Outputs are written to `results.csv` (determinism), `results-reach.csv`/`results-reach.json` (reachability hashes), and manifests `inputs.sha256` + `dataset.sha256`.
Outputs are written to `results.csv` (determinism), `results-reach.csv`/`results-reach.json` (reachability hashes), and manifests `inputs.sha256` + `dataset.sha256` (if reachability). Feed bundle hashes live in the same manifest when provided via `DET_EXTRA_INPUTS`.
## How to run (CI)
@@ -78,10 +78,9 @@ Outputs are written to `results.csv` (determinism), `results-reach.csv`/`results
## Offline/air-gap workflow
1. Place feeds bundle, SBOMs, VEX, and reachability corpus under `offline/inputs/` with matching `inputs.sha256` and `dataset.sha256`.
2. Run `./offline_run.sh --inputs offline/inputs --outputs offline/results`to execute both benches without network.
3.Verify hashes: `sha256sum -c offline/inputs/inputs.sha256` and `sha256sum -c offline/inputs/dataset.sha256`.
4. Store outputs plus manifests in Offline Kit; include DSSE envelope if signing is enabled (`./sign_results.sh`).
1. Place feeds bundle (see `src/Bench/StellaOps.Bench/Determinism/inputs/feeds/README.md`), SBOMs, VEX, and optional reachability corpus under `offline/inputs/` with matching `inputs.sha256` and (if reachability)`dataset.sha256`. A sample `inputs/inputs.sha256` is provided for the bundled demo SBOM/VEX/config.
2. Run `./offline_run.sh --inputs offline/inputs --output offline/results`(script lives under `src/Bench/StellaOps.Bench/Determinism`) to execute benches without network (defaults: runs=10, threshold=0.95; manifest verification on). Use `--no-verify` to skip hash checks if manifests are absent.
3.Store outputs plus manifests in Offline Kit; include DSSE envelope if signing is enabled (`./sign_results.sh`).
## Notes
- Keep file ordering deterministic (lexicographic) when generating manifests.
| 2025-11-27 | Completed AUTH-REACH-401-005: added `StellaOps.Attestation` reference to Authority project; created `AuthoritySignerAdapter` to wrap ICryptoSigner as IAuthoritySigner; created `IAuthorityDsseStatementSigner` interface and `AuthorityDsseStatementSigner` service for signing In-toto statements with Authority's signing keys; service reuses existing DsseHelper.WrapAsync for DSSE envelope creation; fixed null-reference issue in DsseHelper.cs. Rekor mirroring leverages existing Attestor `IRekorClient` infrastructure. | Authority Guild |
| 2025-11-27 | Completed DSSE-LIB-401-020: `StellaOps.Attestation` library now packages Envelope primitives. Added `DsseEnvelopeExtensions.cs` with conversion utilities (`ToSerializableDict`, `FromBase64`, `GetPayloadString`, `GetPayloadBase64`). Envelope types (`DsseEnvelope`, `DsseSignature`, etc.) are exposed as transitive dependencies; consumers only need to reference `StellaOps.Attestation` to access both high-level InToto/DSSE helpers and low-level envelope primitives. Build verified. | Attestor Guild |
| 2025-11-27 | Completed DSSE-CLI-401-021: implemented `stella attest` CLI command with verify/list/show subcommands in `CommandFactory.cs` and `CommandHandlers.cs`. Added handlers for offline DSSE verification (`HandleAttestVerifyAsync`), attestation listing (`HandleAttestListAsync`), and attestation details (`HandleAttestShowAsync`). Added CI workflow snippets for GitHub Actions and GitLab CI to `docs/modules/cli/guides/attest.md`. Fixed pre-existing build errors (`SanitizeFileName` missing, `NodePackageCollector.AttachEntrypoints` parameter mismatch). All CLI commands functional with placeholder handlers for backend integration. | CLI Guild |
| 2025-11-27 | Completed DSSE-DOCS-401-022: updated `docs/ci/dsse-build-flow.md` status from Draft to Complete, updated CLI verification command syntax to match implemented `stella attest verify --envelope` with additional options (`--policy`, `--root`, `--transparency-checkpoint`), updated references to completed tasks. Attestor architecture documentation at `docs/modules/attestor/architecture.md` was already comprehensive with CLI touchpoints, verification pipeline, and API details. | Docs Guild |
| 2025-11-27 | Completed PROV-BACKFILL-401-029: created `EventProvenanceBackfillService` in `src/StellaOps.Events.Mongo/` for backfilling historical events with DSSE provenance metadata; added `IAttestationResolver` interface for resolving attestations by subject digest; added `StubAttestationResolver` for testing; documented in `docs/provenance/inline-dsse.md` section 10 (Backfill service) with usage examples, implementation guide, and reference files. Build verified. | Platform Guild |
| 2025-11-27 | Completed PROV-INDEX-401-030: created `ops/mongo/indices/events_provenance_indices.js` ops deployment script with 5 indexes (subject+kind+provenance, unproven by kind, Rekor log index, envelope digest, timestamp+kind+verified); updated `src/StellaOps.Events.Mongo/MongoIndexes.cs` to include 2 new indexes (envelope digest for dedup, timestamp+kind for compliance reporting); updated `docs/provenance/inline-dsse.md` section 4 with additional indexes and deployment options. Build verified. | Platform Guild |
| 2025-11-26 | Completed SIGN-VEX-401-018: added `stella.ops/vexDecision@v1` and `stella.ops/graph@v1` predicate types to PredicateTypes.cs; added helper methods IsVexRelatedType, IsReachabilityRelatedType, GetAllowedPredicateTypes, IsAllowedPredicateType; added OpenVEX VexDecisionPredicateJson and richgraph-v1 GraphPredicateJson fixtures; updated SigningRequestBuilder with WithVexDecisionPredicate and WithGraphPredicate; added 12 new unit tests covering new predicate types and helper methods; updated integration tests to cover all 8 StellaOps predicate types. All 102 Signer tests pass. | Signing Guild |
| 2025-11-26 | BENCH-DETERMINISM-401-057 completed: added offline harness + mock scanner at `src/Bench/StellaOps.Bench/Determinism`, sample SBOM/VEX inputs, manifests (`results/inputs.sha256`), and summary output; unit tests under `Determinism/tests` passing. | Bench Guild |
| 2025-11-26 | BENCH-DETERMINISM-401-057 follow-up: default runs set to 10 per scanner/SBOM pair; harness supports `--manifest-extra`/`DET_EXTRA_INPUTS` for frozen feeds; CI wrapper enforces threshold. | Bench Guild |
| 2025-11-26 | Added optional reachability hashing path (DET_REACH_GRAPHS/DET_REACH_RUNTIME) to determinism run script; reachability helper `run_reachability.py` with sample graph/runtime fixtures and unit tests added. | Bench Guild |
| 2025-11-26 | Default runs raised to 10 per scanner/SBOM pair in harness and determinism-run wrapper to match 10x2 matrix requirement. | Bench Guild |
| 2025-11-26 | Added DET_EXTRA_INPUTS/DET_RUN_EXTRA_ARGS support to determinism run script to include frozen feeds in manifests; documented in scripts/bench/README.md. | Bench Guild |
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
SCAN-REPLAY-186-001 | DONE (2025-11-26) | Implement `record` mode in `StellaOps.Scanner.WebService` (manifest assembly, policy/feed/tool hash capture, CAS uploads) and document the workflow in `docs/modules/scanner/architecture.md` with references to `docs/replay/DETERMINISTIC_REPLAY.md` Section 6. | Scanner Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/architecture.md`)
SCAN-REPLAY-186-002 | TODO | Update `StellaOps.Scanner.Worker` analyzers to consume sealed input bundles, enforce deterministic ordering, and contribute Merkle metadata; extend `docs/modules/scanner/deterministic-execution.md` (new) summarising invariants drawn from `docs/replay/DETERMINISTIC_REPLAY.md` Section 4. | Scanner Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/deterministic-execution.md`) |
SIGN-REPLAY-186-003 | TODO | Extend Signer/Authority DSSE flows to cover replay manifest/bundle payload types with multi-profile support; refresh `docs/modules/signer/architecture.md` and `docs/modules/authority/architecture.md` to capture the new signing/verification path referencing `docs/replay/DETERMINISTIC_REPLAY.md` Section 5. | Signing Guild (`src/Signer/StellaOps.Signer`, `src/Authority/StellaOps.Authority`)
SIGN-CORE-186-004 | TODO | Replace the HMAC demo implementation in `StellaOps.Signer` with StellaOps.Cryptography providers (keyless + KMS), including provider selection, key material loading, and cosign-compatible DSSE signature output. | Signing Guild (`src/Signer/StellaOps.Signer`, `src/__Libraries/StellaOps.Cryptography`)
SIGN-CORE-186-005 | TODO | Refactor `SignerStatementBuilder` to support StellaOps predicate types (e.g., `stella.ops/promotion@v1`) and delegate payload canonicalisation to the Provenance library once available. | Signing Guild (`src/Signer/StellaOps.Signer.Core`)
SIGN-TEST-186-006 | TODO | Upgrade signer integration tests to run against the real crypto abstraction and fixture predicates (promotion, SBOM, replay), replacing stub tokens/digests with deterministic test data. | Signing Guild, QA Guild (`src/Signer/StellaOps.Signer.Tests`)
AUTH-VERIFY-186-007 | TODO | Expose an Authority-side verification helper/service that validates DSSE signatures and Rekor proofs for promotion attestations using trusted checkpoints, enabling offline audit flows. | Authority Guild, Provenance Guild (`src/Authority/StellaOps.Authority`, `src/Provenance/StellaOps.Provenance.Attestation`)
SCAN-DETER-186-008 | DONE (2025-11-26) | Add deterministic execution switches to Scanner (fixed clock, RNG seed, concurrency cap, feed/policy snapshot pins, log filtering) available via CLI/env/config so repeated runs stay hermetic. | Scanner Guild (`src/Scanner/StellaOps.Scanner.WebService`, `src/Scanner/StellaOps.Scanner.Worker`)
SCAN-DETER-186-009 | TODO | Build a determinism harness that replays N scans per image, canonicalises SBOM/VEX/findings/log outputs, and records per-run hash matrices (see `docs/modules/scanner/determinism-score.md`). | Scanner Guild, QA Guild (`src/Scanner/StellaOps.Scanner.Replay`, `src/Scanner/__Tests`)
SCAN-DETER-186-009 | DONE (2025-11-27) | Build a determinism harness that replays N scans per image, canonicalises SBOM/VEX/findings/log outputs, and records per-run hash matrices (see `docs/modules/scanner/determinism-score.md`). | Scanner Guild, QA Guild (`src/Scanner/StellaOps.Scanner.Replay`, `src/Scanner/__Tests`)
SCAN-DETER-186-010 | DONE (2025-11-27) | Emit and publish `determinism.json` (scores, artifact hashes, non-identical diffs) alongside each scanner release via CAS/object storage APIs (documented in `docs/modules/scanner/determinism-score.md`). | Scanner Guild, Export Center Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/operations/release.md`)
SCAN-ENTROPY-186-011 | DONE (2025-11-26) | Implement entropy analysis for ELF/PE/Mach-O executables and large opaque blobs (sliding-window metrics, section heuristics), flagging high-entropy regions and recording offsets/hints (see `docs/modules/scanner/entropy.md`). | Scanner Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Scanner/__Libraries`)
SCAN-ENTROPY-186-012 | DONE (2025-11-26) | Generate `entropy.report.json` and image-level penalties, attach evidence to scan manifests/attestations, and expose opaque ratios for downstream policy engines (`docs/modules/scanner/entropy.md`). | Scanner Guild, Provenance Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/replay/DETERMINISTIC_REPLAY.md`)
| 2025-11-27 | Surface manifest now emits `determinism.json` (pins + runtime toggles) to support replay verification; worker determinism context carries concurrency cap. | Scanner Guild |
| 2025-11-27 | SCAN-DETER-186-010 completed: determinism.json now published with per-payload hashes in surface manifest, satisfying determinism evidence requirements for release bundles. | Scanner Guild |
| 2025-11-27 | SCAN-REPLAY-186-002 moved to DOING: starting worker sealed-bundle consumption and Merkle metadata wiring. | Scanner Guild |
| 2025-11-27 | SCAN-DETER-186-009 completed: added determinism harness library/tests to compute per-run hash matrices and scores for release bundles. | Scanner Guild |
| GRAPH-ENG-0001 | TODO | | SPRINT_321_docs_modules_graph | Module Team | docs/modules/graph | Keep module milestones in sync with `/docs/implplan/SPRINT_141_graph.md` and related files. | GRSC0101 | GRDG0101 |
| SCANNER-ANALYZERS-DENO-26-003 | DONE | | SPRINT_130_scanner_surface | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno | Ship the npm/node compatibility adapter that maps `npm:` specifiers, evaluates `exports` conditionals, and logs builtin usage for policy overlays. | SCANNER-ANALYZERS-DENO-26-002 | |
@@ -1786,8 +1786,8 @@
| SEC-CRYPTO-90-009 | DONE | 2025-11-09 | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro) | src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro | Replace the placeholder CryptoPro plug-in with a true CryptoPro CSP implementation (GostCryptography, certificate-store lookup, DER/raw normalization) so RootPack_RU exposes a qualified-signature path. | | |
| SEC-CRYPTO-90-010 | DONE | 2025-11-09 | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/StellaOps.Cryptography + .DependencyInjection) | src/__Libraries/StellaOps.Cryptography + .DependencyInjection | Introduce `StellaOpsCryptoOptions` / configuration binding for registry profiles/keys and ship an `AddStellaOpsCryptoRu(IConfiguration, …)` helper so hosts can enable `ru-offline` via YAML without custom code. | | |
| SEC-CRYPTO-90-011 | DONE | 2025-11-09 | SPRINT_514_sovereign_crypto_enablement | Security & Ops Guilds (src/Tools/StellaOps.CryptoRu.Cli) | src/Tools/StellaOps.CryptoRu.Cli | Build the sovereign crypto CLI (`StellaOps.CryptoRu.Cli`) to list keys, perform test-sign operations, and emit determinism/audit snapshots referenced in the RootPack docs. | | |
| SEC-CRYPTO-90-012 | TODO | | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/__Tests/StellaOps.Cryptography.Tests) | src/__Libraries/__Tests/StellaOps.Cryptography.Tests | Add CryptoPro + PKCS#11 integration tests (env/pin gated) and wire them into `scripts/crypto/run-rootpack-ru-tests.sh`, covering Streebog vectors and DER/raw signatures. | | |
| SEC-CRYPTO-90-013 | TODO | | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/StellaOps.Cryptography) | src/__Libraries/StellaOps.Cryptography | Extend the shared crypto stack with sovereign symmetric algorithms (Magma/Kuznyechik) so exports/data-at-rest can request Russian ciphers via the provider registry. | | |
| SEC-CRYPTO-90-012 | BLOCKED (2025-11-27) | Env-gated; no CryptoPro/PKCS#11 runner available | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/__Tests/StellaOps.Cryptography.Tests) | src/__Libraries/__Tests/StellaOps.Cryptography.Tests | Add CryptoPro + PKCS#11 integration tests (env/pin gated) and wire them into `scripts/crypto/run-rootpack-ru-tests.sh`, covering Streebog vectors and DER/raw signatures. | | |
| SEC-CRYPTO-90-013 | BLOCKED (2025-11-27) | Depends on SEC-CRYPTO-90-021 registry wiring | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/StellaOps.Cryptography) | src/__Libraries/StellaOps.Cryptography | Extend the shared crypto stack with sovereign symmetric algorithms (Magma/Kuznyechik) so exports/data-at-rest can request Russian ciphers via the provider registry. | SEC-CRYPTO-90-021 | |
| SEC-CRYPTO-90-014 | TODO | | SPRINT_514_sovereign_crypto_enablement | Security + Service Guilds | | Update runtime hosts (Authority, Scanner WebService/Worker, Concelier, etc.) to register the RU providers, bind `StellaOps:Crypto` profiles, and expose configuration toggles per the new options model. | Wait for AUIN0101 approvals | CRSA0101 |
| SEC-CRYPTO-90-015 | TODO | | SPRINT_514_sovereign_crypto_enablement | Security + Docs Guild | docs/security/rootpack_ru_*.md | Refresh RootPack/validation documentation once the CLI/config/tests exist (remove TODO callouts, document final workflows). | Depends on #1 | CRSA0101 |
| SEC-CRYPTO-90-016 | DONE | 2025-11-09 | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/StellaOps.Cryptography.DependencyInjection + .Plugin.CryptoPro) | src/__Libraries/StellaOps.Cryptography.DependencyInjection + .Plugin.CryptoPro | Quarantine CryptoPro dependencies by default until IT.GostCryptography is patched; add MSBuild flag `StellaOpsEnableCryptoPro` and follow-up plan to re-enable the plug-in once a safe package exists. | | |
@@ -1795,7 +1795,7 @@
| SEC-CRYPTO-90-018 | TODO | | SPRINT_514_sovereign_crypto_enablement | Security + Docs Guild | docs/security/rootpack_ru_*.md, docs/dev/crypto.md | Update developer/RootPack documentation to describe the new fork, sync steps, and licensing so operators know where the CryptoPro sources live and how to refresh them. | Depends on #3 | CRSA0101 |
| SEC-CRYPTO-90-019 | TODO | | SPRINT_514_sovereign_crypto_enablement | Security Guild | third_party/forks/AlexMAS.GostCryptography | Patch the fork to drop vulnerable `System.Security.Cryptography.{Pkcs,Xml}` 6.0.0 dependencies (target .NET 8+, adopt fixed BCL packages, re-run tests). | Needs fork validation | CRSA0101 |
| SEC-CRYPTO-90-020 | TODO | | SPRINT_514_sovereign_crypto_enablement | Security Guild | src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro | Re-point `StellaOps.Cryptography.Plugin.CryptoPro` to the forked sources (replace NuGet package references, adjust DI wiring) and prove the plugin works end-to-end. | Depends on #5 | CRSA0101 |
| SEC-CRYPTO-90-021 | TODO | | SPRINT_514_sovereign_crypto_enablement | Security + QA Guilds | scripts/crypto/**, docs/security/rootpack_ru_validation.md | Validate the forked library + plugin on both Windows (CryptoPro CSP) and Linux (OpenSSL GOST fallback) builds/tests; document any platform-specific prerequisites. | Depends on #6 | CRSA0101 |
| SEC-CRYPTO-90-021 | BLOCKED (2025-11-27) | Windows CSP runner pending (depends on 90-020) | SPRINT_514_sovereign_crypto_enablement | Security + QA Guilds | scripts/crypto/**, docs/security/rootpack_ru_validation.md | Validate the forked library + plugin on both Windows (CryptoPro CSP) and Linux (OpenSSL GOST fallback) builds/tests; document any platform-specific prerequisites. | Depends on #6 | CRSA0101 |
@@ -10,7 +10,9 @@ This note collects the invariants required for reproducible Scanner runs and rep
- Concurrency cap: `scanner:determinism:concurrencyLimit=1` (worker clamps `MaxConcurrentJobs` to this) or `SCANNER__DETERMINISM__CONCURRENCYLIMIT=1`.
- Feed/policy pins: `scanner:determinism:feedSnapshotId=<frozen-feed>` and `scanner:determinism:policySnapshotId=<rev>` to stamp submissions and reject mismatched runtime policies.
- Log filtering: `scanner:determinism:filterLogs=true` to strip timestamps/PIDs before hashing.
- Evidence: worker emits `determinism.json` into the surface manifest (view `replay`) summarising fixed clock, seed, concurrency cap, feed/policy pins, and per-payload hashes so replay kits can assert settings.
- Evidence: worker emits `determinism.json` into the surface manifest (view `replay`) summarising fixed clock, seed, concurrency cap, feed/policy pins, per-payload hashes, and a Merkle root over payload hashes for quick verification.
- Sealed replay intake: worker reads `replay.bundle.uri` + `replay.bundle.sha256` (and `determinism.feed`/`determinism.policy` pins) from job metadata; stores bundle pins in analysis so downstream stages stay hermetic. Stage: `ingest-replay` runs before image resolution.
- Surface manifest includes `replayBundle` (uri + sha256 + pins) so offline kits can verify sealed inputs without scheduler context.
## Ordering
- Sort inputs (images, layers, files, findings) deterministically before processing/serialization.
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
StellaOps Bot