExecutor : IScanStageExecutor var payloads = CollectPayloads(context); await PersistRubyPackagesAsync(context, cancellationToken).ConfigureAwait(false); + + var determinismPayload = BuildDeterminismPayload(context, payloads, out var merkleRoot); + if (determinismPayload is not null) + { + payloads.Add(determinismPayload); + } if (payloads.Count == 0) { _metrics.RecordSurfaceManifestSkipped(context); @@ -96,7 +102,12 @@ internal sealed class SurfaceManifestStageExecutor : IScanStageExecutor Payloads: payloads, Component: "scanner.worker", Version: _componentVersion, - WorkerInstance: Environment.MachineName); + WorkerInstance: Environment.MachineName, + DeterminismMerkleRoot: merkleRoot, + ReplayBundleUri: GetReplayBundleUri(context), + ReplayBundleHash: GetReplayBundleHash(context), + ReplayPolicyPin: GetPin(context, "determinism.policy"), + ReplayFeedPin: GetPin(context, "determinism.feed")); var result = await _publisher.PublishAsync(request, cancellationToken).ConfigureAwait(false); 
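Review bot: `IsDeterminismEnabled` is added without an XML summary and nothing else in this diff reads it, so its semantics (true when any one of the four knobs is set, not all) should be stated at the declaration, e.g. `/// <summary>True when any determinism control (fixed clock, RNG seed, concurrency cap or log filtering) is active.</summary>`. The feed/policy pins described in the `deterministic-execution.md` hunk are read from lease metadata in the executor rather than from this context, so the summary should also say they are not part of this predicate, otherwise a caller may gate `determinism.json` emission on it and skip pinned-but-otherwise-default runs. The class body continues outside the hunk.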
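Review bot: `DeterminismMerkleRoot: merkleRoot` is computed from `payloads` before `determinism.json` is appended in the preceding hunk, so the root published in the manifest covers every payload except the determinism payload itself, and a verifier that recomputes over the manifest's full payload list will get a different value. Say so at the call site, `// root covers all payloads except determinism.json, which carries it`, or in the determinism.json schema. The `ReplayBundleUri`/`ReplayBundleHash`/pin arguments are echoed from lease metadata as supplied by the scheduler; nothing visible in this diff verifies the bundle content against `replay.bundle.sha256` (the docs hunk mentions an `ingest-replay` stage that may do so, but it is not in this patch), so the manifest field should not be read as proof the worker checked the bundle until that stage is confirmed. The enclosing method starts and ends outside the hunk.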
@@ -233,8 +244,9 @@ internal sealed class SurfaceManifestStageExecutor : IScanStageExecutor return payloads; } - private SurfaceManifestPayload? BuildDeterminismPayload(ScanJobContext context, IEnumerable payloads) + private SurfaceManifestPayload? BuildDeterminismPayload(ScanJobContext context, IEnumerable payloads, out string? merkleRoot) { + merkleRoot = null; var pins = new Dictionary(StringComparer.OrdinalIgnoreCase); if (context.Lease.Metadata.TryGetValue("determinism.feed", out var feed) && !string.IsNullOrWhiteSpace(feed)) { @@ -246,12 +258,8 @@ internal sealed class SurfaceManifestStageExecutor : IScanStageExecutor pins["policy"] = policy; } - var artifactHashes = new Dictionary(StringComparer.OrdinalIgnoreCase); - foreach (var payload in payloads) - { - var digest = ComputeDigest(payload.Content.Span); - artifactHashes[payload.Kind] = digest; - } + var (artifactHashes, merkle) = ComputeDeterminismHashes(payloads); + merkleRoot = merkle; var report = new { @@ -261,9 +269,13 @@ internal sealed class SurfaceManifestStageExecutor : IScanStageExecutor filterLogs = _determinism.FilterLogs, concurrencyLimit = _determinism.ConcurrencyLimit, pins = pins, - artifacts = artifactHashes + artifacts = artifactHashes, + merkleRoot = merkle }; + var evidence = new Determinism.DeterminismEvidence(artifactHashes, merkle); + context.Analysis.Set(ScanAnalysisKeys.DeterminismEvidence, evidence); + var json = JsonSerializer.Serialize(report, JsonOptions); return new SurfaceManifestPayload( ArtifactDocumentType.SurfaceObservation, 
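Review bot: `BuildDeterminismPayload` now registers `DeterminismEvidence` in `context.Analysis` as a side effect of building the payload, while the caller in the `@@ -74` hunk separately decides whether to add the payload; if the method returns null on a path not shown here, or a later stage drops the payload, the recorded evidence and the published manifest diverge. Move `var evidence = new Determinism.DeterminismEvidence(artifactHashes, merkle);` and `context.Analysis.Set(ScanAnalysisKeys.DeterminismEvidence, evidence);` to the caller beside `payloads.Add(determinismPayload)`, or rename the method so the registration is explicit. The `merkleRoot` member of the serialized report is now part of the determinism.json wire format, so a one-line comment on how it is derived (ordinal-sorted `kind:digest` lines, SHA-256, lowercase hex) belongs next to `merkleRoot = merkle` for offline kits that must reproduce it. The method body continues past the last hunk.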
@@ -274,6 +286,46 @@ internal sealed class SurfaceManifestStageExecutor : IScanStageExecutor
 View: "replay");
 }
 
+ private static (Dictionary Hashes, string MerkleRoot) ComputeDeterminismHashes(IEnumerable payloads)
+ {
+ var map = new Dictionary(StringComparer.OrdinalIgnoreCase);
+ using var sha = SHA256.Create();
+
+ foreach (var payload in payloads.OrderBy(p => p.Kind, StringComparer.Ordinal))
+ {
+ var digest = ComputeDigest(payload.Content.Span);
+ map[payload.Kind] = digest;
+ }
+
+ // Build Merkle-like root by hashing the ordered list of kind:digest lines.
+ var builder = new StringBuilder();
+ foreach (var kvp in map.OrderBy(kv => kv.Key, StringComparer.Ordinal))
+ {
+ builder.Append(kvp.Key).Append(':').Append(kvp.Value).Append('\n');
+ }
+
+ var rootBytes = Encoding.UTF8.GetBytes(builder.ToString());
+ var rootHash = sha.ComputeHash(rootBytes);
+ var merkleRoot = Convert.ToHexString(rootHash).ToLowerInvariant();
+
+ return (map, merkleRoot);
+ }
+
+ private static string? GetReplayBundleUri(ScanJobContext context)
+ => context.Lease.Metadata.TryGetValue("replay.bundle.uri", out var value) && !string.IsNullOrWhiteSpace(value)
+ ? value.Trim()
+ : null;
+
+ private static string? GetReplayBundleHash(ScanJobContext context)
+ => context.Lease.Metadata.TryGetValue("replay.bundle.sha256", out var value) && !string.IsNullOrWhiteSpace(value)
+ ? value.Trim().ToLowerInvariant()
+ : null;
+
+ private static string? GetPin(ScanJobContext context, string key)
+ => context.Lease.Metadata.TryGetValue(key, out var value) && !string.IsNullOrWhiteSpace(value)
+ ? value.Trim()
+ : null;
+
 private async Task PersistRubyPackagesAsync(ScanJobContext context, CancellationToken cancellationToken)
 {
 if (!context.Analysis.TryGet>(ScanAnalysisKeys.LanguageAnalyzerResults, out var results))
diff --git a/src/Scanner/StellaOps.Scanner.Worker/Program.cs b/src/Scanner/StellaOps.Scanner.Worker/Program.cs
index 480d5cf94..d649dbb63 100644
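Review bot: `ComputeDeterminismHashes` keys `map` with `StringComparer.OrdinalIgnoreCase`, so two payloads whose `Kind` differs only by case overwrite each other and one payload silently vanishes from both `artifacts` and the root, which is exactly the gap a determinism attestation must not have; key it with `StringComparer.Ordinal` (the sort already is) and fail on duplicates, which also makes the first `OrderBy` redundant. The root is a flat SHA-256 over `kind:digest\n` lines rather than a Merkle tree, and the joiner is not length-prefixed, so if `Kind` can ever contain `:` or `\n` the encoding is ambiguous; either document the exact canonical form at the `// Build Merkle-like root` comment or rename the value, because the docs hunk on this page advertises a "Merkle root" that a verifier may try to rebuild as a tree. `GetReplayBundleHash` lowercases the lease value but accepts anything non-blank, so a malformed or truncated pin in job metadata is published as a trusted `replayBundle.sha256`; require 64 hex characters and fail the stage otherwise, since a sealed replay should fail closed on a bad pin.
```csharp
var map = new Dictionary<string, string>(StringComparer.Ordinal);
foreach (var payload in payloads)
{
    if (!map.TryAdd(payload.Kind, ComputeDigest(payload.Content.Span)))
    {
        throw new InvalidOperationException($"Duplicate surface payload kind '{payload.Kind}' in determinism evidence.");
    }
}
// … unchanged: ordinal-sorted kind:digest concatenation and SHA-256 of the result …

private static string? GetReplayBundleHash(ScanJobContext context)
{
    if (!context.Lease.Metadata.TryGetValue("replay.bundle.sha256", out var value) || string.IsNullOrWhiteSpace(value))
    {
        return null;
    }

    var normalized = value.Trim().ToLowerInvariant();
    if (normalized.Length != 64 || !normalized.All(Uri.IsHexDigit))
    {
        throw new InvalidOperationException("replay.bundle.sha256 must be a 64-character hex SHA-256 digest.");
    }

    return normalized;
}
```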
--- a/src/Scanner/StellaOps.Scanner.Worker/Program.cs +++ b/src/Scanner/StellaOps.Scanner.Worker/Program.cs @@ -87,6 +87,8 @@ builder.Services.AddSingleton(); builder.Services.AddSingleton(); builder.Services.AddSingleton(); +builder.Services.AddSingleton(); +builder.Services.AddSingleton(); var storageSection = builder.Configuration.GetSection("ScannerStorage"); var connectionString = storageSection.GetValue("Mongo:ConnectionString"); diff --git a/src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/SurfaceManifestStageExecutorTests.cs b/src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/SurfaceManifestStageExecutorTests.cs index 77b4cd71a..208a873f4 100644 --- a/src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/SurfaceManifestStageExecutorTests.cs +++ b/src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/SurfaceManifestStageExecutorTests.cs @@ -25,6 +25,7 @@ using StellaOps.Scanner.Worker.Processing.Surface; using StellaOps.Scanner.Worker.Tests.TestInfrastructure; using Xunit; using StellaOps.Cryptography; +using StellaOps.Scanner.Worker.Determinism; namespace StellaOps.Scanner.Worker.Tests; @@ -99,6 +100,7 @@ public sealed class SurfaceManifestStageExecutorTests Assert.True(context.Analysis.TryGet(ScanAnalysisKeys.SurfaceManifest, out var result)); Assert.NotNull(result); Assert.Equal(publisher.LastManifestDigest, result!.ManifestDigest); + Assert.Equal(result.DeterminismMerkleRoot, publisher.LastRequest!.DeterminismMerkleRoot); Assert.Equal(4, cache.Entries.Count); Assert.Contains(cache.Entries.Keys, key => key.Namespace == "surface.artifacts.entrytrace.graph" && key.Tenant == "tenant-a"); 
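Review bot: `Assert.Equal(result.DeterminismMerkleRoot, publisher.LastRequest!.DeterminismMerkleRoot)` passes trivially when both sides are null, so it does not prove a root was produced or propagated into the published request; add `Assert.Matches("^[0-9a-f]{64}$", publisher.LastRequest!.DeterminismMerkleRoot)` before it and swap the arguments so the request value is `expected` and `result` is `actual`, matching how xUnit reports failures. The Program.cs hunk on this line has its generic type arguments stripped by the page extraction, so the two new `AddSingleton` registrations cannot be reviewed here. The test method continues outside the hunk.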
@@ -163,6 +165,10 @@ public sealed class SurfaceManifestStageExecutorTests Assert.Equal("feed-001", json.RootElement.GetProperty("pins").GetProperty("feed").GetString()); Assert.Equal("rev-77", json.RootElement.GetProperty("pins").GetProperty("policy").GetString()); Assert.True(json.RootElement.GetProperty("artifacts").EnumerateObject().Any()); + + Assert.True(context.Analysis.TryGet(ScanAnalysisKeys.DeterminismEvidence, out var evidence)); + Assert.False(string.IsNullOrWhiteSpace(evidence!.MerkleRootSha256)); + Assert.Equal(evidence.PayloadHashes["entrytrace.ndjson"], json.RootElement.GetProperty("artifacts").GetProperty("entrytrace.ndjson").GetString()); } [Fact] @@ -500,7 +506,8 @@ public sealed class SurfaceManifestStageExecutorTests ManifestDigest: manifestDigest, ManifestUri: $"cas://test/manifests/{manifestDigest}", ArtifactId: $"surface-manifest::{manifestDigest}", - Document: document); + Document: document, + DeterminismMerkleRoot: request.DeterminismMerkleRoot); return Task.FromResult(result); }
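Review bot: The new assertions check that `MerkleRootSha256` is non-empty and that one artifact hash round-trips, but never recompute the root from `artifacts`, so the canonical form offline replay kits must reproduce (ordinal-sorted `kind:digest` lines joined by `\n`, SHA-256, lowercase hex) is not pinned and a silent change to it would still pass. Recompute the expected root in the test from the serialized `artifacts` object and compare it with both `evidence.MerkleRootSha256` and the report's `merkleRoot` property; this needs `System.Security.Cryptography` and `System.Text` in scope if the test file does not already import them. The `@@ -500` stub only forwards `request.DeterminismMerkleRoot`, which is adequate for that purpose.
```csharp
// … unchanged: existing pins/artifacts assertions …
var canonical = string.Concat(
    json.RootElement.GetProperty("artifacts").EnumerateObject()
        .OrderBy(p => p.Name, StringComparer.Ordinal)
        .Select(p => $"{p.Name}:{p.Value.GetString()}\n"));
var expectedRoot = Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(canonical))).ToLowerInvariant();
Assert.Equal(expectedRoot, evidence!.MerkleRootSha256);
Assert.Equal(expectedRoot, json.RootElement.GetProperty("merkleRoot").GetString());
```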