feat: Add new provenance and crypto registry documentation

- Introduced attestation inventory and subject-rekor mapping files for tracking Docker packages. - Added a comprehensive crypto registry decision document outlining defaults and required follow-ups. - Created an offline feeds manifest for bundling air-gap resources. - Implemented a script to generate and update binary manifests for curated binaries. - Added a verification script to ensure binary artefacts are located in approved directories. - Defined new schemas for AdvisoryEvidenceBundle, OrchestratorEnvelope, ScannerReportReadyPayload, and ScannerScanCompletedPayload. - Established project files for StellaOps.Orchestrator.Schemas and StellaOps.PolicyAuthoritySignals.Contracts. - Updated vendor manifest to track pinned binaries for integrity.
2025-11-18 23:47:13 +02:00
parent d3ecd7f8e6
commit e91da22836
44 changed files with 6793 additions and 99 deletions
--- a/docs/events/advisoryai.evidence.bundle@0.json
+++ b/docs/events/advisoryai.evidence.bundle@0.json
@@ -0,0 +1,58 @@
+{
+  "$id": "https://stella-ops.org/schemas/events/advisoryai.evidence.bundle@0.json",
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "AdvisoryAI evidence bundle (draft v0)",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["bundleId", "advisoryId", "tenant", "generatedAt", "observations"],
+  "properties": {
+    "bundleId": {"type": "string", "description": "Deterministic bundle identifier (UUID or ULID)."},
+    "advisoryId": {"type": "string", "description": "Upstream advisory identifier (vendor or CVE-style)."},
+    "tenant": {"type": "string", "description": "Owning tenant."},
+    "generatedAt": {"type": "string", "format": "date-time", "description": "UTC timestamp when bundle was assembled."},
+    "schemaVersion": {"type": "integer", "default": 0},
+    "observations": {
+      "type": "array",
+      "minItems": 1,
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": ["observationId", "source"],
+        "properties": {
+          "observationId": {"type": "string"},
+          "source": {"type": "string", "description": "Publisher or feed name."},
+          "purl": {"type": "string", "description": "Optional package URL."},
+          "cve": {"type": "string"},
+          "severity": {"type": "string", "description": "Publisher-reported severity label."},
+          "cvss": {
+            "type": "object",
+            "additionalProperties": false,
+            "properties": {
+              "vector": {"type": "string"},
+              "score": {"type": "number"}
+            }
+          },
+          "summary": {"type": "string"},
+          "evidence": {
+            "type": "object",
+            "description": "Raw upstream statement or excerpt.",
+            "additionalProperties": true
+          }
+        }
+      }
+    },
+    "signatures": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": ["signature", "keyId"],
+        "properties": {
+          "signature": {"type": "string", "description": "Base64 signature over canonical JSON."},
+          "keyId": {"type": "string"},
+          "algorithm": {"type": "string"}
+        }
+      }
+    }
+  }
+}