feat: Add DigestUpsertRequest and LockEntity models
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil. - Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt. feat: Implement ILockRepository interface and LockRepository class - Defined ILockRepository interface with methods for acquiring and releasing locks. - Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations. feat: Add SurfaceManifestPointer record for manifest pointers - Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest. feat: Create PolicySimulationInputLock and related validation logic - Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests. - Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements. test: Add unit tests for ReplayVerificationService and ReplayVerifier - Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios. - Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic. test: Implement PolicySimulationInputLockValidatorTests - Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions. chore: Add cosign key example and signing scripts - Included a placeholder cosign key example for development purposes. - Added a script for signing Signals artifacts using cosign with support for both v2 and v3. chore: Create script for uploading evidence to the evidence locker - Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.
This commit is contained in:
StellaOps Bot
@@ -14,10 +14,12 @@ Planned Evidence Locker paths (to fill post-signing):
|
||||
- `evidence-locker/signals/heuristics/2025-12-01/fixtures/` (golden inputs/outputs)
|
||||
|
||||
Pending steps:
|
||||
0) Provide signing key: CI/ops should supply `COSIGN_PRIVATE_KEY_B64` (base64 of private key) and optional `COSIGN_PASSWORD`. Local dev can place a key at `tools/cosign/cosign.key` (see `tools/cosign/cosign.key.example` stub) or decode the env var to `/tmp/cosign.key`. The helper script `tools/cosign/sign-signals.sh` auto-detects the key and cosign version.
|
||||
1) Sign each artifact with its predicate (cosign v3.0.2 in `/usr/local/bin`, use `--bundle`; v2.6.0 fallback in `tools/cosign` also works with `--output-signature`):
|
||||
- `stella.ops/confidenceDecayConfig@v1`
|
||||
- `stella.ops/unknownsScoringManifest@v1`
|
||||
- `stella.ops/heuristicCatalog@v1`
|
||||
Shortcut: `OUT_DIR=evidence-locker/signals/2025-12-01 tools/cosign/sign-signals.sh`
|
||||
Example (v3, replace KEY):
|
||||
```bash
|
||||
cosign sign-blob \
|
||||
|
||||
Reference in New Issue
Block a user